Using functionfs results in use-after-free reported by kasan

Hi everyone,

I'm using usb functionfs for fuzzing host hardware here and so far found
two issues on the gadget side (which it wasn't intended for, but any
found bug counts!).

The first one turned out to be fixed by
08f37148b6a915a6996c7dbef87769b9efee2dba 'usb: gadget: f_fs: Fix iterations on endpoints.'
recently while the second issue still appears reliably after every use of ffs.

The dmesg output below is with configfs, but it's also reproducible with g_ffs:

modprobe g_ffs idVendor=1234 functions=hid
mkdir -p /tmp/ffs
mount -t functionfs hid /tmp/ffs
cat ep0descs ep0strs > /tmp/ffs/ep0
umount /tmp/ffs
rmmod g_ffs

(the contents of ep0{descs,strs} do not matter as long as they are valid)

So far I see this in 100% of all runs on x86_64 and aarch64.

[ 1690.458191] file system registered
[ 1690.491261] read descriptors
[ 1690.495972] read strings
[ 1738.763997] ffs_data_put(): freeing
[ 1738.768707] ==================================================================
[ 1738.769973] BUG: KASAN: use-after-free in ffs_free_inst+0xe3/0x160 [usb_f_fs] at addr ffff88006af3d168
[ 1738.771421] Write of size 8 by task usbredir2phys/1495
[ 1738.772246] CPU: 0 PID: 1495 Comm: usbredir2phys Not tainted 4.10.0-rc6-default #27
[ 1738.773444] Call Trace:
[ 1738.773858]  dump_stack+0x63/0x8f
[ 1738.774396]  kasan_object_err+0x21/0x70
[ 1738.775013]  kasan_report_error+0x1c9/0x4e0
[ 1738.775683]  ? __rcu_read_unlock+0x6d/0x90
[ 1738.776345]  kasan_report+0x39/0x40
[ 1738.776915]  ? ffs_free_inst+0xe3/0x160 [usb_f_fs]
[ 1738.777685]  __asan_store8+0x61/0x70
[ 1738.778271]  ffs_free_inst+0xe3/0x160 [usb_f_fs]
[ 1738.779020]  usb_put_function_instance+0x4b/0x60 [libcomposite]
[ 1738.779965]  ffs_attr_release+0xe/0x10 [usb_f_fs]
[ 1738.780725]  config_item_release+0x9b/0x110 [configfs]
[ 1738.781545]  config_item_put+0x23/0x30 [configfs]
[ 1738.782373]  configfs_rmdir+0x2fa/0x4e0 [configfs]
[ 1738.783141]  ? configfs_unregister_subsystem+0x1b0/0x1b0 [configfs]
[ 1738.784130]  ? may_delete+0x1bd/0x240
[ 1738.784719]  vfs_rmdir+0x109/0x1c0
[ 1738.785268]  do_rmdir+0x35b/0x370
[ 1738.785816]  ? user_path_create+0x40/0x40
[ 1738.786479]  ? syscall_trace_enter+0x27d/0x520
[ 1738.787202]  ? exit_to_usermode_loop+0xd0/0xd0
[ 1738.787923]  ? __audit_syscall_exit+0x3fe/0x4a0
[ 1738.788659]  ? SyS_mkdir+0x1a0/0x1a0
[ 1738.789238]  SyS_rmdir+0x16/0x20
[ 1738.789783]  do_syscall_64+0xe0/0x180
[ 1738.790399]  entry_SYSCALL64_slow_path+0x25/0x25
[ 1738.791136] RIP: 0033:0x7fcb48fccf17
[ 1738.791712] RSP: 002b:00007fffbc0c3d88 EFLAGS: 00000246 ORIG_RAX: 0000000000000054
[ 1738.792908] RAX: ffffffffffffffda RBX: 00007fffbc0c3d90 RCX: 00007fcb48fccf17
[ 1738.794299] RDX: 0000000000000038 RSI: 00007fcb49f6b774 RDI: 00007fffbc0c3d90
[ 1738.795439] RBP: 0000000000000000 R08: 0000000002514660 R09: 0000000000000038
[ 1738.796567] R10: 0000000000000073 R11: 0000000000000246 R12: 0000000002513c20
[ 1738.797789] R13: 0000000000000001 R14: 0000000002514030 R15: 0000000000000000
[ 1738.798925] Object at ffff88006af3d0c0, in cache kmalloc-512 size: 512
[ 1738.799949] Allocated:
[ 1738.800334] PID = 1498
[ 1738.800715]  
[ 1738.800722] [<ffffffffa5060b7b>] save_stack_trace+0x1b/0x20
[ 1738.801886]  
[ 1738.801893] [<ffffffffa533b4e6>] save_stack+0x46/0xd0
[ 1738.802961]  
[ 1738.802968] [<ffffffffa533b76d>] kasan_kmalloc+0xad/0xe0
[ 1738.804076]  
[ 1738.804083] [<ffffffffa5337e65>] kmem_cache_alloc_trace+0xd5/0x5f0
[ 1738.805334]  
[ 1738.805346] [<ffffffffc0cb6d9a>] ffs_fs_mount+0x20a/0x6a0 [usb_f_fs]
[ 1738.806656]  
[ 1738.806665] [<ffffffffa53763de>] mount_fs+0x5e/0x1a0
[ 1738.807720]  
[ 1738.807729] [<ffffffffa53a39bb>] vfs_kern_mount+0x6b/0x1c0
[ 1738.808877]  
[ 1738.808883] [<ffffffffa53a882d>] do_mount+0x30d/0x1590
[ 1738.809991]  
[ 1738.809997] [<ffffffffa53a9fe3>] SyS_mount+0x83/0xd0
[ 1738.811049]  
[ 1738.811055] [<ffffffffa5005670>] do_syscall_64+0xe0/0x180
[ 1738.812178]  
[ 1738.812185] [<ffffffffa5bb36af>] return_from_SYSCALL_64+0x0/0x6a
[ 1738.813399] Freed:
[ 1738.813754] PID = 1559
[ 1738.814141]  
[ 1738.814146] [<ffffffffa5060b7b>] save_stack_trace+0x1b/0x20
[ 1738.815301]  
[ 1738.815307] [<ffffffffa533b4e6>] save_stack+0x46/0xd0
[ 1738.816498]  
[ 1738.816503] [<ffffffffa533bd32>] kasan_slab_free+0x72/0xc0
[ 1738.817659]  
[ 1738.817665] [<ffffffffa5339d72>] kfree+0x82/0x110
[ 1738.818725]  
[ 1738.818736] [<ffffffffc0cb3012>] ffs_data_put+0x82/0x90 [usb_f_fs]
[ 1738.819997]  
[ 1738.820009] [<ffffffffc0cb37af>] ffs_data_closed+0xff/0x110 [usb_f_fs]
[ 1738.821369]  
[ 1738.821380] [<ffffffffc0cb380f>] ffs_fs_kill_sb+0x4f/0x70 [usb_f_fs]
[ 1738.822668]  
[ 1738.822675] [<ffffffffa5374249>] deactivate_locked_super+0x59/0x90
[ 1738.824056]  
[ 1738.824063] [<ffffffffa53748ca>] deactivate_super+0x6a/0x70
[ 1738.825227]  
[ 1738.825234] [<ffffffffa53a42e1>] cleanup_mnt+0x61/0xb0
[ 1738.826338]  
[ 1738.826345] [<ffffffffa53a4382>] __cleanup_mnt+0x12/0x20
[ 1738.827453]  
[ 1738.827460] [<ffffffffa51011d0>] task_work_run+0xa0/0xc0
[ 1738.828564]  
[ 1738.828570] [<ffffffffa5004515>] exit_to_usermode_loop+0xc5/0xd0
[ 1738.829818]  
[ 1738.829824] [<ffffffffa5005704>] do_syscall_64+0x174/0x180
[ 1738.830961]  
[ 1738.830968] [<ffffffffa5bb36af>] return_from_SYSCALL_64+0x0/0x6a
[ 1738.832196] Memory state around the buggy address:
[ 1738.832967]  ffff88006af3d000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1738.834143]  ffff88006af3d080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 1738.835285] >ffff88006af3d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1738.836431]                                                           ^
[ 1738.837474]  ffff88006af3d180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1738.838622]  ffff88006af3d200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1738.839758] ==================================================================
[ 1738.840895] Disabling lock debugging due to kernel taint
[ 1738.847928] unloading

Cheers,
Fabian
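As an added triage aid, not part of the original report: a small parser for the KASAN report format quoted above, reduced to what a reviewer checks first (access kind and size, the offset of the access inside the slab object, and the first non-allocator frame of the access, allocation and free stacks). The sample is a constructed excerpt of the report above; the field names and the NOISE list are this example's own choices.

```python
import re
# Constructed excerpt of the KASAN report quoted above (timestamps kept, most frames dropped).
SAMPLE = """\
[ 1738.769973] BUG: KASAN: use-after-free in ffs_free_inst+0xe3/0x160 [usb_f_fs] at addr ffff88006af3d168
[ 1738.771421] Write of size 8 by task usbredir2phys/1495
[ 1738.773444] Call Trace:
[ 1738.775683]  ? __rcu_read_unlock+0x6d/0x90
[ 1738.778271]  ffs_free_inst+0xe3/0x160 [usb_f_fs]
[ 1738.798925] Object at ffff88006af3d0c0, in cache kmalloc-512 size: 512
[ 1738.799949] Allocated:
[ 1738.802968] [<ffffffffa533b76d>] kasan_kmalloc+0xad/0xe0
[ 1738.805346] [<ffffffffc0cb6d9a>] ffs_fs_mount+0x20a/0x6a0 [usb_f_fs]
[ 1738.813399] Freed:
[ 1738.817665] [<ffffffffa5339d72>] kfree+0x82/0x110
[ 1738.818736] [<ffffffffc0cb3012>] ffs_data_put+0x82/0x90 [usb_f_fs]
[ 1738.832196] Memory state around the buggy address:
"""

TS = re.compile(r"^\[\s*[\d.]+\]\s?")  # dmesg timestamp prefix
HDR = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+)(?: \[(?P<mod>\S+)\])? at addr (?P<addr>[0-9a-f]+)")
ACC = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) by task (?P<task>\S+)")
OBJ = re.compile(r"Object at (?P<obj>[0-9a-f]+), in cache (?P<cache>\S+) size: (?P<osize>\d+)")
FRAME = re.compile(r"(?:\[<[0-9a-f]+>\] )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")  # "? sym" (stale) never matches
NOISE = ("save_stack", "kasan_", "kmem_cache", "kmalloc", "kfree", "__asan", "dump_stack")

def parse_kasan(text):
    """Header fields plus the symbol lists of the access, allocation and free stacks."""
    rep = {"trace": [], "alloc": [], "free": []}
    section = None
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        for rx in (HDR, ACC, OBJ):
            if m := rx.search(line):
                rep.update(m.groupdict())
        if line.startswith(("Call Trace:", "Allocated:", "Freed:", "Memory state")):
            section = {"C": "trace", "A": "alloc", "F": "free"}.get(line[0])
        elif section and (m := FRAME.match(line)):
            rep[section].append(m.group("sym"))
    if "addr" in rep and "obj" in rep:  # offset of the bad access inside the slab object
        rep["offset"] = int(rep["addr"], 16) - int(rep["obj"], 16)
    return rep

def blame(frames):
    """First frame that is not allocator/KASAN plumbing: the code that owns the object."""
    return next((f for f in frames if not f.startswith(NOISE)), None)

def triage(text):
    r = parse_kasan(text)
    return (f"{r['kind']}: {r['rw']} of {r['size']} bytes at +{r['offset']} in {r['cache']} object "
            f"by {blame(r['trace'])}; allocated by {blame(r['alloc'])}, freed by {blame(r['free'])}")
```

An offset of +168 inside a 512-byte object confirms the access lands within the freed ffs_data allocation rather than past its end, which is what separates a use-after-free from an out-of-bounds write when reading such reports.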