KASAN: use-after-free Read in do_set_interface

From: Kyungtae Kim
Date: Wed Oct 28 2020 - 17:56:13 EST


We report a bug (in linux-5.8.13) found by FuzzUSB (a modified version
of syzkaller).

The bug happened when accessing a freed instance of struct fsg_dev
(i.e., fsg->bulk_in) in do_set_interface() (line 2245).

==================================================================
BUG: KASAN: use-after-free in do_set_interface.part.7+0xa6b/0xd90
drivers/usb/gadget/function/f_mass_storage.c:2245
Read of size 8 at addr ffff88806bc940f8 by task file-storage/2063

CPU: 3 PID: 2063 Comm: file-storage Not tainted 5.8.13 #4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xa7/0xea lib/dump_stack.c:118
print_address_description.constprop.8+0x3f/0x60 mm/kasan/report.c:383
kasan_report.cold.11+0x20/0x37 mm/kasan/report.c:513
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:146
do_set_interface.part.7+0xa6b/0xd90
drivers/usb/gadget/function/f_mass_storage.c:2245
do_set_interface drivers/usb/gadget/function/f_mass_storage.c:2202 [inline]
handle_exception drivers/usb/gadget/function/f_mass_storage.c:2426 [inline]
fsg_main_thread+0x12c7/0x59f1 drivers/usb/gadget/function/f_mass_storage.c:2466
kthread+0x374/0x480 kernel/kthread.c:291
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

Allocated by task 1910:
save_stack+0x21/0x50 mm/kasan/common.c:48
set_track mm/kasan/common.c:56 [inline]
__kasan_kmalloc mm/kasan/common.c:494 [inline]
__kasan_kmalloc.constprop.6+0xc7/0xd0 mm/kasan/common.c:467
kasan_kmalloc+0x9/0x10 mm/kasan/common.c:508
kmem_cache_alloc_trace+0x139/0x330 mm/slub.c:2851
kzalloc ./include/linux/slab.h:555 [inline]
fsg_alloc+0x77/0x290 drivers/usb/gadget/function/f_mass_storage.c:3417
usb_get_function+0x58/0xc0 drivers/usb/gadget/functions.c:61
config_usb_cfg_link+0x1ed/0x3a0 drivers/usb/gadget/configfs.c:435
configfs_symlink+0x4f5/0xf10 fs/configfs/symlink.c:202
vfs_symlink fs/namei.c:3953 [inline]
vfs_symlink+0x304/0x540 fs/namei.c:3939
do_symlinkat+0x104/0x1a0 fs/namei.c:3980
__do_sys_symlinkat fs/namei.c:3994 [inline]
__se_sys_symlinkat fs/namei.c:3991 [inline]
__x64_sys_symlinkat+0x6e/0xb0 fs/namei.c:3991
do_syscall_64+0x54/0xa0 arch/x86/entry/common.c:392
entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 2072:
save_stack+0x21/0x50 mm/kasan/common.c:48
set_track mm/kasan/common.c:56 [inline]
kasan_set_free_info mm/kasan/common.c:316 [inline]
__kasan_slab_free+0x139/0x190 mm/kasan/common.c:455
kasan_slab_free+0xe/0x10 mm/kasan/common.c:464
slab_free_hook mm/slub.c:1474 [inline]
slab_free_freelist_hook mm/slub.c:1507 [inline]
slab_free mm/slub.c:3072 [inline]
kfree+0xef/0x3d0 mm/slub.c:4052
fsg_free+0x84/0xa0 drivers/usb/gadget/function/f_mass_storage.c:3408
usb_put_function+0x38/0x50 drivers/usb/gadget/functions.c:87
config_usb_cfg_unlink+0x2e9/0x3a0 drivers/usb/gadget/configfs.c:476
configfs_unlink+0x379/0x77e fs/configfs/symlink.c:250
vfs_unlink+0x241/0x550 fs/namei.c:3825
do_unlinkat+0x3e7/0x610 fs/namei.c:3889
__do_sys_unlink fs/namei.c:3936 [inline]
__se_sys_unlink fs/namei.c:3934 [inline]
__x64_sys_unlink+0x3d/0x50 fs/namei.c:3934
do_syscall_64+0x54/0xa0 arch/x86/entry/common.c:392
entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff88806bc94000
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 248 bytes inside of
512-byte region [ffff88806bc94000, ffff88806bc94200)
The buggy address belongs to the page:
page:ffffea0001af2500 refcount:1 mapcount:0 mapping:0000000000000000
index:0x0 head:ffffea0001af2500 order:2 compound_mapcount:0
compound_pincount:0
flags: 0x100000000010200(slab|head)
raw: 0100000000010200 dead000000000100 dead000000000122 ffff88806c40e580
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff88806bc93f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88806bc94000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88806bc94080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88806bc94100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88806bc94180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Regards,
Kyungtae Kim
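The report above is the kind of artifact a kernel maintainer or a fuzzing triage pipeline has to read many times a day, and most of the useful facts are cross-checkable against each other: the faulting address minus the object base must equal the printed offset, the access must fit inside the object, and a "use-after-free" verdict must agree with the shadow byte for that address. The following Python helper is an added example written for this page; it is not part of Kyungtae Kim's message, FuzzUSB or the kernel tree. It assumes the generic-mode KASAN report layout used by the message (one shadow byte per 8 bytes of memory, each dumped row covering 128 bytes, 0xfb marking a freed slab object and 0xfc a slab redzone) and uses an abridged copy of the report from the message as its constructed sample input, including the mail wrap that splits the `BUG:` line from its file:line.

```python
"""Triage helper for a generic-mode KASAN slab report.

Parses the header, the allocation/free stacks and the shadow-memory dump,
then cross-checks the printed offset against the address arithmetic and
the shadow byte for the faulting address.
"""
import re

SHADOW_GRANULE = 8        # generic KASAN: one shadow byte covers 8 bytes of memory
SHADOW_MEANING = {        # values from the KASAN generic-mode report legend
    0x00: "addressable",
    0xfb: "freed slab object",
    0xfc: "slab object redzone",
}

# Constructed sample input: abridged from the report in the message above.
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in do_set_interface.part.7+0xa6b/0xd90
drivers/usb/gadget/function/f_mass_storage.c:2245
Read of size 8 at addr ffff88806bc940f8 by task file-storage/2063

Allocated by task 1910:
save_stack+0x21/0x50 mm/kasan/common.c:48
kasan_kmalloc+0x9/0x10 mm/kasan/common.c:508
kmem_cache_alloc_trace+0x139/0x330 mm/slub.c:2851
kzalloc ./include/linux/slab.h:555 [inline]
fsg_alloc+0x77/0x290 drivers/usb/gadget/function/f_mass_storage.c:3417
usb_get_function+0x58/0xc0 drivers/usb/gadget/functions.c:61

Freed by task 2072:
save_stack+0x21/0x50 mm/kasan/common.c:48
kasan_slab_free+0xe/0x10 mm/kasan/common.c:464
kfree+0xef/0x3d0 mm/slub.c:4052
fsg_free+0x84/0xa0 drivers/usb/gadget/function/f_mass_storage.c:3408
usb_put_function+0x38/0x50 drivers/usb/gadget/functions.c:87

The buggy address belongs to the object at ffff88806bc94000
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 248 bytes inside of
512-byte region [ffff88806bc94000, ffff88806bc94200)

Memory state around the buggy address:
ffff88806bc93f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88806bc94000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88806bc94080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88806bc94100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""


def shadow_meaning(byte):
    if 1 <= byte <= 7:
        return "partially addressable (%d bytes)" % byte
    return SHADOW_MEANING.get(byte, "other (0x%02x)" % byte)


def _stack(text, header_re):
    """Return (task id, frames) for an 'Allocated by'/'Freed by' block."""
    m = re.search(header_re + r"\n(.*?)\n\n", text, re.S)
    if not m:
        return None, []
    return int(m.group(1)), m.group(2).splitlines()


def _first_driver_frame(frames):
    """Skip KASAN and allocator plumbing; return the first frame elsewhere."""
    for frame in frames:
        if not re.search(r"mm/kasan/|mm/slub\.c|mm/slab|include/linux/slab\.h", frame):
            return frame
    return None


def _shadow_map(text):
    """Map each dumped shadow row (128 bytes of memory) to its 16 byte values."""
    rows = {}
    for m in re.finditer(r"^>?\s*([0-9a-f]{16}): ((?:[0-9a-f]{2}\s?){16})$", text, re.M):
        rows[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return rows


def shadow_byte_for(rows, addr):
    base = addr & ~(SHADOW_GRANULE * 16 - 1)
    row = rows.get(base)
    return None if row is None else row[(addr - base) // SHADOW_GRANULE]


def parse_kasan_report(text):
    head = re.search(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+)\s+(?P<loc>\S+:\d+)", text)
    acc = re.search(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)", text)
    obj = re.search(r"object at (?P<base>[0-9a-f]+)\s+which belongs to the cache (?P<cache>\S+) of size (?P<osize>\d+)", text)
    off = re.search(r"located (?P<off>\d+) bytes inside of\s+(?P<rsize>\d+)-byte region", text)
    if not (head and acc and obj and off):
        raise ValueError("not a slab-object KASAN report")
    addr, base = int(acc["addr"], 16), int(obj["base"], 16)
    alloc_task, alloc_frames = _stack(text, r"Allocated by task (\d+):")
    free_task, free_frames = _stack(text, r"Freed by task (\d+):")
    shadow = shadow_byte_for(_shadow_map(text), addr)
    r = {
        "kind": head["kind"], "func": head["func"], "location": head["loc"],
        "access": acc["rw"], "size": int(acc["size"]), "addr": addr,
        "access_task": acc["task"], "object_base": base, "cache": obj["cache"],
        "object_size": int(obj["osize"]), "offset": addr - base,
        "reported_offset": int(off["off"]),
        "alloc_task": alloc_task, "alloc_site": _first_driver_frame(alloc_frames),
        "free_task": free_task, "free_site": _first_driver_frame(free_frames),
        "shadow_byte": shadow,
        "shadow_meaning": None if shadow is None else shadow_meaning(shadow),
    }
    # Cross-checks: computed offset matches the printed one, the access fits
    # inside the object, and a use-after-free verdict agrees with the shadow byte.
    r["consistent"] = (r["offset"] == r["reported_offset"]
                       and r["offset"] + r["size"] <= r["object_size"]
                       and (r["kind"] != "use-after-free" or shadow == 0xfb))
    return r


if __name__ == "__main__":
    result = parse_kasan_report(SAMPLE_REPORT)
    for key in ("kind", "location", "cache", "offset", "alloc_site",
                "free_site", "shadow_meaning", "consistent"):
        print("%-15s %s" % (key, result[key]))
```

For this report the helper confirms that `0xffff88806bc940f8 - 0xffff88806bc94000` is the 248 bytes KASAN printed, that the 8-byte read lies inside the 512-byte `kmalloc-512` object, and that the shadow byte at the address is `fb`, so the object had already been returned by `fsg_free()` (task 2072) when `do_set_interface()` (task `file-storage/2063`) dereferenced it. Running it over a directory of reports gives a quick way to deduplicate by `(alloc_site, free_site, location)` rather than by the raw addresses, which change between runs.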