From: Alan Stern <stern@rowland.harvard.edu>
To: Andrey Konovalov <andreyknvl@google.com>
Cc: syzbot <syzbot+403741a091bf41d4ae79@syzkaller.appspotmail.com>,
	Benjamin Tissoires <benjamin.tissoires@redhat.com>,
	Jiri Kosina <jikos@kernel.org>, <linux-input@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	USB list <linux-usb@vger.kernel.org>,
	syzkaller-bugs <syzkaller-bugs@googlegroups.com>
Subject: Re: KASAN: slab-out-of-bounds Write in ga_probe
Date: Thu, 19 Sep 2019 15:19:28 -0400 (EDT)
Message-ID: <Pine.LNX.4.44L0.1909191515350.6904-100000@iolanthe.rowland.org>
In-Reply-To: <CAAeHK+wh0bQKRXU_7fOC5XZKUUL1QW8DskCBJKQACwqZd=tZyw@mail.gmail.com>

On Thu, 19 Sep 2019, Andrey Konovalov wrote:

> On Tue, Sep 17, 2019 at 8:24 PM Alan Stern <stern@rowland.harvard.edu> wrote:
> >
> > On Mon, 16 Sep 2019, syzbot wrote:
> >
> > > Hello,
> > >
> > > syzbot found the following crash on:
> > >
> > > HEAD commit:    f0df5c1b usb-fuzzer: main usb gadget fuzzer driver
> > > git tree:       https://github.com/google/kasan.git usb-fuzzer
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=14045831600000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=5c6633fa4ed00be5
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=403741a091bf41d4ae79
> > > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=13c1e62d600000
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=166a3a95600000
> > >
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: syzbot+403741a091bf41d4ae79@syzkaller.appspotmail.com
> > >
> > > usb 1-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor,
> > > different from the interface descriptor's value: 9
> > > usb 1-1: New USB device found, idVendor=0e8f, idProduct=0012, bcdDevice=
> > > 0.00
> > > usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
> > > usb 1-1: config 0 descriptor??
> > > greenasia 0003:0E8F:0012.0001: unknown main item tag 0x0
> > > greenasia 0003:0E8F:0012.0001: hidraw0: USB HID v0.00 Device [HID
> > > 0e8f:0012] on usb-dummy_hcd.0-1/input0
> > > ==================================================================
> > > BUG: KASAN: slab-out-of-bounds in set_bit
> > > include/asm-generic/bitops-instrumented.h:28 [inline]
> > > BUG: KASAN: slab-out-of-bounds in gaff_init drivers/hid/hid-gaff.c:97
> > > [inline]
> > > BUG: KASAN: slab-out-of-bounds in ga_probe+0x1fd/0x6f0
> > > drivers/hid/hid-gaff.c:146
> > > Write of size 8 at addr ffff8881d9acafc0 by task kworker/1:1/78
> > >
> > > CPU: 1 PID: 78 Comm: kworker/1:1 Not tainted 5.3.0-rc7+ #0
> > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > > Google 01/01/2011
> > > Workqueue: usb_hub_wq hub_event
> > > Call Trace:
> > >   __dump_stack lib/dump_stack.c:77 [inline]
> > >   dump_stack+0xca/0x13e lib/dump_stack.c:113
> > >   print_address_description+0x6a/0x32c mm/kasan/report.c:351
> > >   __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
> > >   kasan_report+0xe/0x12 mm/kasan/common.c:618
> > >   check_memory_region_inline mm/kasan/generic.c:185 [inline]
> > >   check_memory_region+0x128/0x190 mm/kasan/generic.c:192
> > >   set_bit include/asm-generic/bitops-instrumented.h:28 [inline]
> > >   gaff_init drivers/hid/hid-gaff.c:97 [inline]
> > >   ga_probe+0x1fd/0x6f0 drivers/hid/hid-gaff.c:146
> > >   hid_device_probe+0x2be/0x3f0 drivers/hid/hid-core.c:2209
> > >   really_probe+0x281/0x6d0 drivers/base/dd.c:548
> > >   driver_probe_device+0x101/0x1b0 drivers/base/dd.c:721
> > >   __device_attach_driver+0x
> > >
> > >
> > > ---
> > > This bug is generated by a bot. It may contain errors.
> > > See https://goo.gl/tpsmEJ for more information about syzbot.
> > > syzbot engineers can be reached at syzkaller@googlegroups.com.
> > >
> > > syzbot will keep track of this bug report. See:
> > > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> > > syzbot can test patches for this bug, for details see:
> > > https://goo.gl/tpsmEJ#testing-patches
> >
> > The driver assumes that the device contains an input.
> 
> BTW, these two reports look fairly similar:
> 
> https://syzkaller.appspot.com/bug?extid=94e2b9e9c7d1dd332345
> https://syzkaller.appspot.com/bug?extid=1e86e2ccce227cca899b

Indeed they do.  I don't have time to patch them now; maybe next week.
Unless you or someone else would like to do it first...  :-)  

Essentially the same fix should work for each of these -- looks like
they were written using copy-and-paste.  In fact, a quick grep through
drivers/hid/*.c shows about 9 of them with the same suspect
initialization code for hidinput.

Alan Stern          


> >  drivers/hid/hid-gaff.c |   12 +++++++++---
> >  1 file changed, 9 insertions(+), 3 deletions(-)
> >
> > Index: usb-devel/drivers/hid/hid-gaff.c
> > ===================================================================
> > --- usb-devel.orig/drivers/hid/hid-gaff.c
> > +++ usb-devel/drivers/hid/hid-gaff.c
> > @@ -64,14 +64,20 @@ static int gaff_init(struct hid_device *
> >  {
> >         struct gaff_device *gaff;
> >         struct hid_report *report;
> > -       struct hid_input *hidinput = list_entry(hid->inputs.next,
> > -                                               struct hid_input, list);
> > +       struct hid_input *hidinput;
> >         struct list_head *report_list =
> >                         &hid->report_enum[HID_OUTPUT_REPORT].report_list;
> >         struct list_head *report_ptr = report_list;
> > -       struct input_dev *dev = hidinput->input;
> > +       struct input_dev *dev;
> >         int error;
> >
> > +       if (list_empty(&hid->inputs)) {
> > +               hid_err(hid, "no inputs found\n");
> > +               return -ENODEV;
> > +       }
> > +       hidinput = list_entry(hid->inputs.next, struct hid_input, list);
> > +       dev = hidinput->input;
> > +
> >         if (list_empty(report_list)) {
> >                 hid_err(hid, "no output reports found\n");
> >                 return -ENODEV;
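Review bot: the new list_empty(&hid->inputs) guard at the top of the hunk is placed correctly, before list_entry() is evaluated, which is what closes the out-of-bounds write reported at hid-gaff.c:97 (set_bit on an input_dev taken from the first entry of an empty list); the error path mirrors the existing "no output reports found" check, so the two are consistent. Since the discussion notes that roughly nine drivers under drivers/hid/*.c carry the same copy-pasted initialization, a one-line comment above the guard explaining that hid->inputs is empty when the report descriptor declares no input usages would help whoever ports this check to the other drivers.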

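As an added example that is not the kernel's code or the patch above: a user-space model of the bug the hunk fixes, with minimal reimplementations of list_head/list_entry and constructed, simplified struct layouts. It shows that list_entry() on an empty hid->inputs yields a pointer that aliases the hid_device itself, so the read of the "input" field lands past the end of that object, and that the list_empty() guard from the patch turns the same situation into -ENODEV.

```c
/* Added example (constructed user-space model, not kernel code). */
#include <stddef.h>
#define ENODEV 19
struct list_head { struct list_head *next, *prev; };
#define list_entry(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static int list_empty(const struct list_head *h) { return h->next == h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{ n->next = h; n->prev = h->prev; h->prev->next = n; h->prev = n; }
/* Simplified stand-ins for the kernel structs; the layouts are constructed. */
struct input_dev { unsigned long ffbit; };
struct hid_input { struct list_head list; struct input_dev *input; };
struct hid_device { int id; struct list_head inputs; };

/* Guarded lookup mirroring the patch: bail out instead of the old unconditional list_entry(). */
static int gaff_init_model(struct hid_device *hid, struct input_dev **dev)
{
	struct hid_input *hidinput;
	if (list_empty(&hid->inputs))
		return -ENODEV;
	hidinput = list_entry(hid->inputs.next, struct hid_input, list);
	*dev = hidinput->input;
	return 0;
}

/* Byte offset, from the start of hid_device, where the unguarded code would read
 * hidinput->input: with an empty list, inputs.next is the head itself, so the
 * fake "hid_input" overlays hid_device and the read lands beyond its end. */
static size_t unguarded_input_field_offset(void)
{
	struct hid_device hid = { .id = 1 };
	struct hid_input *bogus;
	INIT_LIST_HEAD(&hid.inputs);
	bogus = list_entry(hid.inputs.next, struct hid_input, list); /* never dereferenced */
	return (size_t)((char *)bogus - (char *)&hid) + offsetof(struct hid_input, input);
}

/* Drive the guarded probe with and without a registered input. */
static int probe_model(int have_input)
{
	struct hid_device hid = { .id = 1 };
	struct input_dev in = { 0 }, *dev = NULL;
	struct hid_input hi = { .input = &in };
	int err;
	INIT_LIST_HEAD(&hid.inputs);
	if (have_input)
		list_add_tail(&hi.list, &hid.inputs);
	err = gaff_init_model(&hid, &dev);
	return err ? err : (dev == &in ? 0 : -1);
}
```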
