* KASAN: stack-out-of-bounds Read in hfcsusb_probe
@ 2019-04-14 20:06 syzbot
2019-07-15 15:08 ` tranmanphong
0 siblings, 1 reply; 7+ messages in thread
From: syzbot @ 2019-04-14 20:06 UTC (permalink / raw)
To: andreyknvl, bigeasy, davem, gustavo, isdn, linux-kernel,
linux-usb, netdev, pakki001, syzkaller-bugs
Hello,
syzbot found the following crash on:
HEAD commit: 9a33b369 usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan/tree/usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=171744f3200000
kernel config: https://syzkaller.appspot.com/x/.config?x=23e37f59d94ddd15
dashboard link: https://syzkaller.appspot.com/bug?extid=8750abbc3a46ef47d509
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12ca062d200000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=154a87bb200000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+8750abbc3a46ef47d509@syzkaller.appspotmail.com
usb 1-1: config 0 interface 170 has no altsetting 0
usb 1-1: New USB device found, idVendor=0742, idProduct=200a,
bcdDevice=c2.97
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
usb 1-1: config 0 descriptor??
==================================================================
BUG: KASAN: stack-out-of-bounds in hfcsusb_probe.cold+0x1a43/0x267f
drivers/isdn/hardware/mISDN/hfcsusb.c:1976
Read of size 4 at addr ffff8880a84c72f0 by task kworker/0:1/12
CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.1.0-rc4-319354-g9a33b36 #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xe8/0x16e lib/dump_stack.c:113
print_address_description+0x6c/0x236 mm/kasan/report.c:187
kasan_report.cold+0x1a/0x3c mm/kasan/report.c:317
hfcsusb_probe.cold+0x1a43/0x267f drivers/isdn/hardware/mISDN/hfcsusb.c:1976
usb_probe_interface+0x31d/0x820 drivers/usb/core/driver.c:361
really_probe+0x2da/0xb10 drivers/base/dd.c:509
driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
__device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
__device_attach+0x223/0x3a0 drivers/base/dd.c:844
bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
device_add+0xad2/0x16e0 drivers/base/core.c:2106
usb_set_configuration+0xdf7/0x1740 drivers/usb/core/message.c:2021
generic_probe+0xa2/0xda drivers/usb/core/generic.c:210
usb_probe_device+0xc0/0x150 drivers/usb/core/driver.c:266
really_probe+0x2da/0xb10 drivers/base/dd.c:509
driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
__device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
__device_attach+0x223/0x3a0 drivers/base/dd.c:844
bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
device_add+0xad2/0x16e0 drivers/base/core.c:2106
usb_new_device.cold+0x537/0xccf drivers/usb/core/hub.c:2534
hub_port_connect drivers/usb/core/hub.c:5089 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
port_event drivers/usb/core/hub.c:5350 [inline]
hub_event+0x138e/0x3b00 drivers/usb/core/hub.c:5432
process_one_work+0x90f/0x1580 kernel/workqueue.c:2269
worker_thread+0x9b/0xe20 kernel/workqueue.c:2415
kthread+0x313/0x420 kernel/kthread.c:253
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
The buggy address belongs to the page:
page:ffffea0002a131c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0xfff00000000000()
raw: 00fff00000000000 ffffea0002a131c8 ffffea0002a131c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a84c7180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880a84c7200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
> ffff8880a84c7280: f1 f1 f1 f1 01 f2 00 00 00 00 00 00 00 00 f3 f3
^
ffff8880a84c7300: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880a84c7380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH] ISDN: hfcsusb: checking idx of ep configuration
2019-04-14 20:06 KASAN: stack-out-of-bounds Read in hfcsusb_probe syzbot
2019-07-15 15:08 ` tranmanphong
@ 2019-07-15 15:08 ` tranmanphong
0 siblings, 0 replies; 7+ messages in thread
From: Phong Tran @ 2019-07-15 15:08 UTC (permalink / raw)
To: syzbot+8750abbc3a46ef47d509
Cc: isdn, davem, gregkh, andreyknvl, bigeasy, gustavo, pakki001,
linux-kernel, linux-usb, syzkaller-bugs, netdev,
linux-kernel-mentees, skhan, Phong Tran
The syzbot test with random endpoint address which made the idx is
overflow in the table of endpoint configuations.
