cve/published/2021/CVE-2021-46933.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-46933: usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.

 ffs_data_clear is indirectly called from both ffs_fs_kill_sb and
 ffs_ep0_release, so it ends up being called twice when userland closes ep0
 and then unmounts f_fs.
 If userland provided an eventfd along with function's USB descriptors, it
 ends up calling eventfd_ctx_put as many times, causing a refcount
 underflow.
 NULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls.

 Also, set epfiles to NULL right after de-allocating it, for readability.

 For completeness, ffs_data_clear actually ends up being called thrice, the
 last call being before the whole ffs structure gets freed, so when this
 specific sequence happens there is a second underflow happening (but not
 being reported):

 /sys/kernel/debug/tracing# modprobe usb_f_fs
 /sys/kernel/debug/tracing# echo ffs_data_clear > set_ftrace_filter
 /sys/kernel/debug/tracing# echo function > current_tracer
 /sys/kernel/debug/tracing# echo 1 > tracing_on
 (setup gadget, run and kill function userland process, teardown gadget)
 /sys/kernel/debug/tracing# echo 0 > tracing_on
 /sys/kernel/debug/tracing# cat trace
  smartcard-openp-436     [000] .....  1946.208786: ffs_data_clear <-ffs_data_closed
  smartcard-openp-431     [000] .....  1946.279147: ffs_data_clear <-ffs_data_closed
  smartcard-openp-431     [000] .n...  1946.905512: ffs_data_clear <-ffs_data_put

 Warning output corresponding to above trace:
 [ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c
 [ 1946.293094] refcount_t: underflow; use-after-free.
 [ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E)
 [ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G         C OE     5.15.0-1-rpi #1  Debian 5.15.3-1
 [ 1946.417950] Hardware name: BCM2835
 [ 1946.425442] Backtrace:
 [ 1946.432048] [<c08d60a0>] (dump_backtrace) from [<c08d62ec>] (show_stack+0x20/0x24)
 [ 1946.448226]  r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c
 [ 1946.458412] [<c08d62cc>] (show_stack) from [<c08d9ae0>] (dump_stack+0x28/0x30)
 [ 1946.470380] [<c08d9ab8>] (dump_stack) from [<c0123500>] (__warn+0xe8/0x154)
 [ 1946.482067]  r5:c04a948c r4:c0a71dc8
 [ 1946.490184] [<c0123418>] (__warn) from [<c08d6948>] (warn_slowpath_fmt+0xa0/0xe4)
 [ 1946.506758]  r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04
 [ 1946.517070] [<c08d68ac>] (warn_slowpath_fmt) from [<c04a948c>] (refcount_warn_saturate+0x110/0x15c)
 [ 1946.535309]  r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0
 [ 1946.546708] [<c04a937c>] (refcount_warn_saturate) from [<c0380134>] (eventfd_ctx_put+0x48/0x74)
 [ 1946.564476] [<c03800ec>] (eventfd_ctx_put) from [<bf5464e8>] (ffs_data_clear+0xd0/0x118 [usb_f_fs])
 [ 1946.582664]  r5:c3b84c00 r4:c2695b00
 [ 1946.590668] [<bf546418>] (ffs_data_clear [usb_f_fs]) from [<bf547cc0>] (ffs_data_closed+0x9c/0x150 [usb_f_fs])
 [ 1946.609608]  r5:bf54d014 r4:c2695b00
 [ 1946.617522] [<bf547c24>] (ffs_data_closed [usb_f_fs]) from [<bf547da0>] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs])
 [ 1946.636217]  r7:c0dfcb84 r6:c3a12260 r5:bf54d014 r4:c229f000
 [ 1946.646273] [<bf547d74>] (ffs_fs_kill_sb [usb_f_fs]) from [<c0326d50>] (deactivate_locked_super+0x54/0x9c)
 [ 1946.664893]  r5:bf54d014 r4:c229f000
 [ 1946.672921] [<c0326cfc>] (deactivate_locked_super) from [<c0326df8>] (deactivate_super+0x60/0x64)
 [ 1946.690722]  r5:c2a09000 r4:c229f000
 [ 1946.698706] [<c0326d98>] (deactivate_super) from [<c0349a28>] (cleanup_mnt+0xe4/0x14c)
 [ 1946.715553]  r5:c2a09000 r4:00000000
 [ 1946.723528] [<c0349944>] (cleanup_mnt) from [<c0349b08>] (__cleanup_mnt+0x1c/0x20)
 [ 1946.739922]  r7:c0dfcb84 r6:c3a12260 r5:c3a126fc r4:00000000
 [ 1946.750088] [<c0349aec>] (__cleanup_mnt) from [<c0143d10>] (task_work_run+0x84/0xb8)
 [ 1946.766602] [<c0143c8c>] (task_work_run) from [<c010bdc8>] (do_work_pending+0x470/0x56c)
 [ 1946.783540]  r7:5ac3c35a r6:c0d0424c r5:c200bfb0 r4:c200a000
 [ 1946.793614] [<c010b958>] (do_work_pending) from [<c01000c0>] (slow_work_pending+0xc/0x20)
 [ 1946.810553] Exception stack(0xc200bfb0 to 0xc200bff8)
 [ 1946.820129] bfa0:                                     00000000 00000000 000000aa b5e21430
 [ 1946.837104] bfc0: bef867a0 00000001 bef86840 00000034 bef86838 bef86790 bef86794 bef867a0
 [ 1946.854125] bfe0: 00000000 bef86798 b67b7a1c b6d626a4 60000010 b5a23760
 [ 1946.865335]  r10:00000000 r9:c200a000 r8:c0100224 r7:00000034 r6:bef86840 r5:00000001
 [ 1946.881914]  r4:bef867a0
 [ 1946.888793] ---[ end trace 7387f2a9725b28d0 ]---

