From: Andrey Konovalov <andreyknvl@google.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Jonathan Corbet <corbet@lwn.net>,
Mauro Carvalho Chehab <mchehab@kernel.org>,
Jaejoong Kim <climbbb.kim@gmail.com>,
USB list <linux-usb@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>
Cc: Dmitry Vyukov <dvyukov@google.com>,
Kostya Serebryany <kcc@google.com>,
syzkaller <syzkaller@googlegroups.com>
Subject: usb/core: slab-out-of-bounds read in cdc_parse_cdc_header
Date: Wed, 20 Sep 2017 16:45:08 +0200 [thread overview]
Message-ID: <CAAeHK+y0HbzoNqcG_hZ+T==0MnFkxtMYZd_aUQ-R3gqK+VQcnw@mail.gmail.com> (raw)
Hi!
I've got the following crash while fuzzing the kernel with syzkaller.
On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
It looks like cdc_parse_cdc_header() doesn't validate buflen before
accessing buffer[1], buffer[2] and so on. The only check present is
while (buflen > 0).
==================================================================
BUG: KASAN: slab-out-of-bounds in cdc_parse_cdc_header+0x611/0x6b0
Read of size 1 at addr ffff88006b03e554 by task kworker/1:2/2573
CPU: 1 PID: 2573 Comm: kworker/1:2 Not tainted 4.14.0-rc1+ #191
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
__dump_stack lib/dump_stack.c:16
dump_stack+0x192/0x22c lib/dump_stack.c:52
print_address_description+0x78/0x280 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351
kasan_report+0x230/0x340 mm/kasan/report.c:409
__asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
cdc_parse_cdc_header+0x611/0x6b0 drivers/usb/core/message.c:2077
usbnet_generic_cdc_bind+0x284/0x1b10 drivers/net/usb/cdc_ether.c:158
usbnet_ether_cdc_bind drivers/net/usb/cdc_ether.c:329
usbnet_cdc_bind+0x2a/0x190 drivers/net/usb/cdc_ether.c:437
usbnet_probe+0xcfd/0x2ba0 drivers/net/usb/usbnet.c:1726
usb_probe_interface+0x351/0x8d0 drivers/usb/core/driver.c:361
really_probe drivers/base/dd.c:413
driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
bus_for_each_drv+0x15e/0x210 drivers/base/bus.c:463
__device_attach+0x269/0x3c0 drivers/base/dd.c:710
device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
bus_probe_device+0x1da/0x280 drivers/base/bus.c:523
device_add+0xcf9/0x1640 drivers/base/core.c:1835
usb_set_configuration+0x1064/0x1890 drivers/usb/core/message.c:1932
generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
really_probe drivers/base/dd.c:413
driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
bus_for_each_drv+0x15e/0x210 drivers/base/bus.c:463
__device_attach+0x269/0x3c0 drivers/base/dd.c:710
device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
bus_probe_device+0x1da/0x280 drivers/base/bus.c:523
device_add+0xcf9/0x1640 drivers/base/core.c:1835
usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
hub_port_connect drivers/usb/core/hub.c:4903
hub_port_connect_change drivers/usb/core/hub.c:5009
port_event drivers/usb/core/hub.c:5115
hub_event+0x23c8/0x37c0 drivers/usb/core/hub.c:5195
process_one_work+0x9fb/0x1570 kernel/workqueue.c:2119
worker_thread+0x1e4/0x1350 kernel/workqueue.c:2253
kthread+0x324/0x3f0 kernel/kthread.c:231
ret_from_fork+0x25/0x30 arch/x86/entry/entry_64.S:431
Allocated by task 2573:
save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
__kmalloc+0x81/0x1d0 mm/slub.c:3782
kmalloc ./include/linux/slab.h:498
usb_get_configuration+0x372/0x2a70 drivers/usb/core/config.c:848
