A use-after-free flaw was found in usb_sg_cancel in drivers/usb/core/message.c in USB core subsystem. This flaw could allow a local attacker with special user privilege (or root) to crash the system due to a race problem in scatter-gather cancellation and transfer completion in usb_sg_wait. This vulnerability can even lead to a kernel information leak problem . Here usb_sg_cancel() does not take any reference to the transfer and there is nothing to prevent the URBs from being deallocated while the routine is trying to use them. Taking a reference by incrementing the transfer's io->count field while the cancellation is in progress and decrementing it afterwards can be way to address this. The transfer's URBs are not deallocated until io->complete is triggered, which happens when io->count reaches zero. ~~~ BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:26 [inline] BUG: KASAN: use-after-free in usb_hcd_unlink_urb+0x5f/0x170 drivers/usb/core/hcd.c:1607 Read of size 4 at addr ffff888065379610 by task kworker/u4:1/27 ~~~ References: https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.6.8 https://lkml.org/lkml/2020/3/23/52 Upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=056ad39ee9253873522f6469c3364964a322912b
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1831731]
This was fixed for Fedora with the 5.6.8 stable kernel updates.
Mitigation: Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1578 https://access.redhat.com/errata/RHSA-2021:1578
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1739 https://access.redhat.com/errata/RHSA-2021:1739