Bug 1831726 (CVE-2020-12464)

Summary: CVE-2020-12464 kernel: use-after-free in usb_sg_cancel function in drivers/usb/core/message.c
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: acaringi, airlied, bhu, blc, bmasney, dvlasenk, hdegoede, hkrzesin, ichavero, itamar, jarodwilson, jeremy, jforbes, jlelli, john.j5live, jonathan, josef, jross, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, mchehab, mjg59, mlangsdo, nmurray, ptalbert, qzhao, rkeshri, rt-maint, rvrbovsk, steved, williams
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in usb_sg_cancel in drivers/usb/core/message.c in the USB core subsystem. This flaw allows a local attacker with special user privileges or root to crash the system due to a race between scatter-gather cancellation and transfer completion in usb_sg_wait. This vulnerability can also lead to a leak of internal kernel information.
Bug Depends On: 1831731, 1836894, 1836895, 1836896, 1836897, 1836898, 1870321, 1900751
Bug Blocks: 1831730

Description Guilherme de Almeida Suckevicz 2020-05-05 14:25:10 UTC
A use-after-free flaw was found in usb_sg_cancel in drivers/usb/core/message.c in the USB core subsystem. This flaw could allow a local attacker with special user privilege (or root) to crash the system due to a race problem in scatter-gather cancellation and transfer completion in usb_sg_wait. This vulnerability can even lead to a kernel information leak problem.

Here usb_sg_cancel() does not take any reference to the transfer and there is nothing to prevent the URBs from being deallocated while the routine is trying to use them.

Taking a reference by incrementing the transfer's io->count field while the cancellation is in progress and decrementing it afterwards can be a way to address this. The transfer's URBs are not deallocated until io->complete is triggered, which happens when io->count reaches zero.
~~~
BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
BUG: KASAN: use-after-free in usb_hcd_unlink_urb+0x5f/0x170 drivers/usb/core/hcd.c:1607
Read of size 4 at addr ffff888065379610 by task kworker/u4:1/27
~~~

References:
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.6.8
https://lkml.org/lkml/2020/3/23/52

Upstream commit:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=056ad39ee9253873522f6469c3364964a322912b
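The race the description outlines, as an added user-space model (not the kernel's code, not from the reporter or the upstream commit): the cancel routine walks io->urbs while the completion path may drop io->count to zero and free them. The struct and function names, the ECONNRESET value, the single-threaded interleaving (a `complete_at` knob that fires all outstanding completions at a chosen index of the cancel loop) and the four-entry request are all assumptions chosen for the demonstration; the point it shows is that holding one extra reference in io->count for the duration of the loop keeps the array alive, and that dropping it afterwards still lets the last reference free the URBs.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define ECONNRESET 104   /* assumed value, only used as a status marker here */

struct urb {
    bool submitted;      /* still in flight, completion has not run yet */
    bool unlinked;       /* cancel asked for it to be unlinked */
};

struct sg_request {
    int entries;
    int count;           /* in-flight URBs (+1 while the fixed cancel holds its reference) */
    int status;
    struct urb *urbs;    /* released by the completion path when count reaches zero */
    bool urbs_freed;
    int complete_at;     /* test knob: loop index at which completions race with cancel */
};

/* Completion side, modelled loosely on sg_complete()/usb_sg_wait(): the last
 * reference going away wakes the waiter, which then deallocates the URBs. */
static void sg_drop_ref(struct sg_request *io)
{
    if (--io->count == 0) {
        free(io->urbs);
        io->urbs = NULL;
        io->urbs_freed = true;
    }
}

/* Every URB still in flight completes now (the interleaving chosen for the race). */
static void complete_all_in_flight(struct sg_request *io)
{
    for (int i = 0; i < io->entries; i++) {
        if (io->urbs && io->urbs[i].submitted) {
            io->urbs[i].submitted = false;
            sg_drop_ref(io);
        }
    }
}

/* Stand-in for usb_unlink_urb(io->urbs[i]). Instead of dereferencing freed
 * memory (which is what KASAN flagged in the bug), it reports the access. */
static int unlink_urb(struct sg_request *io, int i)
{
    if (io->urbs_freed)
        return 1;        /* would read freed io->urbs[i]: use-after-free */
    io->urbs[i].unlinked = true;
    return 0;
}

/* Vulnerable shape: nothing keeps the request alive while the loop runs. */
static int sg_cancel_vulnerable(struct sg_request *io)
{
    int uaf = 0;
    if (io->status || io->count == 0)
        return 0;
    io->status = -ECONNRESET;
    for (int i = io->entries - 1; i >= 0; --i) {
        if (i == io->complete_at)
            complete_all_in_flight(io);   /* completions run mid-loop */
        uaf += unlink_urb(io, i);
    }
    return uaf;
}

/* Fixed shape: take a reference in io->count for the duration of the loop,
 * then drop it; if that was the last reference, the URBs are freed here. */
static int sg_cancel_fixed(struct sg_request *io)
{
    int uaf = 0;
    if (io->status || io->count == 0)
        return 0;
    io->status = -ECONNRESET;
    io->count++;                          /* keep the request alive while cancelling */
    for (int i = io->entries - 1; i >= 0; --i) {
        if (i == io->complete_at)
            complete_all_in_flight(io);   /* count stays >= 1, nothing is freed */
        uaf += unlink_urb(io, i);
    }
    sg_drop_ref(io);
    return uaf;
}

struct cancel_result {
    int uaf_accesses;    /* times the URB array was touched after being freed */
    bool urbs_released;  /* completion path released the URBs by the end */
};

/* Build a request with `entries` in-flight URBs and run one cancel variant.
 * complete_at == -1 means no completion races with the cancel. */
static struct cancel_result run_cancel(bool fixed, int entries, int complete_at)
{
    struct sg_request io = { .entries = entries, .count = entries, .complete_at = complete_at };
    io.urbs = calloc(entries, sizeof *io.urbs);
    for (int i = 0; i < entries; i++)
        io.urbs[i].submitted = true;
    struct cancel_result r;
    r.uaf_accesses = fixed ? sg_cancel_fixed(&io) : sg_cancel_vulnerable(&io);
    r.urbs_released = io.urbs_freed;
    free(io.urbs);       /* NULL when the completion path already freed it */
    return r;
}

int main(void)
{
    struct cancel_result v = run_cancel(false, 4, 2);
    struct cancel_result f = run_cancel(true, 4, 2);
    printf("vulnerable: %d freed-memory accesses, released=%d\n", v.uaf_accesses, v.urbs_released);
    printf("fixed:      %d freed-memory accesses, released=%d\n", f.uaf_accesses, f.urbs_released);
    return 0;
}
```

With completions firing at index 2 of a four-entry request, the vulnerable loop touches the freed array three times (indices 2, 1, 0) while the fixed loop touches it zero times and still ends with the URBs released, because its own reference was the last one dropped.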

Comment 1 Guilherme de Almeida Suckevicz 2020-05-05 14:29:44 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1831731]

Comment 2 Justin M. Forbes 2020-05-05 14:37:49 UTC
This was fixed for Fedora with the 5.6.8 stable kernel updates.

Comment 6 Rohit Keshri 2020-05-18 12:57:20 UTC
Mitigation:

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 9 errata-xmlrpc 2021-05-18 13:19:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1578 https://access.redhat.com/errata/RHSA-2021:1578

Comment 10 errata-xmlrpc 2021-05-18 14:40:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1739 https://access.redhat.com/errata/RHSA-2021:1739