* usb/core: slab-out-of-bounds read in cdc_parse_cdc_header
@ 2017-09-20 14:45 Andrey Konovalov
2017-09-21 7:31 ` Greg Kroah-Hartman
0 siblings, 1 reply; 6+ messages in thread
From: Andrey Konovalov @ 2017-09-20 14:45 UTC (permalink / raw)
To: Greg Kroah-Hartman, Jonathan Corbet, Mauro Carvalho Chehab,
Jaejoong Kim, USB list, LKML
Cc: Dmitry Vyukov, Kostya Serebryany, syzkaller
Hi!
I've got the following crash while fuzzing the kernel with syzkaller.
On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
It looks like cdc_parse_cdc_header() doesn't validate buflen before
accessing buffer[1], buffer[2] and so on. The only check present is
while (buflen > 0).
==================================================================
BUG: KASAN: slab-out-of-bounds in cdc_parse_cdc_header+0x611/0x6b0
Read of size 1 at addr ffff88006b03e554 by task kworker/1:2/2573
CPU: 1 PID: 2573 Comm: kworker/1:2 Not tainted 4.14.0-rc1+ #191
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
__dump_stack lib/dump_stack.c:16
dump_stack+0x192/0x22c lib/dump_stack.c:52
print_address_description+0x78/0x280 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351
kasan_report+0x230/0x340 mm/kasan/report.c:409
__asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
cdc_parse_cdc_header+0x611/0x6b0 drivers/usb/core/message.c:2077
usbnet_generic_cdc_bind+0x284/0x1b10 drivers/net/usb/cdc_ether.c:158
usbnet_ether_cdc_bind drivers/net/usb/cdc_ether.c:329
usbnet_cdc_bind+0x2a/0x190 drivers/net/usb/cdc_ether.c:437
usbnet_probe+0xcfd/0x2ba0 drivers/net/usb/usbnet.c:1726
usb_probe_interface+0x351/0x8d0 drivers/usb/core/driver.c:361
really_probe drivers/base/dd.c:413
driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
bus_for_each_drv+0x15e/0x210 drivers/base/bus.c:463
__device_attach+0x269/0x3c0 drivers/base/dd.c:710
device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
bus_probe_device+0x1da/0x280 drivers/base/bus.c:523
device_add+0xcf9/0x1640 drivers/base/core.c:1835
usb_set_configuration+0x1064/0x1890 drivers/usb/core/message.c:1932
generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
really_probe drivers/base/dd.c:413
driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
bus_for_each_drv+0x15e/0x210 drivers/base/bus.c:463
__device_attach+0x269/0x3c0 drivers/base/dd.c:710
device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
bus_probe_device+0x1da/0x280 drivers/base/bus.c:523
device_add+0xcf9/0x1640 drivers/base/core.c:1835
usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
hub_port_connect drivers/usb/core/hub.c:4903
hub_port_connect_change drivers/usb/core/hub.c:5009
port_event drivers/usb/core/hub.c:5115
hub_event+0x23c8/0x37c0 drivers/usb/core/hub.c:5195
process_one_work+0x9fb/0x1570 kernel/workqueue.c:2119
worker_thread+0x1e4/0x1350 kernel/workqueue.c:2253
kthread+0x324/0x3f0 kernel/kthread.c:231
ret_from_fork+0x25/0x30 arch/x86/entry/entry_64.S:431
Allocated by task 2573:
save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
__kmalloc+0x81/0x1d0 mm/slub.c:3782
kmalloc ./include/linux/slab.h:498
usb_get_configuration+0x372/0x2a70 drivers/usb/core/config.c:848
usb_enumerate_device drivers/usb/core/hub.c:2290
usb_new_device+0xaae/0x1020 drivers/usb/core/hub.c:2426
hub_port_connect drivers/usb/core/hub.c:4903
hub_port_connect_change drivers/usb/core/hub.c:5009
port_event drivers/usb/core/hub.c:5115
hub_event+0x23c8/0x37c0 drivers/usb/core/hub.c:5195
process_one_work+0x9fb/0x1570 kernel/workqueue.c:2119
worker_thread+0x1e4/0x1350 kernel/workqueue.c:2253
kthread+0x324/0x3f0 kernel/kthread.c:231
ret_from_fork+0x25/0x30 arch/x86/entry/entry_64.S:43
Freed by task 3637:
save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459
kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524
slab_free_hook mm/slub.c:1390
slab_free_freelist_hook mm/slub.c:1412
slab_free mm/slub.c:2988
kfree+0x96/0x1a0 mm/slub.c:3919
kvfree+0x3b/0x60 mm/util.c:416
__vunmap+0x1de/0x270 mm/vmalloc.c:1542
vfree+0x55/0xe0 mm/vmalloc.c:1606
n_tty_close+0xb7/0x120 drivers/tty/n_tty.c:1864
