References: <20220409120901.267526-1-dzm91@hust.edu.cn>
From: Dongliang Mu
Date: Thu, 14 Apr 2022 22:03:55 +0800
Subject: Re: [PATCH] driver: usb: nullify dangling pointer in cdc_ncm_free
To: Johan Hovold
Cc: Dongliang Mu, Oliver Neukum, "David S. Miller", Jakub Kicinski, Paolo Abeni, syzbot+eabbf2aaa999cc507108@syzkaller.appspotmail.com, USB, "open list:NETWORKING [GENERAL]", linux-kernel
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Apr 14, 2022 at 9:58 PM Dongliang Mu wrote:
>
> On Mon, Apr 11, 2022 at 8:14 PM Johan Hovold wrote:
> >
> > On Sat, Apr 09, 2022 at 08:09:00PM +0800, Dongliang Mu wrote:
> > > From: Dongliang Mu
> > >
> > > cdc_ncm_bind calls cdc_ncm_bind_common and sets dev->data[0]
> > > with ctx. However, in the unbind function - cdc_ncm_unbind,
> > > it calls cdc_ncm_free and frees ctx, leaving dev->data[0] as
> > > a dangling pointer. The following ioctl operation will trigger
> > > the UAF in the function cdc_ncm_set_dgram_size.
> > >
> > > Fix this by setting dev->data[0] as zero.
> >
> > This sounds like a poor band-aid. Please explain how this prevents the
> > ioctl() from racing with unbind().
>
> You mean the following thread interleaving?
>
> ioctl                      unbind
>                            cdc_ncm_free(ctx);
> dev->data[0]
>                            dev->data[0] = 0;
>
> It seems this will still trigger UAF. Maybe we need to add mutex to
> prevent this. But I am not sure.

ioctl                      unbind
                           cdc_ncm_free(ctx);
                           dev->data[0] = 0;
dev->data[0]

This will trigger a null pointer dereference if my patch is applied, right?

>
> >
> > Johan
> >
> > > ==================================================================
> > > BUG: KASAN: use-after-free in cdc_ncm_set_dgram_size+0xc91/0xde0
> > > Read of size 8 at addr ffff8880755210b0 by task dhcpcd/3174
> > >
> > > Call Trace:
> > >
> > > __dump_stack lib/dump_stack.c:88 [inline]
> > > dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
> > > print_address_description.constprop.0.cold+0xeb/0x495 mm/kasan/report.c:313
> > > print_report mm/kasan/report.c:429 [inline]
> > > kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
> > > cdc_ncm_set_dgram_size+0xc91/0xde0 drivers/net/usb/cdc_ncm.c:608
> > > cdc_ncm_change_mtu+0x10c/0x140 drivers/net/usb/cdc_ncm.c:798
> > > __dev_set_mtu net/core/dev.c:8519 [inline]
> > > dev_set_mtu_ext+0x352/0x5b0 net/core/dev.c:8572
> > > dev_set_mtu+0x8e/0x120 net/core/dev.c:8596
> > > dev_ifsioc+0xb87/0x1090 net/core/dev_ioctl.c:332
> > > dev_ioctl+0x1b9/0xe30 net/core/dev_ioctl.c:586
> > > sock_do_ioctl+0x15a/0x230 net/socket.c:1136
> > > sock_ioctl+0x2f1/0x640 net/socket.c:1239
> > > vfs_ioctl fs/ioctl.c:51 [inline]
> > > __do_sys_ioctl fs/ioctl.c:870 [inline]
> > > __se_sys_ioctl fs/ioctl.c:856 [inline]
> > > __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:856
> > > do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> > > do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80
> > > entry_SYSCALL_64_after_hwframe+0x44/0xae
> > > RIP: 0033:0x7f00859e70e7
> > > RSP: 002b:00007ffedd503dd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> > > RAX: ffffffffffffffda RBX: 00007f00858f96c8 RCX: 00007f00859e70e7
> > > RDX: 00007ffedd513fc8 RSI: 0000000000008922 RDI: 0000000000000018
> > > RBP: 00007ffedd524178 R08: 00007ffedd513f88 R09: 00007ffedd513f38
> > > R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> > > R13: 00007ffedd513fc8 R14: 0000000000000028 R15: 0000000000008922
> > >
> > >
> > > Reported-by: syzbot+eabbf2aaa999cc507108@syzkaller.appspotmail.com
> > > Signed-off-by: Dongliang Mu
> > > ---
> > >  drivers/net/usb/cdc_ncm.c | 1 +
> > >  1 file changed, 1 insertion(+)
> > >
> > > diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
> > > index 15f91d691bba..9fc2df9f0b63 100644
> > > --- a/drivers/net/usb/cdc_ncm.c
> > > +++ b/drivers/net/usb/cdc_ncm.c
> > > @@ -1019,6 +1019,7 @@ void cdc_ncm_unbind(struct usbnet *dev, struct usb_interface *intf)
> > >
> > >  	usb_set_intfdata(intf, NULL);
> > >  	cdc_ncm_free(ctx);
> > > +	dev->data[0] = 0;
> > >  }
> > >  EXPORT_SYMBOL_GPL(cdc_ncm_unbind);
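Review bot: The hunk in cdc_ncm_unbind does not close the race Johan asks about: the store `dev->data[0] = 0;` is executed after `cdc_ncm_free(ctx);`, so an ioctl that loads dev->data[0] between the two calls still reads the freed ctx (the KASAN report above, cdc_ncm_set_dgram_size at drivers/net/usb/cdc_ncm.c:608), and an ioctl that loads it after the store dereferences NULL instead, exactly as the two interleavings in the reply show. Clearing the slot only changes which crash a concurrent caller gets; the change needs to make the ioctl path and unbind mutually exclusive, or guarantee that the net device can no longer be reached by the time ctx is freed, and the commit message should state which of the two it relies on. Also, the subject says "nullify dangling pointer in cdc_ncm_free" while the hunk modifies cdc_ncm_unbind; align the subject with the function actually changed.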
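To make the interleaving argument in the reply checkable, here is an added example that is not part of the thread and not code from drivers/net/usb/cdc_ncm.c: a single-threaded userspace model that runs the ioctl and unbind steps in a chosen order and reports what the ioctl would have hit. All names (struct dev_model, run_schedule, the step and result enums) are invented for the illustration, kfree() is modelled by a "freed" flag so no freed memory is ever touched, and the "locked" variant is one generic lock-plus-NULL-check pattern, assumed here for comparison rather than the fix the driver eventually adopted.

```c
/* Added example: a sequential model of the ioctl/unbind interleavings
 * from the thread.  Not kernel code; every name below is invented. */
#include <stddef.h>
#include <stdio.h>

enum step {
	IOCTL_RACY,     /* as in the driver: load dev->data[0] and use it, unsynchronised */
	UNBIND_FREE,    /* cdc_ncm_free(ctx), modelled as ctx.freed = 1 */
	UNBIND_NULL,    /* the patch's dev->data[0] = 0 */
	IOCTL_LOCKED,   /* load + NULL check + use, as one indivisible step (under a lock) */
	UNBIND_LOCKED,  /* free + clear the slot, as one indivisible step (same lock) */
};

enum result { R_NONE, R_OK, R_UAF, R_NULL_DEREF, R_ENODEV };

struct ctx_model { int dgram_size; int freed; };

struct dev_model {
	struct ctx_model ctx;      /* the object ctx points to */
	struct ctx_model *data0;   /* stands in for dev->data[0] */
};

static void dev_init(struct dev_model *d)
{
	d->ctx.dgram_size = 0;
	d->ctx.freed = 0;
	d->data0 = &d->ctx;        /* what bind establishes */
}

/* Mirrors the unsynchronised driver path: no NULL check, no lifetime guarantee. */
static enum result ioctl_racy(struct dev_model *d)
{
	struct ctx_model *c = d->data0;

	if (!c)
		return R_NULL_DEREF;   /* what the patch turns the race into */
	if (c->freed)
		return R_UAF;          /* what KASAN reports today */
	c->dgram_size = 1500;
	return R_OK;
}

/* Because the model is sequential, one function call is one critical section. */
static enum result ioctl_locked(struct dev_model *d)
{
	struct ctx_model *c = d->data0;

	if (!c)
		return R_ENODEV;       /* device already gone: fail cleanly */
	if (c->freed)
		return R_UAF;          /* unreachable: free happens under the same lock */
	c->dgram_size = 1500;
	return R_OK;
}

static void unbind_locked(struct dev_model *d)
{
	d->ctx.freed = 1;
	d->data0 = NULL;           /* both updates inside the one critical section */
}

/* Execute the steps in order and return the ioctl's outcome. */
static enum result run_schedule(const enum step *s, size_t n)
{
	struct dev_model d;
	enum result r = R_NONE;
	size_t i;

	dev_init(&d);
	for (i = 0; i < n; i++) {
		switch (s[i]) {
		case IOCTL_RACY:    r = ioctl_racy(&d); break;
		case UNBIND_FREE:   d.ctx.freed = 1; break;
		case UNBIND_NULL:   d.data0 = NULL; break;
		case IOCTL_LOCKED:  r = ioctl_locked(&d); break;
		case UNBIND_LOCKED: unbind_locked(&d); break;
		}
	}
	return r;
}

/* First interleaving in the reply: free, ioctl loads the slot, then the store. */
enum result patched_ioctl_between_free_and_store(void)
{
	const enum step s[] = { UNBIND_FREE, IOCTL_RACY, UNBIND_NULL };
	return run_schedule(s, 3);
}

/* Second interleaving: free, store, then the ioctl loads the slot. */
enum result patched_ioctl_after_store(void)
{
	const enum step s[] = { UNBIND_FREE, UNBIND_NULL, IOCTL_RACY };
	return run_schedule(s, 3);
}

/* With both paths under one lock only two orders exist, and both are well defined. */
enum result locked_ioctl_after_unbind(void)
{
	const enum step s[] = { UNBIND_LOCKED, IOCTL_LOCKED };
	return run_schedule(s, 2);
}

enum result locked_ioctl_before_unbind(void)
{
	const enum step s[] = { IOCTL_LOCKED, UNBIND_LOCKED };
	return run_schedule(s, 2);
}

int main(void)
{
	static const char *name[] = { "none", "ok", "use-after-free", "NULL deref", "-ENODEV" };

	printf("patched, ioctl between free and store: %s\n", name[patched_ioctl_between_free_and_store()]);
	printf("patched, ioctl after store:            %s\n", name[patched_ioctl_after_store()]);
	printf("locked, ioctl after unbind:            %s\n", name[locked_ioctl_after_unbind()]);
	printf("locked, ioctl before unbind:           %s\n", name[locked_ioctl_before_unbind()]);
	return 0;
}
```

The two "patched" schedules reproduce the reply's point: the store after the free only changes which crash a concurrent ioctl gets. The "locked" schedules show why the real fix has to be about mutual exclusion or lifetime ordering rather than the value left in the slot.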