Received: by 2002:a25:31c3:0:0:0:0:0 with SMTP id x186csp507144ybx;
        Wed, 6 Nov 2019 04:13:16 -0800 (PST)
X-Google-Smtp-Source: APXvYqw++o9KEQXR3H0x5y5eMSk3cX9zWTqX44aJBpKWjPqeJ31yXyJ4Hm/4wMscZr3maZmL8NUf
X-Received: by 2002:a17:906:1c97:: with SMTP id g23mr34357047ejh.66.1573042396050;
        Wed, 06 Nov 2019 04:13:16 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1573042396; cv=none;
        d=google.com; s=arc-20160816;
        b=auqz67HL3jtvmMTRrHTZSEkZHQEY4TiZnECtAQpxMWE7cn/WrnU3jcw6bvTD4pLkKN
         Q/37XEr5fs7HbWVuklqTkhGGKXzhZgxwKeDgR7QtYaeSApjN6WE34NIkl91RUNgJzz0H
         Efsr66tjlUxI6zXLJtUVsCdwkkcsHftxSpQxwi4Zzly7mBzSSGyk6BZnfj5XzbJFDXpW
         bhTP3osmVu1wNjZfy8k5kOewp0iSN2f+33bDNFm1SPx6Ej+oevxEtr4Ba9/uUIDPCDo0
         nHeyS19z6USsSJoJ9JpJeJbev0/ROJLQJazSLEEbBYnvBrU83NJLtfeQsO5fsYtfC1fJ
         jHWg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=OEfw9cUz4TGuYkw6SKbOhoFYIK/OUoQLEjTHKdEArNo=;
        b=Vka6+25/dt1MT1lMJTGt+57N3agfU02LEfmhhXRjzTzJo612/wz4F2f9davBrHoQ7z
         1VU5xrrmeTIcFMbV1ITNGrNXiZOZHXCVrojENBP1dkJR5qlAI8qv1csVZSywyjfZAgOd
         hmlbG9RSdeCYgc2colYpRCyjoDn+wzPKHFSngH0+fJs3DVAEj16zfyO4LaxNOfDHcWhC
         2PTf/KTaoindqSK0ic2BOHuxjz9VSS3fzXRVZrXlJTJaWQ39yNZYc+uWnDbTzTBqxFdQ
         mhKZRTvxT0Tps0C+wt5WUFg4I+UCU3MQM/lk1AVjjUIYUq5jV8jTcrDWNxDeeEVatPKL
         om1A==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=fA5EbDNN;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id c29si11851855edb.223.2019.11.06.04.12.52;
        Wed, 06 Nov 2019 04:13:16 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=fA5EbDNN;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730103AbfKFMLJ (ORCPT <rfc822;noahbdev@gmail.com> + 99 others);
        Wed, 6 Nov 2019 07:11:09 -0500
Received: from mail-pg1-f195.google.com ([209.85.215.195]:37106 "EHLO
        mail-pg1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727652AbfKFMLJ (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 6 Nov 2019 07:11:09 -0500
Received: by mail-pg1-f195.google.com with SMTP id z24so12459225pgu.4
        for <linux-kernel@vger.kernel.org>; Wed, 06 Nov 2019 04:11:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=OEfw9cUz4TGuYkw6SKbOhoFYIK/OUoQLEjTHKdEArNo=;
        b=fA5EbDNNhUthKOfKfplHC/PC0ChmTlyF6fmMfBqXTprs8uRNto83kgWHVaS8OcRM4W
         PtnjGw4M/cfDVmAxqRXwpd9NczmkNfCR37ozIcvmzjr2X7cO2UFEL7KmJr+1+50w8OjU
         deNOf/rey23zka2vXis+c7yrfKPew7KFRjLXr7utYeN+7YLjLv3xfKMui7FXPmInxp/Q
         On2Dmvnc8TxwkGGjUYMsGTbXWJpqBe1KM6zzzWXxpNxOUDyLK+56AnnOV0rLPQxLnKQ9
         JbtS51kREKMexDTmZi4Ud4Dr9+BEtsSps39PGQA4C0wJ75PHunHRLAaUHKEGvanZURbg
         jlWA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=OEfw9cUz4TGuYkw6SKbOhoFYIK/OUoQLEjTHKdEArNo=;
        b=VcovOOpiblXNR63J+YLjCI70pztD1HZVAP/ga/w7dywsuhY/Hfe21cg+8ZnmPIIJz/
         rK7BLK4zxgfra7tvhyIcGifnnoVPs/VkHpoHvwmsAw7g9aewtUEM0r/GkjsYBnAJxrZy
