Date: Mon, 11 Apr 2022 14:14:34 +0200
From: Johan Hovold
To: Dongliang Mu
Cc: Oliver Neukum, "David S. Miller", Jakub Kicinski, Paolo Abeni, Dongliang Mu, syzbot+eabbf2aaa999cc507108@syzkaller.appspotmail.com, linux-usb@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] driver: usb: nullify dangling pointer in cdc_ncm_free
References: <20220409120901.267526-1-dzm91@hust.edu.cn>
In-Reply-To: <20220409120901.267526-1-dzm91@hust.edu.cn>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Apr 09, 2022 at 08:09:00PM +0800, Dongliang Mu wrote:
> From: Dongliang Mu
>
> cdc_ncm_bind calls cdc_ncm_bind_common and sets dev->data[0]
> with ctx. However, in the unbind function - cdc_ncm_unbind,
> it calls cdc_ncm_free and frees ctx, leaving dev->data[0] as
> a dangling pointer. The following ioctl operation will trigger
> the UAF in the function cdc_ncm_set_dgram_size.
>
> Fix this by setting dev->data[0] as zero.

This sounds like a poor band-aid. Please explain how this prevents the
ioctl() from racing with unbind().

Johan

> ==================================================================
> BUG: KASAN: use-after-free in cdc_ncm_set_dgram_size+0xc91/0xde0
> Read of size 8 at addr ffff8880755210b0 by task dhcpcd/3174
>
> Call Trace:
>
> __dump_stack lib/dump_stack.c:88 [inline]
> dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
> print_address_description.constprop.0.cold+0xeb/0x495 mm/kasan/report.c:313
> print_report mm/kasan/report.c:429 [inline]
> kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
> cdc_ncm_set_dgram_size+0xc91/0xde0 drivers/net/usb/cdc_ncm.c:608
> cdc_ncm_change_mtu+0x10c/0x140 drivers/net/usb/cdc_ncm.c:798
> __dev_set_mtu net/core/dev.c:8519 [inline]
> dev_set_mtu_ext+0x352/0x5b0 net/core/dev.c:8572
> dev_set_mtu+0x8e/0x120 net/core/dev.c:8596
> dev_ifsioc+0xb87/0x1090 net/core/dev_ioctl.c:332
> dev_ioctl+0x1b9/0xe30 net/core/dev_ioctl.c:586
> sock_do_ioctl+0x15a/0x230 net/socket.c:1136
> sock_ioctl+0x2f1/0x640 net/socket.c:1239
> vfs_ioctl fs/ioctl.c:51 [inline]
> __do_sys_ioctl fs/ioctl.c:870 [inline]
> __se_sys_ioctl fs/ioctl.c:856 [inline]
> __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:856
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x44/0xae
> RIP: 0033:0x7f00859e70e7
> RSP: 002b:00007ffedd503dd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> RAX: ffffffffffffffda RBX: 00007f00858f96c8 RCX: 00007f00859e70e7
> RDX: 00007ffedd513fc8 RSI: 0000000000008922 RDI: 0000000000000018
> RBP: 00007ffedd524178 R08: 00007ffedd513f88 R09: 00007ffedd513f38
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 00007ffedd513fc8 R14: 0000000000000028 R15: 0000000000008922
>
> Reported-by: syzbot+eabbf2aaa999cc507108@syzkaller.appspotmail.com
> Signed-off-by: Dongliang Mu
> ---
>  drivers/net/usb/cdc_ncm.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
> index 15f91d691bba..9fc2df9f0b63 100644
> --- a/drivers/net/usb/cdc_ncm.c
> +++ b/drivers/net/usb/cdc_ncm.c
> @@ -1019,6 +1019,7 @@ void cdc_ncm_unbind(struct usbnet *dev, struct usb_interface *intf)
>
>  	usb_set_intfdata(intf, NULL);
>  	cdc_ncm_free(ctx);
> +	dev->data[0] = 0;
>  }
>  EXPORT_SYMBOL_GPL(cdc_ncm_unbind);
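Review bot: the added store `dev->data[0] = 0;` sits after `cdc_ncm_free(ctx);`, so it does not close the race the commit message describes: a concurrent cdc_ncm_change_mtu() -> cdc_ncm_set_dgram_size() call that has already loaded ctx from dev->data[0], or that loads it between the free and the store, still dereferences freed memory, and the store only narrows the window rather than removing it (at best the late reader then hits a NULL ctx instead). The fix needs to order teardown so the MTU/ioctl path can no longer reach ctx once it is freed, or serialize the two under a common lock, and the commit message should state what provides that guarantee rather than only that the pointer is cleared.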