Re: usb/gadget: use-after-free in gadgetfs_setup

2016-12-12 Thread Alan Stern
On Mon, 12 Dec 2016, Krzysztof Opasiak wrote:
> > Ah, good, that clears it up. The problem is that stop_activity() nukes
> > all the endpoints except for endpoint 0!
> >
> > The patch below should fix the problem.
> >
> > Alan Stern
> >
> >
> >
> > Index:

Re: usb/gadget: use-after-free in gadgetfs_setup

2016-12-12 Thread Andrey Konovalov
On Mon, Dec 12, 2016 at 9:09 PM, Alan Stern wrote:
> On Mon, 12 Dec 2016, Andrey Konovalov wrote:
>
>> On Mon, Dec 12, 2016 at 7:44 PM, Alan Stern
>> wrote:
>> >
>> > I'm still puzzled. Can you try running the test with the diagnostic
>> >

Re: usb/gadget: use-after-free in gadgetfs_setup

2016-12-12 Thread Krzysztof Opasiak
On 12/12/2016 09:09 PM, Alan Stern wrote:
> On Mon, 12 Dec 2016, Andrey Konovalov wrote:
>
>> On Mon, Dec 12, 2016 at 7:44 PM, Alan Stern
>> wrote:
>>>
>>> I'm still puzzled. Can you try running the test with the diagnostic
>>> patch below? The resulting kernel

Re: usb/gadget: use-after-free in gadgetfs_setup

2016-12-12 Thread Alan Stern
On Mon, 12 Dec 2016, Andrey Konovalov wrote:
> On Mon, Dec 12, 2016 at 7:44 PM, Alan Stern wrote:
> >
> > I'm still puzzled. Can you try running the test with the diagnostic
> > patch below? The resulting kernel log ought to help pin down where the
> > problem comes

Re: usb/gadget: use-after-free in gadgetfs_setup

2016-12-12 Thread Andrey Konovalov
On Mon, Dec 12, 2016 at 7:44 PM, Alan Stern wrote:
>
> I'm still puzzled. Can you try running the test with the diagnostic
> patch below? The resulting kernel log ought to help pin down where the
> problem comes from.

Sure, here's the log:

usb 1-1: string descriptor

Re: usb/gadget: use-after-free in gadgetfs_setup

2016-12-12 Thread Alan Stern
On Mon, 12 Dec 2016, Andrey Konovalov wrote:
> > Can you also provide reproducers for the "GPF in
> > usb_gadget_unregister_driver" and the "warning in dummy_free_request"
> > tests?
>
> Hi Alan,
>
> I haven't managed to obtain a working reproducer, though the fuzzer
> hits it pretty often :(
>

Re: usb/gadget: use-after-free in gadgetfs_setup

2016-12-12 Thread Andrey Konovalov
On Fri, Dec 9, 2016 at 8:57 PM, Alan Stern wrote:
> On Fri, 9 Dec 2016, Andrey Konovalov wrote:
>
>> On Wed, Dec 7, 2016 at 8:15 PM, Alan Stern wrote:
>> > On Wed, 7 Dec 2016, Andrey Konovalov wrote:
>> >
>> >> > And in any case, is there any

Re: usb/gadget: use-after-free in gadgetfs_setup

2016-12-09 Thread Alan Stern
On Fri, 9 Dec 2016, Andrey Konovalov wrote:
> On Wed, Dec 7, 2016 at 8:15 PM, Alan Stern wrote:
> > On Wed, 7 Dec 2016, Andrey Konovalov wrote:
> >
> >> > And in any case, is there any way you can post the series of system
> >> > calls that syzkaller makes so we can

Re: usb/gadget: use-after-free in gadgetfs_setup

2016-12-08 Thread Andrey Konovalov
On Wed, Dec 7, 2016 at 8:15 PM, Alan Stern wrote:
> On Wed, 7 Dec 2016, Andrey Konovalov wrote:
>
>> > And in any case, is there any way you can post the series of system
>> > calls that syzkaller makes so we can tell what went wrong?
>>
>> I've attached a reproducer

Re: usb/gadget: use-after-free in gadgetfs_setup

2016-12-07 Thread Alan Stern
On Wed, 7 Dec 2016, Andrey Konovalov wrote:
> > And in any case, is there any way you can post the series of system
> > calls that syzkaller makes so we can tell what went wrong?
>
> I've attached a reproducer for a use-after-free in gadgetfs_setup().
> You need to enable KASAN to see the

Re: usb/gadget: use-after-free in gadgetfs_setup

2016-12-07 Thread Andrey Konovalov
On Tue, Dec 6, 2016 at 9:30 PM, Alan Stern wrote:
> [CC: list drastically trimmed]
>
> On Tue, 6 Dec 2016, Andrey Konovalov wrote:
>
>> On Tue, Dec 6, 2016 at 1:28 PM, Andrey Konovalov
>> wrote:
>> > On Mon, Dec 5, 2016 at 8:31 PM, Alan Stern

Re: usb/gadget: use-after-free in gadgetfs_setup

2016-12-06 Thread Alan Stern
[CC: list drastically trimmed]

On Tue, 6 Dec 2016, Andrey Konovalov wrote:
> On Tue, Dec 6, 2016 at 1:28 PM, Andrey Konovalov
> wrote:
> > On Mon, Dec 5, 2016 at 8:31 PM, Alan Stern
> > wrote:
> >> On Mon, 5 Dec 2016, Andrey Konovalov wrote:

Re: usb/gadget: use-after-free in gadgetfs_setup

2016-12-06 Thread Andrey Konovalov
On Tue, Dec 6, 2016 at 1:28 PM, Andrey Konovalov wrote:
> On Mon, Dec 5, 2016 at 8:31 PM, Alan Stern wrote:
>> On Mon, 5 Dec 2016, Andrey Konovalov wrote:
>>
>>> Hi!
>>>
>>> I've got the following error report while running the syzkaller fuzzer.

Re: usb/gadget: use-after-free in gadgetfs_setup

2016-12-06 Thread Andrey Konovalov
On Mon, Dec 5, 2016 at 8:31 PM, Alan Stern wrote:
> On Mon, 5 Dec 2016, Andrey Konovalov wrote:
>
>> Hi!
>>
>> I've got the following error report while running the syzkaller fuzzer.
>>
>> On commit 3c49de52d5647cda8b42c4255cf8a29d1e22eff5 (Dec 2).
>>
>> BUG: KASAN:

Re: usb/gadget: use-after-free in gadgetfs_setup

2016-12-05 Thread Alan Stern
On Mon, 5 Dec 2016, Andrey Konovalov wrote:
> Hi!
>
> I've got the following error report while running the syzkaller fuzzer.
>
> On commit 3c49de52d5647cda8b42c4255cf8a29d1e22eff5 (Dec 2).
>
> BUG: KASAN: use-after-free in gadgetfs_setup+0x208a/0x20e0 at addr
> 88003dfe5bf2
> Read of size

usb/gadget: use-after-free in gadgetfs_setup

2016-12-05 Thread Andrey Konovalov
Hi!

I've got the following error report while running the syzkaller fuzzer.

On commit 3c49de52d5647cda8b42c4255cf8a29d1e22eff5 (Dec 2).

BUG: KASAN: use-after-free in gadgetfs_setup+0x208a/0x20e0 at addr 88003dfe5bf2
Read of size 2 by task syz-executor0/22994
CPU: 3 PID: 22994 Comm: