[thirdparty/kernel/stable-queue.git] / queue-6.8 / usb-gadget-f_ncm-fix-uaf-ncm-object-at-re-bind-after-usb-ep-transport-error.patch

From 6334b8e4553cc69f51e383c9de545082213d785e Mon Sep 17 00:00:00 2001
From: Norihiko Hama <Norihiko.Hama@alpsalpine.com>
Date: Wed, 27 Mar 2024 11:35:50 +0900
Subject: usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error

From: Norihiko Hama <Norihiko.Hama@alpsalpine.com>

commit 6334b8e4553cc69f51e383c9de545082213d785e upstream.

When ncm function is working and then stop usb0 interface for link down,
eth_stop() is called. At this piont, accidentally if usb transport error
should happen in usb_ep_enable(), 'in_ep' and/or 'out_ep' may not be enabled.

After that, ncm_disable() is called to disable for ncm unbind
but gether_disconnect() is never called since 'in_ep' is not enabled.

As the result, ncm object is released in ncm unbind
but 'dev->port_usb' associated to 'ncm->port' is not NULL.

And when ncm bind again to recover netdev, ncm object is reallocated
but usb0 interface is already associated to previous released ncm object.

Therefore, once usb0 interface is up and eth_start_xmit() is called,
released ncm object is dereferrenced and it might cause use-after-free memory.

[function unlink via configfs]
  usb0: eth_stop dev->port_usb=ffffff9b179c3200
  --> error happens in usb_ep_enable().
  NCM: ncm_disable: ncm=ffffff9b179c3200
  --> no gether_disconnect() since ncm->port.in_ep->enabled is false.
  NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200
  NCM: ncm_free: ncm free ncm=ffffff9b179c3200   <-- released ncm

[function link via configfs]
  NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000
  NCM: ncm_bind: ncm bind ncm=ffffff9ac4f8a000
  NCM: ncm_set_alt: ncm=ffffff9ac4f8a000 alt=0
  usb0: eth_open dev->port_usb=ffffff9b179c3200  <-- previous released ncm
  usb0: eth_start dev->port_usb=ffffff9b179c3200 <--
  eth_start_xmit()
  --> dev->wrap()
  Unable to handle kernel paging request at virtual address dead00000000014f

This patch addresses the issue by checking if 'ncm->netdev' is not NULL at
ncm_disable() to call gether_disconnect() to deassociate 'dev->port_usb'.
It's more reasonable to check 'ncm->netdev' to call gether_connect/disconnect
rather than check 'ncm->port.in_ep->enabled' since it might not be enabled
but the gether connection might be established.

Signed-off-by: Norihiko Hama <Norihiko.Hama@alpsalpine.com>
Cc: stable <stable@kernel.org>
Link: https://lore.kernel.org/r/20240327023550.51214-1-Norihiko.Hama@alpsalpine.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/function/f_ncm.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/gadget/function/f_ncm.c
+++ b/drivers/usb/gadget/function/f_ncm.c
@@ -878,7 +878,7 @@ static int ncm_set_alt(struct usb_functi
 		if (alt > 1)
 			goto fail;
 
-		if (ncm->port.in_ep->enabled) {
+		if (ncm->netdev) {
 			DBG(cdev, "reset ncm\n");
 			ncm->netdev = NULL;
 			gether_disconnect(&ncm->port);
@@ -1367,7 +1367,7 @@ static void ncm_disable(struct usb_funct
 
 	DBG(cdev, "ncm deactivated\n");
 