 The Linux kernel CVE team has assigned CVE-2021-46933 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.0 with commit 5e33f6fdf735cda1d4580fe6f1878da05718fe73 and fixed in 4.4.298 with commit f976dd7011150244a7ba820f2c331e9fb253befa
 	Issue introduced in 4.0 with commit 5e33f6fdf735cda1d4580fe6f1878da05718fe73 and fixed in 4.9.296 with commit cc8c8028c21b2a3842a1e98e99e55028df275919
 	Issue introduced in 4.0 with commit 5e33f6fdf735cda1d4580fe6f1878da05718fe73 and fixed in 4.14.261 with commit 52500239e3f2d6fc77b6f58632a9fb98fe74ac09
 	Issue introduced in 4.0 with commit 5e33f6fdf735cda1d4580fe6f1878da05718fe73 and fixed in 4.19.224 with commit 33f6a0cbb7772146e1c11f38028fffbfed14728b
 	Issue introduced in 4.0 with commit 5e33f6fdf735cda1d4580fe6f1878da05718fe73 and fixed in 5.4.170 with commit 240fc586e83d645912accce081a48aa63a45f6ee
 	Issue introduced in 4.0 with commit 5e33f6fdf735cda1d4580fe6f1878da05718fe73 and fixed in 5.10.90 with commit 1c4ace3e6b8575745c50dca9e76e0021e697d645
 	Issue introduced in 4.0 with commit 5e33f6fdf735cda1d4580fe6f1878da05718fe73 and fixed in 5.15.13 with commit ebef2aa29f370b5096c16020c104e393192ef684
 	Issue introduced in 4.0 with commit 5e33f6fdf735cda1d4580fe6f1878da05718fe73 and fixed in 5.16 with commit b1e0887379422975f237d43d8839b751a6bcf154

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-46933
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/usb/gadget/function/f_fs.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa
 	https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919
 	https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09
 	https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b
 	https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee
 	https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645
 	https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684
 	https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-46933: usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.

	ffs_data_clear is indirectly called from both ffs_fs_kill_sb and
	ffs_ep0_release, so it ends up being called twice when userland closes ep0
	and then unmounts f_fs.
	If userland provided an eventfd along with function's USB descriptors, it
	ends up calling eventfd_ctx_put as many times, causing a refcount
	underflow.
	NULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls.

