Received: by 2002:a05:6a10:9e8c:0:0:0:0 with SMTP id y12csp702496pxx; Wed, 28 Oct 2020 15:00:17 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzwh/Xt8EERZQepRv78XI8/+O8okiB10SfTJxw5Az5ChOo2FVJpUZQGN57wrbEeerW2+nAJ X-Received: by 2002:aa7:d28a:: with SMTP id w10mr1045487edq.192.1603922417643; Wed, 28 Oct 2020 15:00:17 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1603922417; cv=none; d=google.com; s=arc-20160816; b=i4eu5pPU3+gDfFOVbNlhDtejnreewaA1VS2IhhnL9h8bBvIuztJ28BcwA8qtoUgv2E KQD8bed5Ho+CL6QPVzYfvwaJnEVX42gxzfeMX3QbFai1bbAJ31grDYKPxZqSWnbWK5Z3 lbZ2q1uKMhdCgqQsA+EsPNYawweIvkmutnoG56ZKCPen/gCt1gAD/jww8B6zEwl3SdBC Jd+uRUxHpxzwDOtFgkbCyUJW7LtTpsXH/mpleM7r8spWc8kkXHC7TxNmFMlvkhoaalUS M/Q+4RzOTdl6uiE4ojToyGdz1/X0n7nd1q6aeA4MRY8W1v+AcYDABHiAOyycoITHnRJk D83g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:mime-version :dkim-signature; bh=abYJkafoDOKX6fW7qL+UGUXhDXddixsn3/i0RMMQq/s=; b=wTlv0y6Laoi64FXCs6u/UFrXGztC5CcWr6+N4zRz980F033VCPvzM5K3npTMtfYfHu GvfntRF1GdieWNvwvQHPyRbrJjXod2pi35t7O4rSLN5l8q63hA6wA8CJV2fcGnM7Hxu8 6TwR38/cisnghKzVQop1Rz3jbSZCdJ9VpeQ8uN1Z4CsUl2tQ6aEyf4V0kY+E2CI8XbFT IbRqUPSX/BaoV2zE5+DRkK2B7uy1GPWICaY8EBiwCvtXM/3UebrFO4Qrsmt0/L5xu7hM c0w426jLCoCVplUi0R1Z0rZ6HmOjVvFditlowelxZpxielZnpks30DQjm29hoCWwuTDL RF0Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=Nmrv8ERm; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id op13si420764ejb.645.2020.10.28.14.59.55; Wed, 28 Oct 2020 15:00:17 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=Nmrv8ERm; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728566AbgJ1V4K (ORCPT + 99 others); Wed, 28 Oct 2020 17:56:10 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49738 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728235AbgJ1V4F (ORCPT ); Wed, 28 Oct 2020 17:56:05 -0400 Received: from mail-lf1-x144.google.com (mail-lf1-x144.google.com [IPv6:2a00:1450:4864:20::144]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B5DC8C0613D1; Wed, 28 Oct 2020 14:56:05 -0700 (PDT) Received: by mail-lf1-x144.google.com with SMTP id 141so733212lfn.5; Wed, 28 Oct 2020 14:56:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to:cc; bh=abYJkafoDOKX6fW7qL+UGUXhDXddixsn3/i0RMMQq/s=; b=Nmrv8ERmGuAEq081pt54Hacig+9CAWxGFJQxue3Lde5JR5DFPU+NTw14ySZFu56JVQ ZVBUvIIQyOHqPFc5SwoAMl2fovwtXPZUS9S+p6JAIUYJydbku560HEYmNbCHiDQad/GH pnYrW2rt5czNkupHBUqcuLhGuzSHVk6NrHIsK+bITT3hlNHwWmyp0Uoavii3bfFyxZiQ CdUDy58wKidCW/HnBLvN0L6U8RNiBSUjw9/QPfoivZX5IqJDvkgJKs1l4mgK99STMIXX K4JW1f2alWxu7DLIEYu3n0+kf15nRQ/3wL0yLxaiy+pdyPCTy/gpriGI+gzBSCkPTf1x t8fg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=abYJkafoDOKX6fW7qL+UGUXhDXddixsn3/i0RMMQq/s=; b=aURR/h+ZPYn1cmm1Tnx2WjxOaNDFeksR1mm2Q7Z7K7V1ZxPwJ0PUCGHC5sv42Y6bOm UYhdsppBIohZEWLeiEOLX2hJ8pJH0SPP8uYg51yahBjoMPqMMYcItGVsQ8Mx+cZKxlmL 8KOfN9AscWa/z/2jPF6uCMFDTuJWO0g/aSSksseYr9tzFWBlYvOeGOOL3Ul9lzPMmLV0 2CsRMtUXCjJpEUsqo7sQqGbPjadUhssYEvodkG9p2pbUK14zEL1tnYkn17b9LX+VooDT KndAMGDal/1WjaFh0cLr1kfzE6dSPT44a+2GcL8GLbst8kYSv4L6qbK0Tew7UmBbDFZb 6/6g== X-Gm-Message-State: AOAM532vcSOMBZ1Op22nQN4TVmXekZplGrXAI3Brlld08yYtFFiyigj0 QLKJXmg7qSkhTig9qMKGrEEEn/0ruBcPzTteht8GZK3z X-Received: by 2002:a17:906:1246:: with SMTP id u6mr933941eja.432.1603918280500; Wed, 28 Oct 2020 13:51:20 -0700 (PDT) MIME-Version: 1.0 From: Kyungtae Kim Date: Wed, 28 Oct 2020 16:51:09 -0400 Message-ID: Subject: KASAN: use-after-free Read in do_set_interface To: Felipe Balbi , Greg KH Cc: USB list , LKML , syzkaller Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org We report a bug (in linux-5.8.13) found by FuzzUSB (a modified version of syzkaller). The bug happened when accessing a freed instance of struct fsg_dev (i.e., fsg->bulk_in) in do_set_interface() (line 2245). ================================================================== BUG: