From: Andrey Konovalov
Date: Wed, 6 Nov 2019 13:11:09 +0100
Subject: Re: [PATCH] usb: appledisplay: fix use-after-free in bl_get_brightness
To: Phong Tran
Cc: syzbot+495dab1f175edc9c2f13@syzkaller.appspotmail.com, 2pi@mok.nu, alex.theissen@me.com, Greg Kroah-Hartman, LKML, USB list, syzkaller-bugs, linux-kernel-mentees@lists.linuxfoundation.org
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Nov 6, 2019 at 1:10 PM Andrey Konovalov wrote:
>
> On Wed, Nov 6, 2019 at 12:37 AM Phong Tran wrote:
> >
> > In the context of USB disconnect, the delayed work triggers and calls
> > appledisplay_bl_get_brightness() and the msgdata was freed.
> >
> > Add a check of the return value of usb_control_msg() and only update the
> > data when the retval is valid.
> >
> > Reported-by: syzbot+495dab1f175edc9c2f13@syzkaller.appspotmail.com
> > Reported-and-tested-by:
> > syzbot+495dab1f175edc9c2f13@syzkaller.appspotmail.com
> >
> > https://groups.google.com/d/msg/syzkaller-bugs/dRmkh2UYusY/l2a6Mg3FAQAJ
>
> Hi Phong,
>
> FYI, when testing patches with the usb-fuzzer instance, you need to
> provide the same kernel commit id as the one where the bug was
> triggered. Please see here for details:
> https://github.com/google/syzkaller/blob/master/docs/syzbot.md#usb-bugs
>
> >
> > Signed-off-by: Phong Tran
> > ---
> >  drivers/usb/misc/appledisplay.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/usb/misc/appledisplay.c b/drivers/usb/misc/appledisplay.c
> > index ac92725458b5..3e3dfa5a3954 100644
> > --- a/drivers/usb/misc/appledisplay.c
> > +++ b/drivers/usb/misc/appledisplay.c
> > @@ -164,7 +164,8 @@ static int appledisplay_bl_get_brightness(struct backlight_device *bd) > > 0, > > pdata->msgdata, 2, > > ACD_USB_TIMEOUT); > > - brightness = pdata->msgdata[1]; > > + if (retval >= 0) > > + brightness = pdata->msgdata[1]; > > mutex_unlock(&pdata->sysfslock); > > > > if (retval < 0) > > -- > > 2.20.1 > >
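Review bot: the new `if (retval >= 0)` guard in this hunk does not close the use-after-free the commit message describes, because `pdata->msgdata` is already handed to usb_control_msg() as the transfer buffer in the lines just above the guard; if the disconnect path has freed msgdata by the time the delayed work runs, the dangling pointer is used inside that call, before `retval` is ever checked. What the check does buy is not reading a stale `msgdata[1]` after a failed transfer, which is worth keeping, but the race itself needs an ordering fix on the disconnect side: the backlight device should be unregistered and the delayed work cancelled (synchronously) before msgdata is freed, so that appledisplay_bl_get_brightness() can no longer be entered on freed state. The commit message should then describe that lifetime fix rather than the return-value check, and a re-test against the same kernel commit id syzbot reported, as Andrey asks above, would confirm whether the report actually goes away.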