In the Linux kernel, the following vulnerability has been resolved:HID: logitech-hidpp: Fix kernel crash on receiver USB disconnecthidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)races when it races with itself.hidpp_connect_event() primarily runs from a workqueue but it also runson probe() and if a device-connected packet is received by the hwwhen the thread running hidpp_connect_event() from probe() is waiting onthe hw, then a second thread running hidpp_connect_event() will bestarted from the workqueue.This opens the following races (note the below code is simplified):1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; }We can actually see this race hit in the dmesg in the abrt outputattached to rhbz#2227968:[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.Testing with extra logging added has shown that after this the 2 threadstake turn grabbing the hw access mutex (send_mutex) so they ping-pongthrough all the other TOCTOU cases managing to hit all of them:2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; }3. Initializing the power_supply class for the battery (problematic!):hidpp_initialize_battery(){ if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);}4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev);The really big problem here is 3. Hitting the race leads to the followingsequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);So now we have registered 2 power supplies for the same battery,which looks a bit weird from userspace s pov but this is not eventhe really big problem.Notice how:1. This is all devm-maganaged2. The hidpp->battery.desc struct is shared between the 2 power supplies3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup()This causes a use after free scenario on USB disconnect of the receiver:1. The last registered power supply class device gets unregistered2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one:Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08...Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_eventSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0...Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680Sep 22 20:01:35 eric kernel: ---truncated---
In the Linux kernel, the following vulnerability has been resolved:HID: logitech-hidpp: Fix kernel crash on receiver USB disconnecthidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)races when it races with itself.hidpp_connect_event() primarily runs from a workqueue but it also runson probe() and if a device-connected packet is received by the hwwhen the thread running hidpp_connect_event() from probe() is waiting onthe hw, then a second thread running hidpp_connect_event() will bestarted from the workqueue.This opens the following races (note the below code is simplified):1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; }We can actually see this race hit in the dmesg in the abrt outputattached to rhbz#2227968:[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.Testing with extra logging added has shown that after this the 2 threadstake turn grabbing the hw access mutex (send_mutex) so they ping-pongthrough all the other TOCTOU cases managing to hit all of them:2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; }3. Initializing the power_supply class for the battery (problematic!):hidpp_initialize_battery(){ if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);}4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev);The really big problem here is 3. Hitting the race leads to the followingsequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);So now we have registered 2 power supplies for the same battery,which looks a bit weird from userspace s pov but this is not eventhe really big problem.Notice how:1. This is all devm-maganaged2. The hidpp->battery.desc struct is shared between the 2 power supplies3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup()This causes a use after free scenario on USB disconnect of the receiver:1. The last registered power supply class device gets unregistered2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one:Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08...Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_eventSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0...Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680Sep 22 20:01:35 eric kernel: ---truncated---
In the Linux kernel, the following vulnerability has been resolved:HID: logitech-hidpp: Fix kernel crash on receiver USB disconnecthidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)races when it races with itself.hidpp_connect_event() primarily runs from a workqueue but it also runson probe() and if a device-connected packet is received by the hwwhen the thread running hidpp_connect_event() from probe() is waiting onthe hw, then a second thread running hidpp_connect_event() will bestarted from the workqueue.This opens the following races (note the below code is simplified):1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; }We can actually see this race hit in the dmesg in the abrt outputattached to rhbz#2227968:[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.Testing with extra logging added has shown that after this the 2 threadstake turn grabbing the hw access mutex (send_mutex) so they ping-pongthrough all the other TOCTOU cases managing to hit all of them:2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; }3. Initializing the power_supply class for the battery (problematic!):hidpp_initialize_battery(){ if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);}4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev);The really big problem here is 3. Hitting the race leads to the followingsequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);So now we have registered 2 power supplies for the same battery,which looks a bit weird from userspace s pov but this is not eventhe really big problem.Notice how:1. This is all devm-maganaged2. The hidpp->battery.desc struct is shared between the 2 power supplies3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup()This causes a use after free scenario on USB disconnect of the receiver:1. The last registered power supply class device gets unregistered2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one:Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08...Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_eventSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0...Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680Sep 22 20:01:35 eric kernel: ---truncated---
