RE: ZDI-CAN-22273: New Vulnerability Report

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello,
Do you have any updates to share regarding this vulnerability? The 120-day deadline for this case was January 31, 2024. We will publish this soon in accordance with the ZDI 120-day Disclosure policy if there is not an available fix.

Regards,
The ZDI Team

-----Original Message-----
From: gregkh@xxxxxxxxxxxxxxxxxxx <gregkh@xxxxxxxxxxxxxxxxxxx>
Sent: Saturday, October 21, 2023 6:10 AM
To: ZDI Disclosures Mailbox <zdi-disclosures@xxxxxxxxxxxxxx>
Cc: linux-kernel@xxxxxxxxxxxxxxx; linux-usb@xxxxxxxxxxxxxxx; valentina.manea.m@xxxxxxxxx; shuah@xxxxxxxxxx; i@xxxxxxxxxxx
Subject: Re: ZDI-CAN-22273: New Vulnerability Report

On Fri, Oct 20, 2023 at 03:25:27PM +0000, zdi-disclosures@xxxxxxxxxxxxxx wrote:
> ### Analysis
>
> ```
> race condition bug exists in the usb/ip VHCI driver
> it leads to UAF on `struct usb_device`
> thread 1                                                thread 2
> vhci_device_reset()                             vhci_urb_enqueue()
>  usb_put_dev(vdev->udev);
>                                                                  usb_put_dev(vdev->udev);               // free
>                                                                  vdev->udev = usb_get_dev(urb->dev);    // UAF
>  vdev->udev = NULL;
> ```
>
> here is the patch in order to trigger the bug more easier
> ```
> diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
> index 37d1fc34e..7242244d7 100644
> --- a/drivers/usb/usbip/vhci_hcd.c
> +++ b/drivers/usb/usbip/vhci_hcd.c
> @@ -11,7 +11,7 @@
>  #include <linux/module.h>
>  #include <linux/platform_device.h>
>  #include <linux/slab.h>
> -
> +#include <linux/delay.h>
>  #include "usbip_common.h"
>  #include "vhci.h"
>
> @@ -781,6 +781,7 @@ static int vhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag
>                                 usbip_dbg_vhci_hc(
>                                         "Not yet?:Get_Descriptor to device 0 (get max pipe size)\n");
>
> +                       mdelay(200);
>                         usb_put_dev(vdev->udev);
>                         vdev->udev = usb_get_dev(urb->dev);
>                         goto out;
> @@ -1075,6 +1076,7 @@ static void vhci_device_reset(struct usbip_device *ud)
>         vdev->devid  = 0;
>
>         usb_put_dev(vdev->udev);
> +       mdelay(200);
>         vdev->udev = NULL;
>
>         if (ud->tcp_socket) {
> ```

So you are resetting a device while it is enumerating?  That's a very
narrow window to handle, and you need a malicious device to do this,
right?

Can you submit a patch to just save off the reference of the device
before the put is called on it to be sure that all is in sync properly?

thanks,

greg k-h
TREND MICRO EMAIL NOTICE

The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.

For details about what personal information we collect and why, please see our Privacy Notice on our website at: Read privacy policy<http://www.trendmicro.com/privacy>





[Index of Archives]     [Linux Media]     [Linux Input]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [Old Linux USB Devel Archive]

  Powered by Linux