tty_ldisc_close.isra.0+0x9e/0xd0 drivers/tty/tty_ldisc.c:490
tty_ldisc_kill+0x4a/0xc0 drivers/tty/tty_ldisc.c:639
tty_ldisc_release+0x10b/0x220 drivers/tty/tty_ldisc.c:807
tty_release_struct+0x1f/0x50 drivers/tty/tty_io.c:1571
tty_release+0xe60/0x15f0 drivers/tty/tty_io.c:1744
__fput+0x324/0x7e0 fs/file_table.c:210
____fput+0x1a/0x20 fs/file_table.c:244
task_work_run+0x22e/0x2e0 kernel/task_work.c:112
tracehook_notify_resume ./include/linux/tracehook.h:191
exit_to_usermode_loop+0x1d7/0x210 arch/x86/entry/common.c:162
prepare_exit_to_usermode arch/x86/entry/common.c:197
syscall_return_slowpath+0x2a7/0x310 arch/x86/entry/common.c:266
entry_SYSCALL_64_fastpath+0xa3/0xa5 arch/x86/entry/entry_64.S:238
The buggy address belongs to the object at ffff88006b03e540
which belongs to the cache kmalloc-32 of size 32
The buggy address is located 20 bytes inside of
32-byte region [ffff88006b03e540, ffff88006b03e560)
The buggy address belongs to the page:
page:ffffea0001ac0f80 count:1 mapcount:0 mapping: (null) index:0x0
flags: 0x100000000000100(slab)
raw: 0100000000000100 0000000000000000 0000000000000000 0000000180550055
raw: ffffea0001a92340 0000000200000002 ffff88006c401a00 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88006b03e400: 00 00 fc fc 00 00 00 fc fc fc fb fb fb fb fc fc
ffff88006b03e480: fb fb fb fb fc fc fb fb fb fb fc fc fb fb fb fb
>ffff88006b03e500: fc fc fb fb fb fb fc fc 00 00 04 fc fc fc fb fb
^
ffff88006b03e580: fb fb fc fc fb fb fb fb fc fc fb fb fb fb fc fc
ffff88006b03e600: fb fb fb fb fc fc fb fb fb fb fc fc fb fb fb fb
==================================================================
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: usb/core: slab-out-of-bounds read in cdc_parse_cdc_header 2017-09-20 14:45 usb/core: slab-out-of-bounds read in cdc_parse_cdc_header Andrey Konovalov @ 2017-09-21 7:31 ` Greg Kroah-Hartman 2017-09-21 8:04 ` Greg Kroah-Hartman 0 siblings, 1 reply; 6+ messages in thread From: Greg Kroah-Hartman @ 2017-09-21 7:31 UTC (permalink / raw) To: Andrey Konovalov Cc: Jonathan Corbet, Mauro Carvalho Chehab, Jaejoong Kim, USB list, LKML, Dmitry Vyukov, Kostya Serebryany, syzkaller On Wed, Sep 20, 2017 at 04:45:08PM +0200, Andrey Konovalov wrote: > Hi! > > I've got the following crash while fuzzing the kernel with syzkaller. > > On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18). > > It looks like cdc_parse_cdc_header() doesn't validate buflen before > accessing buffer[1], buffer[2] and so on. The only check present is > while (buflen > 0). Ugh, you are right, let me go work on a patch, thanks for the report... ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: usb/core: slab-out-of-bounds read in cdc_parse_cdc_header 2017-09-21 7:31 ` Greg Kroah-Hartman @ 2017-09-21 8:04 ` Greg Kroah-Hartman 2017-09-21 13:51 ` Andrey Konovalov 0 siblings, 1 reply; 6+ messages in thread From: Greg Kroah-Hartman @ 2017-09-21 8:04 UTC (permalink / raw) To: Andrey Konovalov Cc: Jonathan Corbet, Mauro Carvalho Chehab, Jaejoong Kim, USB list, LKML, Dmitry Vyukov, Kostya Serebryany, syzkaller On Thu, Sep 21, 2017 at 09:31:54AM +0200, Greg Kroah-Hartman wrote: > On Wed, Sep 20, 2017 at 04:45:08PM +0200, Andrey Konovalov wrote: > > Hi! > > > > I've got the following crash while fuzzing the kernel with syzkaller. > > > > On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18). > > > > It looks like cdc_parse_cdc_header() doesn't validate buflen before > > accessing buffer[1], buffer[2] and so on. The only check present is > > while (buflen > 0). > > Ugh, you are right, let me go work on a patch, thanks for the report... Here's a first cut at a fix for this. I think this should solve it, but it's early and my coffee has not fully kicked in... thanks, greg k-h ----------------- diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c index 4c38ea41ae96..028feaf01aa5 100644 --- a/drivers/usb/core/message.c +++ b/drivers/usb/core/message.c @@ -2069,6 +2069,10 @@ int cdc_parse_cdc_header(struct usb_cdc_parsed_header *hdr, elength = 1; goto next_desc; } + if ((buflen < elength) || (elength < 2)) { + dev_err(&intf->dev, "invalid descriptor buffer length\n"); + break; + } if (buffer[1] != USB_DT_CS_INTERFACE) { dev_err(&intf->dev, "skipping garbage\n"); goto next_desc; ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: usb/core: slab-out-of-bounds read in cdc_parse_cdc_header 2017-09-21 8:04 ` Greg Kroah-Hartman @ 2017-09-21 13:51 ` Andrey Konovalov 2017-09-21 14:07 ` Greg Kroah-Hartman 0 siblings, 1 reply; 6+ messages in thread From: Andrey Konovalov @ 2017-09-21 13:51 UTC (permalink / raw) To: Greg Kroah-Hartman Cc: Jonathan Corbet, Mauro Carvalho Chehab, Jaejoong Kim, USB list, LKML, Dmitry Vyukov, Kostya Serebryany, syzkaller On Thu, Sep 21, 2017 at 10:04 AM, Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote: > On Thu, Sep 21, 2017 at 09:31:54AM +0200, Greg Kroah-Hartman wrote: >> On Wed, Sep 20, 2017 at 04:45:08PM +0200, Andrey Konovalov wrote: >> > Hi! >> > >> > I've got the following crash while fuzzing the kernel with syzkaller. >> > >> > On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18). >> > >> > It looks like cdc_parse_cdc_header() doesn't validate buflen before >> > accessing buffer[1], buffer[2] and so on. The only check present is >> > while (buflen > 0). >> >> Ugh, you are right, let me go work on a patch, thanks for the report... > > Here's a first cut at a fix for this. I think this should solve it, but > it's early and my coffee has not fully kicked in... > > thanks, > > greg k-h > ----------------- > > diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c > index 4c38ea41ae96..028feaf01aa5 100644 > --- a/drivers/usb/core/message.c > +++ b/drivers/usb/core/message.c > @@ -2069,6 +2069,10 @@ int cdc_parse_cdc_header(struct usb_cdc_parsed_header *hdr, > elength = 1; > goto next_desc; > } > + if ((buflen < elength) || (elength < 2)) { Hi Greg, I think this should check (elength < 3), since we access both buffer[1] and buffer[2] after this check. Thanks! > + dev_err(&intf->dev, "invalid descriptor buffer length\n"); > + break; > + } > if (buffer[1] != USB_DT_CS_INTERFACE) { > dev_err(&intf->dev, "skipping garbage\n"); > goto next_desc; > > -- > You received this message because you are subscribed to the Google Groups "syzkaller" group. > To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller+unsubscribe@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: usb/core: slab-out-of-bounds read in cdc_parse_cdc_header 2017-09-21 13:51 ` Andrey Konovalov @ 2017-09-21 14:07 ` Greg Kroah-Hartman 2017-09-21 14:12 ` Andrey Konovalov 0 siblings, 1 reply; 6+ messages in thread From: Greg Kroah-Hartman @ 2017-09-21 14:07 UTC (permalink / raw) To: Andrey Konovalov Cc: Jonathan Corbet, Mauro Carvalho Chehab, Jaejoong Kim, USB list, LKML, Dmitry Vyukov, Kostya Serebryany, syzkaller On Thu, Sep 21, 2017 at 03:51:44PM +0200, Andrey Konovalov wrote: > On Thu, Sep 21, 2017 at 10:04 AM, Greg Kroah-Hartman > <gregkh@linuxfoundation.org> wrote: > > On Thu, Sep 21, 2017 at 09:31:54AM +0200, Greg Kroah-Hartman wrote: > >> On Wed, Sep 20, 2017 at 04:45:08PM +0200, Andrey Konovalov wrote: > >> > Hi! > >> > > >> > I've got the following crash while fuzzing the kernel with syzkaller. > >> > > >> > On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18). > >> > > >> > It looks like cdc_parse_cdc_header() doesn't validate buflen before > >> > accessing buffer[1], buffer[2] and so on. The only check present is > >> > while (buflen > 0). > >> > >> Ugh, you are right, let me go work on a patch, thanks for the report... > > > > Here's a first cut at a fix for this. I think this should solve it, but > > it's early and my coffee has not fully kicked in... > > > > thanks, > > > > greg k-h > > ----------------- > > > > diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c > > index 4c38ea41ae96..028feaf01aa5 100644 > > --- a/drivers/usb/core/message.c > > +++ b/drivers/usb/core/message.c > > @@ -2069,6 +2069,10 @@ int cdc_parse_cdc_header(struct usb_cdc_parsed_header *hdr, > > elength = 1; > > goto next_desc; > > } > > + if ((buflen < elength) || (elength < 2)) { > > Hi Greg, > > I think this should check (elength < 3), since we access both > buffer[1] and buffer[2] after this check. {sigh} yes, you are right, counted this one wrong. With this patch, updated one below, does it fix your crash? thanks, greg k-h diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c index 4c38ea41ae96..028feaf01aa5 100644 --- a/drivers/usb/core/message.c +++ b/drivers/usb/core/message.c @@ -2069,6 +2069,10 @@ int cdc_parse_cdc_header(struct usb_cdc_parsed_header *hdr, elength = 1; goto next_desc; } + if ((buflen < elength) || (elength < 3)) { + dev_err(&intf->dev, "invalid descriptor buffer length\n"); + break; + } if (buffer[1] != USB_DT_CS_INTERFACE) { dev_err(&intf->dev, "skipping garbage\n"); goto next_desc; ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: usb/core: slab-out-of-bounds read in cdc_parse_cdc_header 2017-09-21 14:07 ` Greg Kroah-Hartman @ 2017-09-21 14:12 ` Andrey Konovalov 0 siblings, 0 replies; 6+ messages in thread From: Andrey Konovalov @ 2017-09-21 14:12 UTC (permalink / raw) To: Greg Kroah-Hartman Cc: Jonathan Corbet, Mauro Carvalho Chehab, Jaejoong Kim, USB list, LKML, Dmitry Vyukov, Kostya Serebryany, syzkaller On Thu, Sep 21, 2017 at 4:07 PM, Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote: > On Thu, Sep 21, 2017 at 03:51:44PM +0200, Andrey Konovalov wrote: >> On Thu, Sep 21, 2017 at 10:04 AM, Greg Kroah-Hartman >> <gregkh@linuxfoundation.org> wrote: >> > On Thu, Sep 21, 2017 at 09:31:54AM +0200, Greg Kroah-Hartman wrote: >> >> On Wed, Sep 20, 2017 at 04:45:08PM +0200, Andrey Konovalov wrote: >> >> > Hi! >> >> > >> >> > I've got the following crash while fuzzing the kernel with syzkaller. >> >> > >> >> > On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18). >> >> > >> >> > It looks like cdc_parse_cdc_header() doesn't validate buflen before >> >> > accessing buffer[1], buffer[2] and so on. The only check present is >> >> > while (buflen > 0). >> >> >> >> Ugh, you are right, let me go work on a patch, thanks for the report... >> > >> > Here's a first cut at a fix for this. I think this should solve it, but >> > it's early and my coffee has not fully kicked in... >> > >> > thanks, >> > >> > greg k-h >> > ----------------- >> > >> > diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c >> > index 4c38ea41ae96..028feaf01aa5 100644 >> > --- a/drivers/usb/core/message.c >> > +++ b/drivers/usb/core/message.c >> > @@ -2069,6 +2069,10 @@ int cdc_parse_cdc_header(struct usb_cdc_parsed_header *hdr, >> > elength = 1; >> > goto next_desc; >> > } >> > + if ((buflen < elength) || (elength < 2)) { >> >> Hi Greg, >> >> I think this should check (elength < 3), since we access both >> buffer[1] and buffer[2] after this check. > > {sigh} yes, you are right, counted this one wrong. > > With this patch, updated one below, does it fix your crash? It does, thanks! Tested-by: Andrey Konovalov <andreyknvl@google.com> > > thanks, > > greg k-h > > > diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c > index 4c38ea41ae96..028feaf01aa5 100644 > --- a/drivers/usb/core/message.c > +++ b/drivers/usb/core/message.c > @@ -2069,6 +2069,10 @@ int cdc_parse_cdc_header(struct usb_cdc_parsed_header *hdr, > elength = 1; > goto next_desc; > } > + if ((buflen < elength) || (elength < 3)) { > + dev_err(&intf->dev, "invalid descriptor buffer length\n"); > + break; > + } > if (buffer[1] != USB_DT_CS_INTERFACE) { > dev_err(&intf->dev, "skipping garbage\n"); > goto next_desc; ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2017-09-21 14:12 UTC | newest] Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2017-09-20 14:45 usb/core: slab-out-of-bounds read in cdc_parse_cdc_header Andrey Konovalov 2017-09-21 7:31 ` Greg Kroah-Hartman 2017-09-21 8:04 ` Greg Kroah-Hartman 2017-09-21 13:51 ` Andrey Konovalov 2017-09-21 14:07 ` Greg Kroah-Hartman 2017-09-21 14:12 ` Andrey Konovalov
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.