In the Linux kernel, the following vulnerability has been resolved:HID: logitech-hidpp: Fix kernel crash on receiver USB disconnecthidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)races when it races with itself.hidpp_connect_event() primarily runs from a workqueue but it also runson probe() and if a device-connected packet is received by the hwwhen the thread running hidpp_connect_event() from probe() is waiting onthe hw, then a second thread running hidpp_connect_event() will bestarted from the workqueue.This opens the following races (note the below code is simplified):1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; }We can actually see this race hit in the dmesg in the abrt outputattached to rhbz#2227968:[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.Testing with extra logging added has shown that after this the 2 threadstake turn grabbing the hw access mutex (send_mutex) so they ping-pongthrough all the other TOCTOU cases managing to hit all of them:2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; }3. Initializing the power_supply class for the battery (problematic!):hidpp_initialize_battery(){ if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);}4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev);The really big problem here is 3. Hitting the race leads to the followingsequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);So now we have registered 2 power supplies for the same battery,which looks a bit weird from userspace s pov but this is not eventhe really big problem.Notice how:1. This is all devm-maganaged2. The hidpp->battery.desc struct is shared between the 2 power supplies3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup()This causes a use after free scenario on USB disconnect of the receiver:1. The last registered power supply class device gets unregistered2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one:Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08...Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_eventSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0...Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680Sep 22 20:01:35 eric kernel: ---truncated---
In the Linux kernel, the following vulnerability has been resolved:HID: logitech-hidpp: Fix kernel crash on receiver USB disconnecthidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)races when it races with itself.hidpp_connect_event() primarily runs from a workqueue but it also runson probe() and if a device-connected packet is received by the hwwhen the thread running hidpp_connect_event() from probe() is waiting onthe hw, then a second thread running hidpp_connect_event() will bestarted from the workqueue.This opens the following races (note the below code is simplified):1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; }We can actually see this race hit in the dmesg in the abrt outputattached to rhbz#2227968:[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.Testing with extra logging added has shown that after this the 2 threadstake turn grabbing the hw access mutex (send_mutex) so they ping-pongthrough all the other TOCTOU cases managing to hit all of them:2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; }3. Initializing the power_supply class for the battery (problematic!):hidpp_initialize_battery(){ if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);}4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev);The really big problem here is 3. Hitting the race leads to the followingsequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);So now we have registered 2 power supplies for the same battery,which looks a bit weird from userspace s pov but this is not eventhe really big problem.Notice how:1. This is all devm-maganaged2. The hidpp->battery.desc struct is shared between the 2 power supplies3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup()This causes a use after free scenario on USB disconnect of the receiver:1. The last registered power supply class device gets unregistered2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one:Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08...Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_eventSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0...Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680Sep 22 20:01:35 eric kernel: ---truncated---
In the Linux kernel, the following vulnerability has been resolved:HID: logitech-hidpp: Fix kernel crash on receiver USB disconnecthidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)races when it races with itself.hidpp_connect_event() primarily runs from a workqueue but it also runson probe() and if a device-connected packet is received by the hwwhen the thread running hidpp_connect_event() from probe() is waiting onthe hw, then a second thread running hidpp_connect_event() will bestarted from the workqueue.This opens the following races (note the below code is simplified):1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; }We can actually see this race hit in the dmesg in the abrt outputattached to rhbz#2227968:[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.Testing with extra logging added has shown that after this the 2 threadstake turn grabbing the hw access mutex (send_mutex) so they ping-pongthrough all the other TOCTOU cases managing to hit all of them:2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; }3. Initializing the power_supply class for the battery (problematic!):hidpp_initialize_battery(){ if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);}4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev);The really big problem here is 3. Hitting the race leads to the followingsequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);So now we have registered 2 power supplies for the same battery,which looks a bit weird from userspace s pov but this is not eventhe really big problem.Notice how:1. This is all devm-maganaged2. The hidpp->battery.desc struct is shared between the 2 power supplies3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup()This causes a use after free scenario on USB disconnect of the receiver:1. The last registered power supply class device gets unregistered2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one:Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08...Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_eventSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0...Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680Sep 22 20:01:35 eric kernel: ---truncated---
