Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 56F8CC74A5B for ; Sat, 18 Mar 2023 07:39:56 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229618AbjCRHji (ORCPT ); Sat, 18 Mar 2023 03:39:38 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55050 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229470AbjCRHjg (ORCPT ); Sat, 18 Mar 2023 03:39:36 -0400 Received: from mail-pl1-x629.google.com (mail-pl1-x629.google.com [IPv6:2607:f8b0:4864:20::629]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EE5CD38EAB; Sat, 18 Mar 2023 00:39:34 -0700 (PDT) Received: by mail-pl1-x629.google.com with SMTP id p20so7532168plw.13; Sat, 18 Mar 2023 00:39:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1679125174; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=KifuD1TEh3F1Ne+hI+4GjlOzrP3hRlNmdxQcN1SglFY=; b=BLjG+7RU2Kw97QqDxBzh7SslTBRDNk9W0FpQqz4U1L/hKvcY+Q2v+A892mF2w5KRWT Zz4gvIOEapoD7AKDSsp6rqhq+z2lHKsl4wGcLGcGkqPtDQpYzFpRxHnudFaM3AsitosH iZ7B7sp/71/0mxZ8rlHavtRucOBw+o+NsJSf6AgFDl7a129hnsFydwT+QeLxMXhmplN8 09v6Hy0oKmMvuvaEFZdZtzeqiNL5kt4oENFAO7PcIWSCFpd+JvSDbkuGboFAEOIFw6IX 7LMOlYWVJ+fivg2esDTCzYvmStb6UqHfDOegT9UO1qo9vevmN0ya1F31EghrbL8OHHOn EQUg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1679125174; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=KifuD1TEh3F1Ne+hI+4GjlOzrP3hRlNmdxQcN1SglFY=; b=FzCCk2FseLdq2KQSxqio4mahUkej/ecOfNwvZBstuJg/ND2mBtnSkRtkK/zspyxP3N SZot7Bh8CxFlqGHlLfUYx6vQ3+nhd8I7s+SZ/eQgQzUNYjWFGHGCquxgag/dylHpWqhw MXv2q0k4GWOlDJG6U1f3rtBpQRV9iq4SEBdvDLBUjVbNs1sPOL37dVOJznSV0CgWx0dC 4B5L046bajtkv3RVEIY1ezoMpU919ZLu4NlTJIVCE7Ah3b1fns0Y98ZR7gycrqLjcKEZ P3AElZuostsjuKNhsJbvjaT5YVyZSJP39SXMEGaH6saBYVOW4/TJboqFZMqJB7aO4GFt H21g== X-Gm-Message-State: AO0yUKWaGl5EXp2ZEsquFPH4Cvyq6NyuSBSX5mUK3Q2/uANikgjtZpjy TSH2+p3C830ENHfQFFOsHrfQ2x5gATnuHrUkqWQ= X-Google-Smtp-Source: AK7set/Z40nLC1Dpb97U3BNPdlud05w7i6nWUY2w8RmmwzIO38rQL693RYVobLrr/QhlmgktaA6BMabvhxe9l5KrxtU= X-Received: by 2002:a17:902:f80b:b0:1a0:4321:920e with SMTP id ix11-20020a170902f80b00b001a04321920emr3752280plb.12.1679125174445; Sat, 18 Mar 2023 00:39:34 -0700 (PDT) MIME-Version: 1.0 References: <20230317100954.2626573-1-zyytlz.wz@163.com> In-Reply-To: From: Zheng Hacker Date: Sat, 18 Mar 2023 15:39:22 +0800 Message-ID: Subject: Re: [PATCH v3] usbip: vudc: Fix use after free bug in vudc_remove due to race condition To: Shuah Khan Cc: Zheng Wang , valentina.manea.m@gmail.com, gregkh@linuxfoundation.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, 1395428693sheep@gmail.com, alex000young@gmail.com Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Shuah Khan =E4=BA=8E2023=E5=B9=B43=E6=9C=8818= =E6=97=A5=E5=91=A8=E5=85=AD 06:53=E5=86=99=E9=81=93=EF=BC=9A > > On 3/17/23 04:09, Zheng Wang wrote: > > In vudc_probe, it calls init_vudc_hw, which bound &udc->timer with v_ti= mer. > > > > When it calls usbip_sockfd_store, it will call v_start_timer to start t= he > > timer work. > > > > When we call vudc_remove to remove the driver, theremay be a sequence a= s > > follows: > > > > Fix it by shutdown the timer work before cleanup in vudc_remove. > > > > Note that removing a driver is a root-only operation, and should never > > happen. But the attacker can directly unplug the usb to trigger the rem= ove > > function. > > > > CPU0 CPU1 > > > > |v_timer > > vudc_remove | > > kfree(udc); | > > //free shost | > > |udc->gadget > > |//use > > > > The udc might be removed before v_timer finished, and UAF happens. > > > > This bug was found by Codeql static analysis and might by false positiv= e. > > This statement that this could be a false positive makes me hesitate > taking this patch. > > What kind of testing have you done with this fix? Were you able to test > the scenario of unplugging usb? > Sorry I did't make a full test for I did't have the device. The attacking scenario if based on other cases. Best regads, Zheng > thanks, > -- Shuah