On Tue, Dec 6, 2016 at 9:30 PM, Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> wrote:
> [CC: list drastically trimmed]
>
> On Tue, 6 Dec 2016, Andrey Konovalov wrote:
>
>> On Tue, Dec 6, 2016 at 1:28 PM, Andrey Konovalov <andreyknvl@xxxxxxxxxx> wrote:
>> > On Mon, Dec 5, 2016 at 8:31 PM, Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> wrote:
>> >> On Mon, 5 Dec 2016, Andrey Konovalov wrote:
>> >>
>> >>> Hi!
>> >>>
>> >>> I've got the following error report while running the syzkaller fuzzer.
>> >>>
>> >>> On commit 3c49de52d5647cda8b42c4255cf8a29d1e22eff5 (Dec 2).
>> >>>
>> >>> BUG: KASAN: use-after-free in gadgetfs_setup+0x208a/0x20e0 at addr
>> >>> ffff88003dfe5bf2
>
>> >> Can you test whether the patch below fixes this problem?
>> >
>> > Hi Alan,
>> >
>> > Yes, I believe it does.
>> > It also seems to fix the warnings in dummy_free_request() I've been getting.
>>
>> It seems that I was wrong. Still see both use-after-free and warnings.
>
> You posted three messages about possibly related problems:
>
> use-after-free in gadgetfs_setup (this one),
>
> GPF in usb_gadget_unregister_driver,
>
> warning in dummy_free_request.
>
> Are you saying the patch below didn't fix any of them?

No, as far as I can see.

> And in any case, is there any way you can post the series of system
> calls that syzkaller makes so we can tell what went wrong?

I've attached a reproducer for a use-after-free in gadgetfs_setup().
You need to enable KASAN to see the reports.

Thanks for looking at this!

> Alan Stern
>
>> >> Index: usb-4.x/drivers/usb/gadget/legacy/inode.c
>> >> ===================================================================
>> >> --- usb-4.x.orig/drivers/usb/gadget/legacy/inode.c
>> >> +++ usb-4.x/drivers/usb/gadget/legacy/inode.c
>> >> @@ -1762,6 +1762,10 @@ dev_config (struct file *fd, const char >> >> } >> >> spin_unlock_irq(&dev->lock); >> >> >> >> + /* Registered but not yet bound to a UDC driver? */ >> >> + if (dev->gadget_registered) >> >> + return -EIO; >> >> + >> >> if (len < (USB_DT_CONFIG_SIZE + USB_DT_DEVICE_SIZE + 4)) >> >> return -EINVAL; >> >> >
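Review bot: the new `dev->gadget_registered` test in dev_config() sits immediately after `spin_unlock_irq(&dev->lock);`, so the flag is read without the lock that the preceding block holds, and a concurrent path that changes it can slip in between the unlock and the check; the thread reports the use-after-free still reproduces with this applied, so that window is worth closing. Move the check (and its `return -EIO;`) inside the locked region and drop the lock after it, or re-take `dev->lock` around the read. Separately, the comment "Registered but not yet bound to a UDC driver?" does not match the condition, which rejects on `gadget_registered` alone with no test of bound state; either reword the comment to say "already registered" or make the condition test the state the comment describes.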
Attachment: gadget-setup-uaf-poc.c (Description: Binary data)