In the Linux kernel, the following vulnerability has been resolved:HID: logitech-hidpp: Fix kernel crash on receiver USB disconnecthidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)races when it races with itself.hidpp_connect_event() primarily runs from a workqueue but it also runson probe() and if a device-connected packet is received by the hwwhen the thread running hidpp_connect_event() from probe() is waiting onthe hw, then a second thread running hidpp_connect_event() will bestarted from the workqueue.This opens the following races (note the below code is simplified):1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; }We can actually see this race hit in the dmesg in the abrt outputattached to rhbz#2227968:[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.Testing with extra logging added has shown that after this the 2 threadstake turn grabbing the hw access mutex (send_mutex) so they ping-pongthrough all the other TOCTOU cases managing to hit all of them:2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; }3. Initializing the power_supply class for the battery (problematic!):hidpp_initialize_battery(){ if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);}4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev);The really big problem here is 3. Hitting the race leads to the followingsequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);So now we have registered 2 power supplies for the same battery,which looks a bit weird from userspace s pov but this is not eventhe really big problem.Notice how:1. This is all devm-maganaged2. The hidpp->battery.desc struct is shared between the 2 power supplies3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup()This causes a use after free scenario on USB disconnect of the receiver:1. The last registered power supply class device gets unregistered2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one:Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08...Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_eventSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0...Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680Sep 22 20:01:35 eric kernel: ---truncated---
In the Linux kernel, the following vulnerability has been resolved:HID: logitech-hidpp: Fix kernel crash on receiver USB disconnecthidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)races when it races with itself.hidpp_connect_event() primarily runs from a workqueue but it also runson probe() and if a device-connected packet is received by the hwwhen the thread running hidpp_connect_event() from probe() is waiting onthe hw, then a second thread running hidpp_connect_event() will bestarted from the workqueue.This opens the following races (note the below code is simplified):1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; }We can actually see this race hit in the dmesg in the abrt outputattached to rhbz#2227968:[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.Testing with extra logging added has shown that after this the 2 threadstake turn grabbing the hw access mutex (send_mutex) so they ping-pongthrough all the other TOCTOU cases managing to hit all of them:2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; }3. Initializing the power_supply class for the battery (problematic!):hidpp_initialize_battery(){ if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);}4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev);The really big problem here is 3. Hitting the race leads to the followingsequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);So now we have registered 2 power supplies for the same battery,which looks a bit weird from userspace s pov but this is not eventhe really big problem.Notice how:1. This is all devm-maganaged2. The hidpp->battery.desc struct is shared between the 2 power supplies3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup()This causes a use after free scenario on USB disconnect of the receiver:1. The last registered power supply class device gets unregistered2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one:Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08...Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_eventSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0...Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680Sep 22 20:01:35 eric kernel: ---truncated---
In the Linux kernel, the following vulnerability has been resolved:HID: logitech-hidpp: Fix kernel crash on receiver USB disconnecthidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)races when it races with itself.hidpp_connect_event() primarily runs from a workqueue but it also runson probe() and if a device-connected packet is received by the hwwhen the thread running hidpp_connect_event() from probe() is waiting onthe hw, then a second thread running hidpp_connect_event() will bestarted from the workqueue.This opens the following races (note the below code is simplified):1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; }We can actually see this race hit in the dmesg in the abrt outputattached to rhbz#2227968:[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.Testing with extra logging added has shown that after this the 2 threadstake turn grabbing the hw access mutex (send_mutex) so they ping-pongthrough all the other TOCTOU cases managing to hit all of them:2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; }3. Initializing the power_supply class for the battery (problematic!):hidpp_initialize_battery(){ if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);}4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev);The really big problem here is 3. Hitting the race leads to the followingsequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);So now we have registered 2 power supplies for the same battery,which looks a bit weird from userspace s pov but this is not eventhe really big problem.Notice how:1. This is all devm-maganaged2. The hidpp->battery.desc struct is shared between the 2 power supplies3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup()This causes a use after free scenario on USB disconnect of the receiver:1. The last registered power supply class device gets unregistered2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one:Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08...Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_eventSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0...Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680Sep 22 20:01:35 eric kernel: ---truncated---
