mbox series

[v4,0/2] usb: gadget: use after free in dev_config

Message ID 20211231172138.7993-1-hbh25y@gmail.com
Headers show
Series usb: gadget: use after free in dev_config | expand

Message

Hangyu Hua Dec. 31, 2021, 5:21 p.m. UTC 
There are two bugs:
dev->buf does not need to be released if it already exists before
executing dev_config.
dev->config and dev->hs_config and dev->dev need to be cleaned if
dev_config fails to avoid UAF.

v2:
1. break one patch up into two separate patches.
2. use "fail:" to clear all members.

v3:
fix a mistake in [PATCH v3 2/2]

v4:
avoid multiple unnecessary statement labels in [PATCH v4 2/2]

Hangyu Hua (2):
  usb: gadget: don't release an existing dev->buf
  usb: gadget: clear related members when goto fail

 drivers/usb/gadget/legacy/inode.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

Comments

Alan Stern Dec. 31, 2021, 5:34 p.m. UTC | #1 
On Sat, Jan 01, 2022 at 01:21:37AM +0800, Hangyu Hua wrote:
> dev->buf does not need to be released if it already exists before
> executing dev_config.
> 
> Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
> ---

Acked-by: Alan Stern <stern@rowland.harvard.edu>

>  drivers/usb/gadget/legacy/inode.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
> index 3b58f4fc0a80..eaad03c0252f 100644
> --- a/drivers/usb/gadget/legacy/inode.c
> +++ b/drivers/usb/gadget/legacy/inode.c
> @@ -1826,8 +1826,9 @@ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
>  	spin_lock_irq (&dev->lock);
>  	value = -EINVAL;
>  	if (dev->buf) {
> +		spin_unlock_irq(&dev->lock);
>  		kfree(kbuf);
> -		goto fail;
> +		return value;
>  	}
>  	dev->buf = kbuf;
>  
> -- 
> 2.25.1
>