OpenCloudOS-Kernel/drivers/usb
Norihiko Hama f356fd0cbd usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error
commit 6334b8e4553cc69f51e383c9de545082213d785e upstream.

When ncm function is working and then stop usb0 interface for link down,
eth_stop() is called. At this piont, accidentally if usb transport error
should happen in usb_ep_enable(), 'in_ep' and/or 'out_ep' may not be enabled.

After that, ncm_disable() is called to disable for ncm unbind
but gether_disconnect() is never called since 'in_ep' is not enabled.

As the result, ncm object is released in ncm unbind
but 'dev->port_usb' associated to 'ncm->port' is not NULL.

And when ncm bind again to recover netdev, ncm object is reallocated
but usb0 interface is already associated to previous released ncm object.

Therefore, once usb0 interface is up and eth_start_xmit() is called,
released ncm object is dereferrenced and it might cause use-after-free memory.

[function unlink via configfs]
  usb0: eth_stop dev->port_usb=ffffff9b179c3200
  --> error happens in usb_ep_enable().
  NCM: ncm_disable: ncm=ffffff9b179c3200
  --> no gether_disconnect() since ncm->port.in_ep->enabled is false.
  NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200
  NCM: ncm_free: ncm free ncm=ffffff9b179c3200   <-- released ncm

[function link via configfs]
  NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000
  NCM: ncm_bind: ncm bind ncm=ffffff9ac4f8a000
  NCM: ncm_set_alt: ncm=ffffff9ac4f8a000 alt=0
  usb0: eth_open dev->port_usb=ffffff9b179c3200  <-- previous released ncm
  usb0: eth_start dev->port_usb=ffffff9b179c3200 <--
  eth_start_xmit()
  --> dev->wrap()
  Unable to handle kernel paging request at virtual address dead00000000014f

This patch addresses the issue by checking if 'ncm->netdev' is not NULL at
ncm_disable() to call gether_disconnect() to deassociate 'dev->port_usb'.
It's more reasonable to check 'ncm->netdev' to call gether_connect/disconnect
rather than check 'ncm->port.in_ep->enabled' since it might not be enabled
but the gether connection might be established.

Signed-off-by: Norihiko Hama <Norihiko.Hama@alpsalpine.com>
Cc: stable <stable@kernel.org>
Link: https://lore.kernel.org/r/20240327023550.51214-1-Norihiko.Hama@alpsalpine.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-04-27 17:11:40 +02:00
..
atm
c67x00 usb: c67x00-drv: Convert to platform remove callback returning void 2023-05-28 12:36:14 +01:00
cdns3 usb: cdns3: fix memory double free when handle zero packet 2024-03-01 13:35:02 +01:00
chipidea usb: chipidea: core: handle power lost in workqueue 2024-02-23 09:24:57 +01:00
class Revert "usb: cdc-wdm: close race between read and workqueue" 2024-04-27 17:11:40 +02:00
common usb: ulpi: Fix debugfs directory leak 2024-02-23 09:24:56 +01:00
core usb: Disable USB3 LPM at shutdown 2024-04-27 17:11:40 +02:00
dwc2 usb: dwc2: host: Fix dereference issue in DDMA completion flow. 2024-04-27 17:11:40 +02:00
dwc3 usb: dwc3: pci: Drop duplicate ID 2024-04-03 15:29:03 +02:00
early usb: early: xhci-dbc: Use memcpy_and_pad() 2023-01-31 10:40:54 +01:00
fotg210 usb: fotg210-hcd: delete an incorrect bounds test 2024-01-01 12:42:41 +00:00
gadget usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error 2024-04-27 17:11:40 +02:00
host usb: xhci: Add timeout argument in address_device USB HCD callback 2024-04-27 17:11:36 +02:00
image scsi: usb: uas: Declare two host templates and host template pointers const 2023-03-24 19:20:00 -04:00
isp1760 usb: isp1760: Convert to platform remove callback returning void 2023-05-28 12:38:01 +01:00
misc usb: misc: onboard-hub: add support for Microchip USB5744 2023-12-03 07:33:08 +01:00
mon usb: mon: Fix atomicity violation in mon_bin_vma_fault 2024-01-25 15:35:43 -08:00
mtu3 usb: Explicitly include correct DT includes 2023-07-25 18:20:02 +02:00
musb usb: musb: Get the musb_qh poniter after musb_giveback 2023-10-02 13:37:57 +02:00
phy Revert "usb: phy: generic: Get the vbus supply" 2024-04-03 15:28:58 +02:00
renesas_usbhs usb: Explicitly include correct DT includes 2023-07-25 18:20:02 +02:00
roles usb: roles: don't get/set_role() when usb_role_switch is unregistered 2024-03-01 13:35:02 +01:00
serial USB: serial: option: add Telit FN920C04 rmnet compositions 2024-04-27 17:11:40 +02:00
storage USB: UAS: return ENODEV when submit urbs fail with device not attached 2024-04-03 15:28:58 +02:00
typec usb: typec: tcpci: add generic tcpci fallback compatible 2024-04-13 13:07:38 +02:00
usbip USB: usbip: fix stub_dev hub disconnect 2023-11-20 11:59:26 +01:00
Kconfig usb: move config USB_USS720 to usb's misc Kconfig 2023-03-29 10:34:08 +02:00
Makefile usb: host: u132-hcd: Delete driver 2023-03-21 14:06:11 +01:00
usb-skeleton.c