In the Linux kernel, the following vulnerability has been resolved:HID: logitech-hidpp: Fix kernel crash on receiver USB disconnecthidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)races when it races with itself.hidpp_connect_event() primarily runs from a workqueue but it also runson probe() and if a device-connected packet is received by the hwwhen the thread running hidpp_connect_event() from probe() is waiting onthe hw, then a second thread running hidpp_connect_event() will bestarted from the workqueue.This opens the following races (note the below code is simplified):1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; }We can actually see this race hit in the dmesg in the abrt outputattached to rhbz#2227968:[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.Testing with extra logging added has shown that after this the 2 threadstake turn grabbing the hw access mutex (send_mutex) so they ping-pongthrough all the other TOCTOU cases managing to hit all of them:2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; }3. Initializing the power_supply class for the battery (problematic!):hidpp_initialize_battery(){ if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);}4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev);The really big problem here is 3. Hitting the race leads to the followingsequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);So now we have registered 2 power supplies for the same battery,which looks a bit weird from userspace s pov but this is not eventhe really big problem.Notice how:1. This is all devm-maganaged2. The hidpp->battery.desc struct is shared between the 2 power supplies3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup()This causes a use after free scenario on USB disconnect of the receiver:1. The last registered power supply class device gets unregistered2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one:Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08...Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_eventSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0...Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680Sep 22 20:01:35 eric kernel: ---truncated---
In the Linux kernel, the following vulnerability has been resolved:HID: logitech-hidpp: Fix kernel crash on receiver USB disconnecthidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)races when it races with itself.hidpp_connect_event() primarily runs from a workqueue but it also runson probe() and if a device-connected packet is received by the hwwhen the thread running hidpp_connect_event() from probe() is waiting onthe hw, then a second thread running hidpp_connect_event() will bestarted from the workqueue.This opens the following races (note the below code is simplified):1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; }We can actually see this race hit in the dmesg in the abrt outputattached to rhbz#2227968:[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.Testing with extra logging added has shown that after this the 2 threadstake turn grabbing the hw access mutex (send_mutex) so they ping-pongthrough all the other TOCTOU cases managing to hit all of them:2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; }3. Initializing the power_supply class for the battery (problematic!):hidpp_initialize_battery(){ if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);}4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev);The really big problem here is 3. Hitting the race leads to the followingsequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);So now we have registered 2 power supplies for the same battery,which looks a bit weird from userspace s pov but this is not eventhe really big problem.Notice how:1. This is all devm-maganaged2. The hidpp->battery.desc struct is shared between the 2 power supplies3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup()This causes a use after free scenario on USB disconnect of the receiver:1. The last registered power supply class device gets unregistered2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one:Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08...Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_eventSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0...Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680Sep 22 20:01:35 eric kernel: ---truncated---
In the Linux kernel, the following vulnerability has been resolved:HID: logitech-hidpp: Fix kernel crash on receiver USB disconnecthidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)races when it races with itself.hidpp_connect_event() primarily runs from a workqueue but it also runson probe() and if a device-connected packet is received by the hwwhen the thread running hidpp_connect_event() from probe() is waiting onthe hw, then a second thread running hidpp_connect_event() will bestarted from the workqueue.This opens the following races (note the below code is simplified):1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; }We can actually see this race hit in the dmesg in the abrt outputattached to rhbz#2227968:[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.Testing with extra logging added has shown that after this the 2 threadstake turn grabbing the hw access mutex (send_mutex) so they ping-pongthrough all the other TOCTOU cases managing to hit all of them:2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; }3. Initializing the power_supply class for the battery (problematic!):hidpp_initialize_battery(){ if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);}4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev);The really big problem here is 3. Hitting the race leads to the followingsequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);So now we have registered 2 power supplies for the same battery,which looks a bit weird from userspace s pov but this is not eventhe really big problem.Notice how:1. This is all devm-maganaged2. The hidpp->battery.desc struct is shared between the 2 power supplies3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup()This causes a use after free scenario on USB disconnect of the receiver:1. The last registered power supply class device gets unregistered2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one:Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08...Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_eventSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0...Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680Sep 22 20:01:35 eric kernel: ---truncated---
