KASAN reporting: general protection fault in flexcop_usb_probe

KASAN reporting: general protection fault in flexcop_usb_probe

[Oliver Neukum]

Reacting to this:

Title:              general protection fault in flexcop_usb_probe
Last occurred:      0 days ago
Reported:           102 days ago
Branches:           Mainline (with usb-fuzzer patches)
Dashboard link:     https://syzkaller.appspot.com/bug?id=c0203bd72037d0
7493f4b7562411e4f5f4553a8f
Original thread:    https://lkml.kernel.org/lkml/00000000000010fe260586
536e86@google.com/T/#u

This bug has a C reproducer.

No one replied to the original thread for this bug.

This looks like a bug in a media USB driver.

If you fix this bug, please add the following tag to the commit:
    Reported-by: syzbot+d93dff37e6a89431c158@syzkaller.appspotmail.com

#syz test: https://github.com/google/kasan.git 9a33b369

From 5a34ecc6c75479a9f245a867e1ce37e6e28f58f8 Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Mon, 29 Jul 2019 16:21:11 +0200
Subject: [PATCH] b2c2-flexcop-usb: add sanity checking

The driver needs an isochronous endpoint to be present. It will
oops in its absence. Add checking for it.

Reported-by: syzbot+d93dff37e6a89431c158@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
 drivers/media/usb/b2c2/flexcop-usb.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/media/usb/b2c2/flexcop-usb.c b/drivers/media/usb/b2c2/flexcop-usb.c
index 1826ff825c2e..1a801dc286f8 100644
--- a/drivers/media/usb/b2c2/flexcop-usb.c
+++ b/drivers/media/usb/b2c2/flexcop-usb.c
@@ -538,6 +538,9 @@ static int flexcop_usb_probe(struct usb_interface *intf,
 	struct flexcop_device *fc = NULL;
 	int ret;
 
+	if (intf->cur_altsetting->desc.bNumEndpoints < 1)
+		return -ENODEV;
+
 	if ((fc = flexcop_device_kmalloc(sizeof(struct flexcop_usb))) == NULL) {
 		err("out of memory\n");
 		return -ENOMEM;

Re: general protection fault in flexcop_usb_probe

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger  
crash:

Reported-and-tested-by:  
syzbot+d93dff37e6a89431c158@syzkaller.appspotmail.com

Tested on:

commit:         9a33b369 usb-fuzzer: main usb gadget fuzzer driver
git tree:       https://github.com/google/kasan.git
kernel config:  https://syzkaller.appspot.com/x/.config?x=23e37f59d94ddd15
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1226c2d8600000

Note: testing is done by a robot and is best-effort only.

Re: general protection fault in flexcop_usb_probe

[Andrey Konovalov]

On Tue, Jul 30, 2019 at 10:30 AM syzbot
<syzbot+d93dff37e6a89431c158@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot has tested the proposed patch and the reproducer did not trigger
> crash:
>
> Reported-and-tested-by:
> syzbot+d93dff37e6a89431c158@syzkaller.appspotmail.com
>
> Tested on:
>
> commit:         9a33b369 usb-fuzzer: main usb gadget fuzzer driver
> git tree:       https://github.com/google/kasan.git
> kernel config:  https://syzkaller.appspot.com/x/.config?x=23e37f59d94ddd15
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> patch:          https://syzkaller.appspot.com/x/patch.diff?x=1226c2d8600000
>
> Note: testing is done by a robot and is best-effort only.
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/00000000000081a9c1058ee1d06a%40google.com.

Hi Oliver,

I was wondering if you've submitted this patch anywhere? The bug is
still happening.

https://syzkaller.appspot.com/bug?id=c0203bd72037d07493f4b7562411e4f5f4553a8f

Thanks!

Re: general protection fault in flexcop_usb_probe

[Oliver Neukum]

Am Freitag, den 20.09.2019, 18:01 +0200 schrieb Andrey Konovalov:

> > Reported-and-tested-by:
> > syzbot+d93dff37e6a89431c158@syzkaller.appspotmail.com

[..]
> Hi Oliver,
> 
> I was wondering if you've submitted this patch anywhere? The bug is
> still happening.
> 
> https://syzkaller.appspot.com/bug?id=c0203bd72037d07493f4b7562411e4f5f4553a8f

Hi,

I definitely did submit it:
https://www.mail-archive.com/linux-media@vger.kernel.org/msg148850.html

	Regards
		Oliver

Re: general protection fault in flexcop_usb_probe

[Andrey Konovalov]

On Mon, Sep 23, 2019 at 11:21 AM Oliver Neukum <oneukum@suse.com> wrote:
>
> Am Freitag, den 20.09.2019, 18:01 +0200 schrieb Andrey Konovalov:
>
> > > Reported-and-tested-by:
> > > syzbot+d93dff37e6a89431c158@syzkaller.appspotmail.com
>
> [..]
> > Hi Oliver,
> >
> > I was wondering if you've submitted this patch anywhere? The bug is
> > still happening.
> >
> > https://syzkaller.appspot.com/bug?id=c0203bd72037d07493f4b7562411e4f5f4553a8f
>
> Hi,
>
> I definitely did submit it:
> https://www.mail-archive.com/linux-media@vger.kernel.org/msg148850.html

Hi Mauro,

Do you know what happened to this patch? Did it get lost?

