Re: [PATCH v3] usbip: vudc: Fix use after free bug in vudc_remove due to race condition

From: Shuah Khan
Date: Fri Mar 17 2023 - 18:53:18 EST

Next message: Pawan Gupta: "Re: [PATCH 1/3] kvm: vmx: Add IA32_FLUSH_CMD guest support"
Previous message: David Vernet: "Re: [PATCH V4 bpf-next] BPF, docs: libbpf Overview Document"
In reply to: Zheng Wang: "[PATCH v3] usbip: vudc: Fix use after free bug in vudc_remove due to race condition"
Next in thread: Zheng Hacker: "Re: [PATCH v3] usbip: vudc: Fix use after free bug in vudc_remove due to race condition"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 3/17/23 04:09, Zheng Wang wrote:

In vudc_probe, it calls init_vudc_hw, which bound &udc->timer with v_timer.

When it calls usbip_sockfd_store, it will call v_start_timer to start the
timer work.

When we call vudc_remove to remove the driver, theremay be a sequence as
follows:

Fix it by shutdown the timer work before cleanup in vudc_remove.

Note that removing a driver is a root-only operation, and should never
happen. But the attacker can directly unplug the usb to trigger the remove
function.

CPU0 CPU1

|v_timer
vudc_remove |
kfree(udc); |
//free shost |
|udc->gadget
|//use

The udc might be removed before v_timer finished, and UAF happens.

This bug was found by Codeql static analysis and might by false positive.

This statement that this could be a false positive makes me hesitate
taking this patch.

What kind of testing have you done with this fix? Were you able to test
the scenario of unplugging usb?

thanks,
-- Shuah

Next message: Pawan Gupta: "Re: [PATCH 1/3] kvm: vmx: Add IA32_FLUSH_CMD guest support"
Previous message: David Vernet: "Re: [PATCH V4 bpf-next] BPF, docs: libbpf Overview Document"
In reply to: Zheng Wang: "[PATCH v3] usbip: vudc: Fix use after free bug in vudc_remove due to race condition"
Next in thread: Zheng Hacker: "Re: [PATCH v3] usbip: vudc: Fix use after free bug in vudc_remove due to race condition"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]