linux/drivers/usb
Tetsuo Handa 5e5ff0b4b6 USB: cdc-wdm: Fix use after free in service_outstanding_interrupt().
syzbot is reporting UAF at usb_submit_urb() [1], for
service_outstanding_interrupt() is not checking WDM_DISCONNECTING
before calling usb_submit_urb(). Close the race by doing the same checks
wdm_read() does upon retry.

Also, while wdm_read() checks WDM_DISCONNECTING with desc->rlock held,
service_interrupt_work() does not hold desc->rlock. Thus, it is possible
that usb_submit_urb() is called from service_outstanding_interrupt() from
service_interrupt_work() after WDM_DISCONNECTING was set and kill_urbs()
from wdm_disconnect() completed. Thus, move kill_urbs() in
wdm_disconnect() to after cancel_work_sync() (which makes sure that
service_interrupt_work() is no longer running) completed.

Although it seems to be safe to dereference desc->intf->dev in
service_outstanding_interrupt() even if WDM_DISCONNECTING was already set
because desc->rlock or cancel_work_sync() prevents wdm_disconnect() from
reaching list_del() before service_outstanding_interrupt() completes,
let's not emit an error message if WDM_DISCONNECTING is set by
wdm_disconnect() while usb_submit_urb() is in progress.

[1] https://syzkaller.appspot.com/bug?extid=9e04e2df4a32fb661daf

Reported-by: syzbot <syzbot+9e04e2df4a32fb661daf@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/620e2ee0-b9a3-dbda-a25b-a93e0ed03ec5@i-love.sakura.ne.jp
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-12-28 15:44:23 +01:00
atm drivers: usb: atm: use pr_err() and pr_warn() instead of raw printk() 2020-12-09 15:22:51 +01:00
c67x00 Linux 5.9-rc3 2020-08-31 07:11:45 +02:00
cdns3 Below are main changes for v5.11-rc1: 2020-12-10 11:30:31 +01:00
chipidea Below are main changes for v5.11-rc1: 2020-12-10 11:30:31 +01:00
class USB: cdc-wdm: Fix use after free in service_outstanding_interrupt(). 2020-12-28 15:44:23 +01:00
common usb: common: ulpi: Constify static attribute_group struct 2020-11-26 13:40:43 +01:00
core USB: add RESET_RESUME quirk for Snapscan 1212 2020-12-07 15:29:08 +01:00
dwc2 usb: dwc2: Avoid leaving the error_debugfs label unused 2020-10-27 11:33:53 +02:00
dwc3 USB: fixes for v5.10-rc2 2020-11-02 13:36:11 +01:00
early usb: early: ehci-dbgp: convert to readl_poll_timeout_atomic() 2020-09-25 16:29:09 +02:00
gadget usb: gadget: fsl_mxc_udc: Remove the driver 2020-12-28 15:41:33 +01:00
host powerpc updates for 5.11 2020-12-17 13:34:25 -08:00
image USB: microtek: use set_host_byte() 2020-09-16 12:42:10 +02:00
isp1760 usb: isp1760-hcd: convert to readl_poll_timeout_atomic() 2020-09-25 16:30:05 +02:00
misc USB / Thunderbolt patches for 5.11-rc1 2020-12-15 13:54:56 -08:00
mon
mtu3 usb: mtu3: fix memory corruption in mtu3_debugfs_regset() 2020-12-07 15:26:18 +01:00
musb usb: Fix fall-through warnings for Clang 2020-11-23 17:46:01 +01:00
phy Char / Misc driver updates for 5.11-rc1 2020-12-15 14:10:09 -08:00
renesas_usbhs usb: Use fallthrough pseudo-keyword 2020-07-10 08:55:17 +02:00
roles device connection: Remove struct device_connection 2020-09-07 11:14:09 +02:00
serial USB-serial updates for 5.11-rc1 2020-12-11 16:16:52 +01:00
storage USB: UAS: introduce a quirk to set no_write_same 2020-12-09 20:00:26 +01:00
typec usb: ucsi: convert comma to semicolon 2020-12-11 16:19:54 +01:00
usbip usbip: Remove in_interrupt() check 2020-10-28 13:06:06 +01:00
Kconfig
Makefile usb: host: imx21-hcd: Remove the driver 2020-11-13 15:22:46 +01:00
usb-skeleton.c