Thanks!

Re: general protection fault in flexcop_usb_probe

[Hans Verkuil]

On 9/23/19 2:46 PM, Andrey Konovalov wrote:
> On Mon, Sep 23, 2019 at 11:21 AM Oliver Neukum <oneukum@suse.com> wrote:
>>
>> Am Freitag, den 20.09.2019, 18:01 +0200 schrieb Andrey Konovalov:
>>
>>>> Reported-and-tested-by:
>>>> syzbot+d93dff37e6a89431c158@syzkaller.appspotmail.com
>>
>> [..]
>>> Hi Oliver,
>>>
>>> I was wondering if you've submitted this patch anywhere? The bug is
>>> still happening.
>>>
>>> https://syzkaller.appspot.com/bug?id=c0203bd72037d07493f4b7562411e4f5f4553a8f
>>
>> Hi,
>>
>> I definitely did submit it:
>> https://www.mail-archive.com/linux-media@vger.kernel.org/msg148850.html
> 
> Hi Mauro,
> 
> Do you know what happened to this patch? Did it get lost?
> 
> Thanks!
> 

Still sitting unreviewed in patchwork: https://patchwork.linuxtv.org/patch/57785/

Not sure why this wasn't picked up.

Regards,

	Hans

Re: general protection fault in flexcop_usb_probe

[Oliver Neukum]

Am Montag, den 23.09.2019, 14:51 +0200 schrieb Hans Verkuil:
> On 9/23/19 2:46 PM, Andrey Konovalov wrote:
> > On Mon, Sep 23, 2019 at 11:21 AM Oliver Neukum <oneukum@suse.com> wrote:
> > > 
> > > Am Freitag, den 20.09.2019, 18:01 +0200 schrieb Andrey Konovalov:
> > > 
> > > > > Reported-and-tested-by:
> > > > > syzbot+d93dff37e6a89431c158@syzkaller.appspotmail.com
> > > 
> > > [..]
> > > > Hi Oliver,
> > > > 
> > > > I was wondering if you've submitted this patch anywhere? The bug is
> > > > still happening.
> > > > 
> > > > https://syzkaller.appspot.com/bug?id=c0203bd72037d07493f4b7562411e4f5f4553a8f
> > > 
> > > Hi,
> > > 
> > > I definitely did submit it:
> > > https://www.mail-archive.com/linux-media@vger.kernel.org/msg148850.html
> > 
> > Hi Mauro,
> > 
> > Do you know what happened to this patch? Did it get lost?
> > 
> > Thanks!
> > 
> 
> Still sitting unreviewed in patchwork: https://patchwork.linuxtv.org/patch/57785/
> 
> Not sure why this wasn't picked up.

Hi,

AFAICT it is still in the state new. What should I do?

	Regards
		Oliver

Re: general protection fault in flexcop_usb_probe

[Hans Verkuil]

Hi Sean,

Mauro is very busy, so can you pick this up? And perhaps check patchwork for more
trivial DVB patches that can be included in a pull request?

Regards,

	Hans

On 11/7/19 4:02 PM, Oliver Neukum wrote:
> Am Montag, den 23.09.2019, 14:51 +0200 schrieb Hans Verkuil:
>> On 9/23/19 2:46 PM, Andrey Konovalov wrote:
>>> On Mon, Sep 23, 2019 at 11:21 AM Oliver Neukum <oneukum@suse.com> wrote:
>>>>
>>>> Am Freitag, den 20.09.2019, 18:01 +0200 schrieb Andrey Konovalov:
>>>>
>>>>>> Reported-and-tested-by:
>>>>>> syzbot+d93dff37e6a89431c158@syzkaller.appspotmail.com
>>>>
>>>> [..]
>>>>> Hi Oliver,
>>>>>
>>>>> I was wondering if you've submitted this patch anywhere? The bug is
>>>>> still happening.
>>>>>
>>>>> https://syzkaller.appspot.com/bug?id=c0203bd72037d07493f4b7562411e4f5f4553a8f
>>>>
>>>> Hi,
>>>>
>>>> I definitely did submit it:
>>>> https://www.mail-archive.com/linux-media@vger.kernel.org/msg148850.html
>>>
>>> Hi Mauro,
>>>
>>> Do you know what happened to this patch? Did it get lost?
>>>
>>> Thanks!
>>>
>>
>> Still sitting unreviewed in patchwork: https://patchwork.linuxtv.org/patch/57785/
>>
>> Not sure why this wasn't picked up.
> 
> Hi,
> 
> AFAICT it is still in the state new. What should I do?
> 
> 	Regards
> 		Oliver
> 

Re: general protection fault in flexcop_usb_probe

[Sean Young]

Hi Hans, Oliver,

My bad, it slipped between the cracks. I am preparing a pull request now.

