Bug 1831726 (CVE-2020-12464) - CVE-2020-12464 kernel: use-after-free in usb_sg_cancel function in drivers/usb/core/message.c
Summary: CVE-2020-12464 kernel: use-after-free in usb_sg_cancel function in drivers/us...
Keywords:
Status: NEW
Alias: CVE-2020-12464
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 1831731 1836894 1836895 1836896 1836897 1836898 1870321 1900751
Blocks: 1831730
Reported: 2020-05-05 14:25 UTC by Guilherme de Almeida Suckevicz
Modified: 2024-01-19 19:11 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in usb_sg_cancel in drivers/usb/core/message.c in the USB core subsystem. This flaw allows a local attacker with special user or root privileges to crash the system due to a race problem in the scatter-gather cancellation and transfer completion in usb_sg_wait. This vulnerability can also lead to a leak of internal kernel information.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links:
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2021:2538 | 0 | None | None | None | 2021-06-23 18:05:50 UTC
Red Hat Product Errata | RHBA-2021:2541 | 0 | None | None | None | 2021-06-24 11:50:38 UTC

Description Guilherme de Almeida Suckevicz 2020-05-05 14:25:10 UTC
A use-after-free flaw was found in usb_sg_cancel in drivers/usb/core/message.c in the USB core subsystem. This flaw could allow a local attacker with special user privilege (or root) to crash the system due to a race problem in scatter-gather cancellation and transfer completion in usb_sg_wait. This vulnerability can even lead to a kernel information leak problem.

Here usb_sg_cancel() does not take any reference to the transfer and there is nothing to prevent the URBs from being deallocated while the routine is trying to use them.

Taking a reference by incrementing the transfer's io->count field while the cancellation is in progress and decrementing it afterwards can be a way to address this. The transfer's URBs are not deallocated until io->complete is triggered, which happens when io->count reaches zero.
~~~
BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
BUG: KASAN: use-after-free in usb_hcd_unlink_urb+0x5f/0x170 drivers/usb/core/hcd.c:1607
Read of size 4 at addr ffff888065379610 by task kworker/u4:1/27
~~~

References:
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.6.8
https://lkml.org/lkml/2020/3/23/52

Upstream commit:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=056ad39ee9253873522f6469c3364964a322912b
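A single-threaded model of the race and of the io->count fix described in the report above, added here as an illustration and not the kernel's or the reporter's code; sg_request, urb_done() and the deterministically injected race are stand-ins for usb_sg_request, sg_complete() and a host controller completing URBs on another CPU.

```c
/* Single-threaded model of the usb_sg_cancel race and the io->count fix.
 * Added example, not kernel code: sg_request, urb_done() and the injected
 * race stand in for usb_sg_request, sg_complete() and the host controller
 * completing URBs on another CPU while the cancel loop is still running. */
#include <stdlib.h>
#define ENTRIES 3

struct sg_request {
    int count;             /* references: one per in-flight URB */
    int status, completed; /* completed: set once the URB array is released */
    int *urbs[ENTRIES];    /* stand-in for io->urbs; NULL once freed */
};

/* io->complete: the last reference is gone, so the URBs are freed. */
static void sg_finish(struct sg_request *io) {
    for (int i = 0; i < ENTRIES; i++) { free(io->urbs[i]); io->urbs[i] = NULL; }
    io->completed = 1;
}

/* Per-URB completion callback (sg_complete() in the kernel). */
static void urb_done(struct sg_request *io) {
    if (--io->count == 0) sg_finish(io);
}

/* Cancellation loop. take_ref == 0 mirrors the unfixed code; take_ref == 1
 * holds a reference for the whole walk, as the fix does. Every in-flight URB
 * completes right after the first iteration, which is the race. Returns how
 * many iterations would have unlinked an already freed URB. */
static int cancel_loop(struct sg_request *io, int take_ref) {
    int uaf = 0;
    if (io->status || io->count == 0) return 0;
    io->status = -1;                    /* -ECONNRESET in the kernel */
    if (take_ref) io->count++;          /* keep the request alive until done */
    for (int i = ENTRIES - 1; i >= 0; --i) {
        if (io->urbs[i] == NULL) uaf++; /* real code would touch freed memory */
        if (i == ENTRIES - 1)           /* race: all completions land mid-loop */
            for (int k = 0; k < ENTRIES; k++) urb_done(io);
    }
    if (take_ref) urb_done(io);         /* drop our reference; frees if last */
    return uaf;
}

/* Builds a transfer, cancels it under the race, returns the UAF count. */
int run_cancel(int take_ref) {
    struct sg_request *io = calloc(1, sizeof *io);
    for (int i = 0; i < ENTRIES; i++) io->urbs[i] = malloc(sizeof(int));
    io->count = ENTRIES;
    int uaf = cancel_loop(io, take_ref);
    free(io);                           /* URBs were released by sg_finish() */
    return uaf;
}
```

run_cancel(0) walks two already freed URBs after the mid-loop completions; run_cancel(1) walks none, because the extra reference defers sg_finish() until the cancel loop has dropped it.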

Comment 1 Guilherme de Almeida Suckevicz 2020-05-05 14:29:44 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1831731]

Comment 2 Justin M. Forbes 2020-05-05 14:37:49 UTC
This was fixed for Fedora with the 5.6.8 stable kernel updates.

Comment 6 Rohit Keshri 2020-05-18 12:57:20 UTC
Mitigation:

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 9 errata-xmlrpc 2021-05-18 13:19:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1578 https://access.redhat.com/errata/RHSA-2021:1578

Comment 10 errata-xmlrpc 2021-05-18 14:40:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1739 https://access.redhat.com/errata/RHSA-2021:1739

