Date: Wed, 28 Nov 2018 11:25:58 -0500 (EST)
From: Alan Stern
To: Greg KH
cc: syzbot , , , , Kernel development list , USB list ,
Subject: [PATCH] USB: Fix invalid-free bug in port_over_current_notify()
In-Reply-To: <00000000000094bcc5057b92843f@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Syzbot and KASAN found the following invalid-free bug in
port_over_current_notify():

--------------------------------------------------------------------------
BUG: KASAN: double-free or invalid-free in port_over_current_notify drivers/usb/core/hub.c:5192 [inline]
BUG: KASAN: double-free or invalid-free in port_event drivers/usb/core/hub.c:5241 [inline]
BUG: KASAN: double-free or invalid-free in hub_event+0xd97/0x4140 drivers/usb/core/hub.c:5384

CPU: 1 PID: 32710 Comm: kworker/1:3 Not tainted 4.20.0-rc3+ #129
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x244/0x39d lib/dump_stack.c:113
 print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256
 kasan_report_invalid_free+0x64/0xa0 mm/kasan/report.c:336
 __kasan_slab_free+0x13a/0x150 mm/kasan/kasan.c:501
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xcf/0x230 mm/slab.c:3817
 port_over_current_notify drivers/usb/core/hub.c:5192 [inline]
 port_event drivers/usb/core/hub.c:5241 [inline]
 hub_event+0xd97/0x4140 drivers/usb/core/hub.c:5384
 process_one_work+0xc90/0x1c40 kernel/workqueue.c:2153
 worker_thread+0x17f/0x1390 kernel/workqueue.c:2296
 kthread+0x35a/0x440 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
--------------------------------------------------------------------------

The problem is caused by use of a static array to store
environment-string pointers.
When the routine is called by multiple threads concurrently, the pointers from one thread can overwrite those from another. The solution is to use an ordinary automatic array instead of a static array. Signed-off-by: Alan Stern Reported-by: syzbot+98881958e1410ec7e53c@syzkaller.appspotmail.com --- [as1881] drivers/usb/core/hub.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) Index: usb-4.x/drivers/usb/core/hub.c =================================================================== --- usb-4.x.orig/drivers/usb/core/hub.c +++ usb-4.x/drivers/usb/core/hub.c @@ -5163,7 +5163,7 @@ static void hub_port_connect_change(stru /* Handle notifying userspace about hub over-current events */ static void port_over_current_notify(struct usb_port *port_dev) { - static char *envp[] = { NULL, NULL, NULL }; + char *envp[3]; struct device *hub_dev; char *port_dev_path; @@ -5187,6 +5187,7 @@ static void port_over_current_notify(str if (!envp[1]) goto exit; + envp[2] = NULL; kobject_uevent_env(&hub_dev->kobj, KOBJ_CHANGE, envp); kfree(envp[1]);
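Review bot: the first hunk (`@@ -5163,7 +5163,7 @@`) is not safe on its own, because dropping `static` also drops the `{ NULL, NULL, NULL }` initializer, so `char *envp[3]` starts with indeterminate contents and `envp[2]` only becomes a valid terminator through the store added in the next hunk. Keeping the initializer and removing only the storage class, `char *envp[] = { NULL, NULL, NULL };`, would zero all three slots on every call, keep the NULL terminator visible at the declaration, and make the second hunk unnecessary. Either form removes the sharing behind the KASAN report: with one static `envp` for every caller, two concurrent `hub_event` workers could both store their string in `envp[1]`, and both would then `kfree()` the surviving pointer at hub.c:5192, which is the invalid-free in the trace. Since that is reachable through ordinary over-current events, a `Fixes:` tag and a stable Cc would help backporting.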
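Review bot: in the second hunk (`@@ -5187,6 +5187,7 @@`), `envp[2] = NULL;` is stored only after the `if (!envp[1]) goto exit;` check, so the terminator that `kobject_uevent_env()` relies on is set immediately before the call rather than at the declaration; that is correct as written, but a one-line comment that the array must be NULL-terminated would stop a later change from moving another use of `envp` above it. The hunk is also cut off on this page after `kfree(envp[1]);`, so its last context line and the `exit:` path it jumps to cannot be checked here.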
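The race the commit message describes, as an added user-space model that is not code from the patch or the kernel: two simulated hub_event workers run the notify routine's allocate-then-free steps interleaved, once with a shared static envp[] and once with a per-call automatic array. malloc()/free() stand in for kasprintf()/kfree(), the interleaving is fixed so the outcome is deterministic, and the OVER_CURRENT_PORT string is a constructed value.

```c
/* Added example, not from the patch or the kernel: a user-space model of the
 * race described in the commit message.  Two simulated hub_event workers run
 * the notify routine's steps interleaved; malloc()/free() model kasprintf()/kfree(). */
#include <stdio.h>
#include <stdlib.h>

static char *shared_envp[3];          /* pre-patch: one static envp[] for all callers */
struct worker {
    char *envp_auto[3];               /* post-patch: automatic array, one per call */
    char *allocated;                  /* the string this worker created */
};
static char *freed_log[2];            /* pointers already passed to free() */
static int nfreed, double_free;       /* double_free records KASAN's invalid-free */

/* First half of the notify routine: put a freshly allocated string in envp[1]. */
static void notify_alloc(struct worker *w, int port, int use_static)
{
    char **envp = use_static ? shared_envp : w->envp_auto;
    envp[1] = w->allocated = malloc(32);                  /* models kasprintf() */
    snprintf(envp[1], 32, "OVER_CURRENT_PORT=%d", port);  /* constructed value */
    envp[2] = NULL;                   /* terminator, as the second hunk adds */
}

/* Second half: free whatever envp[1] holds now; a repeated free is recorded, not run. */
static void notify_free(struct worker *w, int use_static)
{
    char **envp = use_static ? shared_envp : w->envp_auto;
    for (int i = 0; i < nfreed; i++)
        if (freed_log[i] == envp[1]) { double_free = 1; return; }
    freed_log[nfreed++] = envp[1];
    free(envp[1]);
}

/* Interleave both workers as two CPUs could: alloc, alloc, free, free.
 * Result bit 0: a pointer was freed twice.  Bit 1: a string was orphaned
 * by the overwrite and never freed (a leak).  Both are 0 with the fix. */
int run_interleaved(int use_static)
{
    struct worker w[2] = {{{0}}};
    int result = 0, i, j;
    nfreed = double_free = 0;
    for (i = 0; i < 2; i++) notify_alloc(&w[i], i + 1, use_static);
    for (i = 0; i < 2; i++) notify_free(&w[i], use_static);
    for (i = 0; i < 2; i++) {         /* release any string nobody freed */
        for (j = 0; j < nfreed && freed_log[j] != w[i].allocated; j++) ;
        if (j == nfreed) { result |= 2; free(w[i].allocated); }
    }
    return result | double_free;
}
```

run_interleaved(1) reproduces the pre-patch outcome (worker 1's pointer freed twice, worker 0's string leaked), run_interleaved(0) the post-patch one.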