From: Andrey Konovalov <andreyknvl@google.com>
To: Alan Stern <stern@rowland.harvard.edu>
Cc: syzbot <syzbot+a9fefd18c7b240f19c54@syzkaller.appspotmail.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	LKML <linux-kernel@vger.kernel.org>,
	USB list <linux-usb@vger.kernel.org>,
	rafael@kernel.org,
	syzkaller-bugs <syzkaller-bugs@googlegroups.com>
Subject: Re: KASAN: slab-out-of-bounds Read in hex_string
Date: Mon, 29 Apr 2019 22:24:59 +0200
Message-ID: <CAAeHK+w2YKjSuTT39Rvb9mkdD=HuaYLhgZu4==hK18f=7fNxvQ@mail.gmail.com>
In-Reply-To: <Pine.LNX.4.44L0.1904291604510.1632-100000@iolanthe.rowland.org>

On Mon, Apr 29, 2019 at 10:07 PM Alan Stern <stern@rowland.harvard.edu> wrote:
>
> On Mon, 29 Apr 2019, syzbot wrote:
>
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:    43151d6c usb-fuzzer: main usb gadget fuzzer driver
> > git tree:       https://github.com/google/kasan/tree/usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=139ac37f200000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=4183eeef650d1234
> > dashboard link: https://syzkaller.appspot.com/bug?extid=a9fefd18c7b240f19c54
> > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17f3b338a00000
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+a9fefd18c7b240f19c54@syzkaller.appspotmail.com
> >
> > ==================================================================
> > BUG: KASAN: slab-out-of-bounds in hex_string+0x418/0x4b0 lib/vsprintf.c:975
> > Read of size 1 at addr ffff88821a41bd38 by task kworker/0:1/12
> >
> > CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.1.0-rc3-319004-g43151d6 #6
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > Workqueue: usb_hub_wq hub_event
> > Call Trace:
> >   __dump_stack lib/dump_stack.c:77 [inline]
> >   dump_stack+0xe8/0x16e lib/dump_stack.c:113
> >   print_address_description+0x6c/0x236 mm/kasan/report.c:187
> >   kasan_report.cold+0x1a/0x3c mm/kasan/report.c:317
> >   hex_string+0x418/0x4b0 lib/vsprintf.c:975
> >   pointer+0x460/0x910 lib/vsprintf.c:1985
> >   vsnprintf+0x5a0/0x16b0 lib/vsprintf.c:2400
> >   pointer+0x60b/0x910 lib/vsprintf.c:2038
> >   vsnprintf+0x5a0/0x16b0 lib/vsprintf.c:2400
> >   vscnprintf+0x29/0x80 lib/vsprintf.c:2499
> >   vprintk_store+0x45/0x4b0 kernel/printk/printk.c:1900
> >   vprintk_emit+0x210/0x5a0 kernel/printk/printk.c:1957
> >   dev_vprintk_emit+0x50e/0x553 drivers/base/core.c:3185
> >   dev_printk_emit+0xbf/0xf6 drivers/base/core.c:3196
> >   __dev_printk+0x1ed/0x215 drivers/base/core.c:3208
> >   _dev_info+0xdc/0x10e drivers/base/core.c:3254
> >   dlfb_parse_vendor_descriptor drivers/video/fbdev/udlfb.c:1532 [inline]
>
> Accessing beyond the end of the descriptor.
>
> #syz test: https://github.com/google/kasan.git usb-fuzzer

Hi Alan,

Thanks for the patch!

syzbot should now be able to understand the quilt patch format that
you use; feel free to give it a try next time :)

>
> --- a/drivers/video/fbdev/udlfb.c
> +++ b/drivers/video/fbdev/udlfb.c
> @@ -1511,6 +1511,7 @@ static int dlfb_parse_vendor_descriptor(
>         char *buf;
>         char *desc_end;
>         int total_len;
> +       int width;
>
>         buf = kzalloc(MAX_VENDOR_DESCRIPTOR_SIZE, GFP_KERNEL);
>         if (!buf)
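Review bot: `width` is only used inside the `if (total_len > 5)` block of the second hunk, so declaring it at the top of the function widens its scope for no benefit; declaring it inside that block keeps the variable next to the single place its value matters. The type choice is otherwise right: `total_len` is an `int` (visible just above), and the kernel `min()` macro rejects mismatched operand types, so `int width` with `min(total_len, 11)` compiles cleanly.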
> @@ -1529,9 +1530,10 @@ static int dlfb_parse_vendor_descriptor(
>         }
>
>         if (total_len > 5) {
> +               width = min(total_len, 11);
>                 dev_info(&intf->dev,
> -                        "vendor descriptor length: %d data: %11ph\n",
> -                        total_len, desc);
> +                        "vendor descriptor length: %d data: %*ph\n",
> +                        total_len, width, desc);
>
>                 if ((desc[0] != total_len) || /* descriptor length */
>                     (desc[1] != 0x5f) ||   /* vendor descriptor type */
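Review bot: the fix is correct but undocumented. The old `%11ph` made `hex_string` read 11 bytes from `desc` unconditionally while the surrounding guard only guarantees `total_len > 5`, so any descriptor of 6 to 10 bytes was read past the data that was actually received, which is exactly the KASAN slab-out-of-bounds in `hex_string` at `udlfb.c:1532` from the report; `width = min(total_len, 11)` with `%*ph` bounds the dump by the received length instead. Before this goes upstream it needs a changelog stating that reasoning and carrying the `Reported-by: syzbot+a9fefd18c7b240f19c54@syzkaller.appspotmail.com` tag the report asks for, and a short comment on the `min()` line saying that 11 is only a display cap (the descriptor is not required to be 11 bytes long) would stop the next reader from re-introducing a fixed-width dump.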
>
>
