From patchwork Sat Oct 22 17:54:04 2022
X-Patchwork-Submitter: Hyunwoo Kim
X-Patchwork-Id: 7918
Date: Sat, 22 Oct 2022 10:54:04 -0700
From: Hyunwoo Kim
To: eli.billauer@gmail.com, arnd@arndb.de, gregkh@linuxfoundation.org
Cc: linux-kernel@vger.kernel.org
Subject: [PATCH] char: xillybus: Fix use-after-free in xillyusb_open()
Message-ID: <20221022175404.GA375335@ubuntu>

A race condition may occur if the user physically removes the USB device while calling open() for this device node. This is a race condition between the xillyusb_open() function and the xillyusb_disconnect() function, which may eventually result in UAF. So, add a mutex to the xillyusb_open() and xillyusb_disconnect() functions to avoid the race condition.

Signed-off-by: Hyunwoo Kim
---
 drivers/char/xillybus/xillyusb.c | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/drivers/char/xillybus/xillyusb.c b/drivers/char/xillybus/xillyusb.c index 39bcbfd908b4..d615f74dcf36 100644 --- a/drivers/char/xillybus/xillyusb.c +++ b/drivers/char/xillybus/xillyusb.c @@ -63,6 +63,7 @@ static const struct usb_device_id xillyusb_table[] = { }; MODULE_DEVICE_TABLE(usb, xillyusb_table); +static DEFINE_MUTEX(disconnect_mutex); struct xillyusb_dev; @@ -1237,9 +1238,13 @@ static int xillyusb_open(struct inode *inode, struct file *filp) int rc; int index; + mutex_lock(&disconnect_mutex); + rc = xillybus_find_inode(inode, (void **)&xdev, &index); - if (rc) + if (rc) { + mutex_unlock(&disconnect_mutex); return rc; + } chan = &xdev->channels[index]; filp->private_data = chan;
@@ -1379,6 +1384,8 @@ static int xillyusb_open(struct inode *inode, struct file *filp) request_read_anything(chan, OPCODE_SET_PUSH); } + mutex_unlock(&disconnect_mutex); + return 0; unfifo: @@ -1410,10 +1417,14 @@ static int xillyusb_open(struct inode *inode, struct file *filp) kref_put(&xdev->kref, cleanup_dev); + mutex_unlock(&disconnect_mutex); + return rc; unmutex_fail: mutex_unlock(&chan->lock); + mutex_unlock(&disconnect_mutex); + return rc; } @@ -1698,6 +1709,8 @@ static int xillyusb_release(struct inode *inode, struct file *filp) struct xillyusb_dev *xdev = chan->xdev; int rc_read = 0, rc_write = 0; + mutex_lock(&disconnect_mutex); + if (filp->f_mode & FMODE_READ) { struct xillyfifo *in_fifo = chan->in_fifo; @@ -1760,6 +1773,8 @@ static int xillyusb_release(struct inode *inode, struct file *filp) kref_put(&xdev->kref, cleanup_dev); + mutex_unlock(&disconnect_mutex); + return rc_read ? rc_read : rc_write; } @@ -2172,6 +2187,8 @@ static void xillyusb_disconnect(struct usb_interface *interface) int rc; int i; + mutex_lock(&disconnect_mutex); + xillybus_cleanup_chrdev(xdev, &interface->dev); /* @@ -2228,6 +2245,8 @@ static void xillyusb_disconnect(struct usb_interface *interface) xdev->dev = NULL; kref_put(&xdev->kref, cleanup_dev); + + mutex_unlock(&disconnect_mutex); } static struct usb_driver xillyusb_driver = {
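Review bot: The commit message describes a mutex added to xillyusb_open() and xillyusb_disconnect() only, but the @@ -1698 and @@ -1760 hunks also take disconnect_mutex across the whole of xillyusb_release(), from the FMODE_READ in_fifo handling through kref_put(&xdev->kref, cleanup_dev). The message should name release as well and state which window it closes there, otherwise a later reader will take the release hunks as unrelated or accidental.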
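Review bot: The new `+static DEFINE_MUTEX(disconnect_mutex);` in the @@ -63 hunk carries no comment saying what it protects, and because it is file-global it serializes open() and release() on every xillyusb device against each other and against the disconnect of any device, not just the one being opened. Please add a comment stating the invariant (xdev returned by xillybus_find_inode() cannot be torn down by xillyusb_disconnect() while a holder is in open()/release()) and the lock order it introduces: chan->lock is taken inside disconnect_mutex, as the unmutex_fail path shows by releasing `mutex_unlock(&chan->lock);` before `mutex_unlock(&disconnect_mutex);`, so nothing may take chan->lock first and then wait on disconnect_mutex.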
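Review bot: In the xillyusb_open() hunks (@@ -1237 through @@ -1410) disconnect_mutex is held for the entire open, including the FIFO setup before the unfifo label and request_read_anything(chan, OPCODE_SET_PUSH), while xillyusb_disconnect() now blocks on that same mutex before xillybus_cleanup_chrdev(). If any of that work waits on the device, a disconnect of the device being opened cannot run until open() gives up, so the unplug path is stalled by I/O to hardware that is already gone. The race the patch targets is the unpinned xdev between xillybus_find_inode() and `chan = &xdev->channels[index];`; consider holding the mutex only around the lookup plus taking a reference on xdev->kref (the kref already exists, as kref_put(&xdev->kref, cleanup_dev) shows), then dropping the mutex before the I/O. Independently, open() now has four separate unlock-and-return sites (after find_inode, on success, after kref_put, and at unmutex_fail); a single exit label would make it harder for a future error path to miss the unlock.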
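Review bot: The @@ -2172 and @@ -2228 hunks put the fix at the xillyusb_disconnect() caller, but the functions on both sides of the race, xillybus_find_inode() and xillybus_cleanup_chrdev(), carry the shared xillybus_ prefix and are not defined in this diff, so they appear to be common helpers rather than part of this driver. A mutex private to xillyusb.c leaves the same lookup-then-free window open for any other caller of xillybus_find_inode(). It is worth checking whether the race should instead be closed where the lookup and the chrdev cleanup live, for example by having the lookup return an object whose lifetime it already pins, with the driver-local mutex as a fallback only if that is not possible.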