From: Alan Stern <stern@rowland.harvard.edu>
To: Andrey Konovalov <andreyknvl@google.com>
Cc: syzbot <syzbot+403741a091bf41d4ae79@syzkaller.appspotmail.com>, Benjamin Tissoires <benjamin.tissoires@redhat.com>, Jiri Kosina <jikos@kernel.org>, linux-input@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>, USB list <linux-usb@vger.kernel.org>, syzkaller-bugs <syzkaller-bugs@googlegroups.com>
Subject: Re: KASAN: slab-out-of-bounds Write in ga_probe
Date: Thu, 19 Sep 2019 15:19:28 -0400 (EDT)
Message-ID: <Pine.LNX.4.44L0.1909191515350.6904-100000@iolanthe.rowland.org>
In-Reply-To: <CAAeHK+wh0bQKRXU_7fOC5XZKUUL1QW8DskCBJKQACwqZd=tZyw@mail.gmail.com>

On Thu, 19 Sep 2019, Andrey Konovalov wrote:

> On Tue, Sep 17, 2019 at 8:24 PM Alan Stern <stern@rowland.harvard.edu> wrote:
> >
> > On Mon, 16 Sep 2019, syzbot wrote:
> >
> > > Hello,
> > >
> > > syzbot found the following crash on:
> > >
> > > HEAD commit:    f0df5c1b usb-fuzzer: main usb gadget fuzzer driver
> > > git tree:       https://github.com/google/kasan.git usb-fuzzer
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=14045831600000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=5c6633fa4ed00be5
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=403741a091bf41d4ae79
> > > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=13c1e62d600000
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=166a3a95600000
> > >
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: syzbot+403741a091bf41d4ae79@syzkaller.appspotmail.com
> > >
> > > usb 1-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor,
> > > different from the interface descriptor's value: 9
> > > usb 1-1: New USB device found, idVendor=0e8f, idProduct=0012, bcdDevice=
> > > 0.00
> > > usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
> > > usb 1-1: config 0 descriptor??
> > > greenasia 0003:0E8F:0012.0001: unknown main item tag 0x0
> > > greenasia 0003:0E8F:0012.0001: hidraw0: USB HID v0.00 Device [HID
> > > 0e8f:0012] on usb-dummy_hcd.0-1/input0
> > > ==================================================================
> > > BUG: KASAN: slab-out-of-bounds in set_bit
> > > include/asm-generic/bitops-instrumented.h:28 [inline]
> > > BUG: KASAN: slab-out-of-bounds in gaff_init drivers/hid/hid-gaff.c:97
> > > [inline]
> > > BUG: KASAN: slab-out-of-bounds in ga_probe+0x1fd/0x6f0
> > > drivers/hid/hid-gaff.c:146
> > > Write of size 8 at addr ffff8881d9acafc0 by task kworker/1:1/78
> > >
> > > CPU: 1 PID: 78 Comm: kworker/1:1 Not tainted 5.3.0-rc7+ #0
> > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > > Google 01/01/2011
> > > Workqueue: usb_hub_wq hub_event
> > > Call Trace:
> > >  __dump_stack lib/dump_stack.c:77 [inline]
> > >  dump_stack+0xca/0x13e lib/dump_stack.c:113
> > >  print_address_description+0x6a/0x32c mm/kasan/report.c:351
> > >  __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
> > >  kasan_report+0xe/0x12 mm/kasan/common.c:618
> > >  check_memory_region_inline mm/kasan/generic.c:185 [inline]
> > >  check_memory_region+0x128/0x190 mm/kasan/generic.c:192
> > >  set_bit include/asm-generic/bitops-instrumented.h:28 [inline]
> > >  gaff_init drivers/hid/hid-gaff.c:97 [inline]
> > >  ga_probe+0x1fd/0x6f0 drivers/hid/hid-gaff.c:146
> > >  hid_device_probe+0x2be/0x3f0 drivers/hid/hid-core.c:2209
> > >  really_probe+0x281/0x6d0 drivers/base/dd.c:548
> > >  driver_probe_device+0x101/0x1b0 drivers/base/dd.c:721
> > >  __device_attach_driver+0x
> > >
> > >
> > > ---
> > > This bug is generated by a bot. It may contain errors.
> > > See https://goo.gl/tpsmEJ for more information about syzbot.
> > > syzbot engineers can be reached at syzkaller@googlegroups.com.
> > >
> > > syzbot will keep track of this bug report. See:
> > > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> > > syzbot can test patches for this bug, for details see:
> > > https://goo.gl/tpsmEJ#testing-patches
> >
> > The driver assumes that the device contains an input.
>
> BTW, these two reports look fairly similar:
>
> https://syzkaller.appspot.com/bug?extid=94e2b9e9c7d1dd332345
> https://syzkaller.appspot.com/bug?extid=1e86e2ccce227cca899b

Indeed they do. I don't have time to patch them now; maybe next week.
Unless you or someone else would like to do it first... :-)

Essentially the same fix should work for each of these -- looks like
they were written using copy-and-paste. In fact, a quick grep through
drivers/hid/*.c shows about 9 of them with the same suspect
initialization code for hidinput.

Alan Stern

> >  drivers/hid/hid-gaff.c |   12 +++++++++---
> >  1 file changed, 9 insertions(+), 3 deletions(-)
> >
> > Index: usb-devel/drivers/hid/hid-gaff.c
> > ===================================================================
> > --- usb-devel.orig/drivers/hid/hid-gaff.c
> > +++ usb-devel/drivers/hid/hid-gaff.c
> > @@ -64,14 +64,20 @@ static int gaff_init(struct hid_device *
> >  {
> >  	struct gaff_device *gaff;
> >  	struct hid_report *report;
> > -	struct hid_input *hidinput = list_entry(hid->inputs.next,
> > -						struct hid_input, list);
> > +	struct hid_input *hidinput;
> >  	struct list_head *report_list =
> >  			&hid->report_enum[HID_OUTPUT_REPORT].report_list;
> >  	struct list_head *report_ptr = report_list;
> > -	struct input_dev *dev = hidinput->input;
> > +	struct input_dev *dev;
> >  	int error;
> >
> > +	if (list_empty(&hid->inputs)) {
> > +		hid_err(hid, "no inputs found\n");
> > +		return -ENODEV;
> > +	}
> > +	hidinput = list_entry(hid->inputs.next, struct hid_input, list);
> > +	dev = hidinput->input;
> > +
> >  	if (list_empty(report_list)) {
> >  		hid_err(hid, "no output reports found\n");
> >  		return -ENODEV;
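Review bot: the new `list_empty(&hid->inputs)` guard closes the path KASAN flagged, because on an empty list `hid->inputs.next` points back at the list head embedded in `struct hid_device`, so the old `list_entry()` call produced a `struct hid_input` pointer aliasing the `hid_device` allocation and `hidinput->input` read past its end before `set_bit()` ever ran; the hunk is cut off after the existing `return -ENODEV;`, so it is not visible whether `ga_probe` (hid-gaff.c:146 in the trace) unwinds whatever it set up before calling `gaff_init()` on this new failure, which is worth confirming since the error is now reachable from a fuzzed descriptor rather than only from a missing output report. As the reply above notes, about nine other drivers in drivers/hid/*.c carry the same unchecked `list_entry(hid->inputs.next, ...)` initialization, so the same guard (or a shared helper) should be applied to each rather than to this one driver alone.

The following userspace model, added here and not part of the kernel or of the patch, shows why the unguarded pattern in the hunk is an out-of-bounds access and what the guard buys: it re-implements a minimal `list_head`, `list_entry()` and `container_of()` in C, builds a device whose `inputs` list is empty, and computes where the `->input` read would land relative to the `hid_device` object, then runs a model of the fixed `gaff_init()` against both an empty device and one with a real input. The struct layouts, the `EV_FF_BIT` value and the device names are constructed for the example and do not match the kernel's.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Userspace model of the kernel's intrusive list_head and list_entry()
 * (added example, not kernel code; the layouts are simplified). */
struct list_head { struct list_head *next, *prev; };

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define list_entry(ptr, type, member) container_of(ptr, type, member)

static void init_list_head(struct list_head *h) { h->next = h; h->prev = h; }
static int list_empty(const struct list_head *h) { return h->next == h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
	n->next = h; n->prev = h->prev; h->prev->next = n; h->prev = n;
}

/* Simplified stand-ins for the kernel structs (constructed layouts). */
struct input_dev { unsigned long evbit[1]; };
struct hid_input { struct list_head list; struct input_dev *input; };
struct hid_device { char name[16]; struct list_head inputs; };

#define EV_FF_BIT 0x15	/* constructed stand-in for the kernel's EV_FF */

/* Unchecked pattern from the '-' side of the hunk: on an empty list,
 * inputs.next points back at the head inside hid_device, so the "entry"
 * is hid_device memory reinterpreted as struct hid_input. */
static struct hid_input *first_input_unchecked(struct hid_device *hid)
{
	return list_entry(hid->inputs.next, struct hid_input, list);
}

/* Guarded pattern from the '+' side of the hunk: NULL when no input exists. */
static struct hid_input *first_input_checked(struct hid_device *hid)
{
	if (list_empty(&hid->inputs))
		return NULL;
	return list_entry(hid->inputs.next, struct hid_input, list);
}

/* Byte offset, relative to the start of hid_device, of the ->input field the
 * unchecked code would read from a device with no inputs. Computed with
 * offsetof() so the bogus pointer is never dereferenced. */
static size_t unchecked_input_offset(struct hid_device *hid)
{
	init_list_head(&hid->inputs);
	char *bogus = (char *)first_input_unchecked(hid);
	return (size_t)(bogus + offsetof(struct hid_input, input) - (char *)hid);
}

/* 1 if that read lands past the end of the hid_device allocation, which is
 * the slab-out-of-bounds condition KASAN reported (the pointer it yields is
 * then handed to set_bit(), turning the bad read into a bad write). */
static int empty_device_read_is_out_of_bounds(void)
{
	struct hid_device hid;
	memset(&hid, 0, sizeof(hid));
	return unchecked_input_offset(&hid) >= sizeof(hid);
}

/* Model of the fixed gaff_init(): refuse devices without inputs, otherwise
 * mark the first input as force-feedback capable (set_bit(EV_FF, dev->evbit)). */
static int model_init(struct hid_device *hid)
{
	struct hid_input *hidinput = first_input_checked(hid);
	if (!hidinput) {
		fprintf(stderr, "%s: no inputs found\n", hid->name);
		return -ENODEV;
	}
	hidinput->input->evbit[0] |= 1UL << EV_FF_BIT;
	return 0;
}

/* Fuzzer-style device: valid HID object, empty inputs list. */
static int demo_empty_device(void)
{
	struct hid_device hid = { "fuzzed-hid" };
	init_list_head(&hid.inputs);
	return model_init(&hid);		/* -ENODEV */
}

/* Well-formed device: returns 1 when EV_FF ended up set on its input_dev. */
static int demo_device_with_input(void)
{
	struct hid_device hid = { "real-hid" };
	struct input_dev dev = { {0} };
	struct hid_input hi = { {0, 0}, &dev };
	init_list_head(&hid.inputs);
	list_add_tail(&hi.list, &hid.inputs);
	if (model_init(&hid) != 0)
		return -1;
	return (int)((dev.evbit[0] >> EV_FF_BIT) & 1);
}

int main(void)
{
	printf("empty device: init returns %d (expect %d)\n", demo_empty_device(), -ENODEV);
	printf("device with input: EV_FF set = %d\n", demo_device_with_input());
	printf("unchecked ->input read on empty device is out of bounds: %d\n",
	       empty_device_read_is_out_of_bounds());
	return 0;
}
```

The offset check holds on any pointer width, because `offsetof(struct hid_input, list)` is zero, so the bogus entry coincides with `hid->inputs` and its `input` member sits one `list_head` further on, exactly at `sizeof(struct hid_device)`. In the real driver that stray value is dereferenced as `dev->evbit`, which is what makes the KASAN report a write rather than a read.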
Thread overview (10+ messages):

  2019-09-16 13:29  KASAN: slab-out-of-bounds Write in ga_probe  (syzbot)
  2019-09-17 18:24    Alan Stern
  2019-09-17 18:24    Alan Stern
  2019-09-18 11:26      Andrey Konovalov
  2019-09-18 12:07        syzbot
  2019-09-19 17:05      Andrey Konovalov
  2019-09-19 19:19        Alan Stern  [this message]
  2019-09-19 19:19        Alan Stern
  2019-10-03 18:53  [PATCH] HID: Fix assumption that devices have inputs  (Alan Stern)
  2019-10-04 15:47    Benjamin Tissoires