this adds the checking for fixing the error report from
syzbot
KASAN: stack-out-of-bounds Read in hfcsusb_probe [1]
The patch tested by syzbot [2]
Reported-by: syzbot+8750abbc3a46ef47d509@syzkaller.appspotmail.com
[1]:
https://syzkaller.appspot.com/bug?id=30a04378dac680c5d521304a00a86156bb913522
[2]:
https://groups.google.com/d/msg/syzkaller-bugs/_6HBdge8F3E/OJn7wVNpBAAJ
Signed-off-by: Phong Tran <tranmanphong@gmail.com>
---
drivers/isdn/hardware/mISDN/hfcsusb.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c
index 4c99739b937e..0e224232f746 100644
--- a/drivers/isdn/hardware/mISDN/hfcsusb.c
+++ b/drivers/isdn/hardware/mISDN/hfcsusb.c
@@ -1955,6 +1955,9 @@ hfcsusb_probe(struct usb_interface *intf, const struct usb_device_id *id)
/* get endpoint base */
idx = ((ep_addr & 0x7f) - 1) * 2;
+ if (idx > 15)
+ return -EIO;
+
if (ep_addr & 0x80)
idx++;
attr = ep->desc.bmAttributes;
--
2.11.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [Linux-kernel-mentees] [PATCH] ISDN: hfcsusb: checking idx of ep configuration
@ 2019-07-15 15:08 ` tranmanphong
0 siblings, 0 replies; 7+ messages in thread
From: tranmanphong @ 2019-07-15 15:08 UTC (permalink / raw)
The syzbot test with random endpoint address which made the idx is
overflow in the table of endpoint configuations.
this adds the checking for fixing the error report from
syzbot
KASAN: stack-out-of-bounds Read in hfcsusb_probe [1]
The patch tested by syzbot [2]
Reported-by: syzbot+8750abbc3a46ef47d509 at syzkaller.appspotmail.com
[1]:
https://syzkaller.appspot.com/bug?id=30a04378dac680c5d521304a00a86156bb913522
[2]:
https://groups.google.com/d/msg/syzkaller-bugs/_6HBdge8F3E/OJn7wVNpBAAJ
Signed-off-by: Phong Tran <tranmanphong at gmail.com>
---
drivers/isdn/hardware/mISDN/hfcsusb.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c
index 4c99739b937e..0e224232f746 100644
--- a/drivers/isdn/hardware/mISDN/hfcsusb.c
+++ b/drivers/isdn/hardware/mISDN/hfcsusb.c
@@ -1955,6 +1955,9 @@ hfcsusb_probe(struct usb_interface *intf, const struct usb_device_id *id)
/* get endpoint base */
idx = ((ep_addr & 0x7f) - 1) * 2;
+ if (idx > 15)
+ return -EIO;
+
if (ep_addr & 0x80)
idx++;
attr = ep->desc.bmAttributes;
--
2.11.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [Linux-kernel-mentees] [PATCH] ISDN: hfcsusb: checking idx of ep configuration
@ 2019-07-15 15:08 ` tranmanphong
0 siblings, 0 replies; 7+ messages in thread
From: Phong Tran @ 2019-07-15 15:08 UTC (permalink / raw)
The syzbot test with random endpoint address which made the idx is
overflow in the table of endpoint configuations.
this adds the checking for fixing the error report from
syzbot
KASAN: stack-out-of-bounds Read in hfcsusb_probe [1]
The patch tested by syzbot [2]
Reported-by: syzbot+8750abbc3a46ef47d509 at syzkaller.appspotmail.com
[1]:
https://syzkaller.appspot.com/bug?id=30a04378dac680c5d521304a00a86156bb913522
[2]:
https://groups.google.com/d/msg/syzkaller-bugs/_6HBdge8F3E/OJn7wVNpBAAJ
Signed-off-by: Phong Tran <tranmanphong at gmail.com>
---
drivers/isdn/hardware/mISDN/hfcsusb.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c
index 4c99739b937e..0e224232f746 100644
--- a/drivers/isdn/hardware/mISDN/hfcsusb.c
+++ b/drivers/isdn/hardware/mISDN/hfcsusb.c
@@ -1955,6 +1955,9 @@ hfcsusb_probe(struct usb_interface *intf, const struct usb_device_id *id)
/* get endpoint base */
idx = ((ep_addr & 0x7f) - 1) * 2;
+ if (idx > 15)
+ return -EIO;
+
if (ep_addr & 0x80)
idx++;
attr = ep->desc.bmAttributes;
--
2.11.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH] ISDN: hfcsusb: checking idx of ep configuration
2019-07-15 15:08 ` tranmanphong
(?)
