Received: by 2002:a25:31c3:0:0:0:0:0 with SMTP id x186csp650631ybx;
        Wed, 6 Nov 2019 06:26:01 -0800 (PST)
X-Google-Smtp-Source: APXvYqwnZfAaR+IxHypberHp5p6iFOPpPzUZHaoMlaGV9/wWZyG7JORPKnolV7+spqhfN6W2RN9w
X-Received: by 2002:a50:8dc9:: with SMTP id s9mr2974385edh.155.1573050361120;
        Wed, 06 Nov 2019 06:26:01 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1573050361; cv=none;
        d=google.com; s=arc-20160816;
        b=OUQuG3iG5smzsExns27nOiwFB7Jq39U7TZLkfqfExDIpk4xdOPoZfSwyxsmRK3wZT/
         8ru1u0tKnWFJIWP4mpXsELNBz9cJBDdYcmnlKgBjWXSLH7OsbP7lJ1zjX979Ljy+Y751
         NKZxxDbaD5CdrwSFfCQ7X1oWg4UJ0flV6OopUEhQoscYIjjz1g+sOLzL108nEhkZs9R7
         H6aAwP1Jj0H49b/jW8L9djy9JuuCSs67nceBbkJy+XGLqgFI8SuM/51IVdU2yxVyJiKV
         cnMfjGTLUXZxnjAguue12CFqVy3PoYWpjqvwcqybo5fNBtEVXIk7nGLX2XIq0VRa/mUE
         qLag==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:to:subject:cc:dkim-signature;
        bh=VZ2YuX9WkVdA2wqZva8TfQh4uDZmSLYmnIZt2JxlnZI=;
        b=wCLiRCaH66MqkbNVs6NNbE61yj3F/ESncN9rlycOe7DLiB9K2hWgpHaWOQG/zgRSuf
         Pvh1UWsfojRrhFv5VkEq8nrL7uZmOWnKEB57CA9LxacgcM7xzPfYgX2hzYztjv368OtO
         OtxjHHXwpBujUgMsm4POrMX3XqGzkxXi+HTHJ+uAnhxmulKtdDQt5S7LXIMqKtpdjyxU
         A81jezXX9JwMPRjq/pVtlfukXkuPQQlqNnvgWk0wlFLGqety2Oj5yGYhxBZgQQyBE8s8
         0KJNp4ZPjHK7kMb+hIWAj9kDfFMtfwIzgnUbohXejkw436E1WW5prkI0F14tXEYn62+7
         9zYw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=iy429A2C;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id e7si16146883ejk.20.2019.11.06.06.25.35;
        Wed, 06 Nov 2019 06:26:01 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=iy429A2C;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728452AbfKFOWk (ORCPT <rfc822;noahbdev@gmail.com> + 99 others);
        Wed, 6 Nov 2019 09:22:40 -0500
Received: from mail-pl1-f195.google.com ([209.85.214.195]:34836 "EHLO
        mail-pl1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726945AbfKFOWk (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 6 Nov 2019 09:22:40 -0500
Received: by mail-pl1-f195.google.com with SMTP id s10so668670plp.2;
        Wed, 06 Nov 2019 06:22:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=cc:subject:to:references:from:message-id:date:user-agent
         :mime-version:in-reply-to:content-language:content-transfer-encoding;
        bh=VZ2YuX9WkVdA2wqZva8TfQh4uDZmSLYmnIZt2JxlnZI=;
        b=iy429A2Ct25xdGd6rSxaImff/6n7BsHMEcJ1elNUhEYMpfsceHyGsLNXGfuTPDayK9
         OFPB5QxinNwR4ztz4fGc0RArA+ldntUVcI17PR4mIv9i9ouOu3OprX0DrvEiucfB3qCe
         ojrGH8Y2Bej9sf4mQc5Zh2KmXMvlI28OK8qX75pVrssia1PGcmimRnnXmalbb7l9ghEF
         aSqhve8jp7NQmQsqhN4U0BZ1UsCxu1GttGQU5Kd7foRsDk3M87j5YFPXTImBlyRdyLPW
         6R37tu0qG1FEROElVWSlVT8h3l2dRpy18ed5l7anPKE2wvGdeGftqxx40ElLgYr6E9Sf
         tiRQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:cc:subject:to:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=VZ2YuX9WkVdA2wqZva8TfQh4uDZmSLYmnIZt2JxlnZI=;
        b=DnWNB1KhWQVzMZyR+JdHTsrzjTEnIqqatky1IB3VoR2VRN3K0GdNHH7RzvtJRHrGk3
         gVcNOUdpFQwtOj62HiPubeR/Ti9h66PtThEzRJIQ4vkOVV9H2dhVfGoph1qrXudtiMUd
         DlkiVFmERhnm028S1XzNaJm86Zw0Xhd2bHFA5cE9ZZ7tzhFmMZ1Wqc6nehfyf6NKQG4e
         j2tdjlXUxiVcwsjqlNpOxJtSXKvMBiqr+l8seiNcPXAH7vOJO1gpD7SCrMQlPpZkon5a
         XMfQ6BLSjU8bEWXe25jOS/abHCDVlFRqIaL2fmm8yRJ4MaAONUcV11loI1F1EMj+bIwR
         7Ipw==
X-Gm-Message-State: APjAAAXKVSI21YMaUB4XvFRVb6jqFjVsN0/kwnN0ZsWCoEPSjtELY8ad
        85PVc5sm9RaG/bmh0tZp9pFefk5chklyhA==
X-Received: by 2002:a17:902:8343:: with SMTP id z3mr2920223pln.200.1573050158836;
        Wed, 06 Nov 2019 06:22:38 -0800 (PST)
Received: from ?IPv6:2405:4800:58f7:3f8f:27cb:abb4:d0bd:49cb? ([2405:4800:58f7:3f8f:27cb:abb4:d0bd:49cb])
        by smtp.gmail.com with ESMTPSA id c184sm26760638pfc.159.2019.11.06.06.22.35
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Wed, 06 Nov 2019 06:22:38 -0800 (PST)
Cc:     tranmanphong@gmail.com, 2pi@mok.nu, alex.theissen@me.com,
        andreyknvl@google.com, gregkh@linuxfoundation.org,
        linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org,
        syzkaller-bugs@googlegroups.com,
        linux-kernel-mentees@lists.linuxfoundation.org
Subject: Re: [PATCH] usb: appledisplay: fix use-after-free in
 bl_get_brightness
To:     Oliver Neukum <oneukum@suse.com>,
        syzbot+495dab1f175edc9c2f13@syzkaller.appspotmail.com
References: <00000000000042d60805933945b5@google.com>
 <20191105233652.21033-1-tranmanphong@gmail.com>
 <1573040577.3090.22.camel@suse.com>
From:   Phong Tran <tranmanphong@gmail.com>
Message-ID: <d6c628d0-71ad-7343-d80e-1b0cd0795242@gmail.com>
Date:   Wed, 6 Nov 2019 21:22:34 +0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <1573040577.3090.22.camel@suse.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org



