All of lore.kernel.org
 help / color / mirror / Atom feed
* usb: use-after-free write in usb_hcd_link_urb_to_ep
@ 2017-03-23 12:17 Dmitry Vyukov
  2017-03-23 14:34 ` Alan Stern
  0 siblings, 1 reply; 8+ messages in thread
From: Dmitry Vyukov @ 2017-03-23 12:17 UTC (permalink / raw)
  To: Greg Kroah-Hartman, mathias.nyman, baoyou.xie, peter.chen, wulf,
	wsa-dev, Alan Stern, javier, chris.bainbridge, USB list, LKML
  Cc: syzkaller

Hello,

I've got the following report while running syzkaller fuzzer on
093b995e3b55a0ae0670226ddfcb05bfbf0099ae. Not the preceding injected
kmalloc failure, most likely it's the root cause.

FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 0 PID: 3348 Comm: syz-executor7 Not tainted 4.11.0-rc3+ #364
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x1b8/0x28d lib/dump_stack.c:52
 fail_dump lib/fault-inject.c:45 [inline]
 should_fail+0x78a/0x870 lib/fault-inject.c:154
 should_failslab+0xec/0x120 mm/failslab.c:31
 slab_pre_alloc_hook mm/slab.h:434 [inline]
 slab_alloc mm/slab.c:3394 [inline]
 __do_kmalloc mm/slab.c:3734 [inline]
 __kmalloc+0x220/0x730 mm/slab.c:3745
 kmalloc include/linux/slab.h:495 [inline]
 kzalloc include/linux/slab.h:663 [inline]
 rh_call_control drivers/usb/core/hcd.c:522 [inline]
 rh_urb_enqueue drivers/usb/core/hcd.c:843 [inline]
 usb_hcd_submit_urb+0x693/0x1e40 drivers/usb/core/hcd.c:1646
 usb_submit_urb+0x8d4/0x1030 drivers/usb/core/urb.c:542
 usb_start_wait_urb+0x135/0x320 drivers/usb/core/message.c:56
 usb_internal_control_msg drivers/usb/core/message.c:100 [inline]
 usb_control_msg+0x330/0x460 drivers/usb/core/message.c:151
 get_port_status drivers/usb/core/hub.c:554 [inline]
 hub_ext_port_status+0x122/0x440 drivers/usb/core/hub.c:571
 hub_port_status drivers/usb/core/hub.c:593 [inline]
 hub_activate+0x3ea/0x1650 drivers/usb/core/hub.c:1068
 hub_resume+0x3c/0x50 drivers/usb/core/hub.c:3595
 usb_resume_interface.isra.5+0x149/0x380 drivers/usb/core/driver.c:1260
 usb_resume_both+0x1c2/0x710 drivers/usb/core/driver.c:1402
 usb_runtime_resume+0x1e/0x30 drivers/usb/core/driver.c:1856
 __rpm_callback+0x338/0xa50 drivers/base/power/runtime.c:334
 rpm_callback+0x18a/0x220 drivers/base/power/runtime.c:464
 rpm_resume+0xe9d/0x1880 drivers/base/power/runtime.c:818
 __pm_runtime_resume+0xa2/0x130 drivers/base/power/runtime.c:1039
 pm_runtime_get_sync include/linux/pm_runtime.h:237 [inline]
 usb_autoresume_device+0x23/0x60 drivers/usb/core/driver.c:1581
 usbdev_open+0x25b/0xa50 drivers/usb/core/devio.c:1011
 chrdev_open+0x257/0x730 fs/char_dev.c:392
 do_dentry_open+0x710/0xc80 fs/open.c:751
 vfs_open+0x105/0x220 fs/open.c:864
 do_last fs/namei.c:3349 [inline]
 path_openat+0x1151/0x35b0 fs/namei.c:3490
 do_filp_open+0x249/0x370 fs/namei.c:3525
 do_sys_open+0x502/0x6d0 fs/open.c:1051
 SYSC_open fs/open.c:1069 [inline]
 SyS_open+0x2d/0x40 fs/open.c:1064
 entry_SYSCALL_64_fastpath+0x1f/0xc2
==================================================================
BUG: KASAN: use-after-free in __list_add_valid+0xc6/0xd0
lib/list_debug.c:26 at addr ffff88003c377a20
Read of size 8 by task syz-executor7/3348
CPU: 3 PID: 3348 Comm: syz-executor7 Not tainted 4.11.0-rc3+ #364
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x1b8/0x28d lib/dump_stack.c:52
 kasan_object_err+0x1c/0x70 mm/kasan/report.c:166
 print_address_description mm/kasan/report.c:210 [inline]
 kasan_report_error mm/kasan/report.c:294 [inline]
 kasan_report.part.2+0x1be/0x480 mm/kasan/report.c:316