@ 2019-07-15 18:10 ` davem
-1 siblings, 0 replies; 7+ messages in thread
From: David Miller @ 2019-07-15 18:10 UTC (permalink / raw)
To: tranmanphong
Cc: syzbot+8750abbc3a46ef47d509, isdn, gregkh, andreyknvl, bigeasy,
gustavo, pakki001, linux-kernel, linux-usb, syzkaller-bugs,
netdev, linux-kernel-mentees, skhan
From: Phong Tran <tranmanphong@gmail.com>
Date: Mon, 15 Jul 2019 22:08:14 +0700
> The syzbot test with random endpoint address which made the idx is
> overflow in the table of endpoint configuations.
>
> this adds the checking for fixing the error report from
> syzbot
>
> KASAN: stack-out-of-bounds Read in hfcsusb_probe [1]
> The patch tested by syzbot [2]
>
> Reported-by: syzbot+8750abbc3a46ef47d509@syzkaller.appspotmail.com
>
> [1]:
> https://syzkaller.appspot.com/bug?id=30a04378dac680c5d521304a00a86156bb913522
> [2]:
> https://groups.google.com/d/msg/syzkaller-bugs/_6HBdge8F3E/OJn7wVNpBAAJ
>
> Signed-off-by: Phong Tran <tranmanphong@gmail.com>
Applied.
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Linux-kernel-mentees] [PATCH] ISDN: hfcsusb: checking idx of ep configuration
@ 2019-07-15 18:10 ` davem
0 siblings, 0 replies; 7+ messages in thread
From: davem @ 2019-07-15 18:10 UTC (permalink / raw)
From: Phong Tran <tranmanphong at gmail.com>
Date: Mon, 15 Jul 2019 22:08:14 +0700
> The syzbot test with random endpoint address which made the idx is
> overflow in the table of endpoint configuations.
>
> this adds the checking for fixing the error report from
> syzbot
>
> KASAN: stack-out-of-bounds Read in hfcsusb_probe [1]
> The patch tested by syzbot [2]
>
> Reported-by: syzbot+8750abbc3a46ef47d509 at syzkaller.appspotmail.com
>
> [1]:
> https://syzkaller.appspot.com/bug?id=30a04378dac680c5d521304a00a86156bb913522
> [2]:
> https://groups.google.com/d/msg/syzkaller-bugs/_6HBdge8F3E/OJn7wVNpBAAJ
>
> Signed-off-by: Phong Tran <tranmanphong at gmail.com>
Applied.
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Linux-kernel-mentees] [PATCH] ISDN: hfcsusb: checking idx of ep configuration
@ 2019-07-15 18:10 ` davem
0 siblings, 0 replies; 7+ messages in thread
From: David Miller @ 2019-07-15 18:10 UTC (permalink / raw)
From: Phong Tran <tranmanphong@gmail.com>
Date: Mon, 15 Jul 2019 22:08:14 +0700
> The syzbot test with random endpoint address which made the idx is
> overflow in the table of endpoint configuations.
>
> this adds the checking for fixing the error report from
> syzbot
>
> KASAN: stack-out-of-bounds Read in hfcsusb_probe [1]
> The patch tested by syzbot [2]
>
> Reported-by: syzbot+8750abbc3a46ef47d509 at syzkaller.appspotmail.com
>
> [1]:
> https://syzkaller.appspot.com/bug?id=30a04378dac680c5d521304a00a86156bb913522
> [2]:
> https://groups.google.com/d/msg/syzkaller-bugs/_6HBdge8F3E/OJn7wVNpBAAJ
>
> Signed-off-by: Phong Tran <tranmanphong at gmail.com>
Applied.
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2019-07-15 18:10 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-04-14 20:06 KASAN: stack-out-of-bounds Read in hfcsusb_probe syzbot
2019-07-15 15:08 ` [PATCH] ISDN: hfcsusb: checking idx of ep configuration Phong Tran
2019-07-15 15:08 ` [Linux-kernel-mentees] " Phong Tran
2019-07-15 15:08 ` tranmanphong
2019-07-15 18:10 ` David Miller
2019-07-15 18:10 ` [Linux-kernel-mentees] " David Miller
2019-07-15 18:10 ` davem
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.