-	if (ncm->port.in_ep->enabled) {
+	if (ncm->netdev) {
 		ncm->netdev = NULL;
 		gether_disconnect(&ncm->port);
 	}
Commit	Line	Data
5c17fab8 GKH	1	From 6334b8e4553cc69f51e383c9de545082213d785e Mon Sep 17 00:00:00 2001
	2	From: Norihiko Hama <Norihiko.Hama@alpsalpine.com>
	3	Date: Wed, 27 Mar 2024 11:35:50 +0900
	4	Subject: usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error
	5
	6	From: Norihiko Hama <Norihiko.Hama@alpsalpine.com>
	7
	8	commit 6334b8e4553cc69f51e383c9de545082213d785e upstream.
	9
	10	When ncm function is working and then stop usb0 interface for link down,
	11	eth_stop() is called. At this piont, accidentally if usb transport error
	12	should happen in usb_ep_enable(), 'in_ep' and/or 'out_ep' may not be enabled.
	13
	14	After that, ncm_disable() is called to disable for ncm unbind
	15	but gether_disconnect() is never called since 'in_ep' is not enabled.
	16
	17	As the result, ncm object is released in ncm unbind
	18	but 'dev->port_usb' associated to 'ncm->port' is not NULL.
	19
	20	And when ncm bind again to recover netdev, ncm object is reallocated
	21	but usb0 interface is already associated to previous released ncm object.
	22
	23	Therefore, once usb0 interface is up and eth_start_xmit() is called,
	24	released ncm object is dereferrenced and it might cause use-after-free memory.
	25
	26	[function unlink via configfs]
	27	usb0: eth_stop dev->port_usb=ffffff9b179c3200
	28	--> error happens in usb_ep_enable().
	29	NCM: ncm_disable: ncm=ffffff9b179c3200
	30	--> no gether_disconnect() since ncm->port.in_ep->enabled is false.
	31	NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200
	32	NCM: ncm_free: ncm free ncm=ffffff9b179c3200 <-- released ncm
	33
	34	[function link via configfs]
	35	NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000
	36	NCM: ncm_bind: ncm bind ncm=ffffff9ac4f8a000
	37	NCM: ncm_set_alt: ncm=ffffff9ac4f8a000 alt=0
	38	usb0: eth_open dev->port_usb=ffffff9b179c3200 <-- previous released ncm
	39	usb0: eth_start dev->port_usb=ffffff9b179c3200 <--
	40	eth_start_xmit()
	41	--> dev->wrap()
	42	Unable to handle kernel paging request at virtual address dead00000000014f
	43
	44	This patch addresses the issue by checking if 'ncm->netdev' is not NULL at
	45	ncm_disable() to call gether_disconnect() to deassociate 'dev->port_usb'.
	46	It's more reasonable to check 'ncm->netdev' to call gether_connect/disconnect
	47	rather than check 'ncm->port.in_ep->enabled' since it might not be enabled
	48	but the gether connection might be established.
	49
	50	Signed-off-by: Norihiko Hama <Norihiko.Hama@alpsalpine.com>
	51	Cc: stable <stable@kernel.org>
	52	Link: https://lore.kernel.org/r/20240327023550.51214-1-Norihiko.Hama@alpsalpine.com
	53	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	54	---
	55	drivers/usb/gadget/function/f_ncm.c \| 4 ++--
	56	1 file changed, 2 insertions(+), 2 deletions(-)
	57
	58	--- a/drivers/usb/gadget/function/f_ncm.c
	59	+++ b/drivers/usb/gadget/function/f_ncm.c
	60	@@ -878,7 +878,7 @@ static int ncm_set_alt(struct usb_functi
	61	if (alt > 1)
	62	goto fail;
	63
	64	- if (ncm->port.in_ep->enabled) {
65	+ if (ncm->netdev) {
66	DBG(cdev, "reset ncm\n");
67	ncm->netdev = NULL;
68	gether_disconnect(&ncm->port);
69	@@ -1367,7 +1367,7 @@ static void ncm_disable(struct usb_funct
70
71	DBG(cdev, "ncm deactivated\n");
72
73	- if (ncm->port.in_ep->enabled) {
74	+ if (ncm->netdev) {
75	ncm->netdev = NULL;
76	gether_disconnect(&ncm->port);
77	}