On 11/6/19 6:42 PM, Oliver Neukum wrote:
> Am Mittwoch, den 06.11.2019, 06:36 +0700 schrieb Phong Tran:
>> In context of USB disconnect, the delaywork trigger and calling
>> appledisplay_bl_get_brightness() and the msgdata was freed.
>>
>> add the checking return value of usb_control_msg() and only update the
>> data while the retval is valid.
> 
> Hi,
> 
> I am afraid there are some issues with your patch. First, let me stress
> that you found the right place to fix an issue and you partially fixed
> an issue. But the the fix you applied is incomplete and left another
> issue open.
> 
> Your patch still allows doing IO to a device that may already be bound
> to another driver. That is bad, especially as the buffer is already
> free. Yes, if IO is failing, you have fixed that narrow issue.
> But it need not fail.
> 
> If you look into appledisplay_probe() you will see that it can fail
> because backlight_device_register() fails. The error handling will
> thereupon kill the URB and free memory. But it will not kill an already
> scheduled work. The scheduled work will then call usb_control_msg()
> on pdata->msgdata, which has been freed. If that IO fails, all is well.
> If not, the issue still exists.
> 
Hello Oliver,

argee, there need a cancel workqueue in case error of probe().

> Secondly, your error check is off by 2. You are checking only for
> usb_control_msg() failing. But it can return only one byte instead
> of two. If that happens, the value you return is stale, although
> the buffer is correctly allocated.
> 
> 	Regards
> 		Oliver
> 
> The correct fix for both issues would be:
> 
> #syz test: https://github.com/google/kasan.git e0bd8d79
> 
>  From 2497a62bdbeb9bd94f690c22d96dd1b8cf22861f Mon Sep 17 00:00:00 2001
> From: Oliver Neukum <oneukum@suse.com>
> Date: Wed, 6 Nov 2019 12:36:28 +0100
> Subject: [PATCH] appledisplay: fix error handling in the scheduled work
> 
> The work item can operate on
> 
> 1. stale memory left over from the last transfer
> the actual length of the data transfered needs to be checked
> 2. memory already freed
> the error handling in appledisplay_probe() needs
> to cancel the work in that case
> 
> Signed-off-by: Oliver Neukum <oneukum@suse.com>
> ---
>   drivers/usb/misc/appledisplay.c | 8 +++++++-
>   1 file changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/usb/misc/appledisplay.c b/drivers/usb/misc/appledisplay.c
> index ac92725458b5..ba1eaabc7796 100644
> --- a/drivers/usb/misc/appledisplay.c
> +++ b/drivers/usb/misc/appledisplay.c
> @@ -164,7 +164,12 @@ static int appledisplay_bl_get_brightness(struct backlight_device *bd)
>   		0,
>   		pdata->msgdata, 2,
>   		ACD_USB_TIMEOUT);
> -	brightness = pdata->msgdata[1];
> +	if (retval < 2) {
> +		if (retval >= 0)
> +			retval = -EMSGSIZE;
> +	} else {
> +		brightness = pdata->msgdata[1];
> +	}

compare with message size (2) can be considered.

if (retval == 2) {
	brightness = pdata->msgdata[1];
} else {
	retval = -EMSGSIZE;
}

Regards,
Phong.

>   	mutex_unlock(&pdata->sysfslock);
>   
>   	if (retval < 0)
> @@ -299,6 +304,7 @@ static int appledisplay_probe(struct usb_interface *iface,
>   	if (pdata) {
>   		if (pdata->urb) {
>   			usb_kill_urb(pdata->urb);
> +			cancel_delayed_work_sync(&pdata->work);
>   			if (pdata->urbdata)
>   				usb_free_coherent(pdata->udev, ACD_URB_BUFFER_LEN,
>   					pdata->urbdata, pdata->urb->transfer_dma);
>