From: Dmitry Vyukov
Date: Thu, 23 Mar 2017 16:22:19 +0100
Subject: Re: usb: use-after-free write in usb_hcd_link_urb_to_ep
To: Alan Stern
Cc: Greg Kroah-Hartman, mathias.nyman@linux.intel.com, baoyou.xie@linaro.org, peter.chen@nxp.com, wulf@rock-chips.com, wsa-dev@sang-engineering.com, javier@osg.samsung.com, chris.bainbridge@gmail.com, USB list, LKML, syzkaller
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Mar 23, 2017 at 4:04 PM, Alan Stern wrote:
> On Thu, 23 Mar 2017, Dmitry Vyukov wrote:
>
>> > Putting these together:
>> >
>> > The memory was allocated in usb_internal_control_msg() line 93.
>> > The later events occurred within the call in line 100 to
>> > usb_start_wait_urb().
>> >
>> > The invalid access occurred within usb_start_wait_urb() line 56.
>> >
>> > The memory was deallocated within usb_start_wait_urb() line 78.
>> >
>> > Since these routines don't involve any loops or backward jumps, this
>> > says that the invalid access occurred before the memory was
>> > deallocated! So why is it reported as a problem?
>>
>>
>> My first guess would be that pid 3348 did 2 calls to open and the urb
>> was somehow referenced across these calls. Is it possible?
>
> I don't think so. The URB gets allocated and deallocated separately
> for each call. You can see this very plainly by reading the source
> code for usb_internal_control_msg() and usb_start_wait_urb().
>
> It's possible that the same memory location was allocated and
> deallocated for two different calls at different times. That wouldn't
> fool syzkaller, would it?

Generally it does not fool KASAN because of heap memory quarantine.
I will take a closer look tomorrow.

Thanks for looking into this.