CVE-2023-35828: Fix use after free bug in renesas_usb3_remove due to race condition
An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in renesas_usb3_remove in drivers/usb/gadget/udc/renesas_usb3.c.
* [PATCH v7] usb: gadget: udc: renesas_usb3: Fix use after free bug in renesas_usb3_remove due to race condition
From: Zheng Wang @ 2023-03-16 18:08 UTC
To: gregkh
Cc: skhan, p.zabel, biju.das.jz, phil.edworthy, linux-usb, linux-kernel, hackerzheng666, 1395428693sheep, alex000young, yoshihiro.shimoda.uh, Zheng Wang
In renesas_usb3_probe, role_work is bound with renesas_usb3_role_work. renesas_usb3_start will be called to start the work.
If we remove the driver which will call usbhs_remove, there may be an unfinished work. The possible sequence is as follows:
Fix it by canceling the work before cleanup in the renesas_usb3_remove.
Note that removing a driver is a root-only operation, and should never happen.
CPU0                        CPU1

                           |renesas_usb3_role_work
renesas_usb3_remove        |
usb_role_switch_unregister |
device_unregister          |
kfree(sw)                  |
free usb3->role_sw         |
                           |usb_role_switch_set_role
                           |//use usb3->role_sw
This bug was found by static analysis.
Fixes: 39facfa01c9f ("usb: gadget: udc: renesas_usb3: Add register of usb role switch")
Signed-off-by: Zheng Wang [email protected]
Reviewed-by: Yoshihiro Shimoda [email protected]
v7:
- add more details about how the bug was found suggested by Shuah
v6:
- beautify the format and add note suggested by Greg KH
v5:
- fix typo
v4:
- add Reviewed-by label and resubmit v4 suggested by Greg KH
v3:
- modify the commit message to make it clearer suggested by Yoshihiro Shimoda
v2:
- fix typo, use clearer commit message and only cancel the UAF-related work suggested by Yoshihiro Shimoda
drivers/usb/gadget/udc/renesas_usb3.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/usb/gadget/udc/renesas_usb3.c b/drivers/usb/gadget/udc/renesas_usb3.c index bee6bceafc4f…a301af66bd91 100644 — a/drivers/usb/gadget/udc/renesas_usb3.c +++ b/drivers/usb/gadget/udc/renesas_usb3.c @@ -2661,6 +2661,7 @@ static int renesas_usb3_remove(struct platform_device *pdev) debugfs_remove_recursive(usb3->dentry); device_remove_file(&pdev->dev, &dev_attr_role);
cancel_work_sync(&usb3->role_work); usb_role_switch_unregister(usb3->role_sw);
usb_del_gadget_udc(&usb3->gadget); – 2.25.1
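Review bot: the commit message says the removal path is "usbhs_remove", but the function this hunk changes is renesas_usb3_remove (see the @@ context line); please use the real function name so the description matches the code. The placement of the added line is right for the race described: cancel_work_sync(&usb3->role_work) now runs before usb_role_switch_unregister(usb3->role_sw), so role_work can no longer reach usb_role_switch_set_role on a freed role_sw, and the sysfs role attribute has already been removed by the preceding device_remove_file(&pdev->dev, &dev_attr_role) line. Note for readers of this rendering that the leading "+" on the cancel_work_sync line was lost when the patch was flattened onto one line.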
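The ordering the commit message describes, as an added user-space model that is not the driver's code and uses no kernel API: a cooperative work queue in which run_pending_work() stands in for CPU1 getting around to the queued role_work, and usb_role_switch_unregister() marks the object freed instead of calling free() so the stale use can be counted deterministically rather than triggering undefined behaviour. Every name here (struct usb3_dev, role_work_fn, remove_and_count_uaf, the pending[] array) is a constructed stand-in for the kernel one; the real cancel_work_sync() additionally waits for an instance that is already executing on another CPU, which this single-threaded model cannot represent.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a kernel work item: a callback plus a queued flag. */
struct work_struct {
    void (*func)(struct work_struct *);
    int queued;
};

/* Stand-in for the object usb_role_switch_unregister() frees. It is kept
 * alive and marked "freed" so a later touch can be detected safely. */
struct role_switch {
    int role;
    int freed;
};

/* Constructed driver state mirroring the two fields the patch touches. */
struct usb3_dev {
    struct work_struct role_work;
    struct role_switch *role_sw;
};

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

#define MAX_PENDING 4
static struct work_struct *pending[MAX_PENDING]; /* the "workqueue" */
static int uaf_hits;                             /* uses of a freed role_sw */

/* schedule_work(): queue the item once (kernel semantics: no double queue). */
static void schedule_work(struct work_struct *w)
{
    if (w->queued)
        return;
    for (int i = 0; i < MAX_PENDING; i++)
        if (!pending[i]) { pending[i] = w; w->queued = 1; return; }
}

/* cancel_work_sync(): drop the item if it is still queued. */
static void cancel_work_sync(struct work_struct *w)
{
    for (int i = 0; i < MAX_PENDING; i++)
        if (pending[i] == w)
            pending[i] = NULL;
    w->queued = 0;
}

/* CPU1 side of the race table: run whatever is still queued. */
static void run_pending_work(void)
{
    for (int i = 0; i < MAX_PENDING; i++) {
        struct work_struct *w = pending[i];
        if (!w)
            continue;
        pending[i] = NULL;
        w->queued = 0;
        w->func(w);
    }
}

/* Model of renesas_usb3_role_work(): dereferences usb3->role_sw. */
static void role_work_fn(struct work_struct *w)
{
    struct usb3_dev *usb3 = container_of(w, struct usb3_dev, role_work);
    struct role_switch *sw = usb3->role_sw;
    if (sw->freed) {      /* in the kernel this is the use after free */
        uaf_hits++;
        return;
    }
    sw->role = 1;         /* stands in for usb_role_switch_set_role() */
}

/* device_unregister() -> kfree(sw), modelled as a poison flag. */
static void usb_role_switch_unregister(struct role_switch *sw)
{
    sw->freed = 1;
}

/* Teardown sequence of renesas_usb3_remove(). with_cancel selects whether
 * the single cancel_work_sync() line the patch adds is present.
 * Returns how many times the work touched the freed role_sw. */
static int remove_and_count_uaf(int with_cancel)
{
    struct role_switch sw_obj = { .role = 0, .freed = 0 };
    struct usb3_dev usb3 = { .role_work = { role_work_fn, 0 }, .role_sw = &sw_obj };
    uaf_hits = 0;
    memset(pending, 0, sizeof(pending));

    schedule_work(&usb3.role_work);            /* queued by the start path */

    if (with_cancel)
        cancel_work_sync(&usb3.role_work);     /* the patch's added line */
    usb_role_switch_unregister(usb3.role_sw);  /* frees role_sw */

    run_pending_work();                        /* CPU1 reaches role_work */
    return uaf_hits;
}

int main(void)
{
    printf("without cancel_work_sync: %d use(s) of freed role_sw\n",
           remove_and_count_uaf(0));
    printf("with cancel_work_sync:    %d use(s) of freed role_sw\n",
           remove_and_count_uaf(1));
    return 0;
}
```

The model reduces the race to its ordering: once the work item is queued before the object is freed and nothing dequeues it, whichever CPU eventually runs it operates on freed memory, and the fix is to make the free unreachable by the work rather than to hope it has already run. A detection-side takeaway is that KASAN reports for this class of bug show a work function in the use stack and a remove/unregister path in the free stack, which is the pattern to look for in driver unbind testing.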
* Re: [PATCH v7] usb: gadget: udc: renesas_usb3: Fix use after free bug in renesas_usb3_remove due to race condition
From: Greg KH @ 2023-03-16 19:07 UTC
To: Zheng Wang
Cc: skhan, p.zabel, biju.das.jz, phil.edworthy, linux-usb, linux-kernel, hackerzheng666, 1395428693sheep, alex000young, yoshihiro.shimoda.uh
On Fri, Mar 17, 2023 at 02:08:50AM +0800, Zheng Wang wrote:
> In renesas_usb3_probe, role_work is bound with renesas_usb3_role_work.
> renesas_usb3_start will be called to start the work.
>
> If we remove the driver which will call usbhs_remove, there may be an unfinished work. The possible sequence is as follows:
>
> Fix it by canceling the work before cleanup in the renesas_usb3_remove.
>
> Note that removing a driver is a root-only operation, and should never happen.
>
> CPU0                        CPU1
>
>                            |renesas_usb3_role_work
> renesas_usb3_remove        |
> usb_role_switch_unregister |
> device_unregister          |
> kfree(sw)                  |
> free usb3->role_sw         |
>                            |usb_role_switch_set_role
>                            |//use usb3->role_sw

This still isn’t working :(
* Re: [PATCH v7] usb: gadget: udc: renesas_usb3: Fix use after free bug in renesas_usb3_remove due to race condition
From: Zheng Hacker @ 2023-03-17 3:59 UTC
To: Greg KH
Cc: Zheng Wang, skhan, p.zabel, biju.das.jz, phil.edworthy, linux-usb, linux-kernel, 1395428693sheep, alex000young, yoshihiro.shimoda.uh
Greg KH [email protected] wrote on Fri, 17 Mar 2023 at 03:07:
>
> On Fri, Mar 17, 2023 at 02:08:50AM +0800, Zheng Wang wrote:
> > In renesas_usb3_probe, role_work is bound with renesas_usb3_role_work.
> > renesas_usb3_start will be called to start the work.
> >
> > If we remove the driver which will call usbhs_remove, there may be an unfinished work. The possible sequence is as follows:
> >
> > Fix it by canceling the work before cleanup in the renesas_usb3_remove.
> >
> > Note that removing a driver is a root-only operation, and should never happen.
> >
> > CPU0                        CPU1
> >
> >                            |renesas_usb3_role_work
> > renesas_usb3_remove        |
> > usb_role_switch_unregister |
> > device_unregister          |
> > kfree(sw)                  |
> > free usb3->role_sw         |
> >                            |usb_role_switch_set_role
> >                            |//use usb3->role_sw
>
> This still isn’t working :(

Sorry, I hadn’t read your advice when submitting this version of the patch.

Best Regards,
Zheng
Related news
Ubuntu Security Notice 6397-1 - Daniel Moghimi discovered that some Intel Processors did not properly clear microarchitectural state after speculative execution of various instructions. A local unprivileged user could use this to obtain sensitive information. Ruihan Li discovered that the bluetooth subsystem in the Linux kernel did not properly perform permissions checks when handling HCI sockets. A physically proximate attacker could use this to cause a denial of service.
Ubuntu Security Notice 6357-1 - Daniel Moghimi discovered that some Intel Processors did not properly clear microarchitectural state after speculative execution of various instructions. A local unprivileged user could use this to obtain sensitive information. Ruihan Li discovered that the bluetooth subsystem in the Linux kernel did not properly perform permissions checks when handling HCI sockets. A physically proximate attacker could use this to cause a denial of service.
Ubuntu Security Notice 6340-2 - Ruihan Li discovered that the bluetooth subsystem in the Linux kernel did not properly perform permissions checks when handling HCI sockets. A physically proximate attacker could use this to cause a denial of service. Zi Fan Tan discovered that the binder IPC implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.
Ubuntu Security Notice 6349-1 - Ruihan Li discovered that the bluetooth subsystem in the Linux kernel did not properly perform permissions checks when handling HCI sockets. A physically proximate attacker could use this to cause a denial of service. Zi Fan Tan discovered that the binder IPC implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.
Ubuntu Security Notice 6347-1 - William Zhao discovered that the Traffic Control subsystem in the Linux kernel did not properly handle network packet retransmission in certain situations. A local attacker could use this to cause a denial of service. It was discovered that the NTFS file system implementation in the Linux kernel did not properly check buffer indexes in certain situations, leading to an out-of-bounds read vulnerability. A local attacker could possibly use this to expose sensitive information.
Ubuntu Security Notice 6340-1 - Ruihan Li discovered that the bluetooth subsystem in the Linux kernel did not properly perform permissions checks when handling HCI sockets. A physically proximate attacker could use this to cause a denial of service. Zi Fan Tan discovered that the binder IPC implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.
Ubuntu Security Notice 6332-1 - Daniel Moghimi discovered that some Intel Processors did not properly clear microarchitectural state after speculative execution of various instructions. A local unprivileged user could use this to obtain sensitive information. William Zhao discovered that the Traffic Control subsystem in the Linux kernel did not properly handle network packet retransmission in certain situations. A local attacker could use this to cause a denial of service.
Ubuntu Security Notice 6311-1 - William Zhao discovered that the Traffic Control subsystem in the Linux kernel did not properly handle network packet retransmission in certain situations. A local attacker could use this to cause a denial of service. It was discovered that the NTFS file system implementation in the Linux kernel did not properly check buffer indexes in certain situations, leading to an out-of-bounds read vulnerability. A local attacker could possibly use this to expose sensitive information.
Ubuntu Security Notice 6300-1 - William Zhao discovered that the Traffic Control subsystem in the Linux kernel did not properly handle network packet retransmission in certain situations. A local attacker could use this to cause a denial of service. It was discovered that the NTFS file system implementation in the Linux kernel did not properly check buffer indexes in certain situations, leading to an out-of-bounds read vulnerability. A local attacker could possibly use this to expose sensitive information.
Ubuntu Security Notice 6283-1 - Ruihan Li discovered that the bluetooth subsystem in the Linux kernel did not properly perform permissions checks when handling HCI sockets. A physically proximate attacker could use this to cause a denial of service. Zheng Zhang discovered that the device-mapper implementation in the Linux kernel did not properly handle locking during table_clear operations. A local attacker could use this to cause a denial of service.