From owner-freebsd-bugs Sat Aug 18 5:50: 9 2001
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 59CFE37B40B for ; Sat, 18 Aug 2001 05:50:01 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.4/8.11.4) id f7ICo1u59974; Sat, 18 Aug 2001 05:50:01 -0700 (PDT) (envelope-from gnats)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 1071937B412 for ; Sat, 18 Aug 2001 05:41:30 -0700 (PDT) (envelope-from nobody@FreeBSD.org)
Received: (from nobody@localhost) by freefall.freebsd.org (8.11.4/8.11.4) id f7ICfTK59548; Sat, 18 Aug 2001 05:41:29 -0700 (PDT) (envelope-from nobody)
Message-Id: <200108181241.f7ICfTK59548@freefall.freebsd.org>
Date: Sat, 18 Aug 2001 05:41:29 -0700 (PDT)
From: Bodo Rueskamp
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: kern/29847: USB usbd_probe_and_attach() is broken and may crash the system
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>Number:         29847
>Category:       kern
>Synopsis:       USB usbd_probe_and_attach() is broken and may crash the system
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Aug 18 05:50:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Bodo Rueskamp
>Release:        4.3-RELEASE, 4-STABLE and 5-CURRENT
>Organization:
Communications Laboratories GmbH
>Environment:
>Description:
"usbd_probe_and_attach()" in "/sys/dev/usb/usb_subr.c" uses the automatic variable "uaa" to store information for probe and attach functions.

If a USB module with an active device is unloaded and reloaded, the automatic variable "uaa" doesn't contain valid information and the USB_MATCH function of the loaded driver (and others) may crash the system.
>How-To-Repeat:
(1) boot a kernel without USB
(2) start "usbd" (this will load 'usbd.ko')
(3) load "ums.ko"
(4) attach a USB mouse
(5) unload "ums.ko"
(6) reload "ums.ko"

(you may use any other driver with a matching USB device in steps 3-6)

Now the USB_MATCH routine of "ums" (and "uhub") is called with a pointer to a "uaa" which is invalid. This causes a crash on my system, because "uaa->driver" is the NULL pointer. This may vary on other systems.
>Fix:
Use "malloc()" to allocate "uaa" in "usbd_probe_and_attach()" in file "/sys/dev/usb/usb_subr.c" and insert a "free()" into the appropriate function after the device is removed (unplugged) from the system.
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
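The lifetime problem the report describes, modelled in plain user-space C as an added example (this is not FreeBSD's usb_subr.c and not the reporter's code): a long-lived device record keeps a pointer to the attach arguments, so those arguments must live until the device is detached, not until the attach function returns. The names attach_args, usb_device, probe_and_attach_stack(), probe_and_attach_heap(), device_detach() and match_driver() are hypothetical stand-ins for the kernel structures and routines the PR mentions.

```c
/* Added example, not FreeBSD code: contrasts an attach routine that stores
 * the address of an automatic variable with one that allocates on the heap
 * and frees on detach, as the PR's fix suggests.  All names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the attach-argument block a match routine reads. */
struct attach_args {
    const char *driver;   /* driver name consulted by the match routine */
    int port;
};

/* Hypothetical stand-in for the per-device record that outlives attach. */
struct usb_device {
    struct attach_args *uaa;   /* handed to the match routine later */
};

/* Buggy pattern from the PR: the record keeps a pointer to an automatic
 * variable.  After this function returns, dev->uaa dangles; any later
 * dereference (for instance from a reloaded driver's match routine) is
 * undefined behaviour.  Shown for comparison only; main() never calls it. */
void probe_and_attach_stack(struct usb_device *dev, const char *driver, int port)
{
    struct attach_args uaa;           /* lives only until return */
    uaa.driver = driver;
    uaa.port = port;
    dev->uaa = &uaa;                  /* BUG: stack address escapes the function */
}

/* Fixed pattern suggested in the PR: heap-allocate so the arguments live as
 * long as the device record.  Returns 0 on success, -1 if malloc fails. */
int probe_and_attach_heap(struct usb_device *dev, const char *driver, int port)
{
    struct attach_args *uaa = malloc(sizeof *uaa);
    if (uaa == NULL)
        return -1;
    uaa->driver = driver;
    uaa->port = port;
    dev->uaa = uaa;
    return 0;
}

/* The matching free() belongs on the path where the device is removed;
 * clearing the pointer makes a later accidental use detectable. */
void device_detach(struct usb_device *dev)
{
    free(dev->uaa);
    dev->uaa = NULL;
}

/* Stand-in for a match routine: 1 if the stored driver name equals `want`.
 * With heap-allocated arguments it is safe to call any time before detach. */
int match_driver(const struct usb_device *dev, const char *want)
{
    if (dev->uaa == NULL || dev->uaa->driver == NULL)
        return 0;                     /* no valid attach arguments: refuse */
    return strcmp(dev->uaa->driver, want) == 0;
}

int main(void)
{
    struct usb_device dev = { NULL };
    if (probe_and_attach_heap(&dev, "ums", 1) != 0)
        return 1;
    /* Models a driver reload: match runs long after attach has returned. */
    printf("ums matches: %d\n", match_driver(&dev, "ums"));
    device_detach(&dev);
    printf("after detach, uaa is %s\n", dev.uaa == NULL ? "NULL" : "still set");
    return 0;
}
```

The stack variant is kept in the listing but never executed, because reading through the dangling pointer is undefined behaviour and what it yields (a NULL driver on the reporter's machine, garbage elsewhere) is exactly what makes such bugs hard to reproduce. The heap variant only closes the problem if every detach path reaches the free(); a missed path turns the crash into a leak, which is the trade the PR's fix makes.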