KASAN: use-after-free in do_set_interface.part.7+0xa6b/0xd90 drivers/usb/gadget/function/f_mass_storage.c:2245 Read of size 8 at addr ffff88806bc940f8 by task file-storage/2063 CPU: 3 PID: 2063 Comm: file-storage Not tainted 5.8.13 #4 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xa7/0xea lib/dump_stack.c:118 print_address_description.constprop.8+0x3f/0x60 mm/kasan/report.c:383 kasan_report.cold.11+0x20/0x37 mm/kasan/report.c:513 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:146 do_set_interface.part.7+0xa6b/0xd90 drivers/usb/gadget/function/f_mass_storage.c:2245 do_set_interface drivers/usb/gadget/function/f_mass_storage.c:2202 [inline] handle_exception drivers/usb/gadget/function/f_mass_storage.c:2426 [inline] fsg_main_thread+0x12c7/0x59f1 drivers/usb/gadget/function/f_mass_storage.c:2466 kthread+0x374/0x480 kernel/kthread.c:291 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293 Allocated by task 1910: save_stack+0x21/0x50 mm/kasan/common.c:48 set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc mm/kasan/common.c:494 [inline] __kasan_kmalloc.constprop.6+0xc7/0xd0 mm/kasan/common.c:467 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:508 kmem_cache_alloc_trace+0x139/0x330 mm/slub.c:2851 kzalloc ./include/linux/slab.h:555 [inline] fsg_alloc+0x77/0x290 drivers/usb/gadget/function/f_mass_storage.c:3417 usb_get_function+0x58/0xc0 drivers/usb/gadget/functions.c:61 config_usb_cfg_link+0x1ed/0x3a0 drivers/usb/gadget/configfs.c:435 configfs_symlink+0x4f5/0xf10 fs/configfs/symlink.c:202 vfs_symlink fs/namei.c:3953 [inline] vfs_symlink+0x304/0x540 fs/namei.c:3939 do_symlinkat+0x104/0x1a0 fs/namei.c:3980 __do_sys_symlinkat fs/namei.c:3994 [inline] __se_sys_symlinkat fs/namei.c:3991 [inline] __x64_sys_symlinkat+0x6e/0xb0 fs/namei.c:3991 do_syscall_64+0x54/0xa0 arch/x86/entry/common.c:392 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 2072: save_stack+0x21/0x50 mm/kasan/common.c:48 set_track mm/kasan/common.c:56 [inline] kasan_set_free_info mm/kasan/common.c:316 [inline] __kasan_slab_free+0x139/0x190 mm/kasan/common.c:455 kasan_slab_free+0xe/0x10 mm/kasan/common.c:464 slab_free_hook mm/slub.c:1474 [inline] slab_free_freelist_hook mm/slub.c:1507 [inline] slab_free mm/slub.c:3072 [inline] kfree+0xef/0x3d0 mm/slub.c:4052 fsg_free+0x84/0xa0 drivers/usb/gadget/function/f_mass_storage.c:3408 usb_put_function+0x38/0x50 drivers/usb/gadget/functions.c:87 config_usb_cfg_unlink+0x2e9/0x3a0 drivers/usb/gadget/configfs.c:476 configfs_unlink+0x379/0x77e fs/configfs/symlink.c:250 vfs_unlink+0x241/0x550 fs/namei.c:3825 do_unlinkat+0x3e7/0x610 fs/namei.c:3889 __do_sys_unlink fs/namei.c:3936 [inline] __se_sys_unlink fs/namei.c:3934 [inline] __x64_sys_unlink+0x3d/0x50 fs/namei.c:3934 do_syscall_64+0x54/0xa0 arch/x86/entry/common.c:392 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The buggy address belongs to the object at ffff88806bc94000 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 248 bytes inside of 512-byte region [ffff88806bc94000, ffff88806bc94200) The buggy address belongs to the page: page:ffffea0001af2500 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 head:ffffea0001af2500 order:2 compound_mapcount:0 compound_pincount:0 flags: 0x100000000010200(slab|head) raw: 0100000000010200 dead000000000100 dead000000000122 ffff88806c40e580 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88806bc93f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88806bc94000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88806bc94080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88806bc94100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88806bc94180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Regards, Kyungtae Kim