Commit 1e2bb714 authored Jul 16, 2020 by Pankaj Suryawanshi Committed by Harshit Agarwal Aug 25, 2020

[CVE-2020-12464] USB: core: Fix free-while-in-use bug in the USB S-Glibrary

FuzzUSB (a variant of syzkaller) found a free-while-still-in-use bug
in the USB scatter-gather library.
This bug occurs when cancellation of the S-G transfer races with
transfer completion. When that happens, usb_sg_cancel() may continue
to access the transfer's URBs after usb_sg_wait() has freed them.
The fix is to take such a reference by incrementing the
transfer's io->count field while the cancellation is in progres and
decrementing it afterward. The transfer's URBs are not deallocated
until io->complete is triggered, which happens when io->count reaches zero.

Change-Id: I0515468e3899b344b7133b631870b2f8f1523269

parent f1d01f61

drivers/usb/core/message.c

+8 −1

Original line number	Diff line number	Diff line
		@@ -588,12 +588,13 @@ void usb_sg_cancel(struct usb_sg_request *io)
		int i, retval;

		spin_lock_irqsave(&io->lock, flags);
		if (io->status) {
		if (io->status \|\| io->count == 0) {
		spin_unlock_irqrestore(&io->lock, flags);
		return;
		}
		/* shut everything down */
		io->status = -ECONNRESET;
		io->count++; /* Keep the request alive until we're done */
		spin_unlock_irqrestore(&io->lock, flags);

		for (i = io->entries - 1; i >= 0; --i) {
		@@ -607,6 +608,12 @@ void usb_sg_cancel(struct usb_sg_request *io)
		dev_warn(&io->dev->dev, "%s, unlink --> %d\n",
		__func__, retval);
		}

		spin_lock_irqsave(&io->lock, flags);
		io->count--;
		if (!io->count)
		complete(&io->complete);
		spin_unlock_irqrestore(&io->lock, flags);
		}
		EXPORT_SYMBOL_GPL(usb_sg_cancel);