* KASAN reporting: general protection fault in flexcop_usb_probe
@ 2019-07-29 14:26 Oliver Neukum
  2019-07-29 15:05 ` syzbot
  0 siblings, 1 reply; 7+ messages in thread
From: Oliver Neukum @ 2019-07-29 14:26 UTC (permalink / raw)
  To: syzbot+d93dff37e6a89431c158; +Cc: linux-media, linux-usb

Reacting to this:

Title:              general protection fault in flexcop_usb_probe
Last occurred:      0 days ago
Reported:           102 days ago
Branches:           Mainline (with usb-fuzzer patches)
Dashboard link:     https://syzkaller.appspot.com/bug?id=c0203bd72037d07493f4b7562411e4f5f4553a8f
Original thread:    https://lkml.kernel.org/lkml/00000000000010fe260586536e86@google.com/T/#u

This bug has a C reproducer.

No one replied to the original thread for this bug.

This looks like a bug in a media USB driver.

If you fix this bug, please add the following tag to the commit:
    Reported-by: syzbot+d93dff37e6a89431c158@syzkaller.appspotmail.com

#syz test: https://github.com/google/kasan.git usb-fuzzer-usb-testing-2019.07.11

From 5a34ecc6c75479a9f245a867e1ce37e6e28f58f8 Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Mon, 29 Jul 2019 16:21:11 +0200
Subject: [PATCH] b2c2-flexcop-usb: add sanity checking

The driver needs an isochronous endpoint to be present. It will
oops in its absence. Add checking for it.

Reported-by: syzbot+d93dff37e6a89431c158@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
 drivers/media/usb/b2c2/flexcop-usb.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/media/usb/b2c2/flexcop-usb.c b/drivers/media/usb/b2c2/flexcop-usb.c
index 1826ff825c2e..1a801dc286f8 100644
--- a/drivers/media/usb/b2c2/flexcop-usb.c
+++ b/drivers/media/usb/b2c2/flexcop-usb.c
@@ -538,6 +538,9 @@ static int flexcop_usb_probe(struct usb_interface *intf,
 	struct flexcop_device *fc = NULL;
 	int ret;
 
+	if (intf->cur_altsetting->desc.bNumEndpoints < 1)
+		return -ENODEV;
+
 	if ((fc = flexcop_device_kmalloc(sizeof(struct flexcop_usb))) == NULL) {
 		err("out of memory\n");
 		return -ENOMEM;
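Review bot: the added check only guarantees that the current altsetting has at least one endpoint, whereas the commit message says the driver needs an isochronous endpoint; an interface whose only endpoint is bulk or interrupt still passes `bNumEndpoints < 1` and reaches the code that assumes an isochronous one. Consider also verifying the transfer type of the endpoint the driver actually uses, e.g. with usb_endpoint_xfer_isoc() on its descriptor, and returning -ENODEV when it does not match, so the probe refuses malformed descriptors rather than relying on a later dereference being harmless.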
-- 
2.16.4


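As an added illustration, not the driver's code and not from anyone in this thread, the following userspace C models the descriptor fields the probe function inspects and places the patch's minimal bNumEndpoints check beside a stricter check that an isochronous endpoint is actually present, which is what the commit message says the driver needs. The structs, the three sample altsettings and the bmAttributes constants are constructed stand-ins (the constants mirror the USB transfer-type encoding), not the kernel's definitions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed userspace stand-ins for the descriptor fields that a probe
 * function looks at; these are not the kernel's structs. */
#define USB_ENDPOINT_XFERTYPE_MASK 0x03  /* low two bits of bmAttributes */
#define USB_ENDPOINT_XFER_ISOC     0x01  /* transfer type: isochronous */
#define USB_ENDPOINT_XFER_BULK     0x02  /* transfer type: bulk */

struct ep_desc {
	uint8_t bEndpointAddress;
	uint8_t bmAttributes;
};

struct altsetting {
	uint8_t bNumEndpoints;
	const struct ep_desc *endpoint;  /* NULL when bNumEndpoints == 0 */
};

/* The patch's check: refuse an altsetting with no endpoints at all, so
 * endpoint[0] is never dereferenced on a descriptor-less interface. */
int probe_min_check(const struct altsetting *alt)
{
	if (alt->bNumEndpoints < 1)
		return -ENODEV;
	return 0;
}

/* Stricter check: the driver needs an isochronous endpoint, so look for
 * one by transfer type. Returns its index, or -ENODEV if none exists. */
int find_isoc_endpoint(const struct altsetting *alt)
{
	for (unsigned int i = 0; i < alt->bNumEndpoints; i++)
		if ((alt->endpoint[i].bmAttributes & USB_ENDPOINT_XFERTYPE_MASK)
		    == USB_ENDPOINT_XFER_ISOC)
			return (int)i;
	return -ENODEV;
}

/* Constructed sample descriptors: an interface with no endpoints (the
 * crashing case), one offering only a bulk OUT endpoint, and one that
 * carries a bulk OUT plus an isochronous IN endpoint. */
static const struct ep_desc bulk_eps[]  = { { 0x02, USB_ENDPOINT_XFER_BULK } };
static const struct ep_desc mixed_eps[] = { { 0x02, USB_ENDPOINT_XFER_BULK },
                                            { 0x81, USB_ENDPOINT_XFER_ISOC } };
const struct altsetting alt_empty = { 0, NULL };
const struct altsetting alt_bulk  = { 1, bulk_eps };
const struct altsetting alt_mixed = { 2, mixed_eps };
```

The bulk-only altsetting is the case that separates the two checks: it passes probe_min_check() but is rejected by find_isoc_endpoint().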

* Re: general protection fault in flexcop_usb_probe
  2019-07-29 14:26 KASAN reporting: general protection fault in flexcop_usb_probe Oliver Neukum
@ 2019-07-29 15:05 ` syzbot
  2019-07-29 16:54   ` Andrey Konovalov
  0 siblings, 1 reply; 7+ messages in thread
From: syzbot @ 2019-07-29 15:05 UTC (permalink / raw)
  To: linux-media, linux-usb, oneukum, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger crash:

Reported-and-tested-by: syzbot+d93dff37e6a89431c158@syzkaller.appspotmail.com

Tested on:

commit:         6a3599ce usb-fuzzer: main usb gadget fuzzer driver
git tree:       https://github.com/google/kasan.git usb-fuzzer-usb-testing-2019.07.11
kernel config:  https://syzkaller.appspot.com/x/.config?x=662450485a75f217
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1036e80c600000

Note: testing is done by a robot and is best-effort only.


* Re: general protection fault in flexcop_usb_probe
  2019-07-29 15:05 ` syzbot
@ 2019-07-29 16:54   ` Andrey Konovalov
  2019-07-29 17:34     ` syzbot
  2019-07-30  7:51     ` Oliver Neukum
  0 siblings, 2 replies; 7+ messages in thread
From: Andrey Konovalov @ 2019-07-29 16:54 UTC (permalink / raw)
  To: Oliver Neukum, syzbot; +Cc: linux-media, USB list, syzkaller-bugs


On Mon, Jul 29, 2019 at 5:05 PM syzbot
<syzbot+d93dff37e6a89431c158@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot has tested the proposed patch and the reproducer did not trigger
> crash:
>
> Reported-and-tested-by:
> syzbot+d93dff37e6a89431c158@syzkaller.appspotmail.com
>
> Tested on:
>
> commit:         6a3599ce usb-fuzzer: main usb gadget fuzzer driver
> git tree:       https://github.com/google/kasan.git
> usb-fuzzer-usb-testing-2019.07.11
> kernel config:  https://syzkaller.appspot.com/x/.config?x=662450485a75f217
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> patch:          https://syzkaller.appspot.com/x/patch.diff?x=1036e80c600000
>
> Note: testing is done by a robot and is best-effort only.

Hi Oliver,

Thanks a lot for fixing all of these USB bugs!

The usb-fuzzer branch is working again, so it should be possible to
use it for testing. But, I've actually just realized, that the proper
way to test fixes for USB bugs is to use the exact commit hash that is
provided in each bug report (the kernel interface for emulating USB
device is not stable yet, and has significantly changed at least
once). I've updated syzbot documentation to reflect this.

Let's try to retest this one with the right kernel commit id:

#syz test: https://github.com/google/kasan.git 9a33b369

Thanks!


[-- Attachment #2: flexcop.txt --]
[-- Type: text/plain, Size: 535 bytes --]

diff --git a/drivers/media/usb/b2c2/flexcop-usb.c b/drivers/media/usb/b2c2/flexcop-usb.c
index 1826ff825c2e..1a801dc286f8 100644
--- a/drivers/media/usb/b2c2/flexcop-usb.c
+++ b/drivers/media/usb/b2c2/flexcop-usb.c
@@ -538,6 +538,9 @@ static int flexcop_usb_probe(struct usb_interface *intf,
 	struct flexcop_device *fc = NULL;
 	int ret;
 
+	if (intf->cur_altsetting->desc.bNumEndpoints < 1)
+		return -ENODEV;
+
 	if ((fc = flexcop_device_kmalloc(sizeof(struct flexcop_usb))) == NULL) {
 		err("out of memory\n");
 		return -ENOMEM;


* Re: general protection fault in flexcop_usb_probe
  2019-07-29 16:54   ` Andrey Konovalov
@ 2019-07-29 17:34     ` syzbot
  2019-07-30  7:51     ` Oliver Neukum
  1 sibling, 0 replies; 7+ messages in thread
From: syzbot @ 2019-07-29 17:34 UTC (permalink / raw)
  To: andreyknvl, linux-media, linux-usb, oneukum, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger crash:

Reported-and-tested-by: syzbot+d93dff37e6a89431c158@syzkaller.appspotmail.com

Tested on:

commit:         9a33b369 usb-fuzzer: main usb gadget fuzzer driver
git tree:       https://github.com/google/kasan.git
kernel config:  https://syzkaller.appspot.com/x/.config?x=23e37f59d94ddd15
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
patch:          https://syzkaller.appspot.com/x/patch.diff?x=11cc12d8600000

Note: testing is done by a robot and is best-effort only.


* Re: general protection fault in flexcop_usb_probe
  2019-07-29 16:54   ` Andrey Konovalov
  2019-07-29 17:34     ` syzbot
@ 2019-07-30  7:51     ` Oliver Neukum
  2019-07-30  8:52       ` Dmitry Vyukov
  1 sibling, 1 reply; 7+ messages in thread
From: Oliver Neukum @ 2019-07-30  7:51 UTC (permalink / raw)
  To: Andrey Konovalov, syzbot; +Cc: syzkaller-bugs, linux-media, USB list

On Monday, 29.07.2019, 18:54 +0200, Andrey Konovalov wrote:

Hi,

> Thanks a lot for fixing all of these USB bugs!

I fear the day we get serious about MA USB.
All these issues will turn into security issues.

> The usb-fuzzer branch is working again, so it should be possible to
> use it for testing. But, I've actually just realized, that the proper
> way to test fixes for USB bugs is to use the exact commit hash that is
> provided in each bug report (the kernel interface for emulating USB
> device is not stable yet, and has significantly changed at least
> once). I've updated syzbot documentation to reflect this.

Where is that documentation?

> Let's try to retest this one with the right kernel commit id:
> 
> #syz test: https://github.com/google/kasan.git 9a33b369

Retesting.

	Regards
		Oliver



* Re: general protection fault in flexcop_usb_probe
  2019-07-30  7:51     ` Oliver Neukum
@ 2019-07-30  8:52       ` Dmitry Vyukov
  0 siblings, 0 replies; 7+ messages in thread
From: Dmitry Vyukov @ 2019-07-30  8:52 UTC (permalink / raw)
  To: Oliver Neukum
  Cc: Andrey Konovalov, syzbot, syzkaller-bugs, linux-media, USB list

On Tue, Jul 30, 2019 at 9:51 AM Oliver Neukum <oneukum@suse.com> wrote:
>
> On Monday, 29.07.2019, 18:54 +0200, Andrey Konovalov wrote:
>
> Hi,
>
> > Thanks a lot for fixing all of these USB bugs!
>
> I fear the day we get serious about MA USB.
> All these issues will turn into security issues.
>
> > The usb-fuzzer branch is working again, so it should be possible to
> > use it for testing. But, I've actually just realized, that the proper
> > way to test fixes for USB bugs is to use the exact commit hash that is
> > provided in each bug report (the kernel interface for emulating USB
> > device is not stable yet, and has significantly changed at least
> > once). I've updated syzbot documentation to reflect this.
>
> Where is that documentation?

Hi Oliver,

The link is referenced in every bug report ;)
https://groups.google.com/forum/#!topic/syzkaller-bugs/C4kgnyomFyQ
> See https://goo.gl/tpsmEJ for more information about syzbot.


* KASAN reporting: general protection fault in flexcop_usb_probe
@ 2019-07-30  7:48 Oliver Neukum
  0 siblings, 0 replies; 7+ messages in thread
From: Oliver Neukum @ 2019-07-30  7:48 UTC (permalink / raw)
  To: syzbot+d93dff37e6a89431c158; +Cc: linux-media, linux-usb

Reacting to this:

Title:              general protection fault in flexcop_usb_probe
Last occurred:      0 days ago
Reported:           102 days ago
Branches:           Mainline (with usb-fuzzer patches)
Dashboard link:     https://syzkaller.appspot.com/bug?id=c0203bd72037d07493f4b7562411e4f5f4553a8f
Original thread:    https://lkml.kernel.org/lkml/00000000000010fe260586536e86@google.com/T/#u

This bug has a C reproducer.

No one replied to the original thread for this bug.

This looks like a bug in a media USB driver.

If you fix this bug, please add the following tag to the commit:
    Reported-by: syzbot+d93dff37e6a89431c158@syzkaller.appspotmail.com

#syz test: https://github.com/google/kasan.git 9a33b369

From 5a34ecc6c75479a9f245a867e1ce37e6e28f58f8 Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Mon, 29 Jul 2019 16:21:11 +0200
Subject: [PATCH] b2c2-flexcop-usb: add sanity checking

The driver needs an isochronous endpoint to be present. It will
oops in its absence. Add checking for it.

Reported-by: syzbot+d93dff37e6a89431c158@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
 drivers/media/usb/b2c2/flexcop-usb.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/media/usb/b2c2/flexcop-usb.c b/drivers/media/usb/b2c2/flexcop-usb.c
index 1826ff825c2e..1a801dc286f8 100644
--- a/drivers/media/usb/b2c2/flexcop-usb.c
+++ b/drivers/media/usb/b2c2/flexcop-usb.c
@@ -538,6 +538,9 @@ static int flexcop_usb_probe(struct usb_interface *intf,
 	struct flexcop_device *fc = NULL;
 	int ret;
 
+	if (intf->cur_altsetting->desc.bNumEndpoints < 1)
+		return -ENODEV;
+
 	if ((fc = flexcop_device_kmalloc(sizeof(struct flexcop_usb))) == NULL) {
 		err("out of memory\n");
 		return -ENOMEM;


