Date: Sat, 21 Oct 2023 12:10:03 +0200
From: gregkh@linuxfoundation.org
To: zdi-disclosures@trendmicro.com
Cc: linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, valentina.manea.m@gmail.com, shuah@kernel.org, i@zenithal.me
Subject: Re: ZDI-CAN-22273: New Vulnerability Report
Message-ID: <2023102134-reflux-saddling-c750@gregkh>

On Fri, Oct 20, 2023 at 03:25:27PM +0000, zdi-disclosures@trendmicro.com wrote:
> ### Analysis
> 
> ```
> race condition bug exists in the usb/ip VHCI driver
> it leads to UAF on `struct usb_device`
> thread 1 thread 2
> vhci_device_reset() vhci_urb_enqueue()
> usb_put_dev(vdev->udev);
> usb_put_dev(vdev->udev); // free
> vdev->udev = usb_get_dev(urb->dev); // UAF
> vdev->udev = NULL;
> ```
> 
> here is the patch in order to trigger the bug more easily
> ```
> diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
> index 37d1fc34e..7242244d7 100644
> --- a/drivers/usb/usbip/vhci_hcd.c
> +++ b/drivers/usb/usbip/vhci_hcd.c
> @@ -11,7 +11,7 @@
> #include
> #include
> #include
> -
> +#include
> #include "usbip_common.h"
> #include "vhci.h"
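Review bot: the target of the added `+#include` line (and of the three context includes above it) is not visible in the quoted hunk, so this hunk cannot be checked on its own; the only new call in the later hunks is mdelay(), so please say which header this pulls in, and mark the whole patch as a reproducer rather than a fix so the include change is not picked up separately.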
> 
> @@ -781,6 +781,7 @@ static int vhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag
> usbip_dbg_vhci_hc(
> "Not yet?:Get_Descriptor to device 0 (get max pipe size)\n");
> 
> + mdelay(200);
> usb_put_dev(vdev->udev);
> vdev->udev = usb_get_dev(urb->dev);
> goto out;
> @@ -1075,6 +1076,7 @@ static void vhci_device_reset(struct usbip_device *ud)
> vdev->devid = 0;
> 
> usb_put_dev(vdev->udev);
> + mdelay(200);
> vdev->udev = NULL;
> 
> if (ud->tcp_socket) {
> ```

So you are resetting a device while it is enumerating? That's a very narrow
window to handle, and you need a malicious device to do this, right?

Can you submit a patch to just save off the reference of the device before
the put is called on it to be sure that all is in sync properly?

thanks,

greg k-h
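Review bot: in the vhci_urb_enqueue() hunk the added mdelay(200) is placed just before usb_put_dev(vdev->udev), so it only stretches the window in which vdev->udev is still published after its reference was put; the ordering in the unchanged lines, put first and replace the field second, is the defect this reproducer relies on. For the fix (as opposed to this debugging patch), take the new reference and save off the old pointer before any put, e.g. `old = vdev->udev; vdev->udev = usb_get_dev(urb->dev); usb_put_dev(old);`, and make that save-off atomic with respect to vhci_device_reset() (under a common lock, or with an xchg on the field), since reordering alone still leaves the two paths working on the same pointer.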
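Review bot: in the vhci_device_reset() hunk the mdelay(200) sits between usb_put_dev(vdev->udev) and vdev->udev = NULL, which is exactly the state the report's diagram depends on: the reference is already dropped but the field still advertises the pointer, so a concurrent vhci_urb_enqueue() can put it a second time. The fix is to clear the field first and put the saved pointer afterwards, `udev = vdev->udev; vdev->udev = NULL; usb_put_dev(udev);`, which is the "save off the reference before the put" change the reply asks for; the mdelay() call must not be part of the submitted fix.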
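As an added illustration, not code from the report, the reply, or the kernel: a small user-space C model of the interleaving in the quoted thread diagram, with a mock refcount standing in for usb_get_dev()/usb_put_dev(), beside the "save off the reference before the put" ordering the reply asks for. The starting refcount of 2 (one reference held by vdev->udev, one by the URB whose urb->dev is the same device), the mock helper names, and the use of an atomic exchange on the field are assumptions of this model.

```c
#include <stdatomic.h>
#include <stddef.h>
/* Mock of struct usb_device with a plain refcount (not the kernel's). */
struct usb_device { int refcount; int freed; int uaf_hits; };
struct vhci_device { _Atomic(struct usb_device *) udev; };
struct urb { struct usb_device *dev; };
struct outcome { int uaf_hits; int refcount; };

/* Mock usb_get_dev()/usb_put_dev(): a put that reaches zero "frees" the
 * device; any later get/put on it is counted as a use-after-free. */
static struct usb_device *mock_get_dev(struct usb_device *d)
{
    if (d->freed) d->uaf_hits++; else d->refcount++;
    return d;
}
static void mock_put_dev(struct usb_device *d)
{
    if (!d) return;                          /* put on NULL is a no-op */
    if (d->freed) { d->uaf_hits++; return; }
    if (--d->refcount == 0) d->freed = 1;
}

/* Buggy ordering from the report, steps in the order of its thread diagram:
 * both paths put vdev->udev before the field changes, so one reference is dropped twice. */
struct outcome race_buggy(void)
{
    struct usb_device dev = { .refcount = 2 };   /* assumed: held by vdev and by the URB */
    struct vhci_device vdev = { .udev = &dev };
    struct urb urb = { .dev = &dev };
    mock_put_dev(vdev.udev);              /* enqueue: put     (2 -> 1) */
    mock_put_dev(vdev.udev);              /* reset:   put     (1 -> 0, freed) */
    vdev.udev = mock_get_dev(urb.dev);    /* enqueue: get on the freed device */
    vdev.udev = NULL;                     /* reset */
    return (struct outcome){ dev.uaf_hits, dev.refcount };
}

/* Fixed ordering: save off the old pointer while replacing the field (an atomic
 * exchange here), then put only what was saved, so each reference is dropped once. */
struct outcome race_fixed(void)
{
    struct usb_device dev = { .refcount = 2 };
    struct vhci_device vdev = { .udev = &dev };
    struct urb urb = { .dev = &dev };
    struct usb_device *newref = mock_get_dev(urb.dev);              /* enqueue: get  (2 -> 3) */
    struct usb_device *old_e = atomic_exchange(&vdev.udev, newref); /* enqueue: swap in */
    struct usb_device *old_r = atomic_exchange(&vdev.udev, (struct usb_device *)NULL); /* reset */
    mock_put_dev(old_r);                  /* reset:   put saved   (3 -> 2) */
    mock_put_dev(old_e);                  /* enqueue: put saved   (2 -> 1), URB keeps its one */
    return (struct outcome){ dev.uaf_hits, dev.refcount };
}
```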