	Also, set epfiles to NULL right after de-allocating it, for readability.

	For completeness, ffs_data_clear actually ends up being called thrice, the
	last call being before the whole ffs structure gets freed, so when this
	specific sequence happens there is a second underflow happening (but not
	being reported):

	/sys/kernel/debug/tracing# modprobe usb_f_fs
	/sys/kernel/debug/tracing# echo ffs_data_clear > set_ftrace_filter
	/sys/kernel/debug/tracing# echo function > current_tracer
	/sys/kernel/debug/tracing# echo 1 > tracing_on
	(setup gadget, run and kill function userland process, teardown gadget)
	/sys/kernel/debug/tracing# echo 0 > tracing_on
	/sys/kernel/debug/tracing# cat trace
	smartcard-openp-436 [000] ..... 1946.208786: ffs_data_clear <-ffs_data_closed
	smartcard-openp-431 [000] ..... 1946.279147: ffs_data_clear <-ffs_data_closed
	smartcard-openp-431 [000] .n... 1946.905512: ffs_data_clear <-ffs_data_put

	Warning output corresponding to above trace:
	[ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c
	[ 1946.293094] refcount_t: underflow; use-after-free.
	[ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E)
	[ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G C OE 5.15.0-1-rpi #1 Debian 5.15.3-1
	[ 1946.417950] Hardware name: BCM2835
	[ 1946.425442] Backtrace:
	[ 1946.432048] [<c08d60a0>] (dump_backtrace) from [<c08d62ec>] (show_stack+0x20/0x24)
	[ 1946.448226] r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c
	[ 1946.458412] [<c08d62cc>] (show_stack) from [<c08d9ae0>] (dump_stack+0x28/0x30)
	[ 1946.470380] [<c08d9ab8>] (dump_stack) from [<c0123500>] (__warn+0xe8/0x154)
	[ 1946.482067] r5:c04a948c r4:c0a71dc8
	[ 1946.490184] [<c0123418>] (__warn) from [<c08d6948>] (warn_slowpath_fmt+0xa0/0xe4)
	[ 1946.506758] r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04
	[ 1946.517070] [<c08d68ac>] (warn_slowpath_fmt) from [<c04a948c>] (refcount_warn_saturate+0x110/0x15c)
	[ 1946.535309] r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0
	[ 1946.546708] [<c04a937c>] (refcount_warn_saturate) from [<c0380134>] (eventfd_ctx_put+0x48/0x74)
	[ 1946.564476] [<c03800ec>] (eventfd_ctx_put) from [<bf5464e8>] (ffs_data_clear+0xd0/0x118 [usb_f_fs])
	[ 1946.582664] r5:c3b84c00 r4:c2695b00
	[ 1946.590668] [<bf546418>] (ffs_data_clear [usb_f_fs]) from [<bf547cc0>] (ffs_data_closed+0x9c/0x150 [usb_f_fs])
	[ 1946.609608] r5:bf54d014 r4:c2695b00
	[ 1946.617522] [<bf547c24>] (ffs_data_closed [usb_f_fs]) from [<bf547da0>] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs])
	[ 1946.636217] r7:c0dfcb84 r6:c3a12260 r5:bf54d014 r4:c229f000
	[ 1946.646273] [<bf547d74>] (ffs_fs_kill_sb [usb_f_fs]) from [<c0326d50>] (deactivate_locked_super+0x54/0x9c)
	[ 1946.664893] r5:bf54d014 r4:c229f000
	[ 1946.672921] [<c0326cfc>] (deactivate_locked_super) from [<c0326df8>] (deactivate_super+0x60/0x64)
	[ 1946.690722] r5:c2a09000 r4:c229f000
	[ 1946.698706] [<c0326d98>] (deactivate_super) from [<c0349a28>] (cleanup_mnt+0xe4/0x14c)
	[ 1946.715553] r5:c2a09000 r4:00000000
	[ 1946.723528] [<c0349944>] (cleanup_mnt) from [<c0349b08>] (__cleanup_mnt+0x1c/0x20)
	[ 1946.739922] r7:c0dfcb84 r6:c3a12260 r5:c3a126fc r4:00000000
	[ 1946.750088] [<c0349aec>] (__cleanup_mnt) from [<c0143d10>] (task_work_run+0x84/0xb8)
	[ 1946.766602] [<c0143c8c>] (task_work_run) from [<c010bdc8>] (do_work_pending+0x470/0x56c)
	[ 1946.783540] r7:5ac3c35a r6:c0d0424c r5:c200bfb0 r4:c200a000
	[ 1946.793614] [<c010b958>] (do_work_pending) from [<c01000c0>] (slow_work_pending+0xc/0x20)
	[ 1946.810553] Exception stack(0xc200bfb0 to 0xc200bff8)
	[ 1946.820129] bfa0: 00000000 00000000 000000aa b5e21430
	[ 1946.837104] bfc0: bef867a0 00000001 bef86840 00000034 bef86838 bef86790 bef86794 bef867a0
	[ 1946.854125] bfe0: 00000000 bef86798 b67b7a1c b6d626a4 60000010 b5a23760
	[ 1946.865335] r10:00000000 r9:c200a000 r8:c0100224 r7:00000034 r6:bef86840 r5:00000001
	[ 1946.881914] r4:bef867a0
	[ 1946.888793] ---[ end trace 7387f2a9725b28d0 ]---

