* KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status (2)
From: syzbot @ 2020-09-08 7:37 UTC
To: akpm, andreyknvl, dvyukov, gregkh, gustavoars, keescook,
linux-kernel, linux-usb, m.szyprowski, noring, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: b51594df Merge tag 'docs-5.9-3' of git://git.lwn.net/linux
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=149d38ae900000
kernel config: https://syzkaller.appspot.com/x/.config?x=3c5f6ce8d5b68299
dashboard link: https://syzkaller.appspot.com/bug?extid=3ae6a2b06f131ab9849f
compiler: gcc (GCC) 10.1.0-syz 20200507
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3ae6a2b06f131ab9849f@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:406 [inline]
BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x376/0x780 drivers/usb/core/hcd.c:775
Write of size 2 at addr ffff88809f5ef480 by task syz-executor.4/6857
CPU: 1 PID: 6857 Comm: syz-executor.4 Not tainted 5.9.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x198/0x1fd lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
__kasan_report mm/kasan/report.c:513 [inline]
kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
check_memory_region_inline mm/kasan/generic.c:186 [inline]
check_memory_region+0x13d/0x180 mm/kasan/generic.c:192
memcpy+0x39/0x60 mm/kasan/common.c:106
memcpy include/linux/string.h:406 [inline]
usb_hcd_poll_rh_status+0x376/0x780 drivers/usb/core/hcd.c:775
call_timer_fn+0x1ac/0x760 kernel/time/timer.c:1413
expire_timers kernel/time/timer.c:1458 [inline]
__run_timers.part.0+0x67c/0xaa0 kernel/time/timer.c:1755
__run_timers kernel/time/timer.c:1736 [inline]
run_timer_softirq+0xae/0x1a0 kernel/time/timer.c:1768
__do_softirq+0x1f7/0xa91 kernel/softirq.c:298
asm_call_on_stack+0xf/0x20 arch/x86/entry/entry_64.S:706
</IRQ>
__run_on_irqstack arch/x86/include/asm/irq_stack.h:22 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:48 [inline]
do_softirq_own_stack+0x9d/0xd0 arch/x86/kernel/irq_64.c:77
invoke_softirq kernel/softirq.c:393 [inline]
__irq_exit_rcu kernel/softirq.c:423 [inline]
irq_exit_rcu+0x235/0x280 kernel/softirq.c:435
sysvec_apic_timer_interrupt+0x51/0xf0 arch/x86/kernel/apic/apic.c:1091
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:581
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:770 [inline]
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x4d/0x90 kernel/locking/spinlock.c:191
Code: 48 c7 c0 48 3c b6 89 48 ba 00 00 00 00 00 fc ff df 48 c1 e8 03 80 3c 10 00 75 3c 48 83 3d 12 f5 bf 01 00 74 29 48 89 df 57 9d <0f> 1f 44 00 00 bf 01 00 00 00 e8 f4 6d 59 f9 65 8b 05 2d b7 0b 78
RSP: 0018:ffffc90004e0f740 EFLAGS: 00000282
RAX: 1ffffffff136c789 RBX: 0000000000000282 RCX: 1ffffffff1563f69
RDX: dffffc0000000000 RSI: 0000000000000001 RDI: 0000000000000282
RBP: ffffffff8cc156b8 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888037a37270
R13: 1ffff920009c1efa R14: ffffffff8cc156b8 R15: ffffffff8cc156b0
__debug_object_init+0x401/0xce0 lib/debugobjects.c:580
debug_object_init lib/debugobjects.c:595 [inline]
debug_object_activate+0x32c/0x3e0 lib/debugobjects.c:681
debug_rcu_head_queue kernel/rcu/rcu.h:176 [inline]
__call_rcu kernel/rcu/tree.c:2880 [inline]
call_rcu+0x2c/0x7b0 kernel/rcu/tree.c:2968
destroy_inode+0x129/0x1b0 fs/inode.c:287
iput_final fs/inode.c:1652 [inline]
iput.part.0+0x424/0x850 fs/inode.c:1678
iput+0x58/0x70 fs/inode.c:1668
proc_invalidate_siblings_dcache+0x28d/0x600 fs/proc/inode.c:160
release_task+0xc63/0x14d0 kernel/exit.c:221
wait_task_zombie kernel/exit.c:1088 [inline]
wait_consider_task+0x2fb3/0x3b20 kernel/exit.c:1315
do_wait_thread kernel/exit.c:1378 [inline]
do_wait+0x36a/0x9e0 kernel/exit.c:1449
kernel_wait4+0x14c/0x260 kernel/exit.c:1621
__do_sys_wait4+0x13f/0x150 kernel/exit.c:1649
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4171fb
Code: 54 55 41 89 d4 53 48 89 f5 89 fb 48 83 ec 10 e8 1b f9 ff ff 45 31 d2 41 89 c0 49 63 d4 48 89 ee 48 63 fb b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 19 44 89 c7 89 44 24 0c e8 51 f9 ff ff 8b 44
RSP: 002b:00007ffff8e9d6c0 EFLAGS: 00000246 ORIG_RAX: 000000000000003d
RAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00000000004171fb
RDX: 0000000040000001 RSI: 00007ffff8e9d720 RDI: ffffffffffffffff
RBP: 00007ffff8e9d720 R08: 0000000000000000 R09: 000000000267c940
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000040000001
R13: 00007ffff8e9d720 R14: 000000000012605c R15: 00007ffff8e9d730
Allocated by task 31714:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
kasan_set_track mm/kasan/common.c:56 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461
__do_kmalloc mm/slab.c:3655 [inline]
__kmalloc+0x1b0/0x310 mm/slab.c:3664
kmalloc include/linux/slab.h:559 [inline]
proc_do_submiturb+0x29a3/0x34d0 drivers/usb/core/devio.c:1733
proc_submiturb drivers/usb/core/devio.c:1892 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2588 [inline]
usbdev_ioctl+0x682/0x3360 drivers/usb/core/devio.c:2708
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl fs/ioctl.c:739 [inline]
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
The buggy address belongs to the object at ffff88809f5ef480
which belongs to the cache kmalloc-32 of size 32
The buggy address is located 0 bytes inside of
32-byte region [ffff88809f5ef480, ffff88809f5ef4a0)
The buggy address belongs to the page:
page:00000000686f7d13 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88809f5effc1 pfn:0x9f5ef
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00029f1e08 ffffea0002684648 ffff8880aa040100
raw: ffff88809f5effc1 ffff88809f5ef000 000000010000003b 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88809f5ef380: fb fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
ffff88809f5ef400: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
>ffff88809f5ef480: 01 fc fc fc fc fc fc fc 00 00 00 fc fc fc fc fc
^
ffff88809f5ef500: fa fb fb fb fc fc fc fc 00 00 fc fc fc fc fc fc
ffff88809f5ef580: 00 00 fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
* Re: [syzbot] KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status (2)
From: syzbot @ 2021-12-30 15:47 UTC
To: akpm, andreyknvl, dvyukov, gregkh, gustavoars, jun.li, keescook,
kishon, linux-kernel, linux-usb, m.szyprowski, noring,
pastor.winkley, peter.chen, stern, syzkaller-bugs
syzbot has found a reproducer for the following issue on:
HEAD commit: eec4df26e24e Merge tag 's390-5.16-6' of git://git.kernel.o..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1696bbfbb00000
kernel config: https://syzkaller.appspot.com/x/.config?x=2ebd4b29568807bc
dashboard link: https://syzkaller.appspot.com/bug?extid=3ae6a2b06f131ab9849f
compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11b14c1bb00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12ab99edb00000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3ae6a2b06f131ab9849f@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x243/0x530 drivers/usb/core/hcd.c:774
Write of size 2 at addr ffff88801dd0d780 by task syz-executor046/3607
CPU: 1 PID: 3607 Comm: syz-executor046 Not tainted 5.16.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106
print_address_description+0x65/0x380 mm/kasan/report.c:247
__kasan_report mm/kasan/report.c:433 [inline]
kasan_report+0x19a/0x1f0 mm/kasan/report.c:450
kasan_check_range+0x2b5/0x2f0 mm/kasan/generic.c:189
memcpy+0x3c/0x60 mm/kasan/shadow.c:66
usb_hcd_poll_rh_status+0x243/0x530 drivers/usb/core/hcd.c:774
call_timer_fn+0xf6/0x210 kernel/time/timer.c:1421
expire_timers kernel/time/timer.c:1466 [inline]
__run_timers+0x71a/0x910 kernel/time/timer.c:1734
run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1747
__do_softirq+0x392/0x7a3 kernel/softirq.c:558
__irq_exit_rcu+0xec/0x170 kernel/softirq.c:637
irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1097
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x12/0x20
RIP: 0010:console_unlock+0xc88/0xe90 kernel/printk/printk.c:2716
Code: 00 e9 71 fa ff ff e8 a7 70 1a 00 e8 62 4b a0 08 48 83 7c 24 38 00 74 dd 66 2e 0f 1f 84 00 00 00 00 00 e8 8b 70 1a 00 fb 31 ff <44> 89 f6 e8 90 74 1a 00 31 db 45 85 f6 0f 95 c0 89 c1 0a 4c 24 0f
RSP: 0018:ffffc90001a8f0e0 EFLAGS: 00000246
RAX: ffffffff816a0d85 RBX: 0000000000000000 RCX: ffff888018638000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90001a8f2f0 R08: ffffffff816a0d3c R09: fffffbfff1bfd566
R10: fffffbfff1bfd566 R11: 0000000000000000 R12: ffffffff8d3ec5e8
R13: ffffffff8d3ec5b0 R14: 0000000000000001 R15: ffffc90001a8f160
vprintk_emit+0xba/0x140 kernel/printk/printk.c:2245
dev_vprintk_emit+0x2e4/0x35d drivers/base/core.c:4594
dev_printk_emit+0xd9/0x118 drivers/base/core.c:4605
_dev_warn+0x11e/0x165 drivers/base/core.c:4661
checkintf drivers/usb/core/devio.c:826 [inline]
do_proc_bulk+0x81c/0x15d0 drivers/usb/core/devio.c:1268
proc_bulk drivers/usb/core/devio.c:1351 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2625 [inline]
usbdev_ioctl+0x36b7/0x6d00 drivers/usb/core/devio.c:2791
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fc8c54137a9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe10cef0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fc8c54570b0 RCX: 00007fc8c54137a9
RDX: 0000000020000240 RSI: 00000000c0185502 RDI: 0000000000000006
RBP: 00007ffe10cef0f0 R08: 00007ffe10ceeb40 R09: 0000000000000000
R10: 000000000000ffff R11: 0000000000000246 R12: 00007fc8c53d2780
R13: 0000000000000000 R14: 00007ffe10cef0f0 R15: 00007ffe10cef0e0
</TASK>
Allocated by task 3616:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc+0xdc/0x110 mm/kasan/common.c:513
kasan_kmalloc include/linux/kasan.h:269 [inline]
__kmalloc+0x253/0x380 mm/slub.c:4423
kmalloc include/linux/slab.h:595 [inline]
do_proc_bulk+0x858/0x15d0 drivers/usb/core/devio.c:1292
proc_bulk drivers/usb/core/devio.c:1351 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2625 [inline]
usbdev_ioctl+0x36b7/0x6d00 drivers/usb/core/devio.c:2791
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
The buggy address belongs to the object at ffff88801dd0d780
which belongs to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes inside of
8-byte region [ffff88801dd0d780, ffff88801dd0d788)
The buggy address belongs to the page:
page:ffffea0000774340 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1dd0d
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea000077d900 dead000000000002 ffff888011441280
raw: 0000000000000000 0000000080660066 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY), pid 22, ts 8565550793, free_ts 8556148454
prep_new_page mm/page_alloc.c:2418 [inline]
get_page_from_freelist+0x729/0x9e0 mm/page_alloc.c:4149
__alloc_pages+0x255/0x580 mm/page_alloc.c:5369
alloc_slab_page mm/slub.c:1793 [inline]
allocate_slab+0xcc/0x540 mm/slub.c:1930
new_slab mm/slub.c:1993 [inline]
___slab_alloc+0x41e/0xc40 mm/slub.c:3022
__slab_alloc mm/slub.c:3109 [inline]
slab_alloc_node mm/slub.c:3200 [inline]
slab_alloc mm/slub.c:3242 [inline]
__kmalloc+0x2eb/0x380 mm/slub.c:4419
kmalloc include/linux/slab.h:595 [inline]
kzalloc include/linux/slab.h:724 [inline]
smk_parse_smack+0x18e/0x220 security/smack/smack_access.c:468
smk_import_entry+0x22/0x400 security/smack/smack_access.c:566
smk_fetch security/smack/smack_lsm.c:300 [inline]
smack_d_instantiate+0x6ac/0xd10 security/smack/smack_lsm.c:3417
security_d_instantiate+0xa5/0x100 security/security.c:2040
d_instantiate+0x51/0x90 fs/dcache.c:2008
shmem_mknod+0x165/0x1b0 mm/shmem.c:2842
shmem_mkdir+0x2e/0x60 mm/shmem.c:2881
vfs_mkdir+0x44d/0x680 fs/namei.c:3883
dev_mkdir drivers/base/devtmpfs.c:165 [inline]
create_path drivers/base/devtmpfs.c:190 [inline]
handle_create drivers/base/devtmpfs.c:209 [inline]
handle drivers/base/devtmpfs.c:380 [inline]
devtmpfs_work_loop+0x386/0x1080 drivers/base/devtmpfs.c:395
devtmpfsd+0x44/0x50 drivers/base/devtmpfs.c:437
kthread+0x468/0x490 kernel/kthread.c:327
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1338 [inline]
free_pcp_prepare+0xd1c/0xe00 mm/page_alloc.c:1389
free_unref_page_prepare mm/page_alloc.c:3309 [inline]
free_unref_page_list+0x11f/0xa50 mm/page_alloc.c:3425
release_pages+0x15a7/0x17d0 mm/swap.c:980
tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:242 [inline]
tlb_flush_mmu+0x780/0x910 mm/mmu_gather.c:249
tlb_finish_mmu+0xcb/0x200 mm/mmu_gather.c:340
exit_mmap+0x3dd/0x6f0 mm/mmap.c:3172
__mmput+0x111/0x3a0 kernel/fork.c:1113
free_bprm+0x136/0x2f0 fs/exec.c:1481
kernel_execve+0x740/0x9a0 fs/exec.c:1978
call_usermodehelper_exec_async+0x262/0x3b0 kernel/umh.c:112
ret_from_fork+0x1f/0x30
Memory state around the buggy address:
ffff88801dd0d680: fc fc 00 fc fc fc fc 00 fc fc fc fc 00 fc fc fc
ffff88801dd0d700: fc 00 fc fc fc fc 00 fc fc fc fc fb fc fc fc fc
>ffff88801dd0d780: 01 fc fc fc fc 00 fc fc fc fc fa fc fc fc fc fa
^
ffff88801dd0d800: fc fc fc fc fa fc fc fc fc fa fc fc fc fc 00 fc
ffff88801dd0d880: fc fc fc fa fc fc fc fc fa fc fc fc fc fa fc fc
==================================================================
----------------
Code disassembly (best guess), 1 bytes skipped:
0: e9 71 fa ff ff jmpq 0xfffffa76
5: e8 a7 70 1a 00 callq 0x1a70b1
a: e8 62 4b a0 08 callq 0x8a04b71
f: 48 83 7c 24 38 00 cmpq $0x0,0x38(%rsp)
15: 74 dd je 0xfffffff4
17: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
1e: 00 00 00
21: e8 8b 70 1a 00 callq 0x1a70b1
26: fb sti
27: 31 ff xor %edi,%edi
* 29: 44 89 f6 mov %r14d,%esi <-- trapping instruction
2c: e8 90 74 1a 00 callq 0x1a74c1
31: 31 db xor %ebx,%ebx
33: 45 85 f6 test %r14d,%r14d
36: 0f 95 c0 setne %al
39: 89 c1 mov %eax,%ecx
3b: 0a 4c 24 0f or 0xf(%rsp),%cl
* Re: [syzbot] KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status (2)
From: Alan Stern @ 2021-12-30 20:08 UTC
To: syzbot
Cc: akpm, andreyknvl, dvyukov, gregkh, gustavoars, jun.li, keescook,
kishon, linux-kernel, linux-usb, m.szyprowski, noring,
pastor.winkley, peter.chen, syzkaller-bugs
On Thu, Dec 30, 2021 at 07:47:18AM -0800, syzbot wrote:
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: eec4df26e24e Merge tag 's390-5.16-6' of git://git.kernel.o..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1696bbfbb00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=2ebd4b29568807bc
> dashboard link: https://syzkaller.appspot.com/bug?extid=3ae6a2b06f131ab9849f
> compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11b14c1bb00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12ab99edb00000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3ae6a2b06f131ab9849f@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x243/0x530 drivers/usb/core/hcd.c:774
> Write of size 2 at addr ffff88801dd0d780 by task syz-executor046/3607
>
> CPU: 1 PID: 3607 Comm: syz-executor046 Not tainted 5.16.0-rc7-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
> <IRQ>
> __dump_stack lib/dump_stack.c:88 [inline]
> dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106
> print_address_description+0x65/0x380 mm/kasan/report.c:247
> __kasan_report mm/kasan/report.c:433 [inline]
> kasan_report+0x19a/0x1f0 mm/kasan/report.c:450
> kasan_check_range+0x2b5/0x2f0 mm/kasan/generic.c:189
> memcpy+0x3c/0x60 mm/kasan/shadow.c:66
> usb_hcd_poll_rh_status+0x243/0x530 drivers/usb/core/hcd.c:774
> call_timer_fn+0xf6/0x210 kernel/time/timer.c:1421
> expire_timers kernel/time/timer.c:1466 [inline]
> __run_timers+0x71a/0x910 kernel/time/timer.c:1734
> run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1747
> __do_softirq+0x392/0x7a3 kernel/softirq.c:558
> __irq_exit_rcu+0xec/0x170 kernel/softirq.c:637
> irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
> sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1097
> </IRQ>
> <TASK>
> asm_sysvec_apic_timer_interrupt+0x12/0x20
> RIP: 0010:console_unlock+0xc88/0xe90 kernel/printk/printk.c:2716
> Code: 00 e9 71 fa ff ff e8 a7 70 1a 00 e8 62 4b a0 08 48 83 7c 24 38 00 74 dd 66 2e 0f 1f 84 00 00 00 00 00 e8 8b 70 1a 00 fb 31 ff <44> 89 f6 e8 90 74 1a 00 31 db 45 85 f6 0f 95 c0 89 c1 0a 4c 24 0f
> RSP: 0018:ffffc90001a8f0e0 EFLAGS: 00000246
> RAX: ffffffff816a0d85 RBX: 0000000000000000 RCX: ffff888018638000
> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
> RBP: ffffc90001a8f2f0 R08: ffffffff816a0d3c R09: fffffbfff1bfd566
> R10: fffffbfff1bfd566 R11: 0000000000000000 R12: ffffffff8d3ec5e8
> R13: ffffffff8d3ec5b0 R14: 0000000000000001 R15: ffffc90001a8f160
> vprintk_emit+0xba/0x140 kernel/printk/printk.c:2245
> dev_vprintk_emit+0x2e4/0x35d drivers/base/core.c:4594
> dev_printk_emit+0xd9/0x118 drivers/base/core.c:4605
> _dev_warn+0x11e/0x165 drivers/base/core.c:4661
> checkintf drivers/usb/core/devio.c:826 [inline]
> do_proc_bulk+0x81c/0x15d0 drivers/usb/core/devio.c:1268
> proc_bulk drivers/usb/core/devio.c:1351 [inline]
> usbdev_do_ioctl drivers/usb/core/devio.c:2625 [inline]
> usbdev_ioctl+0x36b7/0x6d00 drivers/usb/core/devio.c:2791
> vfs_ioctl fs/ioctl.c:51 [inline]
> __do_sys_ioctl fs/ioctl.c:874 [inline]
> __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:860
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x44/0xae
> RIP: 0033:0x7fc8c54137a9
> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007ffe10cef0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> RAX: ffffffffffffffda RBX: 00007fc8c54570b0 RCX: 00007fc8c54137a9
> RDX: 0000000020000240 RSI: 00000000c0185502 RDI: 0000000000000006
> RBP: 00007ffe10cef0f0 R08: 00007ffe10ceeb40 R09: 0000000000000000
> R10: 000000000000ffff R11: 0000000000000246 R12: 00007fc8c53d2780
> R13: 0000000000000000 R14: 00007ffe10cef0f0 R15: 00007ffe10cef0e0
> </TASK>
>
> Allocated by task 3616:
> kasan_save_stack mm/kasan/common.c:38 [inline]
> kasan_set_track mm/kasan/common.c:46 [inline]
> set_alloc_info mm/kasan/common.c:434 [inline]
> ____kasan_kmalloc+0xdc/0x110 mm/kasan/common.c:513
> kasan_kmalloc include/linux/kasan.h:269 [inline]
> __kmalloc+0x253/0x380 mm/slub.c:4423
> kmalloc include/linux/slab.h:595 [inline]
> do_proc_bulk+0x858/0x15d0 drivers/usb/core/devio.c:1292
> proc_bulk drivers/usb/core/devio.c:1351 [inline]
> usbdev_do_ioctl drivers/usb/core/devio.c:2625 [inline]
> usbdev_ioctl+0x36b7/0x6d00 drivers/usb/core/devio.c:2791
> vfs_ioctl fs/ioctl.c:51 [inline]
> __do_sys_ioctl fs/ioctl.c:874 [inline]
> __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:860
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x44/0xae
Diagnostic patch.
Alan Stern
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ eec4df26e24e
Index: usb-devel/drivers/usb/core/devio.c
===================================================================
--- usb-devel.orig/drivers/usb/core/devio.c
+++ usb-devel/drivers/usb/core/devio.c
@@ -109,7 +109,7 @@ struct async {
u8 bulk_status;
};
-static bool usbfs_snoop;
+static bool usbfs_snoop = true;
module_param(usbfs_snoop, bool, S_IRUGO | S_IWUSR);
MODULE_PARM_DESC(usbfs_snoop, "true to log all usbfs traffic");
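Review bot: this hunk has to stay a test-only change and must not be picked up as a fix; flipping the `usbfs_snoop` default to `true` would make a merged kernel log every usbfs transfer from every process (the parameter's own description says "true to log all usbfs traffic"), and nothing in usb_hcd_poll_rh_status changes, so the KASAN write itself is not addressed. Because `module_param(usbfs_snoop, bool, S_IRUGO | S_IWUSR)` is already root-writable, the same log lines can be obtained on a local machine by writing 1 to the parameter at runtime; the patch form is only needed for the `#syz test` run, where the kernel boots as built. A `/* XXX debug only */` comment on the `+static bool usbfs_snoop = true;` line would keep the hunk from being mistaken for a fix if it is re-sent.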
* Re: [syzbot] KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status (2)
From: syzbot @ 2021-12-31 0:49 UTC
To: akpm, andreyknvl, dvyukov, gregkh, gustavoars, jun.li, keescook,
kishon, linux-kernel, linux-usb, m.szyprowski, noring,
pastor.winkley, peter.chen, stern, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]
BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x376/0x780 drivers/usb/core/hcd.c:774
Write of size 2 at addr ffff8880121ae230 by task syz-executor189/4087
CPU: 1 PID: 4087 Comm: syz-executor189 Not tainted 5.16.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247
__kasan_report mm/kasan/report.c:433 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
memcpy+0x39/0x60 mm/kasan/shadow.c:66
memcpy include/linux/fortify-string.h:225 [inline]
usb_hcd_poll_rh_status+0x376/0x780 drivers/usb/core/hcd.c:774
call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1421
expire_timers kernel/time/timer.c:1466 [inline]
__run_timers.part.0+0x67c/0xa30 kernel/time/timer.c:1734
__run_timers kernel/time/timer.c:1715 [inline]
run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1747
__do_softirq+0x29b/0x9c2 kernel/softirq.c:558
invoke_softirq kernel/softirq.c:432 [inline]
__irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:preempt_count arch/x86/include/asm/preempt.h:27 [inline]
RIP: 0010:check_kcov_mode kernel/kcov.c:166 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x60 kernel/kcov.c:200
Code: 48 89 ef 5d e9 b1 1c 46 00 5d be 03 00 00 00 e9 46 8c 63 02 66 0f 1f 44 00 00 48 8b be b0 01 00 00 e8 b4 ff ff ff 31 c0 c3 90 <65> 8b 05 c9 dd 8a 7e 89 c1 48 8b 34 24 81 e1 00 01 00 00 65 48 8b
RSP: 0018:ffffc900027ef930 EFLAGS: 00000293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88801b413a00 RSI: ffffffff815efbe1 RDI: 0000000000000003
RBP: ffffc900027ef970 R08: 0000000000000000 R09: 0000000000000001
R10: ffffffff815efbd7 R11: 0000000000000000 R12: 000000000000001f
R13: ffff88801fbc1d00 R14: 0000000000000200 R15: ffffc900027efa90
console_trylock_spinning kernel/printk/printk.c:1885 [inline]
vprintk_emit+0x377/0x4f0 kernel/printk/printk.c:2244
dev_vprintk_emit+0x36e/0x3b2 drivers/base/core.c:4594
dev_printk_emit+0xba/0xf1 drivers/base/core.c:4605
__dev_printk+0xcf/0xf5 drivers/base/core.c:4617
_dev_info+0xd7/0x109 drivers/base/core.c:4663
usbdev_do_ioctl drivers/usb/core/devio.c:2624 [inline]
usbdev_ioctl.cold+0x7c2/0x83c drivers/usb/core/devio.c:2791
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl fs/ioctl.c:860 [inline]
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7faa77f20799
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd37de1eb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007faa77f64098 RCX: 00007faa77f20799
RDX: 0000000020000240 RSI: 00000000c0185502 RDI: 0000000000000006
RBP: 00007ffd37de1ee0 R08: 00007ffd37de1930 R09: 0000000000000000
R10: 000000000000ffff R11: 0000000000000246 R12: 000000000001297d
R13: 00007ffd37de1ec4 R14: 00007ffd37de1ee0 R15: 00007ffd37de1ed0
</TASK>
Allocated by task 4081:
kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc mm/kasan/common.c:513 [inline]
____kasan_kmalloc mm/kasan/common.c:472 [inline]
__kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:522
kmalloc include/linux/slab.h:595 [inline]
do_proc_bulk+0x2fc/0xba0 drivers/usb/core/devio.c:1292
proc_bulk drivers/usb/core/devio.c:1351 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2625 [inline]
usbdev_ioctl+0x586/0x36c0 drivers/usb/core/devio.c:2791
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl fs/ioctl.c:860 [inline]
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
The buggy address belongs to the object at ffff8880121ae230
which belongs to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes inside of
8-byte region [ffff8880121ae230, ffff8880121ae238)
The buggy address belongs to the page:
page:ffffea0000486b80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x121ae
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 dead000000000100 dead000000000122 ffff888010c41280
raw: 0000000000000000 0000000080660066 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 2449997177, free_ts 0
prep_new_page mm/page_alloc.c:2418 [inline]
get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4149
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5369
alloc_page_interleave+0x1e/0x200 mm/mempolicy.c:2036
alloc_pages+0x29f/0x300 mm/mempolicy.c:2185
alloc_slab_page mm/slub.c:1793 [inline]
allocate_slab mm/slub.c:1930 [inline]
new_slab+0x32d/0x4a0 mm/slub.c:1993
___slab_alloc+0x918/0xfe0 mm/slub.c:3022
__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3109
slab_alloc_node mm/slub.c:3200 [inline]
slab_alloc mm/slub.c:3242 [inline]
__kmalloc+0x2fb/0x340 mm/slub.c:4419
acpi_ns_internalize_name drivers/acpi/acpica/nsutils.c:331 [inline]
acpi_ns_internalize_name+0xf2/0x1a1 drivers/acpi/acpica/nsutils.c:312
acpi_ns_get_node_unlocked drivers/acpi/acpica/nsutils.c:666 [inline]
acpi_ns_get_node_unlocked+0x1d8/0x278 drivers/acpi/acpica/nsutils.c:635
acpi_ns_get_node+0x4b/0x6a drivers/acpi/acpica/nsutils.c:726
acpi_ns_evaluate+0xd2/0x966 drivers/acpi/acpica/nseval.c:62
acpi_evaluate_object+0x3db/0x7f5 drivers/acpi/acpica/nsxfeval.c:354
acpi_evaluate_dsm+0x188/0x270 drivers/acpi/utils.c:678
acpi_check_dsm drivers/acpi/utils.c:710 [inline]
acpi_check_dsm+0x60/0x260 drivers/acpi/utils.c:701
device_has_acpi_name drivers/pci/pci-label.c:44 [inline]
acpi_attr_is_visible+0xaf/0x130 drivers/pci/pci-label.c:221
page_owner free stack trace missing
Memory state around the buggy address:
ffff8880121ae100: fc fc fc 00 fc fc fc fc 00 fc fc fc fc 00 fc fc
ffff8880121ae180: fc fc fa fc fc fc fc 00 fc fc fc fc 00 fc fc fc
>ffff8880121ae200: fc fb fc fc fc fc 01 fc fc fc fc fb fc fc fc fc
^
ffff8880121ae280: fb fc fc fc fc fb fc fc fc fc fb fc fc fc fc fb
ffff8880121ae300: fc fc fc fc fb fc fc fc fc fb fc fc fc fc 00 fc
==================================================================
----------------
Code disassembly (best guess):
0: 48 89 ef mov %rbp,%rdi
3: 5d pop %rbp
4: e9 b1 1c 46 00 jmpq 0x461cba
9: 5d pop %rbp
a: be 03 00 00 00 mov $0x3,%esi
f: e9 46 8c 63 02 jmpq 0x2638c5a
14: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
1a: 48 8b be b0 01 00 00 mov 0x1b0(%rsi),%rdi
21: e8 b4 ff ff ff callq 0xffffffda
26: 31 c0 xor %eax,%eax
28: c3 retq
29: 90 nop
* 2a: 65 8b 05 c9 dd 8a 7e mov %gs:0x7e8addc9(%rip),%eax # 0x7e8addfa <-- trapping instruction
31: 89 c1 mov %eax,%ecx
33: 48 8b 34 24 mov (%rsp),%rsi
37: 81 e1 00 01 00 00 and $0x100,%ecx
3d: 65 gs
3e: 48 rex.W
3f: 8b .byte 0x8b
Tested on:
commit: eec4df26 Merge tag 's390-5.16-6' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=13e94c1bb00000
kernel config: https://syzkaller.appspot.com/x/.config?x=1a86c22260afac2f
dashboard link: https://syzkaller.appspot.com/bug?extid=3ae6a2b06f131ab9849f
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1798d2c3b00000
* Re: [syzbot] KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status (2)
From: Alan Stern @ 2021-12-31 2:31 UTC
To: syzbot
Cc: andreyknvl, dvyukov, gregkh, linux-kernel, linux-usb, syzkaller-bugs
[Trimmed CC: list]
On Thu, Dec 30, 2021 at 04:49:18PM -0800, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status
...
> Tested on:
>
> commit: eec4df26 Merge tag 's390-5.16-6' of git://git.kernel.o..
> git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
I'm glad to see that the git tree is reported properly, but the commit
label is too short. The reproducer bug report had exactly the opposite
problems! It said:
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: eec4df26e24e Merge tag 's390-5.16-6' of git://git.kernel.o..
> git tree: upstream
Andrey or Dmitry? Can you guys unify these two outputs to make both
lines correct always?
Moving on... Important lines from the console log:
[ 76.919138][ T4081] usb usb9: usbdev_do_ioctl: BULK
[ 76.924966][ T4081] usb usb9: usbfs: process 4081 (syz-executor189) did not claim interface 0 before use
[ 76.935186][ T4081] usb usb9: ep1 int-in, length 1, timeout 9
[ 76.941355][ T4099] usb usb9: opened by process 4099: syz-executor189
[ 76.942606][ T4087] usb usb9: usbdev_do_ioctl: BULK
[ 76.949968][ C1]
==================================================================
[ 76.950070][ C1] BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x376/0x780
[ 76.950102][ C1] Write of size 2 at addr ffff8880121ae230 by task syz-executor189/4087
It's hard to tell what's really happening. The suspicious part is the
"length 1" combined with the "Write of size 2" -- but they refer to
different processes!
Maybe this diagnostic patch will help a little.
Alan Stern
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ eec4df26e24e
Index: usb-devel/drivers/usb/core/devio.c
===================================================================
--- usb-devel.orig/drivers/usb/core/devio.c
+++ usb-devel/drivers/usb/core/devio.c
@@ -109,7 +109,7 @@ struct async {
u8 bulk_status;
};
-static bool usbfs_snoop;
+static bool usbfs_snoop = true;
module_param(usbfs_snoop, bool, S_IRUGO | S_IWUSR);
MODULE_PARM_DESC(usbfs_snoop, "true to log all usbfs traffic");
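Review bot: changing the usbfs_snoop default to true is a diagnostic-only change that must not survive into a merged fix; as the MODULE_PARM_DESC line says, it logs all usbfs traffic, so on the syzbot run it will also dump every bulk transfer the reproducer issues at info level, not just the root-hub status requests of interest.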
Index: usb-devel/drivers/usb/core/hcd.c
===================================================================
--- usb-devel.orig/drivers/usb/core/hcd.c
+++ usb-devel/drivers/usb/core/hcd.c
@@ -809,8 +809,10 @@ static int rh_queue_status (struct usb_h
unsigned len = 1 + (urb->dev->maxchild / 8);
spin_lock_irqsave (&hcd_root_hub_lock, flags);
+ dev_info(hcd->self.controller, "rh_queue_status: len %d tblen %d\n",
+ len, urb->transfer_buffer_length);
if (hcd->status_urb || urb->transfer_buffer_length < len) {
- dev_dbg (hcd->self.controller, "not queuing rh status urb\n");
+ dev_info(hcd->self.controller, "not queuing rh status urb\n");
retval = -EINVAL;
goto done;
}
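Review bot: this dev_info instruments only the enqueue check in rh_queue_status(), but the faulting memcpy() in the quoted console lines is in usb_hcd_poll_rh_status() (usb_hcd_poll_rh_status+0x376/0x780), which copies a `length` obtained separately from the `len = 1 + (urb->dev->maxchild / 8)` logged here; printing `length` next to `transfer_buffer_length` at the copy site would show directly whether the two disagree. Minor: `len` is unsigned, so `%u` rather than `%d` in the format string.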
* Re: [syzbot] KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status (2)
2021-12-31 2:31 ` Alan Stern
@ 2021-12-31 5:24 ` syzbot
2021-12-31 17:33 ` Alan Stern
2022-05-19 12:51 ` [syzbot] KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status (2) Dmitry Vyukov
1 sibling, 1 reply; 12+ messages in thread
From: syzbot @ 2021-12-31 5:24 UTC (permalink / raw)
To: andreyknvl, dvyukov, gregkh, linux-kernel, linux-usb, stern, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]
BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x376/0x780 drivers/usb/core/hcd.c:774
Write of size 2 at addr ffff8880127f7028 by task syz-executor029/4082
CPU: 1 PID: 4082 Comm: syz-executor029 Not tainted 5.16.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247
__kasan_report mm/kasan/report.c:433 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
memcpy+0x39/0x60 mm/kasan/shadow.c:66
memcpy include/linux/fortify-string.h:225 [inline]
usb_hcd_poll_rh_status+0x376/0x780 drivers/usb/core/hcd.c:774
call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1421
expire_timers kernel/time/timer.c:1466 [inline]
__run_timers.part.0+0x67c/0xa30 kernel/time/timer.c:1734
__run_timers kernel/time/timer.c:1715 [inline]
run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1747
__do_softirq+0x29b/0x9c2 kernel/softirq.c:558
invoke_softirq kernel/softirq.c:432 [inline]
__irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70 kernel/locking/spinlock.c:194
Code: 74 24 10 e8 aa db 15 f8 48 89 ef e8 62 51 16 f8 81 e3 00 02 00 00 75 25 9c 58 f6 c4 02 75 2d 48 85 db 74 01 fb bf 01 00 00 00 <e8> a3 1b 09 f8 65 8b 05 bc a0 bb 76 85 c0 74 0a 5b 5d c3 e8 d0 02
RSP: 0018:ffffc9000283f8b0 EFLAGS: 00000206
RAX: 0000000000000002 RBX: 0000000000000200 RCX: 1ffffffff1b22571
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
RBP: ffffffff8ca3bc60 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff817dd258 R11: 0000000000000000 R12: ffff88801cffc240
R13: ffff88801dba4000 R14: ffff88801dba4180 R15: 0000000000000000
spin_unlock_irqrestore include/linux/spinlock.h:404 [inline]
rh_queue_status drivers/usb/core/hcd.c:834 [inline]
rh_urb_enqueue drivers/usb/core/hcd.c:841 [inline]
usb_hcd_submit_urb+0x155c/0x2300 drivers/usb/core/hcd.c:1546
usb_submit_urb+0x86d/0x18a0 drivers/usb/core/urb.c:594
usbfs_start_wait_urb+0x128/0x3d0 drivers/usb/core/devio.c:1125
do_proc_bulk+0x535/0xba0 drivers/usb/core/devio.c:1313
proc_bulk drivers/usb/core/devio.c:1351 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2625 [inline]
usbdev_ioctl+0x586/0x36c0 drivers/usb/core/devio.c:2791
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl fs/ioctl.c:860 [inline]
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fe659509799
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffbcc163b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fe65954d098 RCX: 00007fe659509799
RDX: 0000000020000240 RSI: 00000000c0185502 RDI: 0000000000000006
RBP: 00007fffbcc163e0 R08: 00007fffbcc15e30 R09: 0000000000000000
R10: 000000000000ffff R11: 0000000000000246 R12: 0000000000012b3a
R13: 00007fffbcc163c4 R14: 00007fffbcc163e0 R15: 00007fffbcc163d0
</TASK>
Allocated by task 4082:
kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc mm/kasan/common.c:513 [inline]
____kasan_kmalloc mm/kasan/common.c:472 [inline]
__kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:522
kmalloc include/linux/slab.h:595 [inline]
do_proc_bulk+0x2fc/0xba0 drivers/usb/core/devio.c:1292
proc_bulk drivers/usb/core/devio.c:1351 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2625 [inline]
usbdev_ioctl+0x586/0x36c0 drivers/usb/core/devio.c:2791
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl fs/ioctl.c:860 [inline]
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
The buggy address belongs to the object at ffff8880127f7028
which belongs to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes inside of
8-byte region [ffff8880127f7028, ffff8880127f7030)
The buggy address belongs to the page:
page:ffffea000049fdc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x127f7
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 dead000000000100 dead000000000122 ffff888010c41280
raw: 0000000000000000 0000000080660066 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 2292076002, free_ts 0
prep_new_page mm/page_alloc.c:2418 [inline]
get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4149
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5369
alloc_page_interleave+0x1e/0x200 mm/mempolicy.c:2036
alloc_pages+0x29f/0x300 mm/mempolicy.c:2185
alloc_slab_page mm/slub.c:1793 [inline]
allocate_slab mm/slub.c:1930 [inline]
new_slab+0x32d/0x4a0 mm/slub.c:1993
___slab_alloc+0x918/0xfe0 mm/slub.c:3022
__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3109
slab_alloc_node mm/slub.c:3200 [inline]
slab_alloc mm/slub.c:3242 [inline]
__kmalloc+0x2fb/0x340 mm/slub.c:4419
acpi_ns_internalize_name drivers/acpi/acpica/nsutils.c:331 [inline]
acpi_ns_internalize_name+0xf2/0x1a1 drivers/acpi/acpica/nsutils.c:312
acpi_ns_get_node_unlocked drivers/acpi/acpica/nsutils.c:666 [inline]
acpi_ns_get_node_unlocked+0x1d8/0x278 drivers/acpi/acpica/nsutils.c:635
acpi_ns_get_node+0x4b/0x6a drivers/acpi/acpica/nsutils.c:726
acpi_get_handle+0x129/0x211 drivers/acpi/acpica/nsxfname.c:98
acpi_has_method+0x6e/0xb0 drivers/acpi/utils.c:553
acpi_is_video_device+0x154/0x210 drivers/acpi/scan.c:1226
acpi_set_pnp_ids drivers/acpi/scan.c:1365 [inline]
acpi_init_device_object+0xee0/0x1a60 drivers/acpi/scan.c:1747
acpi_add_single_object+0xe4/0x1aa0 drivers/acpi/scan.c:1793
page_owner free stack trace missing
Memory state around the buggy address:
ffff8880127f6f00: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
ffff8880127f6f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880127f7000: fb fc fc fc fc 01 fc fc fc fc fa fc fc fc fc 00
^
ffff8880127f7080: fc fc fc fc fa fc fc fc fc fa fc fc fc fc fa fc
ffff8880127f7100: fc fc fc fa fc fc fc fc fa fc fc fc fc fa fc fc
==================================================================
----------------
Code disassembly (best guess):
0: 74 24 je 0x26
2: 10 e8 adc %ch,%al
4: aa stos %al,%es:(%rdi)
5: db 15 f8 48 89 ef fistl -0x1076b708(%rip) # 0xef894903
b: e8 62 51 16 f8 callq 0xf8165172
10: 81 e3 00 02 00 00 and $0x200,%ebx
16: 75 25 jne 0x3d
18: 9c pushfq
19: 58 pop %rax
1a: f6 c4 02 test $0x2,%ah
1d: 75 2d jne 0x4c
1f: 48 85 db test %rbx,%rbx
22: 74 01 je 0x25
24: fb sti
25: bf 01 00 00 00 mov $0x1,%edi
* 2a: e8 a3 1b 09 f8 callq 0xf8091bd2 <-- trapping instruction
2f: 65 8b 05 bc a0 bb 76 mov %gs:0x76bba0bc(%rip),%eax # 0x76bba0f2
36: 85 c0 test %eax,%eax
38: 74 0a je 0x44
3a: 5b pop %rbx
3b: 5d pop %rbp
3c: c3 retq
3d: e8 .byte 0xe8
3e: d0 02 rolb (%rdx)
Tested on:
commit: eec4df26 Merge tag 's390-5.16-6' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=12ab1f85b00000
kernel config: https://syzkaller.appspot.com/x/.config?x=1a86c22260afac2f
dashboard link: https://syzkaller.appspot.com/bug?extid=3ae6a2b06f131ab9849f
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=14522335b00000
* Re: [syzbot] KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status (2)
2021-12-31 5:24 ` syzbot
@ 2021-12-31 17:33 ` Alan Stern
2021-12-31 17:44 ` syzbot
0 siblings, 1 reply; 12+ messages in thread
From: Alan Stern @ 2021-12-31 17:33 UTC (permalink / raw)
To: syzbot
Cc: andreyknvl, dvyukov, gregkh, linux-kernel, linux-usb, syzkaller-bugs
On Thu, Dec 30, 2021 at 09:24:09PM -0800, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status
>
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]
> BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x376/0x780 drivers/usb/core/hcd.c:774
> Write of size 2 at addr ffff8880127f7028 by task syz-executor029/4082
Still not enough information.
Alan Stern
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ eec4df26e24e
Index: usb-devel/drivers/usb/core/devio.c
===================================================================
--- usb-devel.orig/drivers/usb/core/devio.c
+++ usb-devel/drivers/usb/core/devio.c
@@ -109,7 +109,7 @@ struct async {
u8 bulk_status;
};
-static bool usbfs_snoop;
+static bool usbfs_snoop = true;
module_param(usbfs_snoop, bool, S_IRUGO | S_IWUSR);
MODULE_PARM_DESC(usbfs_snoop, "true to log all usbfs traffic");
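Review bot: since usbfs_snoop is declared writable at runtime (S_IRUGO | S_IWUSR), the default flip is only needed because the robot boots the patched kernel unattended; anyone reproducing by hand gets the same logging by setting the module parameter, so this hunk can be dropped from any version of the patch that is meant to be applied.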
Index: usb-devel/drivers/usb/core/hcd.c
===================================================================
--- usb-devel.orig/drivers/usb/core/hcd.c
+++ usb-devel/drivers/usb/core/hcd.c
@@ -771,6 +771,8 @@ void usb_hcd_poll_rh_status(struct usb_h
clear_bit(HCD_FLAG_POLL_PENDING, &hcd->flags);
hcd->status_urb = NULL;
urb->actual_length = length;
+ dev_info(hcd->self.controller, "poll_rh_status: len %d maxch %d tblen %d\n",
+ length, urb->dev->maxchild, urb->transfer_buffer_length);
memcpy(urb->transfer_buffer, buffer, length);
usb_hcd_unlink_urb_from_ep(hcd, urb);
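Review bot: placing the dev_info between `urb->actual_length = length` and the unchecked memcpy() means the three values are printed immediately before the bad write, which is exactly what is needed to test the hypothesis; keep in mind it runs from the timer callback in softirq context (call_timer_fn / run_timer_softirq in the trace), so it should stay a test-only line. `length` and `maxchild` are ints but `transfer_buffer_length` is u32, so `%u` for the last specifier.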
@@ -809,8 +811,10 @@ static int rh_queue_status (struct usb_h
unsigned len = 1 + (urb->dev->maxchild / 8);
spin_lock_irqsave (&hcd_root_hub_lock, flags);
+ dev_info(hcd->self.controller, "rh_queue_status: len %d maxch %d tblen %d\n",
+ len, urb->dev->maxchild, urb->transfer_buffer_length);
if (hcd->status_urb || urb->transfer_buffer_length < len) {
- dev_dbg (hcd->self.controller, "not queuing rh status urb\n");
+ dev_info(hcd->self.controller, "not queuing rh status urb\n");
retval = -EINVAL;
goto done;
}
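Review bot: the enqueue-side check `urb->transfer_buffer_length < len` validates the buffer against a port-count estimate, not against what the HCD's status callback later returns, so a 1-byte buffer passes here for any root hub with maxchild below 8, yet the report shows a 2-byte write in usb_hcd_poll_rh_status(); the instrumentation in the previous hunk is the one that will expose that mismatch. Same `%d` versus `%u` nit for `len` and `transfer_buffer_length` as in the earlier test patch.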
* Re: [syzbot] KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status (2)
2021-12-31 17:33 ` Alan Stern
@ 2021-12-31 17:44 ` syzbot
2021-12-31 20:30 ` Alan Stern
0 siblings, 1 reply; 12+ messages in thread
From: syzbot @ 2021-12-31 17:44 UTC (permalink / raw)
To: andreyknvl, dvyukov, gregkh, linux-kernel, linux-usb, stern, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status
vhci_hcd vhci_hcd.0: poll_rh_status: len 2 maxch 0 tblen 1
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]
BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x5f4/0x780 drivers/usb/core/hcd.c:776
Write of size 2 at addr ffff88801da403c0 by task syz-executor133/4062
CPU: 1 PID: 4062 Comm: syz-executor133 Not tainted 5.16.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247
__kasan_report mm/kasan/report.c:433 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
memcpy+0x39/0x60 mm/kasan/shadow.c:66
memcpy include/linux/fortify-string.h:225 [inline]
usb_hcd_poll_rh_status+0x5f4/0x780 drivers/usb/core/hcd.c:776
call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1421
expire_timers kernel/time/timer.c:1466 [inline]
__run_timers.part.0+0x67c/0xa30 kernel/time/timer.c:1734
__run_timers kernel/time/timer.c:1715 [inline]
run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1747
__do_softirq+0x29b/0x9c2 kernel/softirq.c:558
invoke_softirq kernel/softirq.c:432 [inline]
__irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70 kernel/locking/spinlock.c:194
Code: 74 24 10 e8 ca db 15 f8 48 89 ef e8 82 51 16 f8 81 e3 00 02 00 00 75 25 9c 58 f6 c4 02 75 2d 48 85 db 74 01 fb bf 01 00 00 00 <e8> c3 1b 09 f8 65 8b 05 dc a0 bb 76 85 c0 74 0a 5b 5d c3 e8 f0 02
RSP: 0018:ffffc9000289f8b0 EFLAGS: 00000206
RAX: 0000000000000002 RBX: 0000000000000200 RCX: 1ffffffff1b22579
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
RBP: ffffffff8ca3bc60 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff817dd258 R11: 0000000000000000 R12: ffff88801d9a7d40
R13: ffff888147c88000 R14: ffff888147c88180 R15: 0000000000000000
spin_unlock_irqrestore include/linux/spinlock.h:404 [inline]
rh_queue_status drivers/usb/core/hcd.c:836 [inline]
rh_urb_enqueue drivers/usb/core/hcd.c:843 [inline]
usb_hcd_submit_urb+0x15ac/0x2390 drivers/usb/core/hcd.c:1548
usb_submit_urb+0x86d/0x18a0 drivers/usb/core/urb.c:594
usbfs_start_wait_urb+0x128/0x3d0 drivers/usb/core/devio.c:1125
do_proc_bulk+0x535/0xba0 drivers/usb/core/devio.c:1313
proc_bulk drivers/usb/core/devio.c:1351 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2625 [inline]
usbdev_ioctl+0x586/0x36c0 drivers/usb/core/devio.c:2791
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl fs/ioctl.c:860 [inline]
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fecb7004799
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffb13c1078 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fecb7048098 RCX: 00007fecb7004799
RDX: 0000000020000240 RSI: 00000000c0185502 RDI: 0000000000000006
RBP: 00007fffb13c10a0 R08: 00007fffb13c0af0 R09: 0000000000000000
R10: 000000000000ffff R11: 0000000000000246 R12: 00007fecb6fc3770
R13: 0000000000000000 R14: 00007fffb13c10a0 R15: 00007fffb13c1090
</TASK>
Allocated by task 4062:
kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc mm/kasan/common.c:513 [inline]
____kasan_kmalloc mm/kasan/common.c:472 [inline]
__kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:522
kmalloc include/linux/slab.h:595 [inline]
do_proc_bulk+0x2fc/0xba0 drivers/usb/core/devio.c:1292
proc_bulk drivers/usb/core/devio.c:1351 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2625 [inline]
usbdev_ioctl+0x586/0x36c0 drivers/usb/core/devio.c:2791
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl fs/ioctl.c:860 [inline]
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
The buggy address belongs to the object at ffff88801da403c0
which belongs to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes inside of
8-byte region [ffff88801da403c0, ffff88801da403c8)
The buggy address belongs to the page:
page:ffffea0000769000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1da40
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 dead000000000100 dead000000000122 ffff888010c41280
raw: 0000000000000000 0000000080660066 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 2973, ts 21401832644, free_ts 18932450065
prep_new_page mm/page_alloc.c:2418 [inline]
get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4149
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5369
alloc_pages+0x1a7/0x300 mm/mempolicy.c:2190
alloc_slab_page mm/slub.c:1793 [inline]
allocate_slab mm/slub.c:1930 [inline]
new_slab+0x32d/0x4a0 mm/slub.c:1993
___slab_alloc+0x918/0xfe0 mm/slub.c:3022
__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3109
slab_alloc_node mm/slub.c:3200 [inline]
slab_alloc mm/slub.c:3242 [inline]
__kmalloc+0x2fb/0x340 mm/slub.c:4419
kmalloc include/linux/slab.h:595 [inline]
kernfs_fop_write_iter+0x231/0x500 fs/kernfs/file.c:273
call_write_iter include/linux/fs.h:2162 [inline]
new_sync_write+0x429/0x660 fs/read_write.c:503
vfs_write+0x7cd/0xae0 fs/read_write.c:590
ksys_write+0x12d/0x250 fs/read_write.c:643
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1338 [inline]
free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1389
free_unref_page_prepare mm/page_alloc.c:3309 [inline]
free_unref_page+0x19/0x690 mm/page_alloc.c:3388
kasan_depopulate_vmalloc_pte+0x5c/0x70 mm/kasan/shadow.c:380
apply_to_pte_range mm/memory.c:2518 [inline]
apply_to_pmd_range mm/memory.c:2562 [inline]
apply_to_pud_range mm/memory.c:2598 [inline]
apply_to_p4d_range mm/memory.c:2634 [inline]
__apply_to_page_range+0x686/0x1030 mm/memory.c:2668
kasan_release_vmalloc+0xa7/0xc0 mm/kasan/shadow.c:490
__purge_vmap_area_lazy+0x8f9/0x1c50 mm/vmalloc.c:1708
_vm_unmap_aliases.part.0+0x3f0/0x500 mm/vmalloc.c:2111
_vm_unmap_aliases mm/vmalloc.c:2085 [inline]
vm_unmap_aliases+0x45/0x50 mm/vmalloc.c:2134
change_page_attr_set_clr+0x241/0x500 arch/x86/mm/pat/set_memory.c:1743
change_page_attr_set arch/x86/mm/pat/set_memory.c:1793 [inline]
set_memory_nx+0xb2/0x110 arch/x86/mm/pat/set_memory.c:1941
free_init_pages+0x73/0xc0 arch/x86/mm/init.c:894
kernel_init+0x2e/0x1d0 init/main.c:1508
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Memory state around the buggy address:
ffff88801da40280: fb fc fc fc fc fb fc fc fc fc fb fc fc fc fc fa
ffff88801da40300: fc fc fc fc fa fc fc fc fc fa fc fc fc fc fa fc
>ffff88801da40380: fc fc fc 00 fc fc fc fc 01 fc fc fc fc fb fc fc
^
ffff88801da40400: fc fc fb fc fc fc fc fb fc fc fc fc fb fc fc fc
ffff88801da40480: fc fb fc fc fc fc fa fc fc fc fc fb fc fc fc fc
==================================================================
----------------
Code disassembly (best guess):
0: 74 24 je 0x26
2: 10 e8 adc %ch,%al
4: ca db 15 lret $0x15db
7: f8 clc
8: 48 89 ef mov %rbp,%rdi
b: e8 82 51 16 f8 callq 0xf8165192
10: 81 e3 00 02 00 00 and $0x200,%ebx
16: 75 25 jne 0x3d
18: 9c pushfq
19: 58 pop %rax
1a: f6 c4 02 test $0x2,%ah
1d: 75 2d jne 0x4c
1f: 48 85 db test %rbx,%rbx
22: 74 01 je 0x25
24: fb sti
25: bf 01 00 00 00 mov $0x1,%edi
* 2a: e8 c3 1b 09 f8 callq 0xf8091bf2 <-- trapping instruction
2f: 65 8b 05 dc a0 bb 76 mov %gs:0x76bba0dc(%rip),%eax # 0x76bba112
36: 85 c0 test %eax,%eax
38: 74 0a je 0x44
3a: 5b pop %rbx
3b: 5d pop %rbp
3c: c3 retq
3d: e8 .byte 0xe8
3e: f0 lock
3f: 02 .byte 0x2
Tested on:
commit: eec4df26 Merge tag 's390-5.16-6' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=1562008db00000
kernel config: https://syzkaller.appspot.com/x/.config?x=1a86c22260afac2f
dashboard link: https://syzkaller.appspot.com/bug?extid=3ae6a2b06f131ab9849f
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=177bd55db00000
* Re: [syzbot] KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status (2)
2021-12-31 17:44 ` syzbot
@ 2021-12-31 20:30 ` Alan Stern
2021-12-31 20:44 ` syzbot
0 siblings, 1 reply; 12+ messages in thread
From: Alan Stern @ 2021-12-31 20:30 UTC (permalink / raw)
To: syzbot
Cc: andreyknvl, dvyukov, gregkh, linux-kernel, linux-usb, syzkaller-bugs
On Fri, Dec 31, 2021 at 09:44:06AM -0800, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status
>
> vhci_hcd vhci_hcd.0: poll_rh_status: len 2 maxch 0 tblen 1
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]
> BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x5f4/0x780 drivers/usb/core/hcd.c:776
> Write of size 2 at addr ffff88801da403c0 by task syz-executor133/4062
I think I understand the problem. This patch is intended to fix it.
Alan Stern
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ eec4df26e24e
Index: usb-devel/drivers/usb/core/hcd.c
===================================================================
--- usb-devel.orig/drivers/usb/core/hcd.c
+++ usb-devel/drivers/usb/core/hcd.c
@@ -753,6 +753,7 @@ void usb_hcd_poll_rh_status(struct usb_h
{
struct urb *urb;
int length;
+ int status;
unsigned long flags;
char buffer[6]; /* Any root hubs with > 31 ports? */
@@ -770,11 +771,17 @@ void usb_hcd_poll_rh_status(struct usb_h
if (urb) {
clear_bit(HCD_FLAG_POLL_PENDING, &hcd->flags);
hcd->status_urb = NULL;
+ if (urb->transfer_buffer_length >= length) {
+ status = 0;
+ } else {
+ status = -EOVERFLOW;
+ length = urb->transfer_buffer_length;
+ }
urb->actual_length = length;
memcpy(urb->transfer_buffer, buffer, length);
usb_hcd_unlink_urb_from_ep(hcd, urb);
- usb_hcd_giveback_urb(hcd, urb, 0);
+ usb_hcd_giveback_urb(hcd, urb, status);
} else {
length = 0;
set_bit(HCD_FLAG_POLL_PENDING, &hcd->flags);
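Review bot: the clamp has the right shape: `length` is reduced to `transfer_buffer_length` before both `actual_length` and the memcpy() use it, the truncated data is still given back, and -EOVERFLOW tells the submitter that bytes were dropped. Two things worth confirming: `transfer_buffer_length` is u32 while `length` is int, so the comparison is performed in unsigned arithmetic and depends on `length` being non-negative at this point (it should be, as the HCD status callback reports a byte count), and rh_queue_status() still admits buffers sized from `1 + maxchild/8` rather than from what the HCD can return, so the enqueue check stays loose and this clamp is what actually protects the copy.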
* Re: [syzbot] KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status (2)
2021-12-31 20:30 ` Alan Stern
@ 2021-12-31 20:44 ` syzbot
2022-01-01 2:07 ` [PATCH] USB: Fix "slab-out-of-bounds Write" bug in usb_hcd_poll_rh_status Alan Stern
0 siblings, 1 reply; 12+ messages in thread
From: syzbot @ 2021-12-31 20:44 UTC (permalink / raw)
To: andreyknvl, dvyukov, gregkh, linux-kernel, linux-usb, stern, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+3ae6a2b06f131ab9849f@syzkaller.appspotmail.com
Tested on:
commit: eec4df26 Merge tag 's390-5.16-6' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
kernel config: https://syzkaller.appspot.com/x/.config?x=1a86c22260afac2f
dashboard link: https://syzkaller.appspot.com/bug?extid=3ae6a2b06f131ab9849f
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=148e8e35b00000
Note: testing is done by a robot and is best-effort only.
* [PATCH] USB: Fix "slab-out-of-bounds Write" bug in usb_hcd_poll_rh_status
2021-12-31 20:44 ` syzbot
@ 2022-01-01 2:07 ` Alan Stern
0 siblings, 0 replies; 12+ messages in thread
From: Alan Stern @ 2022-01-01 2:07 UTC (permalink / raw)
To: Greg KH; +Cc: USB mailing list, Kernel development list, syzkaller-bugs
When the USB core code for getting root-hub status reports was
originally written, it was assumed that the hub driver would be its
only caller. But this isn't true now; user programs can use usbfs to
communicate with root hubs and get status reports. When they do this,
they may use a transfer_buffer that is smaller than the data returned
by the HCD, which will lead to a buffer overflow error when
usb_hcd_poll_rh_status() tries to store the status data. This was
discovered by syzbot:
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]
BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x5f4/0x780 drivers/usb/core/hcd.c:776
Write of size 2 at addr ffff88801da403c0 by task syz-executor133/4062
This patch fixes the bug by reducing the amount of status data if it
won't fit in the transfer_buffer. If some data gets discarded then
the URB's completion status is set to -EOVERFLOW rather than 0, to let
the user know what happened.
Reported-and-tested-by: syzbot+3ae6a2b06f131ab9849f@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Cc: <stable@vger.kernel.org>
---
[as1966]
drivers/usb/core/hcd.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
Index: usb-devel/drivers/usb/core/hcd.c
===================================================================
--- usb-devel.orig/drivers/usb/core/hcd.c
+++ usb-devel/drivers/usb/core/hcd.c
@@ -753,6 +753,7 @@ void usb_hcd_poll_rh_status(struct usb_h
{
struct urb *urb;
int length;
+ int status;
unsigned long flags;
char buffer[6]; /* Any root hubs with > 31 ports? */
@@ -770,11 +771,17 @@ void usb_hcd_poll_rh_status(struct usb_h
if (urb) {
clear_bit(HCD_FLAG_POLL_PENDING, &hcd->flags);
hcd->status_urb = NULL;
+ if (urb->transfer_buffer_length >= length) {
+ status = 0;
+ } else {
+ status = -EOVERFLOW;
+ length = urb->transfer_buffer_length;
+ }
urb->actual_length = length;
memcpy(urb->transfer_buffer, buffer, length);
usb_hcd_unlink_urb_from_ep(hcd, urb);
- usb_hcd_giveback_urb(hcd, urb, 0);
+ usb_hcd_giveback_urb(hcd, urb, status);
} else {
length = 0;
set_bit(HCD_FLAG_POLL_PENDING, &hcd->flags);
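Review bot: a one-line comment above the new `if (urb->transfer_buffer_length >= length)` would help future readers, because the reason the buffer can be shorter than the status data (usbfs callers supplying their own transfer_buffer, per the commit message) is otherwise recorded only in the changelog, and the `char buffer[6]` comment in the preceding hunk gives no hint that callers other than the hub driver exist.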
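The mechanism the commit message describes, as an added example that is not code from this thread or from the kernel: a user-space C model of the enqueue-time check in rh_queue_status() and of the completion-time copy in usb_hcd_poll_rh_status(), before and after the clamp. `struct model_urb`, the `model_*` functions, the errno constants and the 2-byte status sample are constructed stand-ins; only the `1 + maxchild/8` arithmetic and the clamp follow the hunks above.

```c
/*
 * Added example, not kernel code from this thread: a user-space model of the
 * two root-hub status paths discussed above, rh_queue_status() and
 * usb_hcd_poll_rh_status(). The struct and function names are hypothetical
 * stand-ins; only the arithmetic and the clamp mirror the kernel hunks.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_EINVAL    22   /* stands in for -EINVAL */
#define MODEL_EOVERFLOW 75   /* stands in for -EOVERFLOW */

/* Just the struct urb / struct usb_device fields the two paths touch. */
struct model_urb {
    uint32_t transfer_buffer_length;   /* size the submitter claims to own */
    uint32_t actual_length;            /* bytes reported back to the submitter */
    unsigned char transfer_buffer[8];  /* backing store for the model */
    int maxchild;                      /* root hub port count */
};

/* Constructed sample: 2 bytes of status data, as an HCD reports for up to
 * 15 ports (bit 0 = hub change, following bits = per-port change flags). */
const unsigned char sample_hub_status[2] = { 0x00, 0x01 };

/* Enqueue-time check from rh_queue_status(): the required size is derived
 * from the port count, not from what the HCD will actually return. */
int model_rh_queue_status(const struct model_urb *urb)
{
    unsigned len = 1 + (urb->maxchild / 8);

    if (urb->transfer_buffer_length < len)
        return -MODEL_EINVAL;       /* "not queuing rh status urb" */
    return 0;
}

/* Completion path before the fix. The kernel did
 *     memcpy(urb->transfer_buffer, buffer, length);
 * unconditionally; the model copies only what fits and returns how many
 * bytes would have landed past the end, so it stays memory-safe. */
int model_poll_rh_status_unfixed(struct model_urb *urb,
                                 const unsigned char *buffer, int length)
{
    int excess = length - (int)urb->transfer_buffer_length;
    size_t safe = excess > 0 ? urb->transfer_buffer_length : (size_t)length;

    urb->actual_length = length;   /* claims more bytes than the caller owns */
    memcpy(urb->transfer_buffer, buffer, safe);
    return excess > 0 ? excess : 0;
}

/* Completion path after the fix: clamp to the buffer and report -EOVERFLOW
 * so the submitter learns that status bytes were dropped. */
int model_poll_rh_status_fixed(struct model_urb *urb,
                               const unsigned char *buffer, int length)
{
    int status;

    if (urb->transfer_buffer_length >= (uint32_t)length) {
        status = 0;
    } else {
        status = -MODEL_EOVERFLOW;
        length = urb->transfer_buffer_length;
    }
    urb->actual_length = length;
    memcpy(urb->transfer_buffer, buffer, length);
    return status;
}

/* The combination the thread's instrumentation logged: maxch 0, tblen 1,
 * and the HCD returning 2 bytes ("poll_rh_status: len 2 maxch 0 tblen 1"). */
struct model_urb thread_urb(void)
{
    struct model_urb u = { .transfer_buffer_length = 1, .maxchild = 0 };
    return u;
}

int main(void)
{
    struct model_urb u = thread_urb();
    int status;

    printf("enqueue check: %d\n", model_rh_queue_status(&u));
    printf("unfixed: %d byte(s) past the buffer\n",
           model_poll_rh_status_unfixed(&u, sample_hub_status, 2));
    status = model_poll_rh_status_fixed(&u, sample_hub_status, 2);
    printf("fixed: status %d, actual_length %u\n", status, u.actual_length);
    return 0;
}
```

With the logged values (maxchild 0, a 1-byte buffer, 2 bytes returned by the HCD) the enqueue check accepts the URB because `1 + 0/8` is 1, the unfixed path would write one byte past the submitter's buffer, which is the "Write of size 2" KASAN reports, and the fixed path stores one byte and returns -EOVERFLOW with `actual_length` 1.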
* Re: [syzbot] KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status (2)
2021-12-31 2:31 ` Alan Stern
2021-12-31 5:24 ` syzbot
@ 2022-05-19 12:51 ` Dmitry Vyukov
1 sibling, 0 replies; 12+ messages in thread
From: Dmitry Vyukov @ 2022-05-19 12:51 UTC (permalink / raw)
To: Alan Stern
Cc: syzbot, andreyknvl, gregkh, linux-kernel, linux-usb, syzkaller-bugs
On Fri, 31 Dec 2021 at 03:31, Alan Stern <stern@rowland.harvard.edu> wrote:
>
> [Trimmed CC: list]
>
> On Thu, Dec 30, 2021 at 04:49:18PM -0800, syzbot wrote:
> > Hello,
> >
> > syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> > KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status
> ...
> > Tested on:
> >
> > commit: eec4df26 Merge tag 's390-5.16-6' of git://git.kernel.o..
> > git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
>
> I'm glad to see that the git tree is reported properly, but the commit
> label is too short. The reproducer bug report had exactly the opposite
> problems! It said:
>
> > syzbot has found a reproducer for the following issue on:
> >
> > HEAD commit: eec4df26e24e Merge tag 's390-5.16-6' of git://git.kernel.o..
> > git tree: upstream
>
> Andrey or Dmitry? Can you guys unify these two outputs to make both
> lines correct always?
Hi Alan,
This got lost on the mailing list. Filed
https://github.com/google/syzkaller/issues/3147 to track this request.
Thanks
> Moving on... Important lines from the console log:
>
> [ 76.919138][ T4081] usb usb9: usbdev_do_ioctl: BULK
> [ 76.924966][ T4081] usb usb9: usbfs: process 4081 (syz-executor189) did not claim interface 0 before use
> [ 76.935186][ T4081] usb usb9: ep1 int-in, length 1, timeout 9
> [ 76.941355][ T4099] usb usb9: opened by process 4099: syz-executor189
> [ 76.942606][ T4087] usb usb9: usbdev_do_ioctl: BULK
> [ 76.949968][ C1]
> ==================================================================
> [ 76.950070][ C1] BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x376/0x780
> [ 76.950102][ C1] Write of size 2 at addr ffff8880121ae230 by task syz-executor189/4087
>
> It's hard to tell what's really happening. The suspicious part is the
> "length 1" combined with the "Write of size 2" -- but they refer to
> different processes!
>
> Maybe this diagnostic patch will help a little.
>
> Alan Stern
>
> #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ eec4df26e24e
>
> Index: usb-devel/drivers/usb/core/devio.c
> ===================================================================
> --- usb-devel.orig/drivers/usb/core/devio.c
> +++ usb-devel/drivers/usb/core/devio.c
> @@ -109,7 +109,7 @@ struct async {
> u8 bulk_status;
> };
>
> -static bool usbfs_snoop;
> +static bool usbfs_snoop = true;
> module_param(usbfs_snoop, bool, S_IRUGO | S_IWUSR);
> MODULE_PARM_DESC(usbfs_snoop, "true to log all usbfs traffic");
>
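Review bot: flipping the compiled-in default of usbfs_snoop is suitable only for this #syz test run and should not survive into the eventual fix, since every kernel built from it would log all usbfs traffic; the parameter is declared S_IRUGO | S_IWUSR, so the same snooping can be switched on at runtime without touching the default.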
> Index: usb-devel/drivers/usb/core/hcd.c
> ===================================================================
> --- usb-devel.orig/drivers/usb/core/hcd.c
> +++ usb-devel/drivers/usb/core/hcd.c
> @@ -809,8 +809,10 @@ static int rh_queue_status (struct usb_h
> unsigned len = 1 + (urb->dev->maxchild / 8);
>
> spin_lock_irqsave (&hcd_root_hub_lock, flags);
> + dev_info(hcd->self.controller, "rh_queue_status: len %d tblen %d\n",
> + len, urb->transfer_buffer_length);
> if (hcd->status_urb || urb->transfer_buffer_length < len) {
> - dev_dbg (hcd->self.controller, "not queuing rh status urb\n");
> + dev_info(hcd->self.controller, "not queuing rh status urb\n");
> retval = -EINVAL;
> goto done;
> }
>
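Review bot: the promoted "not queuing rh status urb" message is still ambiguous between the two conditions tested on the same line, hcd->status_urb being non-NULL and transfer_buffer_length < len, so the console log cannot tell whether the 1-byte buffer was rejected or merely queued behind an earlier status URB; printing hcd->status_urb in the dev_info added just above (for example `"rh_queue_status: len %u tblen %u status_urb %p\n"`) would settle that. Note also that `len` is declared `unsigned`, so `%u` is the matching specifier rather than `%d`. The dev_dbg to dev_info promotion belongs to the diagnostic build only.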
Thread overview: 12+ messages
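The mismatch Alan points at (a status URB with "length 1" versus a "Write of size 2") comes down to two length checks made at different times: rh_queue_status sizes the buffer from maxchild when the URB is queued, while usb_hcd_poll_rh_status later copies whatever length the HCD reports. The following C model is added here as an illustration and is not code from this thread or from the kernel; it mirrors the queue-time check from the quoted hcd.c hunk beside a poll-time copy that refuses to write past the buffer. The `model_*` names, the flattened `maxchild` field and the -EOVERFLOW return are assumptions of the model.

```c
/* Constructed model (not kernel code) of the two length checks the
 * thread compares. The poll-side copy is bounded by the buffer it is
 * writing into, which is the check a defender wants at the point of
 * the write, independent of what was estimated at queue time. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct model_urb {
    unsigned char *transfer_buffer;
    uint32_t transfer_buffer_length;
    uint32_t actual_length;
    unsigned maxchild;          /* stands in for urb->dev->maxchild */
};

/* Queue-time check as in the quoted hunk: one bit for the hub plus one
 * per port, rounded up to whole bytes. */
int model_rh_queue_status(const struct model_urb *urb)
{
    unsigned len = 1 + (urb->maxchild / 8);
    if (urb->transfer_buffer_length < len)
        return -EINVAL;         /* "not queuing rh status urb" */
    return 0;
}

/* Poll-time delivery: hcd_len is the length the HCD reported. Refusing
 * the copy keeps the write inside the buffer even when hcd_len exceeds
 * the queue-time estimate (the 1-byte buffer / 2-byte write case). */
int model_poll_rh_status(struct model_urb *urb, const unsigned char *status,
                         size_t hcd_len)
{
    if (hcd_len > urb->transfer_buffer_length) {
        urb->actual_length = 0;
        return -EOVERFLOW;      /* would otherwise be an out-of-bounds write */
    }
    memcpy(urb->transfer_buffer, status, hcd_len);
    urb->actual_length = (uint32_t)hcd_len;
    return 0;
}

/* Runs queue then poll for one constructed scenario and returns the
 * first error, so each path can be checked as a return value. */
int model_scenario(unsigned maxchild, uint32_t buflen, size_t hcd_len)
{
    unsigned char buf[8] = {0};
    const unsigned char status[2] = {0x02, 0x01}; /* constructed status bits */
    struct model_urb urb = { buf, buflen, 0, maxchild };
    int ret = model_rh_queue_status(&urb);
    return ret ? ret : model_poll_rh_status(&urb, status, hcd_len);
}
```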
2020-09-08 7:37 KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status (2) syzbot
2021-12-30 15:47 ` [syzbot] " syzbot
2021-12-30 20:08 ` Alan Stern
2021-12-31 0:49 ` syzbot
2021-12-31 2:31 ` Alan Stern
2021-12-31 5:24 ` syzbot
2021-12-31 17:33 ` Alan Stern
2021-12-31 17:44 ` syzbot
2021-12-31 20:30 ` Alan Stern
2021-12-31 20:44 ` syzbot
2022-01-01 2:07 ` [PATCH] USB: Fix "slab-out-of-bounds Write" bug in usb_hcd_poll_rh_status Alan Stern
2022-05-19 12:51 ` [syzbot] KASAN: slab-out-of-bounds Write in usb_hcd_poll_rh_status (2) Dmitry Vyukov