On Wed, Dec 7, 2016 at 8:15 PM, Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> wrote:
> On Wed, 7 Dec 2016, Andrey Konovalov wrote:
>
>> > And in any case, is there any way you can post the series of system
>> > calls that syzkaller makes so we can tell what went wrong?
>>
>> I've attached a reproducer for a use-after-free in gadgetfs_setup().
>> You need to enable KASAN to see the reports.
>
> Okay, that helps. I see the problem: dev->hs_config ends up containing
> a stale pointer in dev_config(). The patch below ought to fix that;
> please verify that it really does.

Hi Alan,

Have been fuzzing with your patch, haven't seen any more reports.

Thanks!

>
> The syzkaller test also shows that there should be a few more checks
> for valid values in dev->config->wTotalLength and
> dev->hs_config->wTotalLength. I'll do those in a separate patch.
>
> Alan Stern
>
>
>
> Index: usb-4.x/drivers/usb/gadget/legacy/inode.c
> ===================================================================
> --- usb-4.x.orig/drivers/usb/gadget/legacy/inode.c
> +++ usb-4.x/drivers/usb/gadget/legacy/inode.c
> @@ -1799,6 +1799,8 @@ dev_config (struct file *fd, const char
> goto fail;
> kbuf += total;
> length -= total;
> + } else {
> + dev->hs_config = NULL;
> }
>
> /* could support multiple configs, using another encoding! */
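Review bot: the new `} else { dev->hs_config = NULL; }` branch clears the stale pointer only on the path where no high-speed config is supplied, so the fix is complete only if every reader of dev->hs_config, including gadgetfs_setup() where the use-after-free was reported, already treats NULL as "no high-speed config" instead of dereferencing it; that should be confirmed before this goes in. The hunk also does not show what happens on the `goto fail` path just above the new branch: if the previous config buffer is freed there, dev->hs_config should be cleared on that path as well, otherwise the same stale pointer can survive a failed write. Finally, since the wTotalLength validation mentioned in the message is deferred to a separate patch, a one-line note in the commit message saying this change addresses only the stale-pointer case would help reviewers tracking the syzkaller report.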