	The Linux kernel CVE team has assigned CVE-2021-46933 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.0 with commit 5e33f6fdf735cda1d4580fe6f1878da05718fe73 and fixed in 4.4.298 with commit f976dd7011150244a7ba820f2c331e9fb253befa
	Issue introduced in 4.0 with commit 5e33f6fdf735cda1d4580fe6f1878da05718fe73 and fixed in 4.9.296 with commit cc8c8028c21b2a3842a1e98e99e55028df275919
	Issue introduced in 4.0 with commit 5e33f6fdf735cda1d4580fe6f1878da05718fe73 and fixed in 4.14.261 with commit 52500239e3f2d6fc77b6f58632a9fb98fe74ac09
	Issue introduced in 4.0 with commit 5e33f6fdf735cda1d4580fe6f1878da05718fe73 and fixed in 4.19.224 with commit 33f6a0cbb7772146e1c11f38028fffbfed14728b
	Issue introduced in 4.0 with commit 5e33f6fdf735cda1d4580fe6f1878da05718fe73 and fixed in 5.4.170 with commit 240fc586e83d645912accce081a48aa63a45f6ee
	Issue introduced in 4.0 with commit 5e33f6fdf735cda1d4580fe6f1878da05718fe73 and fixed in 5.10.90 with commit 1c4ace3e6b8575745c50dca9e76e0021e697d645
	Issue introduced in 4.0 with commit 5e33f6fdf735cda1d4580fe6f1878da05718fe73 and fixed in 5.15.13 with commit ebef2aa29f370b5096c16020c104e393192ef684
	Issue introduced in 4.0 with commit 5e33f6fdf735cda1d4580fe6f1878da05718fe73 and fixed in 5.16 with commit b1e0887379422975f237d43d8839b751a6bcf154

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-46933
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/usb/gadget/function/f_fs.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/f976dd7011150244a7ba820f2c331e9fb253befa
	https://git.kernel.org/stable/c/cc8c8028c21b2a3842a1e98e99e55028df275919
	https://git.kernel.org/stable/c/52500239e3f2d6fc77b6f58632a9fb98fe74ac09
	https://git.kernel.org/stable/c/33f6a0cbb7772146e1c11f38028fffbfed14728b
	https://git.kernel.org/stable/c/240fc586e83d645912accce081a48aa63a45f6ee
	https://git.kernel.org/stable/c/1c4ace3e6b8575745c50dca9e76e0021e697d645
	https://git.kernel.org/stable/c/ebef2aa29f370b5096c16020c104e393192ef684
	https://git.kernel.org/stable/c/b1e0887379422975f237d43d8839b751a6bcf154