[PATCH 0/2][SRU][X] CVE-2018-20961: USB Gadget MIDI Function UAF


[PATCH 0/2][SRU][X] CVE-2018-20961: USB Gadget MIDI Function UAF

Tyler Hicks-2
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20961.html

 In the Linux kernel before 4.16.4, a double free vulnerability in the
 f_midi_set_alt function of drivers/usb/gadget/function/f_midi.c in the
 f_midi driver may allow attackers to cause a denial of service or
 possibly have unspecified other impact.

Clean cherry picks. I'm unable to test without appropriate hardware but
the build logs are clean and a test kernel boots without any issues.

The first patch isn't necessarily required for the CVE fix but the error
path doesn't work correctly without it. I think it is safe and
worthwhile to bring back with the CVE fix.

Tyler

Felipe F. Tonello (1):
  usb: gadget: f_midi: fail if set_alt fails to allocate requests

Yavuz, Tuba (1):
  USB: gadget: f_midi: fixing a possible double-free in f_midi

 drivers/usb/gadget/function/f_midi.c | 6 ++++--
 drivers/usb/gadget/u_f.h             | 2 ++
 2 files changed, 6 insertions(+), 2 deletions(-)

--
2.17.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[PATCH 1/2] usb: gadget: f_midi: fail if set_alt fails to allocate requests

Tyler Hicks-2
From: "Felipe F. Tonello" <[hidden email]>

This ensures that the midi function will only work if the proper number of
IN and OUT requests are allocated. Otherwise the function will work with fewer
requests than what the user wants.

Signed-off-by: Felipe F. Tonello <[hidden email]>
Signed-off-by: Felipe Balbi <[hidden email]>

CVE-2018-20961

(cherry picked from commit f0f1b8cac4d8d973e95f25d9ea132775fb43c5f4)
Signed-off-by: Tyler Hicks <[hidden email]>
---
 drivers/usb/gadget/function/f_midi.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/function/f_midi.c b/drivers/usb/gadget/function/f_midi.c
index 5ead414586a1..89db9cd22665 100644
--- a/drivers/usb/gadget/function/f_midi.c
+++ b/drivers/usb/gadget/function/f_midi.c
@@ -364,9 +364,10 @@ static int f_midi_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
  req->complete = f_midi_complete;
  err = usb_ep_queue(midi->out_ep, req, GFP_ATOMIC);
  if (err) {
- ERROR(midi, "%s queue req: %d\n",
+ ERROR(midi, "%s: couldn't enqueue request: %d\n",
     midi->out_ep->name, err);
  free_ep_req(midi->out_ep, req);
+ return err;
  }
  }
 
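Review bot: the new `return err;` after `free_ep_req(midi->out_ep, req);` assumes this function still owns `req` when `usb_ep_queue()` fails, but a controller driver may already have handed the request back through `req->complete` (`f_midi_complete`) before returning the error, in which case the free here is a second release; the free should be conditional on the request not having been given back. The early return also leaves the OUT requests queued in earlier iterations of this loop on the endpoint, so the caller must disable or dequeue on that path.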
--
2.17.1



[PATCH 2/2] USB: gadget: f_midi: fixing a possible double-free in f_midi

Tyler Hicks-2
From: "Yavuz, Tuba" <[hidden email]>

It looks like there is a possibility of a double-free vulnerability on an
error path of the f_midi_set_alt function in the f_midi driver. If the
path is feasible then free_ep_req gets called twice:

         req->complete = f_midi_complete;
         err = usb_ep_queue(midi->out_ep, req, GFP_ATOMIC);
            => ...
             usb_gadget_giveback_request
               =>
                 f_midi_complete (CALLBACK)
                   (inside f_midi_complete, for various cases of status)
                   free_ep_req(ep, req); // first kfree
         if (err) {
                 ERROR(midi, "%s: couldn't enqueue request: %d\n",
                             midi->out_ep->name, err);
                 free_ep_req(midi->out_ep, req); // second kfree
                 return err;
         }

The double-free possibility was introduced with commit ad0d1a058eac
("usb: gadget: f_midi: fix leak on failed to enqueue out requests").

Found by MOXCAFE tool.

Signed-off-by: Tuba Yavuz <[hidden email]>
Fixes: ad0d1a058eac ("usb: gadget: f_midi: fix leak on failed to enqueue out requests")
Acked-by: Felipe Balbi <[hidden email]>
Cc: stable <[hidden email]>
Signed-off-by: Greg Kroah-Hartman <[hidden email]>

CVE-2018-20961

(cherry picked from commit 7fafcfdf6377b18b2a726ea554d6e593ba44349f)
Signed-off-by: Tyler Hicks <[hidden email]>
---
 drivers/usb/gadget/function/f_midi.c | 3 ++-
 drivers/usb/gadget/u_f.h             | 2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/function/f_midi.c b/drivers/usb/gadget/function/f_midi.c
index 89db9cd22665..8232850f7b80 100644
--- a/drivers/usb/gadget/function/f_midi.c
+++ b/drivers/usb/gadget/function/f_midi.c
@@ -366,7 +366,8 @@ static int f_midi_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
  if (err) {
  ERROR(midi, "%s: couldn't enqueue request: %d\n",
     midi->out_ep->name, err);
- free_ep_req(midi->out_ep, req);
+ if (req->buf != NULL)
+ free_ep_req(midi->out_ep, req);
  return err;
  }
  }
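Review bot: `if (req->buf != NULL)` dereferences `req` after `f_midi_complete` may already have passed it to `free_ep_req()`, which calls `usb_ep_free_request()` on it, so this prevents the second `kfree(req->buf)` but still reads a request that may have been released. A more robust shape keeps the "given back" record in state owned by `midi` (or treats the completion callback as the sole owner once `usb_ep_queue()` has been called) instead of inspecting the request itself.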
diff --git a/drivers/usb/gadget/u_f.h b/drivers/usb/gadget/u_f.h
index 69a1d10df04f..3ee365fbc2e2 100644
--- a/drivers/usb/gadget/u_f.h
+++ b/drivers/usb/gadget/u_f.h
@@ -65,7 +65,9 @@ struct usb_request *alloc_ep_req(struct usb_ep *ep, size_t len, int default_len)
 /* Frees a usb_request previously allocated by alloc_ep_req() */
 static inline void free_ep_req(struct usb_ep *ep, struct usb_request *req)
 {
+ WARN_ON(req->buf == NULL);
  kfree(req->buf);
+ req->buf = NULL;
  usb_ep_free_request(ep, req);
 }
 
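Review bot: the comment above `free_ep_req()` still only says it frees a request allocated by `alloc_ep_req()`, while callers in f_midi.c now rely on `req->buf = NULL;` as an "already freed" marker; document that contract here. Also note that `WARN_ON(req->buf == NULL)` fires for any request whose buffer was never allocated, so every caller of this helper must guarantee a non-NULL buffer.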
--
2.17.1


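As an added illustration of the request-ownership problem the patch description traces (a constructed example, not kernel code and not part of this thread): a mock endpoint whose queue call can run the completion callback before failing, with the pre-fix error path beside a hardened variant that records the giveback in caller-owned state instead of testing `req->buf`. All names here (`mock_ep`, `giveback_on_fail`, `run_case`) are assumptions of the model.

```c
#include <stdbool.h>
/* Constructed model of the f_midi_set_alt() error path (not kernel code); the
 * mock controller may run the completion callback from inside the queue call. */
struct mock_ep;
struct ep_req {
    void (*complete)(struct mock_ep *ep, struct ep_req *req, int status);
    bool in_use;
};
struct mock_ep {
    bool giveback_on_fail;     /* complete the request before failing the queue */
    int double_frees;          /* releases of an already released request */
    struct ep_req *given_back; /* written by the callback; owned by the caller */
    struct ep_req slot;        /* the single OUT request; stays addressable */
};
static struct ep_req *alloc_ep_req(struct mock_ep *ep)
{
    ep->slot.in_use = true;
    ep->given_back = 0;        /* nothing handed back for this request yet */
    return &ep->slot;
}
static void free_ep_req(struct mock_ep *ep, struct ep_req *req)
{
    if (!req->in_use) ep->double_frees++; /* would be a double kfree */
    req->in_use = false;
}
static void midi_complete(struct mock_ep *ep, struct ep_req *req, int status)
{
    /* like f_midi_complete(): an error status releases the request */
    if (status) { free_ep_req(ep, req); ep->given_back = req; }
}
static int usb_ep_queue(struct mock_ep *ep, struct ep_req *req)
{
    if (!ep->giveback_on_fail) return 0;
    req->complete(ep, req, -1); /* controller hands it back, then fails */
    return -1;
}
/* The set_alt() error path: hardened=false is the pre-fix behaviour (free
 * unconditionally); hardened=true frees only if the callback did not. */
static int set_alt(struct mock_ep *ep, bool hardened)
{
    struct ep_req *req = alloc_ep_req(ep);
    req->complete = midi_complete;
    if (usb_ep_queue(ep, req) && (!hardened || ep->given_back != req))
        free_ep_req(ep, req);
    return ep->double_frees;
}
/* Runs one scenario on a fresh endpoint; returns the double-free count. */
static int run_case(bool giveback_on_fail, bool hardened)
{
    struct mock_ep ep = { .giveback_on_fail = giveback_on_fail };
    return set_alt(&ep, hardened);
}
```
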

ACK: [PATCH 0/2][SRU][X] CVE-2018-20961: USB Gadget MIDI Function UAF

Connor Kuehl
On 8/14/19 4:21 PM, Tyler Hicks wrote:

> https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20961.html
>
>   In the Linux kernel before 4.16.4, a double free vulnerability in the
>   f_midi_set_alt function of drivers/usb/gadget/function/f_midi.c in the
>   f_midi driver may allow attackers to cause a denial of service or
>   possibly have unspecified other impact.
>
> Clean cherry picks. I'm unable to test without appropriate hardware but
> the build logs are clean and a test kernel boots without any issues.
>
> The first patch isn't necessarily required for the CVE fix but the error
> path doesn't work correctly without it. I think it is safe and
> worthwhile to bring back with the CVE fix.
>
> Tyler
>
> Felipe F. Tonello (1):
>    usb: gadget: f_midi: fail if set_alt fails to allocate requests
>
> Yavuz, Tuba (1):
>    USB: gadget: f_midi: fixing a possible double-free in f_midi
>
>   drivers/usb/gadget/function/f_midi.c | 6 ++++--
>   drivers/usb/gadget/u_f.h             | 2 ++
>   2 files changed, 6 insertions(+), 2 deletions(-)
>

Acked-by: Connor Kuehl <[hidden email]>


ACK: [PATCH 0/2][SRU][X] CVE-2018-20961: USB Gadget MIDI Function UAF

Stefan Bader-2
On 15.08.19 01:21, Tyler Hicks wrote:

> https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20961.html
>
>  In the Linux kernel before 4.16.4, a double free vulnerability in the
>  f_midi_set_alt function of drivers/usb/gadget/function/f_midi.c in the
>  f_midi driver may allow attackers to cause a denial of service or
>  possibly have unspecified other impact.
>
> Clean cherry picks. I'm unable to test without appropriate hardware but
> the build logs are clean and a test kernel boots without any issues.
>
> The first patch isn't necessarily required for the CVE fix but the error
> path doesn't work correctly without it. I think it is safe and
> worthwhile to bring back with the CVE fix.
>
> Tyler
>
> Felipe F. Tonello (1):
>   usb: gadget: f_midi: fail if set_alt fails to allocate requests
>
> Yavuz, Tuba (1):
>   USB: gadget: f_midi: fixing a possible double-free in f_midi
>
>  drivers/usb/gadget/function/f_midi.c | 6 ++++--
>  drivers/usb/gadget/u_f.h             | 2 ++
>  2 files changed, 6 insertions(+), 2 deletions(-)
>
Acked-by: Stefan Bader <[hidden email]>



APPLIED: [PATCH 0/2][SRU][X] CVE-2018-20961: USB Gadget MIDI Function UAF

Kleber Souza
On 8/15/19 1:21 AM, Tyler Hicks wrote:

> https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20961.html
>
>  In the Linux kernel before 4.16.4, a double free vulnerability in the
>  f_midi_set_alt function of drivers/usb/gadget/function/f_midi.c in the
>  f_midi driver may allow attackers to cause a denial of service or
>  possibly have unspecified other impact.
>
> Clean cherry picks. I'm unable to test without appropriate hardware but
> the build logs are clean and a test kernel boots without any issues.
>
> The first patch isn't necessarily required for the CVE fix but the error
> path doesn't work correctly without it. I think it is safe and
> worthwhile to bring back with the CVE fix.
>
> Tyler
>
> Felipe F. Tonello (1):
>   usb: gadget: f_midi: fail if set_alt fails to allocate requests
>
> Yavuz, Tuba (1):
>   USB: gadget: f_midi: fixing a possible double-free in f_midi
>
>  drivers/usb/gadget/function/f_midi.c | 6 ++++--
>  drivers/usb/gadget/u_f.h             | 2 ++
>  2 files changed, 6 insertions(+), 2 deletions(-)
>

Applied to xenial/master-next branch.

Thanks,
Kleber