 kasan_report mm/kasan/report.c:337 [inline]
 __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:337
 __list_add_valid+0xc6/0xd0 lib/list_debug.c:26
 __list_add include/linux/list.h:59 [inline]
 list_add_tail include/linux/list.h:92 [inline]
 usb_hcd_link_urb_to_ep+0x281/0x4e0 drivers/usb/core/hcd.c:1275
 rh_call_control drivers/usb/core/hcd.c:502 [inline]
 rh_urb_enqueue drivers/usb/core/hcd.c:843 [inline]
 usb_hcd_submit_urb+0x403/0x1e40 drivers/usb/core/hcd.c:1646
 usb_submit_urb+0x8d4/0x1030 drivers/usb/core/urb.c:542
 usb_start_wait_urb+0x135/0x320 drivers/usb/core/message.c:56
 usb_internal_control_msg drivers/usb/core/message.c:100 [inline]
 usb_control_msg+0x330/0x460 drivers/usb/core/message.c:151
 get_port_status drivers/usb/core/hub.c:554 [inline]
 hub_ext_port_status+0x122/0x440 drivers/usb/core/hub.c:571
 hub_port_status drivers/usb/core/hub.c:593 [inline]
 hub_activate+0x3ea/0x1650 drivers/usb/core/hub.c:1068
 hub_resume+0x3c/0x50 drivers/usb/core/hub.c:3595
 usb_resume_interface.isra.5+0x149/0x380 drivers/usb/core/driver.c:1260
 usb_resume_both+0x1c2/0x710 drivers/usb/core/driver.c:1402
 usb_runtime_resume+0x1e/0x30 drivers/usb/core/driver.c:1856
 __rpm_callback+0x338/0xa50 drivers/base/power/runtime.c:334
 rpm_callback+0x18a/0x220 drivers/base/power/runtime.c:464
 rpm_resume+0xe9d/0x1880 drivers/base/power/runtime.c:818
 __pm_runtime_resume+0xa2/0x130 drivers/base/power/runtime.c:1039
 pm_runtime_get_sync include/linux/pm_runtime.h:237 [inline]
 usb_autoresume_device+0x23/0x60 drivers/usb/core/driver.c:1581
 usbdev_open+0x25b/0xa50 drivers/usb/core/devio.c:1011
 chrdev_open+0x257/0x730 fs/char_dev.c:392
 do_dentry_open+0x710/0xc80 fs/open.c:751
 vfs_open+0x105/0x220 fs/open.c:864
 do_last fs/namei.c:3349 [inline]
 path_openat+0x1151/0x35b0 fs/namei.c:3490
 do_filp_open+0x249/0x370 fs/namei.c:3525
 do_sys_open+0x502/0x6d0 fs/open.c:1051
 SYSC_open fs/open.c:1069 [inline]
 SyS_open+0x2d/0x40 fs/open.c:1064
 entry_SYSCALL_64_fastpath+0x1f/0xc2
RIP: 0033:0x40b3f1
RSP: 002b:00007f642ad93410 EFLAGS: 00000293 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: cccccccccccccccd RCX: 000000000040b3f1
RDX: 0000000000000000 RSI: 00000000001cd000 RDI: 00007f642ad93440
RBP: 0000000000000086 R08: 0000000000000000 R09: 00000000000000fb
R10: ffffffffffffffff R11: 0000000000000293 R12: 00000000004a7e31
R13: 0000000000000000 R14: 00007f642ad93618 R15: 00007f642ad93788
Object at ffff88003c377a00, in cache kmalloc-192 size: 192
Allocated:
PID = 3348
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:517
 set_track mm/kasan/kasan.c:529 [inline]
 kasan_kmalloc+0xbc/0xf0 mm/kasan/kasan.c:620
 __do_kmalloc mm/slab.c:3736 [inline]
 __kmalloc+0x13c/0x730 mm/slab.c:3745
 kmalloc include/linux/slab.h:495 [inline]
 usb_alloc_urb+0x24/0x50 drivers/usb/core/urb.c:73
 usb_internal_control_msg drivers/usb/core/message.c:93 [inline]
 usb_control_msg+0x1d7/0x460 drivers/usb/core/message.c:151
 get_port_status drivers/usb/core/hub.c:554 [inline]
 hub_ext_port_status+0x122/0x440 drivers/usb/core/hub.c:571
 hub_port_status drivers/usb/core/hub.c:593 [inline]
 hub_activate+0x3ea/0x1650 drivers/usb/core/hub.c:1068
 hub_resume+0x3c/0x50 drivers/usb/core/hub.c:3595
 usb_resume_interface.isra.5+0x149/0x380 drivers/usb/core/driver.c:1260
 usb_resume_both+0x1c2/0x710 drivers/usb/core/driver.c:1402
 usb_runtime_resume+0x1e/0x30 drivers/usb/core/driver.c:1856
 __rpm_callback+0x338/0xa50 drivers/base/power/runtime.c:334
 rpm_callback+0x18a/0x220 drivers/base/power/runtime.c:464