usb_enumerate_device drivers/usb/core/hub.c:2290
usb_new_device+0xaae/0x1020 drivers/usb/core/hub.c:2426
hub_port_connect drivers/usb/core/hub.c:4903
hub_port_connect_change drivers/usb/core/hub.c:5009
port_event drivers/usb/core/hub.c:5115
hub_event+0x23c8/0x37c0 drivers/usb/core/hub.c:5195
process_one_work+0x9fb/0x1570 kernel/workqueue.c:2119
worker_thread+0x1e4/0x1350 kernel/workqueue.c:2253
kthread+0x324/0x3f0 kernel/kthread.c:231
ret_from_fork+0x25/0x30 arch/x86/entry/entry_64.S:43
Freed by task 3637:
save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459
kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524
slab_free_hook mm/slub.c:1390
slab_free_freelist_hook mm/slub.c:1412
slab_free mm/slub.c:2988
kfree+0x96/0x1a0 mm/slub.c:3919
kvfree+0x3b/0x60 mm/util.c:416
__vunmap+0x1de/0x270 mm/vmalloc.c:1542
vfree+0x55/0xe0 mm/vmalloc.c:1606
n_tty_close+0xb7/0x120 drivers/tty/n_tty.c:1864
tty_ldisc_close.isra.0+0x9e/0xd0 drivers/tty/tty_ldisc.c:490
tty_ldisc_kill+0x4a/0xc0 drivers/tty/tty_ldisc.c:639
tty_ldisc_release+0x10b/0x220 drivers/tty/tty_ldisc.c:807
tty_release_struct+0x1f/0x50 drivers/tty/tty_io.c:1571
tty_release+0xe60/0x15f0 drivers/tty/tty_io.c:1744
__fput+0x324/0x7e0 fs/file_table.c:210
____fput+0x1a/0x20 fs/file_table.c:244
task_work_run+0x22e/0x2e0 kernel/task_work.c:112
tracehook_notify_resume ./include/linux/tracehook.h:191
exit_to_usermode_loop+0x1d7/0x210 arch/x86/entry/common.c:162
prepare_exit_to_usermode arch/x86/entry/common.c:197
syscall_return_slowpath+0x2a7/0x310 arch/x86/entry/common.c:266
entry_SYSCALL_64_fastpath+0xa3/0xa5 arch/x86/entry/entry_64.S:238
The buggy address belongs to the object at ffff88006b03e540
which belongs to the cache kmalloc-32 of size 32
The buggy address is located 20 bytes inside of
32-byte region [ffff88006b03e540, ffff88006b03e560)
The buggy address belongs to the page:
page:ffffea0001ac0f80 count:1 mapcount:0 mapping: (null) index:0x0
flags: 0x100000000000100(slab)
raw: 0100000000000100 0000000000000000 0000000000000000 0000000180550055
raw: ffffea0001a92340 0000000200000002 ffff88006c401a00 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88006b03e400: 00 00 fc fc 00 00 00 fc fc fc fb fb fb fb fc fc
ffff88006b03e480: fb fb fb fb fc fc fb fb fb fb fc fc fb fb fb fb
>ffff88006b03e500: fc fc fb fb fb fb fc fc 00 00 04 fc fc fc fb fb
^
ffff88006b03e580: fb fb fc fc fb fb fb fb fc fc fb fb fb fb fc fc
ffff88006b03e600: fb fb fb fb fc fc fb fb fb fb fc fc fb fb fb fb
==================================================================
next reply other threads:[~2017-09-20 14:45 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-20 14:45 Andrey Konovalov [this message]
2017-09-21 7:31 ` usb/core: slab-out-of-bounds read in cdc_parse_cdc_header Greg Kroah-Hartman
2017-09-21 8:04 ` Greg Kroah-Hartman
2017-09-21 13:51 ` Andrey Konovalov
2017-09-21 14:07 ` Greg Kroah-Hartman
2017-09-21 14:12 ` Andrey Konovalov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAAeHK+y0HbzoNqcG_hZ+T==0MnFkxtMYZd_aUQ-R3gqK+VQcnw@mail.gmail.com' \
--to=andreyknvl@google.com \
--cc=climbbb.kim@gmail.com \
--cc=corbet@lwn.net \
--cc=dvyukov@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=kcc@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=mchehab@kernel.org \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.