Date: Thu, 23 Mar 2017 11:04:19 -0400 (EDT)
From: Alan Stern <stern@rowland.harvard.edu>
To: Dmitry Vyukov <dvyukov@google.com>
cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        <mathias.nyman@linux.intel.com>, <baoyou.xie@linaro.org>,
        <peter.chen@nxp.com>, <wulf@rock-chips.com>,
        <wsa-dev@sang-engineering.com>, <javier@osg.samsung.com>,
        <chris.bainbridge@gmail.com>, USB list <linux-usb@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        syzkaller <syzkaller@googlegroups.com>
Subject: Re: usb: use-after-free write in usb_hcd_link_urb_to_ep
In-Reply-To: <CACT4Y+ZPj8fuNDJrVXvirovrmGng7ii4_6vavR0m2vVfjEo91g@mail.gmail.com>
Message-ID: <Pine.LNX.4.44L0.1703231059230.1558-100000@iolanthe.rowland.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1122
Lines: 29

On Thu, 23 Mar 2017, Dmitry Vyukov wrote:

> > Putting these together:
> >
> >         The memory was allocated in usb_internal_control_msg() line 93.
> >         The later events occurred within the call in line 100 to
> >         usb_start_wait_urb().
> >
> >         The invalid access occurred within usb_start_wait_urb() line 56.
> >
> >         The memory was deallocated within usb_start_wait_urb() line 78.
> >
> > Since these routines don't involve any loops or backward jumps, this
> > says that the invalid access occurred before the memory was
> > deallocated!  So why is it reported as a problem?
> 
> 
> My first guess would be that pid 3348 did 2 calls to open and the urb
> was somehow referenced across these calls. Is it possible?

I don't think so.  The URB gets allocated and deallocated separately
for each call.  You can see this very plainly by reading the source 
code for usb_internal_control_msg() and usb_start_wait_urb().

It's possible that the same memory location was allocated and
deallocated for two different calls at different times.  That wouldn't
fool syzkaller, would it?

Alan Stern