In the Linux kernel, the following vulnerability has been resolved:HID: logitech-hidpp: Fix kernel crash on receiver USB disconnecthidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)races when it races with itself.hidpp_connect_event() primarily runs from a workqueue but it also runson probe() and if a device-connected packet is received by the hwwhen the thread running hidpp_connect_event() from probe() is waiting onthe hw, then a second thread running hidpp_connect_event() will bestarted from the workqueue.This opens the following races (note the below code is simplified):1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; }We can actually see this race hit in the dmesg in the abrt outputattached to rhbz#2227968:[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.Testing with extra logging added has shown that after this the 2 threadstake turn grabbing the hw access mutex (send_mutex) so they ping-pongthrough all the other TOCTOU cases managing to hit all of them:2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; }3. Initializing the power_supply class for the battery (problematic!):hidpp_initialize_battery(){ if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);}4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev);The really big problem here is 3. Hitting the race leads to the followingsequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);So now we have registered 2 power supplies for the same battery,which looks a bit weird from userspace s pov but this is not eventhe really big problem.Notice how:1. This is all devm-maganaged2. The hidpp->battery.desc struct is shared between the 2 power supplies3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup()This causes a use after free scenario on USB disconnect of the receiver:1. The last registered power supply class device gets unregistered2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one:Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08...Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_eventSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0...Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680Sep 22 20:01:35 eric kernel: ---truncated---
In the Linux kernel, the following vulnerability has been resolved:HID: logitech-hidpp: Fix kernel crash on receiver USB disconnecthidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)races when it races with itself.hidpp_connect_event() primarily runs from a workqueue but it also runson probe() and if a device-connected packet is received by the hwwhen the thread running hidpp_connect_event() from probe() is waiting onthe hw, then a second thread running hidpp_connect_event() will bestarted from the workqueue.This opens the following races (note the below code is simplified):1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; }We can actually see this race hit in the dmesg in the abrt outputattached to rhbz#2227968:[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.Testing with extra logging added has shown that after this the 2 threadstake turn grabbing the hw access mutex (send_mutex) so they ping-pongthrough all the other TOCTOU cases managing to hit all of them:2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; }3. Initializing the power_supply class for the battery (problematic!):hidpp_initialize_battery(){ if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);}4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev);The really big problem here is 3. Hitting the race leads to the followingsequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);So now we have registered 2 power supplies for the same battery,which looks a bit weird from userspace s pov but this is not eventhe really big problem.Notice how:1. This is all devm-maganaged2. The hidpp->battery.desc struct is shared between the 2 power supplies3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup()This causes a use after free scenario on USB disconnect of the receiver:1. The last registered power supply class device gets unregistered2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one:Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08...Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_eventSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0...Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680Sep 22 20:01:35 eric kernel: ---truncated---
In the Linux kernel, the following vulnerability has been resolved:HID: logitech-hidpp: Fix kernel crash on receiver USB disconnecthidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)races when it races with itself.hidpp_connect_event() primarily runs from a workqueue but it also runson probe() and if a device-connected packet is received by the hwwhen the thread running hidpp_connect_event() from probe() is waiting onthe hw, then a second thread running hidpp_connect_event() will bestarted from the workqueue.This opens the following races (note the below code is simplified):1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; }We can actually see this race hit in the dmesg in the abrt outputattached to rhbz#2227968:[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.Testing with extra logging added has shown that after this the 2 threadstake turn grabbing the hw access mutex (send_mutex) so they ping-pongthrough all the other TOCTOU cases managing to hit all of them:2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; }3. Initializing the power_supply class for the battery (problematic!):hidpp_initialize_battery(){ if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);}4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev);The really big problem here is 3. Hitting the race leads to the followingsequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);So now we have registered 2 power supplies for the same battery,which looks a bit weird from userspace s pov but this is not eventhe really big problem.Notice how:1. This is all devm-maganaged2. The hidpp->battery.desc struct is shared between the 2 power supplies3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup()This causes a use after free scenario on USB disconnect of the receiver:1. The last registered power supply class device gets unregistered2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one:Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08...Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_eventSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0...Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680Sep 22 20:01:35 eric kernel: ---truncated---
