From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 239973] Kernel Panic: device_get_ivars(9) returns NULL which leads to Null pointer dereference for multiple drivers
Date: Mon, 19 Aug 2019 19:50:55 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: CURRENT
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Status: New
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=239973

            Bug ID: 239973
           Summary: Kernel Panic: device_get_ivars(9) returns NULL which
                    leads to Null pointer dereference for multiple drivers
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: neerajpal09@gmail.com

Attachment #206706 text/plain mime type:

Created
attachment 206706
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=206706&action=edit
kernel panic log

A kernel panic is observed due to a NULL pointer dereference in FreeBSD kernel driver code, after which the kernel has to reboot.

This vulnerability resides in many kernel drivers such as "uhub0", "ubt0", "umass0", "run0", "uhid0", etc., mostly USB devices.

Tested and observed the panic for the following kernel drivers:

- usb
- umass (storage)
- ubt (bluetooth)
- run0 (wifi)
- uhid

Drivers which use the structure "usb_attach_arg" with device_get_ivars(9), as shown below:

    struct usb_attach_arg *uaa = device_get_ivars(dev);

are prone to a NULL pointer dereference bug, as there is no NULL check and the API device_get_ivars(9) returns NULL.

device_get_ivars(9) from the file "/usr/src/sys/kern/subr_bus.c" returns a NULL pointer, which gets assigned to the *uaa structure pointer (function "uhub_probe" from the file "/usr/src/sys/dev/usb/usb_bus.c"). After that there is an if-else condition which checks usb_mode from that structure, and the panic occurs there due to dereferencing the NULL pointer.

The same applies to other kernel drivers. There are still many drivers which lack this NULL pointer check, apart from those mentioned here.

[Steps to reproduce]

* devctl disable uhub0
* devctl enable uhub0 <= BOOM - panic appears

The panic occurs here, after enabling the already disabled device (but only with USB related drivers).

[Privilege]
Root privilege is required.

[Reproducibility]
Reproducibility is 100%.

[Log]
Attached file "panic.log".

[Patch]
Please find the attached patch file "patch.diff" for the files "usb_hub.c", "ng_ubt.c", "if_run.c", "umass.c" and "uhid.c".

After applying the patch, the first invocation returns "ENXIO" as mentioned in the patch code, then a later invocation returns "EBUSY" as the device is enabled, which can be verified by disabling it again.
-- 
You are receiving this mail because:
You are the assignee for the bug.
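The probe pattern the report describes, and the guard the attached patch adds, modelled in userland so it can be run and stepped through. This is an added example written for this page, not code from the report, the attached patch.diff or the FreeBSD tree: device_t, struct usb_attach_arg, the USB_MODE_HOST / UDCLASS_HUB values and the devctl_* helpers are simplified stand-ins (assumptions), and "disable leaves the device without ivars" only models the symptom the report observes (device_get_ivars(9) returning NULL on re-enable), not how the real kernel gets there.

```c
/*
 * Userland model of the uhub_probe() pattern from the bug report and of its
 * hardened form. Illustrative code, not FreeBSD source. Assumptions: the
 * device_t / usb_attach_arg layouts, the USB_MODE_HOST and UDCLASS_HUB
 * values, and the devctl_* behaviour below are all simplified stand-ins.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define USB_MODE_HOST      0
#define UDCLASS_HUB        0x09
#define BUS_PROBE_DEFAULT  (-20)   /* numeric value FreeBSD uses for this priority */

struct usb_attach_arg {            /* only the fields a hub probe looks at */
	int usb_mode;
	struct {
		int bConfigIndex;
		int bDeviceClass;
	} info;
};

struct device {                    /* stand-in for device_t */
	const char *nameunit;
	int         enabled;
	void       *ivars;             /* NULL when no attach args are set */
};
typedef struct device *device_t;

static void *
device_get_ivars(device_t dev)
{
	return (dev->ivars);           /* may be NULL, like the real bus API */
}

/*
 * The pattern the report calls out: uaa is dereferenced with no NULL check,
 * so a probe on a device without ivars faults. Kept only for comparison and
 * never called with NULL ivars below.
 */
static int
uhub_probe_unchecked(device_t dev)
{
	struct usb_attach_arg *uaa = device_get_ivars(dev);

	if (uaa->usb_mode != USB_MODE_HOST)
		return (ENXIO);
	if (uaa->info.bConfigIndex == 0 && uaa->info.bDeviceClass == UDCLASS_HUB)
		return (BUS_PROBE_DEFAULT);
	return (ENXIO);
}

/* Hardened form: a device with no attach arguments simply does not match. */
static int
uhub_probe_checked(device_t dev)
{
	struct usb_attach_arg *uaa = device_get_ivars(dev);

	if (uaa == NULL)
		return (ENXIO);
	if (uaa->usb_mode != USB_MODE_HOST)
		return (ENXIO);
	if (uaa->info.bConfigIndex == 0 && uaa->info.bDeviceClass == UDCLASS_HUB)
		return (BUS_PROBE_DEFAULT);
	return (ENXIO);
}

/*
 * Model of "devctl disable" / "devctl enable" (assumption, not devctl(8)
 * itself): disable marks the device disabled and drops its ivars; enable
 * clears the disabled state first and then probes. Probe results follow the
 * FreeBSD convention: positive errno means no match, <= 0 is a match priority.
 * The sequence therefore reproduces what the report describes after the
 * patch: first enable returns ENXIO, a second enable returns EBUSY.
 */
static int
devctl_disable(device_t dev)
{
	if (!dev->enabled)
		return (ENXIO);
	dev->enabled = 0;
	dev->ivars = NULL;
	return (0);
}

static int
devctl_enable(device_t dev)
{
	int err;

	if (dev->enabled)
		return (EBUSY);
	dev->enabled = 1;
	err = uhub_probe_checked(dev);
	return (err > 0 ? err : 0);
}

int
main(void)
{
	/* constructed sample: a hub in host mode with ivars attached */
	struct usb_attach_arg hub = { USB_MODE_HOST, { 0, UDCLASS_HUB } };
	struct device uhub0 = { "uhub0", 1, &hub };

	printf("probe with ivars:    %d (BUS_PROBE_DEFAULT=%d)\n",
	    uhub_probe_checked(&uhub0), BUS_PROBE_DEFAULT);
	printf("devctl disable:      %d\n", devctl_disable(&uhub0));
	printf("devctl enable:       %d (ENXIO=%d)\n", devctl_enable(&uhub0), ENXIO);
	printf("devctl enable again: %d (EBUSY=%d)\n", devctl_enable(&uhub0), EBUSY);
	return (0);
}
```

The point to take from the model is that the NULL check belongs in every probe routine that reads ivars, since the bus layer makes no promise that device_get_ivars(9) is non-NULL; returning ENXIO is the correct "no match" answer and leaves the device in the enabled state the report describes.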