On Wed, 7 Dec 2016, Andrey Konovalov wrote:

> > And in any case, is there any way you can post the series of system
> > calls that syzkaller makes so we can tell what went wrong?
>
> I've attached a reproducer for a use-after-free in gadgetfs_setup().
> You need to enable KASAN to see the reports.

Okay, that helps. I see the problem: dev->hs_config ends up containing a
stale pointer in dev_config(). The patch below ought to fix that; please
verify that it really does.

The syzkaller test also shows that there should be a few more checks for
valid values in dev->config->wTotalLength and dev->hs_config->wTotalLength.
I'll do those in a separate patch.

Alan Stern

Index: usb-4.x/drivers/usb/gadget/legacy/inode.c
===================================================================
--- usb-4.x.orig/drivers/usb/gadget/legacy/inode.c
+++ usb-4.x/drivers/usb/gadget/legacy/inode.c
@@ -1799,6 +1799,8 @@ dev_config (struct file *fd, const char
 			goto fail;
 		kbuf += total;
 		length -= total;
+	} else {
+		dev->hs_config = NULL;
 	}
 
 	/* could support multiple configs, using another encoding! */

--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
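Review bot: the new `} else { dev->hs_config = NULL; }` branch only clears the stale high-speed pointer on the path where the full-speed config was accepted and no USB_DT_CONFIG descriptor follows it; the `goto fail;` line just above the hunk leaves dev->hs_config untouched, and the fail label is outside the visible lines, so please confirm that the error path also resets dev->hs_config (or frees nothing the pointer still refers to) before gadgetfs_setup() can run against it. A one-line comment on the else branch, e.g. `/* no hs config in this write: drop any pointer left by an earlier one */`, would make the intent clear to the next reader. As the cover text already says, the wTotalLength values used to advance kbuf and shrink length are still trusted here, so this fix should be reviewed together with the follow-up bounds checks rather than on its own.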