In the Linux kernel, the following vulnerability has been resolved:HID: logitech-hidpp: Fix kernel crash on receiver USB disconnecthidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)races when it races with itself.hidpp_connect_event() primarily runs from a workqueue but it also runson probe() and if a device-connected packet is received by the hwwhen the thread running hidpp_connect_event() from probe() is waiting onthe hw, then a second thread running hidpp_connect_event() will bestarted from the workqueue.This opens the following races (note the below code is simplified):1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; }We can actually see this race hit in the dmesg in the abrt outputattached to rhbz#2227968:[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.Testing with extra logging added has shown that after this the 2 threadstake turn grabbing the hw access mutex (send_mutex) so they ping-pongthrough all the other TOCTOU cases managing to hit all of them:2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; }3. Initializing the power_supply class for the battery (problematic!):hidpp_initialize_battery(){ if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);}4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev);The really big problem here is 3. Hitting the race leads to the followingsequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);So now we have registered 2 power supplies for the same battery,which looks a bit weird from userspace s pov but this is not eventhe really big problem.Notice how:1. This is all devm-maganaged2. The hidpp->battery.desc struct is shared between the 2 power supplies3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup()This causes a use after free scenario on USB disconnect of the receiver:1. The last registered power supply class device gets unregistered2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one:Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08...Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_eventSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0...Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680Sep 22 20:01:35 eric kernel: ---truncated---
In the Linux kernel, the following vulnerability has been resolved:HID: logitech-hidpp: Fix kernel crash on receiver USB disconnecthidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)races when it races with itself.hidpp_connect_event() primarily runs from a workqueue but it also runson probe() and if a device-connected packet is received by the hwwhen the thread running hidpp_connect_event() from probe() is waiting onthe hw, then a second thread running hidpp_connect_event() will bestarted from the workqueue.This opens the following races (note the below code is simplified):1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; }We can actually see this race hit in the dmesg in the abrt outputattached to rhbz#2227968:[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.Testing with extra logging added has shown that after this the 2 threadstake turn grabbing the hw access mutex (send_mutex) so they ping-pongthrough all the other TOCTOU cases managing to hit all of them:2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; }3. Initializing the power_supply class for the battery (problematic!):hidpp_initialize_battery(){ if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);}4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev);The really big problem here is 3. Hitting the race leads to the followingsequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);So now we have registered 2 power supplies for the same battery,which looks a bit weird from userspace s pov but this is not eventhe really big problem.Notice how:1. This is all devm-maganaged2. The hidpp->battery.desc struct is shared between the 2 power supplies3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup()This causes a use after free scenario on USB disconnect of the receiver:1. The last registered power supply class device gets unregistered2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one:Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08...Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_eventSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0...Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680Sep 22 20:01:35 eric kernel: ---truncated---
In the Linux kernel, the following vulnerability has been resolved:HID: logitech-hidpp: Fix kernel crash on receiver USB disconnecthidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)races when it races with itself.hidpp_connect_event() primarily runs from a workqueue but it also runson probe() and if a device-connected packet is received by the hwwhen the thread running hidpp_connect_event() from probe() is waiting onthe hw, then a second thread running hidpp_connect_event() will bestarted from the workqueue.This opens the following races (note the below code is simplified):1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; }We can actually see this race hit in the dmesg in the abrt outputattached to rhbz#2227968:[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.Testing with extra logging added has shown that after this the 2 threadstake turn grabbing the hw access mutex (send_mutex) so they ping-pongthrough all the other TOCTOU cases managing to hit all of them:2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; }3. Initializing the power_supply class for the battery (problematic!):hidpp_initialize_battery(){ if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);}4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev);The really big problem here is 3. Hitting the race leads to the followingsequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);So now we have registered 2 power supplies for the same battery,which looks a bit weird from userspace s pov but this is not eventhe really big problem.Notice how:1. This is all devm-maganaged2. The hidpp->battery.desc struct is shared between the 2 power supplies3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup()This causes a use after free scenario on USB disconnect of the receiver:1. The last registered power supply class device gets unregistered2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one:Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08...Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_eventSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0...Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680Sep 22 20:01:35 eric kernel: ---truncated---
