Date: Mon, 22 Feb 2021 20:47:26 -0300
From: Thadeu Lima de Souza Cascardo
To: Felipe Balbi
Cc: Jim Lin, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3] usb: gadget: configfs: Fix KASAN use-after-free
Message-ID: <20210222234726.GA166848@mussarela>
References: <1484647168-30135-1-git-send-email-jilin@nvidia.com> <878tqakmiy.fsf@linux.intel.com>
In-Reply-To: <878tqakmiy.fsf@linux.intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jan 17, 2017 at 12:29:09PM +0200, Felipe Balbi wrote:
> 
> Hi,
> 
> Jim Lin writes:
> > When gadget is disconnected, running sequence is like this.
> > . composite_disconnect
> > . Call trace:
> >   usb_string_copy+0xd0/0x128
> >   gadget_config_name_configuration_store+0x4
> >   gadget_config_name_attr_store+0x40/0x50
> >   configfs_write_file+0x198/0x1f4
> >   vfs_write+0x100/0x220
> >   SyS_write+0x58/0xa8
> > . configfs_composite_unbind
> > . configfs_composite_bind
> > 
> > In configfs_composite_bind, it has
> > "cn->strings.s = cn->configuration;"
> > 
> > When usb_string_copy is invoked, it would
> > allocate memory, copy input string, release previous pointed memory space,
> > and use new allocated memory.
> > 
> > When gadget is connected, host sends down request to get information.
> > Call trace:
> >   usb_gadget_get_string+0xec/0x168
> >   lookup_string+0x64/0x98
> >   composite_setup+0xa34/0x1ee8
> > 
> > If gadget is disconnected and connected quickly, in the failed case,
> > cn->configuration memory has been released by usb_string_copy kfree but
> > configfs_composite_bind hasn't been run in time to assign new allocated
> > "cn->configuration" pointer to "cn->strings.s".
> > 
> > When "strlen(s->s)" of usb_gadget_get_string is being executed, the dangling
> > memory is accessed, "BUG: KASAN: use-after-free" error occurs.
> > 
> > Signed-off-by: Jim Lin
> > ---
> > Changes in v2:
> > Changes in v3:
> > Change commit description
> 
> well, I need to be sure you tested this with Linus' tree. The reason I'm
> asking is because this could be a bug caused by Android changes. From
> your previous patch, the problem started with android_setup().
> 
> Please test with v4.10-rc4 and any configfs-based gadget.
> 
> -- 
> balbi

I tested this with dummy_hcd on top of a 5.8 kernel and I got lsusb to
respond with an error instead of the right manufacturer string, after
overwriting such a string after binding. With the patch applied, after
the string is overwritten, lsusb will show the updated string.

Because of commit 81c7462883b0cc0a4eeef0687f80ad5b5baee5f6 ("USB: replace
hardcode maximum usb string length by definition"), the patch will need a
fixup.

Should I send a v2 with my sign-off?

Thanks.
Cascardo.