From patchwork Mon Apr 15 15:15:05 2024
X-Patchwork-Submitter: Bethany Jamison
X-Patchwork-Id: 1923775
From: Bethany Jamison
To: kernel-team@lists.ubuntu.com
Subject: [SRU][M/J][PATCH 1/1] usb: cdns3: fix memory double free when handle zero packet
Date: Mon, 15 Apr 2024 10:15:05 -0500
Message-Id: <20240415151505.47774-2-bethany.jamison@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240415151505.47774-1-bethany.jamison@canonical.com>
References: <20240415151505.47774-1-bethany.jamison@canonical.com>
List-Id: Kernel team discussions
Sender: "kernel-team"

From: Frank Li

829         if (request->complete) {
830                 spin_unlock(&priv_dev->lock);
831                 usb_gadget_giveback_request(&priv_ep->endpoint,
832                                             request);
833                 spin_lock(&priv_dev->lock);
834         }
835
836         if (request->buf == priv_dev->zlp_buf)
837                 cdns3_gadget_ep_free_request(&priv_ep->endpoint, request);

The driver appends an additional zero-length packet request when queuing a
packet whose length mod max packet size is 0. When the transfer completes and
execution reaches line 831, usb_gadget_giveback_request() frees this request.
The condition at line 836 is then true, so cdns3_gadget_ep_free_request() frees
the request again.

Log:

[ 1920.140696][ T150] BUG: KFENCE: use-after-free read in cdns3_gadget_giveback+0x134/0x2c0 [cdns3]
[ 1920.140696][ T150]
[ 1920.151837][ T150] Use-after-free read at 0x000000003d1cd10b (in kfence-#36):
[ 1920.159082][ T150] cdns3_gadget_giveback+0x134/0x2c0 [cdns3]
[ 1920.164988][ T150] cdns3_transfer_completed+0x438/0x5f8 [cdns3]

Add a check at line 829 to skip the usb_gadget_giveback_request() call if the
request is the additional zero-length packet request. There is no need to call
usb_gadget_giveback_request() because the request is allocated in this driver.

Cc: stable@vger.kernel.org
Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver")
Signed-off-by: Frank Li Reviewed-by: Roger Quadros Acked-by: Peter Chen Link: https://lore.kernel.org/r/20240202154217.661867-2-Frank.Li@nxp.com Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 5fd9e45f1ebcd57181358af28506e8a661a260b3) CVE-2024-26748 Signed-off-by: Bethany Jamison --- drivers/usb/cdns3/cdns3-gadget.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/usb/cdns3/cdns3-gadget.c b/drivers/usb/cdns3/cdns3-gadget.c index b99308f77f277..9e8502ca351f0 100644 --- a/drivers/usb/cdns3/cdns3-gadget.c +++ b/drivers/usb/cdns3/cdns3-gadget.c @@ -827,7 +827,11 @@ void cdns3_gadget_giveback(struct cdns3_endpoint *priv_ep, return; } - if (request->complete) { + /* + * zlp request is appended by driver, needn't call usb_gadget_giveback_request() to notify + * gadget composite driver. + */ + if (request->complete && request->buf != priv_dev->zlp_buf) { spin_unlock(&priv_dev->lock); usb_gadget_giveback_request(&priv_ep->endpoint, request);
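Review bot: the new condition `request->complete && request->buf != priv_dev->zlp_buf` stops the gadget callback from releasing the driver-appended ZLP request, but the hunk ends at the usb_gadget_giveback_request() call, so the path that is meant to remain the single release of that request (the `if (request->buf == priv_dev->zlp_buf)` / `cdns3_gadget_ep_free_request()` pair quoted at lines 836-837 of the commit message) is outside the visible context. Consider extending the added comment to say that the zlp request is freed locally a few lines below, so a reader of the code rather than of the commit message sees that skipping giveback and the local free are one ownership rule. The diffstat's 5 insertions and 1 deletion match the four comment lines plus the rewritten condition, and the `@@ -827,7 +827,11 @@` header agrees, so the hunk as shown is complete for this function.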
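As an added illustration that is not part of this patch or the cdns3 driver, the following C model reproduces the request lifecycle the commit message describes: a gadget completion callback releases the request it is handed, the driver then releases its own ZLP request a second time, and the fixed give-back path avoids the callback for the driver-owned request. The type and function names (usb_req, endpoint, append_zlp, giveback_before, giveback_after, run_transfer) and the tracking release stub are assumptions made for this example; that the ZLP request inherits the original request's completion callback is also an assumption, taken from the message's statement that usb_gadget_giveback_request() freed it.

```c
/*
 * Added example, not code from the cdns3 driver or this patch: a model of the
 * give-back path in the commit message. Names (usb_req, endpoint, append_zlp,
 * giveback_before, giveback_after) are assumptions made for the example, and
 * ep_free_request() is a tracking stub that counts a second release instead of
 * returning freed memory to malloc().
 */
#include <stdio.h>
#include <stdlib.h>

struct usb_req;
typedef void (*complete_fn)(struct usb_req *req);

struct usb_req {
	void *buf;
	complete_fn complete;
	int alive;		/* 1 while owned, 0 once released */
};

struct endpoint {
	char zlp_buf[8];	/* stands in for priv_dev->zlp_buf */
	int double_frees;	/* releases of an already-released request */
	int callbacks;		/* gadget completion handler invocations */
};

static struct endpoint *g_ep;	/* lets the completion handler reach the counters */

/* Stub for cdns3_gadget_ep_free_request(): records a double free, never calls free(). */
static void ep_free_request(struct endpoint *ep, struct usb_req *req)
{
	if (!req->alive)
		ep->double_frees++;
	req->alive = 0;
}

/* Gadget handler that releases the request: what the message says giveback did to the ZLP. */
static void gadget_complete(struct usb_req *req)
{
	g_ep->callbacks++;
	ep_free_request(g_ep, req);
}

/* Queue path: the driver appends its own zero-length request when length % maxpacket == 0.
 * That the ZLP inherits the original request's completion callback is an assumption here. */
static struct usb_req *append_zlp(struct endpoint *ep, const struct usb_req *orig)
{
	struct usb_req *zlp = calloc(1, sizeof(*zlp));

	zlp->buf = ep->zlp_buf;
	zlp->complete = orig->complete;
	zlp->alive = 1;
	return zlp;
}

/* Before the fix: every request with a callback is given back, ZLP included. */
static void giveback_before(struct endpoint *ep, struct usb_req *req)
{
	if (req->complete)
		req->complete(req);		/* usb_gadget_giveback_request() */
	if (req->buf == ep->zlp_buf)
		ep_free_request(ep, req);	/* second release of the ZLP */
}

/* After the fix: the driver-owned ZLP skips the callback and is released once. */
static void giveback_after(struct endpoint *ep, struct usb_req *req)
{
	if (req->complete && req->buf != ep->zlp_buf)
		req->complete(req);
	if (req->buf == ep->zlp_buf)
		ep_free_request(ep, req);
}

/* Complete one 512-byte transfer (a ZLP follows, since 512 % maxpacket == 0)
 * through the given path and return the endpoint's counters. */
static struct endpoint run_transfer(void (*giveback)(struct endpoint *, struct usb_req *))
{
	struct endpoint ep = { 0 };
	char payload[512];
	struct usb_req data = { .buf = payload, .complete = gadget_complete, .alive = 1 };
	struct usb_req *zlp = append_zlp(&ep, &data);

	g_ep = &ep;
	giveback(&ep, &data);	/* data packet: gadget callback releases it */
	giveback(&ep, zlp);	/* trailing ZLP: the path under test */
	free(zlp);		/* real release of the tracking object */
	return ep;
}

int main(void)
{
	struct endpoint b = run_transfer(giveback_before);
	struct endpoint a = run_transfer(giveback_after);

	printf("before fix: double frees = %d, callbacks = %d\n", b.double_frees, b.callbacks);
	printf("after fix:  double frees = %d, callbacks = %d\n", a.double_frees, a.callbacks);
	return 0;
}
```

The release stub deliberately keeps the object alive so the second release is observed as a counter rather than as heap corruption; in the real driver the same sequence is what KFENCE caught as the use-after-free read in cdns3_gadget_giveback().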