In the Linux kernel, the following vulnerability has been resolved:HID: logitech-hidpp: Fix kernel crash on receiver USB disconnecthidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)races when it races with itself.hidpp_connect_event() primarily runs from a workqueue but it also runson probe() and if a device-connected packet is received by the hwwhen the thread running hidpp_connect_event() from probe() is waiting onthe hw, then a second thread running hidpp_connect_event() will bestarted from the workqueue.This opens the following races (note the below code is simplified):1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; }We can actually see this race hit in the dmesg in the abrt outputattached to rhbz#2227968:[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.Testing with extra logging added has shown that after this the 2 threadstake turn grabbing the hw access mutex (send_mutex) so they ping-pongthrough all the other TOCTOU cases managing to hit all of them:2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; }3. Initializing the power_supply class for the battery (problematic!):hidpp_initialize_battery(){ if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);}4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev);The really big problem here is 3. Hitting the race leads to the followingsequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);So now we have registered 2 power supplies for the same battery,which looks a bit weird from userspace s pov but this is not eventhe really big problem.Notice how:1. This is all devm-maganaged2. The hidpp->battery.desc struct is shared between the 2 power supplies3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup()This causes a use after free scenario on USB disconnect of the receiver:1. The last registered power supply class device gets unregistered2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one:Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08...Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_eventSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0...Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680Sep 22 20:01:35 eric kernel: ---truncated---
In the Linux kernel, the following vulnerability has been resolved:HID: logitech-hidpp: Fix kernel crash on receiver USB disconnecthidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)races when it races with itself.hidpp_connect_event() primarily runs from a workqueue but it also runson probe() and if a device-connected packet is received by the hwwhen the thread running hidpp_connect_event() from probe() is waiting onthe hw, then a second thread running hidpp_connect_event() will bestarted from the workqueue.This opens the following races (note the below code is simplified):1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; }We can actually see this race hit in the dmesg in the abrt outputattached to rhbz#2227968:[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.Testing with extra logging added has shown that after this the 2 threadstake turn grabbing the hw access mutex (send_mutex) so they ping-pongthrough all the other TOCTOU cases managing to hit all of them:2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; }3. Initializing the power_supply class for the battery (problematic!):hidpp_initialize_battery(){ if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);}4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev);The really big problem here is 3. Hitting the race leads to the followingsequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);So now we have registered 2 power supplies for the same battery,which looks a bit weird from userspace s pov but this is not eventhe really big problem.Notice how:1. This is all devm-maganaged2. The hidpp->battery.desc struct is shared between the 2 power supplies3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup()This causes a use after free scenario on USB disconnect of the receiver:1. The last registered power supply class device gets unregistered2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one:Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08...Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_eventSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0...Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680Sep 22 20:01:35 eric kernel: ---truncated---
In the Linux kernel, the following vulnerability has been resolved:HID: logitech-hidpp: Fix kernel crash on receiver USB disconnecthidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)races when it races with itself.hidpp_connect_event() primarily runs from a workqueue but it also runson probe() and if a device-connected packet is received by the hwwhen the thread running hidpp_connect_event() from probe() is waiting onthe hw, then a second thread running hidpp_connect_event() will bestarted from the workqueue.This opens the following races (note the below code is simplified):1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; }We can actually see this race hit in the dmesg in the abrt outputattached to rhbz#2227968:[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.Testing with extra logging added has shown that after this the 2 threadstake turn grabbing the hw access mutex (send_mutex) so they ping-pongthrough all the other TOCTOU cases managing to hit all of them:2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; }3. Initializing the power_supply class for the battery (problematic!):hidpp_initialize_battery(){ if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);}4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev);The really big problem here is 3. Hitting the race leads to the followingsequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);So now we have registered 2 power supplies for the same battery,which looks a bit weird from userspace s pov but this is not eventhe really big problem.Notice how:1. This is all devm-maganaged2. The hidpp->battery.desc struct is shared between the 2 power supplies3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup()This causes a use after free scenario on USB disconnect of the receiver:1. The last registered power supply class device gets unregistered2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one:Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08...Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_eventSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0...Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680Sep 22 20:01:35 eric kernel: ---truncated---
