RE: ZDI-CAN-22273: New Vulnerability Report

From: zdi-disclosures@xxxxxxxxxxxxxx
Date: Fri Feb 16 2024 - 12:34:22 EST


Hello,
Do you have any updates to share regarding this vulnerability? The 120-day deadline for this case was January 31, 2024. We will publish this soon in accordance with the ZDI 120-day Disclosure policy if there is not an available fix.

Regards,
The ZDI Team

-----Original Message-----
From: gregkh@xxxxxxxxxxxxxxxxxxx <gregkh@xxxxxxxxxxxxxxxxxxx>
Sent: Saturday, October 21, 2023 6:10 AM
To: ZDI Disclosures Mailbox <zdi-disclosures@xxxxxxxxxxxxxx>
Cc: linux-kernel@xxxxxxxxxxxxxxx; linux-usb@xxxxxxxxxxxxxxx; valentina.manea.m@xxxxxxxxx; shuah@xxxxxxxxxx; i@xxxxxxxxxxx
Subject: Re: ZDI-CAN-22273: New Vulnerability Report

On Fri, Oct 20, 2023 at 03:25:27PM +0000, zdi-disclosures@xxxxxxxxxxxxxx wrote:
> ### Analysis
>
> ```
> race condition bug exists in the usb/ip VHCI driver
> it leads to UAF on `struct usb_device`
> thread 1                                 thread 2
> vhci_device_reset()                      vhci_urb_enqueue()
>                                          usb_put_dev(vdev->udev);
> usb_put_dev(vdev->udev); // free
>                                          vdev->udev = usb_get_dev(urb->dev); // UAF
> vdev->udev = NULL;
> ```
>
> here is the patch in order to trigger the bug more easier
> ```
> diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
> index 37d1fc34e..7242244d7 100644
> --- a/drivers/usb/usbip/vhci_hcd.c
> +++ b/drivers/usb/usbip/vhci_hcd.c
> @@ -11,7 +11,7 @@
> #include <linux/module.h>
> #include <linux/platform_device.h>
> #include <linux/slab.h>
> -
> +#include <linux/delay.h>
> #include "usbip_common.h"
> #include "vhci.h"
>
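
Review bot: the `-` line at the top of this hunk drops the blank line that separates the <linux/...> includes from the local "usbip_common.h" / "vhci.h" includes; add `#include <linux/delay.h>` after `#include <linux/slab.h>` and keep the blank line so the file's include grouping is unchanged.
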
> @@ -781,6 +781,7 @@ static int vhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag
> usbip_dbg_vhci_hc(
> "Not yet?:Get_Descriptor to device 0 (get max pipe size)\n");
>
> + mdelay(200);
> usb_put_dev(vdev->udev);
> vdev->udev = usb_get_dev(urb->dev);
> goto out;
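
Review bot: the `mdelay(200);` is a busy-wait that only widens the window between `usb_put_dev(vdev->udev);` and `vdev->udev = usb_get_dev(urb->dev);`, so it belongs to the reproducer and must not be part of any fix. The ordering it exposes is the actual problem: the old reference is dropped while vdev->udev still points at it and before the reference on urb->dev is taken, so a concurrent vhci_device_reset() dropping the same pointer results in a double put. Take the urb->dev reference first, replace the pointer, and drop the old reference last.
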
> @@ -1075,6 +1076,7 @@ static void vhci_device_reset(struct usbip_device *ud)
> vdev->devid = 0;
>
> usb_put_dev(vdev->udev);
> + mdelay(200);
> vdev->udev = NULL;
>
> if (ud->tcp_socket) {
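
Review bot: between `usb_put_dev(vdev->udev);` and `vdev->udev = NULL;` (where the `mdelay(200);` is inserted) vdev->udev still points at a device whose reference has already been dropped, so any other path reading vdev->udev in that window sees a possibly freed pointer. Clear the pointer before dropping the reference, e.g. `udev = vdev->udev; vdev->udev = NULL; usb_put_dev(udev);`, and keep the mdelay() out of anything proposed as a fix.
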
> ```

So you are resetting a device while it is enumerating? That's a very
narrow window to handle, and you need a malicious device to do this,
right?

Can you submit a patch to just save off the reference of the device
before the put is called on it to be sure that all is in sync properly?

thanks,

greg k-h
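
As an added example (not code from this thread or from the kernel), the userspace C model below replays the put/get ordering from the report and the ordering suggested in the reply, driving the two paths step by step so every interleaving can be checked. udev_get()/udev_put() stand in for usb_get_dev()/usb_put_dev(), a "freed" flag replaces kfree(), and the starting state (vdev->udev plus one other holder each owning a reference to the device the URB targets) is constructed. The "safe" ordering is one way to realize "save off the reference before the put" and is an assumption, not the patch that went upstream.

```c
/*
 * Model of the vdev->udev put/get race. Added example, not kernel code.
 * udev_get()/udev_put() stand in for usb_get_dev()/usb_put_dev(); a
 * "freed" flag replaces kfree(). Schedule strings use the report's
 * numbering: '1' = a step of the reset path, '2' = a step of the
 * enqueue path.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct udev { int refcount; bool freed; };

struct sim {
	struct udev dev;                           /* the one device both paths touch */
	struct udev *vdev_udev;                    /* vdev->udev */
	struct udev *urb_dev;                      /* urb->dev */
	struct udev *new_ref, *old_enq, *old_rst;  /* locals of the fixed paths */
	bool uaf;                                  /* set when a freed device is touched */
};

static struct udev *udev_get(struct sim *s, struct udev *d)
{
	if (d && d->freed)
		s->uaf = true;           /* usb_get_dev() on freed memory: the UAF */
	if (d)
		d->refcount++;
	return d;
}

static void udev_put(struct sim *s, struct udev *d)
{
	if (d && d->freed)
		s->uaf = true;
	if (d && --d->refcount == 0)
		d->freed = true;         /* kfree() in the real kernel */
}

typedef void (*step_fn)(struct sim *);
struct path { const step_fn *steps; int n; };

/* Ordering as in the reported vhci_urb_enqueue() / vhci_device_reset(). */
static void racy_enq_put(struct sim *s)  { udev_put(s, s->vdev_udev); }
static void racy_enq_get(struct sim *s)  { s->vdev_udev = udev_get(s, s->urb_dev); }
static void racy_rst_put(struct sim *s)  { udev_put(s, s->vdev_udev); }
static void racy_rst_null(struct sim *s) { s->vdev_udev = NULL; }
static const step_fn racy_enq[] = { racy_enq_put, racy_enq_get };
static const step_fn racy_rst[] = { racy_rst_put, racy_rst_null };

/* Assumed fix: take the new reference first, replace the pointer in one
 * step (xchg() or a swap under the lock), drop the old reference last. */
static void safe_enq_get(struct sim *s)  { s->new_ref = udev_get(s, s->urb_dev); }
static void safe_enq_xchg(struct sim *s) { s->old_enq = s->vdev_udev; s->vdev_udev = s->new_ref; }
static void safe_enq_put(struct sim *s)  { udev_put(s, s->old_enq); }
static void safe_rst_xchg(struct sim *s) { s->old_rst = s->vdev_udev; s->vdev_udev = NULL; }
static void safe_rst_put(struct sim *s)  { udev_put(s, s->old_rst); }
static const step_fn safe_enq[] = { safe_enq_get, safe_enq_xchg, safe_enq_put };
static const step_fn safe_rst[] = { safe_rst_xchg, safe_rst_put };

static const struct path paths[2][2] = {   /* [fixed][0 = reset, 1 = enqueue] */
	{ { racy_rst, 2 }, { racy_enq, 2 } },
	{ { safe_rst, 2 }, { safe_enq, 3 } },
};

/* Run one schedule. Safe means no freed device was touched and the final
 * refcount matches the holders that remain (URB owner, plus vdev if set). */
static bool run_schedule(const struct path *rst, const struct path *enq, const char *sched)
{
	struct sim s;
	int pc1 = 0, pc2 = 0;

	memset(&s, 0, sizeof s);
	s.dev.refcount = 2;              /* constructed: vdev->udev + URB owner */
	s.vdev_udev = &s.dev;
	s.urb_dev = &s.dev;              /* the URB targets the same device */
	for (const char *p = sched; *p; p++) {
		if (*p == '1' && pc1 < rst->n)
			rst->steps[pc1++](&s);
		else if (*p == '2' && pc2 < enq->n)
			enq->steps[pc2++](&s);
	}
	return !s.uaf && !s.dev.freed && s.dev.refcount == 1 + (s.vdev_udev == &s.dev);
}

bool schedule_is_safe(bool fixed, const char *sched)
{
	return run_schedule(&paths[fixed][0], &paths[fixed][1], sched);
}

/* Enumerate every interleaving of the two paths; count the unsafe ones. */
static int count_rec(const struct path *rst, const struct path *enq, char *buf, int pos, int n1, int n2)
{
	int bad = 0;
	if (n1 == rst->n && n2 == enq->n) {
		buf[pos] = '\0';
		return run_schedule(rst, enq, buf) ? 0 : 1;
	}
	if (n1 < rst->n) { buf[pos] = '1'; bad += count_rec(rst, enq, buf, pos + 1, n1 + 1, n2); }
	if (n2 < enq->n) { buf[pos] = '2'; bad += count_rec(rst, enq, buf, pos + 1, n1, n2 + 1); }
	return bad;
}

int count_unsafe_interleavings(bool fixed)
{
	char buf[8];
	return count_rec(&paths[fixed][0], &paths[fixed][1], buf, 0, 0, 0);
}

int main(void)
{
	printf("schedule 2121 from the report, racy order: %s\n",
	       schedule_is_safe(false, "2121") ? "safe" : "UAF");
	printf("unsafe interleavings: racy=%d fixed=%d\n",
	       count_unsafe_interleavings(false), count_unsafe_interleavings(true));
	return 0;
}
```

The racy order is only wrong under some interleavings (both fully sequential orders, "1122" and "2211", stay safe), which is why the reproducer needs the delays; the reordered version is safe under every interleaving because each path drops exactly the reference it swapped out and the new reference is taken before anything is released.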