Re: [PATCH v3] usb: gadget: configfs: Fix KASAN use-after-free

From: Macpaul Lin
Date: Fri Feb 10 2017 - 01:46:19 EST


Hi Jim,

> Jim Lin <jilin@xxxxxxxxxx> writes:
> > When gadget is disconnected, running sequence is like this.
> > . composite_disconnect
> > . Call trace:
> > usb_string_copy+0xd0/0x128
> > gadget_config_name_configuration_store+0x4
> > gadget_config_name_attr_store+0x40/0x50
> > configfs_write_file+0x198/0x1f4
> > vfs_write+0x100/0x220
> > SyS_write+0x58/0xa8
> > . configfs_composite_unbind
> > . configfs_composite_bind
> >

[deleted]

> > When "strlen(s->s)" of usb_gadget_get_string is being executed, the dangling
> > memory is accessed, and a "BUG: KASAN: use-after-free" error occurs.
> >
> > Signed-off-by: Jim Lin <jilin@xxxxxxxxxx>
> > ---
> > Changes in v2:
> > Changes in v3:
> > Change commit description
>
> well, I need to be sure you tested this with Linus' tree. The reason I'm
> asking is because this could be a bug caused by Android changes. From
> your previous patch, the problem started with android_setup().
>
> Please test with v4.10-rc4 and any configfs-based gadget.
>
> --
> balbi

I've got a similar problem on Android; however,
the Linux guys require you and other people to test your patch on pure Linux.
Since Linux is exactly a "PC" based OS, only common patches should be
committed to the Linux code base,
unless the bug is quite common in all 3 OSes: "Linux PC", "Android
Linux" and "Chromium OS".

I'm not sure about the difference between Chromium OS and Linux PC.
According to the CVE report, it looks like the change is from Chromium OS?
Does Nvidia have a pure Linux software team that can verify your patch on
your platform?
I think if you can prove the result is okay on Linux PC or on Chromium
OS, it will help.

--
Best regards,
Macpaul Lin