Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/sys/dev/usb Reset ud_ifaces and ud_cdesc to NULL, to prevent...



details:   https://anonhg.NetBSD.org/src/rev/aa8f5c5ae5e0
branches:  trunk
changeset: 1010663:aa8f5c5ae5e0
user:      maxv <maxv%NetBSD.org@localhost>
date:      Sun May 31 18:33:08 2020 +0000

description:
Reset ud_ifaces and ud_cdesc to NULL, to prevent use-after-free in
usb_free_device().

Reported-by: syzbot+c7e74d0ae89e9f08f863%syzkaller.appspotmail.com@localhost

diffstat:

 sys/dev/usb/usb_subr.c |  13 ++++++++++---
 1 files changed, 10 insertions(+), 3 deletions(-)

diffs (41 lines):

diff -r c4f92215e65d -r aa8f5c5ae5e0 sys/dev/usb/usb_subr.c
--- a/sys/dev/usb/usb_subr.c    Sun May 31 18:20:23 2020 +0000
+++ b/sys/dev/usb/usb_subr.c    Sun May 31 18:33:08 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: usb_subr.c,v 1.246 2020/05/31 18:20:23 jdolecek Exp $  */
+/*     $NetBSD: usb_subr.c,v 1.247 2020/05/31 18:33:08 maxv Exp $      */
 /*     $FreeBSD: src/sys/dev/usb/usb_subr.c,v 1.18 1999/11/17 22:33:47 n_hibma Exp $   */
 
 /*
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: usb_subr.c,v 1.246 2020/05/31 18:20:23 jdolecek Exp $");
+__KERNEL_RCSID(0, "$NetBSD: usb_subr.c,v 1.247 2020/05/31 18:33:08 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_compat_netbsd.h"
@@ -734,14 +734,21 @@
                if (err) {
                        while (--ifcidx >= 0)
                                usbd_free_iface_data(dev, ifcidx);
+                       kmem_free(dev->ud_ifaces,
+                           nifc * sizeof(struct usbd_interface));
+                       dev->ud_ifaces = NULL;
                        goto bad;
                }
        }
 
        return USBD_NORMAL_COMPLETION;
 
- bad:
+bad:
+       /* XXX Use usbd_set_config() to reset the config? */
+       /* XXX Should we forbid USB_UNCONFIG_NO from bConfigurationValue? */
+       dev->ud_config = USB_UNCONFIG_NO;
        kmem_free(cdp, len);
+       dev->ud_cdesc = NULL;
        if (bdp != NULL) {
                kmem_free(bdp, UGETW(bdp->wTotalLength));
                dev->ud_bdesc = NULL;



Home | Main Index | Thread Index | Old Index