         Ch0Zlf/44Iehg0IyX0goB9AUCxmBou+Pg8ZJbwgSYeH0ROXQequIwSAMDQ2PUtkojdgO
         1DwLEV/i3OxBMAeXsn6/6Exsx6kKwVEGA6UxQW2EJQypfGIAQwmRi66sXS6HrT9IggxV
         xQowOPwPXKKKqsvgcAaZ70YbfJpph6hq2jmQHqYt4Im2fctBUfnR2CFWTDjPxbweJyob
         QFRw==
X-Gm-Message-State: APjAAAU+4rDntNZdeXyIkVdKp/4qv8TypQ1vOdI+yZYidJQiQZhyFQfO
        b4cmz2RNyU5mNlyBW8zQsbLT12QfThG2SklX1rTtoTOV
X-Received: by 2002:aa7:9ad0:: with SMTP id x16mr2953838pfp.51.1573042268452;
 Wed, 06 Nov 2019 04:11:08 -0800 (PST)
MIME-Version: 1.0
References: <00000000000042d60805933945b5@google.com> <20191105233652.21033-1-tranmanphong@gmail.com>
In-Reply-To: <20191105233652.21033-1-tranmanphong@gmail.com>
From:   Andrey Konovalov <andreyknvl@google.com>
Date:   Wed, 6 Nov 2019 13:10:56 +0100
Message-ID: <CAAeHK+zKShqnZ=R8KQvVjsfOkAGrWW5jbsXRUnuEY8k4XN3+Fw@mail.gmail.com>
Subject: Re: [PATCH] usb: appledisplay: fix use-after-free in bl_get_brightness
To:     Phong Tran <tranmanphong@gmail.com>
Cc:     syzbot+495dab1f175edc9c2f13@syzkaller.appspotmail.com, 2pi@mok.nu,
        alex.theissen@me.com,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        LKML <linux-kernel@vger.kernel.org>,
        USB list <linux-usb@vger.kernel.org>,
        syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
        linux-kernel-mentees@lists.linuxfoundation.org
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Nov 6, 2019 at 12:37 AM Phong Tran <tranmanphong@gmail.com> wrote:
>
> In context of USB disconnect, the delaywork trigger and calling
> appledisplay_bl_get_brightness() and the msgdata was freed.
>
> add the checking return value of usb_control_msg() and only update the
> data while the retval is valid.
>
> Reported-by: syzbot+495dab1f175edc9c2f13@syzkaller.appspotmail.com
> Reported-and-tested-by:
> syzbot+495dab1f175edc9c2f13@syzkaller.appspotmail.com
>
> https://groups.google.com/d/msg/syzkaller-bugs/dRmkh2UYusY/l2a6Mg3FAQAJ

Hi Phong,

FYI, when testing patches with the usb-fuzzer instance, you need to
provide the same kernel commit id as the one where the bug was
triggered. Please see here for details:

>
> Signed-off-by: Phong Tran <tranmanphong@gmail.com>
> ---
>  drivers/usb/misc/appledisplay.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/usb/misc/appledisplay.c b/drivers/usb/misc/appledisplay.c
> index ac92725458b5..3e3dfa5a3954 100644
> --- a/drivers/usb/misc/appledisplay.c
> +++ b/drivers/usb/misc/appledisplay.c
> @@ -164,7 +164,8 @@ static int appledisplay_bl_get_brightness(struct backlight_device *bd)
>                 0,
>                 pdata->msgdata, 2,
>                 ACD_USB_TIMEOUT);
> -       brightness = pdata->msgdata[1];
> +       if (retval >= 0)
> +               brightness = pdata->msgdata[1];
>         mutex_unlock(&pdata->sysfslock);
>
>         if (retval < 0)
> --
> 2.20.1
>