Sorry about this.

Sean

On Thu, Nov 07, 2019 at 04:47:50PM +0100, Hans Verkuil wrote:
> Hi Sean,
> 
> Mauro is very busy, so can you pick this up? And perhaps check patchwork for more
> trivial DVB patches that can be included in a pull request?
> 
> Regards,
> 
> 	Hans
> 
> On 11/7/19 4:02 PM, Oliver Neukum wrote:
> > Am Montag, den 23.09.2019, 14:51 +0200 schrieb Hans Verkuil:
> >> On 9/23/19 2:46 PM, Andrey Konovalov wrote:
> >>> On Mon, Sep 23, 2019 at 11:21 AM Oliver Neukum <oneukum@suse.com> wrote:
> >>>>
> >>>> Am Freitag, den 20.09.2019, 18:01 +0200 schrieb Andrey Konovalov:
> >>>>
> >>>>>> Reported-and-tested-by:
> >>>>>> syzbot+d93dff37e6a89431c158@syzkaller.appspotmail.com
> >>>>
> >>>> [..]
> >>>>> Hi Oliver,
> >>>>>
> >>>>> I was wondering if you've submitted this patch anywhere? The bug is
> >>>>> still happening.
> >>>>>
> >>>>> https://syzkaller.appspot.com/bug?id=c0203bd72037d07493f4b7562411e4f5f4553a8f
> >>>>
> >>>> Hi,
> >>>>
> >>>> I definitely did submit it:
> >>>> https://www.mail-archive.com/linux-media@vger.kernel.org/msg148850.html
> >>>
> >>> Hi Mauro,
> >>>
> >>> Do you know what happened to this patch? Did it get lost?
> >>>
> >>> Thanks!
> >>>
> >>
> >> Still sitting unreviewed in patchwork: https://patchwork.linuxtv.org/patch/57785/
> >>
> >> Not sure why this wasn't picked up.
> > 
> > Hi,
> > 
> > AFAICT it is still in the state new. What should I do?
> > 
> > 	Regards
> > 		Oliver
> > 

KASAN reporting: general protection fault in flexcop_usb_probe

[Oliver Neukum]

Reacting to this:

Title:              general protection fault in flexcop_usb_probe
Last occurred:      0 days ago
Reported:           102 days ago
Branches:           Mainline (with usb-fuzzer patches)
Dashboard link:     https://syzkaller.appspot.com/bug?id=c0203bd72037d0
7493f4b7562411e4f5f4553a8f
Original thread:    https://lkml.kernel.org/lkml/00000000000010fe260586
536e86@google.com/T/#u

This bug has a C reproducer.

No one replied to the original thread for this bug.

This looks like a bug in a media USB driver.

If you fix this bug, please add the following tag to the commit:
    Reported-by: syzbot+d93dff37e6a89431c158@syzkaller.appspotmail.com

#syz test: https://github.com/google/kasan.git usb-fuzzer-usb-testing-2019.07.11

From 5a34ecc6c75479a9f245a867e1ce37e6e28f58f8 Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Mon, 29 Jul 2019 16:21:11 +0200
Subject: [PATCH] b2c2-flexcop-usb: add sanity checking

The driver needs an isochronous endpoint to be present. It will
oops in its absence. Add checking for it.

Reported-by: syzbot+d93dff37e6a89431c158@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
 drivers/media/usb/b2c2/flexcop-usb.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/media/usb/b2c2/flexcop-usb.c b/drivers/media/usb/b2c2/flexcop-usb.c
index 1826ff825c2e..1a801dc286f8 100644
--- a/drivers/media/usb/b2c2/flexcop-usb.c
+++ b/drivers/media/usb/b2c2/flexcop-usb.c
@@ -538,6 +538,9 @@ static int flexcop_usb_probe(struct usb_interface *intf,
 	struct flexcop_device *fc = NULL;
 	int ret;
 
+	if (intf->cur_altsetting->desc.bNumEndpoints < 1)
+		return -ENODEV;
+
 	if ((fc = flexcop_device_kmalloc(sizeof(struct flexcop_usb))) == NULL) {
 		err("out of memory\n");
 		return -ENOMEM;
-- 
2.16.4