Re: [BUG] usb: serial: garmin_gps: A possible concurrency use-after-free bug

From: Jia-Ju Bai
Date: Thu Dec 20 2018 - 08:48:38 EST

Next message: Rob Herring: "Re: [PATCH v1 01/12] dt-bindings: usb: add support for dwc3 controller on HiSilicon SoCs"
Previous message: Matthias Schwarzott: "Re: [PATCH] media: si2165: fix a missing check of return value"
In reply to: Johan Hovold: "Re: [BUG] usb: serial: garmin_gps: A possible concurrency use-after-free bug"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2018/12/20 21:46, Johan Hovold wrote:

On Thu, Dec 20, 2018 at 09:41:16PM +0800, Jia-Ju Bai wrote:

In drivers/usb/serial/garmin_gps.c,
the functions garmin_read_bulk_callback() and garmin_write_bulk_callback()
may be concurrently executed.

In garmin_write_bulk_callback() on line 969:
kfree(urb->transfer_buffer);
In garmin_read_bulk_callback() on line 1165:
unsigned char *data = urb->transfer_buffer;
Thus, a concurrency use-after-free bug may occur.

No, they operate on different struct urb.

This possible bug is found by a static analysis tool written by myself.

Seems you need to update your tool. Please also make sure to review its
output before reporting anything.

Okay, thanks for your reply.
Sorry for my false positive...

Best wishes,
Jia-Ju Bai

Next message: Rob Herring: "Re: [PATCH v1 01/12] dt-bindings: usb: add support for dwc3 controller on HiSilicon SoCs"
Previous message: Matthias Schwarzott: "Re: [PATCH] media: si2165: fix a missing check of return value"
In reply to: Johan Hovold: "Re: [BUG] usb: serial: garmin_gps: A possible concurrency use-after-free bug"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]