 rpm_resume+0xe9d/0x1880 drivers/base/power/runtime.c:818
 __pm_runtime_resume+0xa2/0x130 drivers/base/power/runtime.c:1039
 pm_runtime_get_sync include/linux/pm_runtime.h:237 [inline]
 usb_autoresume_device+0x23/0x60 drivers/usb/core/driver.c:1581
 usbdev_open+0x25b/0xa50 drivers/usb/core/devio.c:1011
 chrdev_open+0x257/0x730 fs/char_dev.c:392
 do_dentry_open+0x710/0xc80 fs/open.c:751
 vfs_open+0x105/0x220 fs/open.c:864
 do_last fs/namei.c:3349 [inline]
 path_openat+0x1151/0x35b0 fs/namei.c:3490
 do_filp_open+0x249/0x370 fs/namei.c:3525
 do_sys_open+0x502/0x6d0 fs/open.c:1051
 SYSC_open fs/open.c:1069 [inline]
 SyS_open+0x2d/0x40 fs/open.c:1064
 entry_SYSCALL_64_fastpath+0x1f/0xc2
Freed:
PID = 3348
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:517
 set_track mm/kasan/kasan.c:529 [inline]
 kasan_slab_free+0x81/0xc0 mm/kasan/kasan.c:593
 __cache_free mm/slab.c:3514 [inline]
 kfree+0xd7/0x250 mm/slab.c:3831
 urb_destroy+0x4a/0xa0 drivers/usb/core/urb.c:26
 kref_put include/linux/kref.h:72 [inline]
 usb_free_urb+0x30/0x40 drivers/usb/core/urb.c:96
 usb_start_wait_urb+0x234/0x320 drivers/usb/core/message.c:78
 usb_internal_control_msg drivers/usb/core/message.c:100 [inline]
 usb_control_msg+0x330/0x460 drivers/usb/core/message.c:151
 get_port_status drivers/usb/core/hub.c:554 [inline]
 hub_ext_port_status+0x122/0x440 drivers/usb/core/hub.c:571
 hub_port_status drivers/usb/core/hub.c:593 [inline]
 hub_activate+0x3ea/0x1650 drivers/usb/core/hub.c:1068
 hub_resume+0x3c/0x50 drivers/usb/core/hub.c:3595
 usb_resume_interface.isra.5+0x149/0x380 drivers/usb/core/driver.c:1260
 usb_resume_both+0x1c2/0x710 drivers/usb/core/driver.c:1402
 usb_runtime_resume+0x1e/0x30 drivers/usb/core/driver.c:1856
 __rpm_callback+0x338/0xa50 drivers/base/power/runtime.c:334
 rpm_callback+0x18a/0x220 drivers/base/power/runtime.c:464
 rpm_resume+0xe9d/0x1880 drivers/base/power/runtime.c:818
 __pm_runtime_resume+0xa2/0x130 drivers/base/power/runtime.c:1039
 pm_runtime_get_sync include/linux/pm_runtime.h:237 [inline]
 usb_autoresume_device+0x23/0x60 drivers/usb/core/driver.c:1581
 usbdev_open+0x25b/0xa50 drivers/usb/core/devio.c:1011
 chrdev_open+0x257/0x730 fs/char_dev.c:392
 do_dentry_open+0x710/0xc80 fs/open.c:751
 vfs_open+0x105/0x220 fs/open.c:864
 do_last fs/namei.c:3349 [inline]
 path_openat+0x1151/0x35b0 fs/namei.c:3490
 do_filp_open+0x249/0x370 fs/namei.c:3525
 do_sys_open+0x502/0x6d0 fs/open.c:1051
 SYSC_open fs/open.c:1069 [inline]
 SyS_open+0x2d/0x40 fs/open.c:1064
 entry_SYSCALL_64_fastpath+0x1f/0xc2
Memory state around the buggy address:
 ffff88003c377900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88003c377980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff88003c377a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff88003c377a80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff88003c377b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

^ permalink raw reply	[flat|nested] 8+ messages in thread
end of thread, other threads:[~2017-03-24 17:11 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-03-23 12:17 usb: use-after-free write in usb_hcd_link_urb_to_ep Dmitry Vyukov
2017-03-23 14:34 ` Alan Stern
2017-03-23 14:39   ` Dmitry Vyukov
2017-03-23 15:04     ` Alan Stern
2017-03-23 15:22       ` Dmitry Vyukov
2017-03-24 10:32         ` Dmitry Vyukov
2017-03-24 14:27           ` Alan Stern
2017-03-24 17:11             ` Dmitry Vyukov

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.