Date: Sat, 18 Aug 2001 05:41:29 -0700 (PDT)
From: Bodo Rueskamp <br@clabsms.de>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/29847: USB usbd_probe_and_attach() is broken and may crash the system
Message-ID: <200108181241.f7ICfTK59548@freefall.freebsd.org>
>Number:         29847
>Category:       kern
>Synopsis:       USB usbd_probe_and_attach() is broken and may crash the system
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Aug 18 05:50:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Bodo Rueskamp
>Release:        4.3-RELEASE, 4-STABLE and 5-CURRENT
>Organization:
Communications Laboratories GmbH
>Environment:
>Description:
"usbd_probe_and_attach()" in "/sys/dev/usb/usb_subr.c" uses the automatic variable "uaa" to store information for probe and attach functions. If a USB module with an active device is unloaded and reloaded, the automatic variable "uaa" doesn't contain valid information and the USB_MATCH function of the loaded driver (and others) may crash the system.
>How-To-Repeat:
(1) boot a kernel without USB
(2) start "usbd" (this will load 'usbd.ko')
(3) load "ums.ko"
(4) attach a USB mouse
(5) unload "ums.ko"
(6) reload "ums.ko"
(you may use any other driver with a matching USB device in steps 3-6)

Now the USB_MATCH routine of "ums" (and "uhub") is called with a pointer to a "uaa" which is invalid. This causes a crash on my system, because "uaa->driver" is the NULL pointer. This may vary on other systems.
>Fix:
Use "malloc()" to allocate "uaa" in "usbd_probe_and_attach()" in file "/sys/dev/usb/usb_subr.c" and insert a "free()" into the appropriate function after the device is removed (unplugged) from the system.
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
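The defect described in the report is a lifetime bug: a pointer to an automatic (stack) variable is kept in a long-lived device structure, so once usbd_probe_and_attach() returns, the stored pointer refers to a dead stack frame and the next module reload hands a driver's match routine garbage. The following C program is an added example, not code from the report or from FreeBSD: it models the corrected pattern the Fix section asks for (allocate the attach args with malloc() so they outlive the probe call, free them when the device is unplugged) and runs the attach / reload / unplug sequence from How-To-Repeat against it. The structure and function names (attach_args, usb_device, driver_match, probe_and_attach, reprobe, device_detach) and the vendor/product IDs are constructed for illustration and are not the usb(4) API.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, simplified model of the pattern the report describes. The names
 * attach_args, usb_device, driver_match, probe_and_attach, reprobe and
 * device_detach are hypothetical and are NOT the FreeBSD usb(4) API. */
struct attach_args {
    const char *driver;   /* driver name the device matched; NULL until matched */
    int vendor;           /* constructed sample IDs, not real device IDs */
    int product;
};

struct usb_device {
    struct attach_args *args;   /* must outlive probe_and_attach(): heap-allocated */
    int attached;
};

/* A driver's match routine. Like the USB_MATCH routines in the report it
 * dereferences the attach args it is handed, so a dangling pointer here is a
 * crash (or worse). The NULL check is defensive, not a substitute for a valid
 * lifetime. */
static int driver_match(const struct attach_args *uaa, const char *name)
{
    if (uaa == NULL || uaa->driver == NULL)
        return 0;
    return strcmp(uaa->driver, name) == 0;
}

/* Corrected pattern from the Fix section: allocate uaa with malloc() instead of
 * an automatic variable, so the pointer kept in the device stays valid after
 * this function returns. (The broken shape was
 *     struct attach_args uaa; ... dev->args = &uaa;
 * which leaves dev->args pointing into a stack frame that no longer exists.)
 * Returns 0 on success, -1 on failure. */
static int probe_and_attach(struct usb_device *dev, int vendor, int product,
                            const char *driver)
{
    struct attach_args *uaa = malloc(sizeof *uaa);
    if (uaa == NULL)
        return -1;
    uaa->driver = driver;
    uaa->vendor = vendor;
    uaa->product = product;
    dev->args = uaa;
    dev->attached = driver_match(uaa, driver);
    return dev->attached ? 0 : -1;
}

/* Models steps (5)-(6): after the driver module is unloaded and reloaded, its
 * match routine is called again with the pointer the device still holds. */
static int reprobe(const struct usb_device *dev, const char *driver)
{
    return driver_match(dev->args, driver);
}

/* The free() the report asks for: release uaa when the device is removed
 * (unplugged), and clear the pointer so any later use is a detectable NULL
 * rather than a use-after-free. */
static void device_detach(struct usb_device *dev)
{
    free(dev->args);
    dev->args = NULL;
    dev->attached = 0;
}

/* Runs attach -> reload -> other driver -> unplug -> reload; returns 1 if every
 * step behaved as the corrected design intends, 0 otherwise. */
static int run_reload_scenario(void)
{
    struct usb_device dev = { NULL, 0 };
    int ok = 1;

    ok &= probe_and_attach(&dev, 0x1234, 0x5678, "ums") == 0; /* constructed IDs */
    ok &= reprobe(&dev, "ums") == 1;    /* reload: args still valid */
    ok &= reprobe(&dev, "uhub") == 0;   /* a different driver does not match */
    device_detach(&dev);
    ok &= reprobe(&dev, "ums") == 0;    /* after unplug: no dangling pointer */
    return ok;
}

int main(void)
{
    printf("reload scenario %s\n", run_reload_scenario() ? "OK" : "FAILED");
    return 0;
}
```

The design point is that the allocation's owner is the device, not the probe call: whatever structure stores the pointer must also be the one that frees it, which is exactly why the report pairs the malloc() in usbd_probe_and_attach() with a free() in the device-removal path.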