Received: by 2002:a05:6a10:6d10:0:0:0:0 with SMTP id gq16csp266394pxb; Thu, 14 Apr 2022 22:08:53 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzqKGDsst9GPuFcqXAp1HntYYPN6vJwlRuqMdaG3L6iyzf8cxaQsxF+vSxkZhaIdM0FnJvr X-Received: by 2002:a65:4108:0:b0:399:1f0e:50da with SMTP id w8-20020a654108000000b003991f0e50damr5199109pgp.2.1649999333188; Thu, 14 Apr 2022 22:08:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1649999333; cv=none; d=google.com; s=arc-20160816; b=ZBkWty+xJLm9CFva4BAJOcBUEsPp4U/gbK1NbJbRcx7ygtI7zHWc0D4TIFA7Jn8o19 SkgmPxw3dVajxmaNh7dESHOA5fu+7kRzkpPAXqm7DveA8xjkpzfHCh0iGmxFwKxhKVUC pC8VH5d3I/ZE/fL+KtX0KE5h/loy0Buo2ZaCjBSUBF4+lXb+igZwCtBJ5E2J82xycueA IvKAOsI/2JP2xLyh44+/kIMtAQ4PO2b3MbA1FeRlaTol2HcBi3iHbaPQHB/V9iE8BMLu x0qtKziWLBCCpffVXgnHew+MfswukBZ1wsH1/gCXxCF7N2LjKfPPmjBCtFaPPb3zxBSX sZrw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=uYldqlfvDnUO//XnpL4/gJepKZlc0bM1hOqCfUDNXHQ=; b=btIBPutX0VvGOeYoS6AgMMldi/4I8M+jljUt5MHoyqPScoFeu97Aftxa1tQ2Ip0FDs yr5GPJ0sukYPxdGO9GJU/cZ5BmnF8UAYtXiozVtEPkMQsAVFj1nQYCH5DpGfj5mNch6c QoHoapi4JZNPKuDCGZUjQ786f/JEPWqUV2xhVDBjl0QxY5qMbEnyEj+hMJSmwhHdGDPk Ovd2xoMNujiEMA8NJtAAWOvGRjrh6cW3YfyGjOA4bkwaXBYDb7xTFA1YPopRCab5jCMp 0hReVqJOxixBR618bX/A3NBXw8aX11urnXKTZo8akKm5RRkYMEBcgStDHJYZu12HpGBg 3VxQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=hskXrMh1; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id j37-20020a634a65000000b003a283acb929si578147pgl.490.2022.04.14.22.07.45; Thu, 14 Apr 2022 22:08:53 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=hskXrMh1; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344189AbiDNP0F (ORCPT + 99 others); Thu, 14 Apr 2022 11:26:05 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57286 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1348222AbiDNOCi (ORCPT ); Thu, 14 Apr 2022 10:02:38 -0400 Received: from mail-ej1-x62b.google.com (mail-ej1-x62b.google.com [IPv6:2a00:1450:4864:20::62b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C9DCBF04; Thu, 14 Apr 2022 07:00:09 -0700 (PDT) Received: by mail-ej1-x62b.google.com with SMTP id u15so10178889ejf.11; Thu, 14 Apr 2022 07:00:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=uYldqlfvDnUO//XnpL4/gJepKZlc0bM1hOqCfUDNXHQ=; b=hskXrMh1N9NmYRDTvxW0ec01jIgWA993bv1y/GsRkBmbTF28G2+VMlnMu4qN+Zwbb9 TgaW0UQnmQR/k+m62R2GhWbDQ6yKD1gI/QMfCKcPgeJtJxIZZ8vjBapbZT7bDzkGzoQ8 vqcWMY2+P50WGkhM1i0sjP2RYnZu/s4ibVgiVK7yxrYaBV45EnnMlwByJuRGFxRYjvKj 7Gly2BTlU0rhrcP3xBQ4a9VLxxWPfoZsI/SwiGADF5r/AI2mQXDTY5zCJcBSVI3ZH3zl 2ZpiAcCeo7Fg4owqDDGVZLW5xGddnlKy/m4102X/WcNfMzgNax8V8VtLCYwDEmF4gA7A PZKg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=uYldqlfvDnUO//XnpL4/gJepKZlc0bM1hOqCfUDNXHQ=; b=TVt8CcXK1Q3ueATtP0Hee+6+5z/sJNz/vctL443DZPGJ/ZJC6oeQlQNBpSTv4+EVr0 RjurO0IRJg7RXSKCVNCQDrzlysCgs95n0PV0uvFlr2YPieJKy0tGFYtVfEdgGx8A2zkL WhA7dG+IDEjjTl6JNbb92/A1zyL8YBPU2y6lw5H2aAsP5rqKKckiJ6at2nD23xbbermh EbNiqfLj6A8FTDM4miHemb9xf9b5XXCw+APu8jGhnq8vwOt+4IJ34MJlfKMQySRwEPnf +MCgsLG/ryHRiMVWMtfCzHGm3K+zvEIxvlHGKiPU7EJR0OkzhpSgWim/vBHpsDYE+6xv hn9w== X-Gm-Message-State: AOAM530HwOwXZm6IAFmP3Wgnjd1RCL1K5Gj5QBOd8O9uyxfXYV1SdxGu QVQjWXdI64PldV7HC8KZN332frmPs1EJ0vvMBbiippn//HE= X-Received: by 2002:a17:907:a423:b0:6e8:8ffd:6e5e with SMTP id sg35-20020a170907a42300b006e88ffd6e5emr2382624ejc.708.1649944808390; Thu, 14 Apr 2022 07:00:08 -0700 (PDT) MIME-Version: 1.0 References: <20220409120901.267526-1-dzm91@hust.edu.cn> In-Reply-To: From: Dongliang Mu Date: Thu, 14 Apr 2022 21:59:41 +0800 Message-ID: Subject: Re: [PATCH] driver: usb: nullify dangling pointer in cdc_ncm_free To: Andy Shevchenko Cc: Dongliang Mu , Oliver Neukum , "David S. Miller" , Jakub Kicinski , Paolo Abeni , syzbot+eabbf2aaa999cc507108@syzkaller.appspotmail.com, USB , netdev , Linux Kernel Mailing List Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Apr 11, 2022 at 10:55 PM Andy Shevchenko wrote: > > On Sun, Apr 10, 2022 at 5:14 AM Dongliang Mu wrote: > > > > From: Dongliang Mu > > > > cdc_ncm_bind calls cdc_ncm_bind_common and sets dev->data[0] > > with ctx. However, in the unbind function - cdc_ncm_unbind, > > it calls cdc_ncm_free and frees ctx, leaving dev->data[0] as > > a dangling pointer. The following ioctl operation will trigger > > the UAF in the function cdc_ncm_set_dgram_size. > > First of all, please use the standard form of referring to the func() > as in this sentence. OK, no problem. > > > Fix this by setting dev->data[0] as zero. > > > > ================================================================== > > BUG: KASAN: use-after-free in cdc_ncm_set_dgram_size+0xc91/0xde0 > > Read of size 8 at addr ffff8880755210b0 by task dhcpcd/3174 > > > > Please, avoid SO noisy commit messages. Find the core part of the > traceback(s) which should be rarely more than 5-10 lines. Sure. I will revise them in the v2 patch. > > ... > > The code seems fine. > > -- > With Best Regards, > Andy Shevchenko