In the Linux kernel, the following vulnerability has been resolved:HID: logitech-hidpp: Fix kernel crash on receiver USB disconnecthidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)races when it races with itself.hidpp_connect_event() primarily runs from a workqueue but it also runson probe() and if a device-connected packet is received by the hwwhen the thread running hidpp_connect_event() from probe() is waiting onthe hw, then a second thread running hidpp_connect_event() will bestarted from the workqueue.This opens the following races (note the below code is simplified):1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; }We can actually see this race hit in the dmesg in the abrt outputattached to rhbz#2227968:[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.Testing with extra logging added has shown that after this the 2 threadstake turn grabbing the hw access mutex (send_mutex) so they ping-pongthrough all the other TOCTOU cases managing to hit all of them:2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; }3. Initializing the power_supply class for the battery (problematic!):hidpp_initialize_battery(){ if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);}4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev);The really big problem here is 3. Hitting the race leads to the followingsequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);So now we have registered 2 power supplies for the same battery,which looks a bit weird from userspace s pov but this is not eventhe really big problem.Notice how:1. This is all devm-maganaged2. The hidpp->battery.desc struct is shared between the 2 power supplies3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup()This causes a use after free scenario on USB disconnect of the receiver:1. The last registered power supply class device gets unregistered2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one:Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08...Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_eventSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0...Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680Sep 22 20:01:35 eric kernel: ---truncated---
In the Linux kernel, the following vulnerability has been resolved:HID: logitech-hidpp: Fix kernel crash on receiver USB disconnecthidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)races when it races with itself.hidpp_connect_event() primarily runs from a workqueue but it also runson probe() and if a device-connected packet is received by the hwwhen the thread running hidpp_connect_event() from probe() is waiting onthe hw, then a second thread running hidpp_connect_event() will bestarted from the workqueue.This opens the following races (note the below code is simplified):1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; }We can actually see this race hit in the dmesg in the abrt outputattached to rhbz#2227968:[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.Testing with extra logging added has shown that after this the 2 threadstake turn grabbing the hw access mutex (send_mutex) so they ping-pongthrough all the other TOCTOU cases managing to hit all of them:2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; }3. Initializing the power_supply class for the battery (problematic!):hidpp_initialize_battery(){ if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);}4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev);The really big problem here is 3. Hitting the race leads to the followingsequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);So now we have registered 2 power supplies for the same battery,which looks a bit weird from userspace s pov but this is not eventhe really big problem.Notice how:1. This is all devm-maganaged2. The hidpp->battery.desc struct is shared between the 2 power supplies3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup()This causes a use after free scenario on USB disconnect of the receiver:1. The last registered power supply class device gets unregistered2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one:Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08...Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_eventSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0...Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680Sep 22 20:01:35 eric kernel: ---truncated---
In the Linux kernel, the following vulnerability has been resolved:HID: logitech-hidpp: Fix kernel crash on receiver USB disconnecthidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU)races when it races with itself.hidpp_connect_event() primarily runs from a workqueue but it also runson probe() and if a device-connected packet is received by the hwwhen the thread running hidpp_connect_event() from probe() is waiting onthe hw, then a second thread running hidpp_connect_event() will bestarted from the workqueue.This opens the following races (note the below code is simplified):1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; }We can actually see this race hit in the dmesg in the abrt outputattached to rhbz#2227968:[ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.[ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected.Testing with extra logging added has shown that after this the 2 threadstake turn grabbing the hw access mutex (send_mutex) so they ping-pongthrough all the other TOCTOU cases managing to hit all of them:2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; }3. Initializing the power_supply class for the battery (problematic!):hidpp_initialize_battery(){ if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);}4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev);The really big problem here is 3. Hitting the race leads to the followingsequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg);So now we have registered 2 power supplies for the same battery,which looks a bit weird from userspace s pov but this is not eventhe really big problem.Notice how:1. This is all devm-maganaged2. The hidpp->battery.desc struct is shared between the 2 power supplies3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup()This causes a use after free scenario on USB disconnect of the receiver:1. The last registered power supply class device gets unregistered2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one:Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08...Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_eventSep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0...Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680Sep 22 20:01:35 eric kernel: ---truncated---
