From mboxrd@z Thu Jan 1 00:00:00 1970 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Subject: KASAN: slab-out-of-bounds Read in hex_string From: Eric Biggers Message-Id: <20190429210917.GA251866@gmail.com> Date: Mon, 29 Apr 2019 14:09:18 -0700 To: Alan Stern Cc: syzbot , andreyknvl@google.com, gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, rafael@kernel.org, syzkaller-bugs@googlegroups.com List-ID: T24gTW9uLCBBcHIgMjksIDIwMTkgYXQgMDQ6MDc6MDRQTSAtMDQwMCwgQWxhbiBTdGVybiB3cm90 ZToKPiBPbiBNb24sIDI5IEFwciAyMDE5LCBzeXpib3Qgd3JvdGU6Cj4gCj4gPiBIZWxsbywKPiA+ IAo+ID4gc3l6Ym90IGZvdW5kIHRoZSBmb2xsb3dpbmcgY3Jhc2ggb246Cj4gPiAKPiA+IEhFQUQg Y29tbWl0OiAgICA0MzE1MWQ2YyB1c2ItZnV6emVyOiBtYWluIHVzYiBnYWRnZXQgZnV6emVyIGRy aXZlcgo+ID4gZ2l0IHRyZWU6ICAgICAgIGh0dHBzOi8vZ2l0aHViLmNvbS9nb29nbGUva2FzYW4v dHJlZS91c2ItZnV6emVyCj4gPiBjb25zb2xlIG91dHB1dDogaHR0cHM6Ly9zeXprYWxsZXIuYXBw c3BvdC5jb20veC9sb2cudHh0P3g9MTM5YWMzN2YyMDAwMDAKPiA+IGtlcm5lbCBjb25maWc6ICBo dHRwczovL3N5emthbGxlci5hcHBzcG90LmNvbS94Ly5jb25maWc/eD00MTgzZWVlZjY1MGQxMjM0 Cj4gPiBkYXNoYm9hcmQgbGluazogaHR0cHM6Ly9zeXprYWxsZXIuYXBwc3BvdC5jb20vYnVnP2V4 dGlkPWE5ZmVmZDE4YzdiMjQwZjE5YzU0Cj4gPiBjb21waWxlcjogICAgICAgZ2NjIChHQ0MpIDku MC4wIDIwMTgxMjMxIChleHBlcmltZW50YWwpCj4gPiBzeXogcmVwcm86ICAgICAgaHR0cHM6Ly9z eXprYWxsZXIuYXBwc3BvdC5jb20veC9yZXByby5zeXo/eD0xN2YzYjMzOGEwMDAwMAo+ID4gCj4g PiBJTVBPUlRBTlQ6IGlmIHlvdSBmaXggdGhlIGJ1ZywgcGxlYXNlIGFkZCB0aGUgZm9sbG93aW5n IHRhZyB0byB0aGUgY29tbWl0Ogo+ID4gUmVwb3J0ZWQtYnk6IHN5emJvdCthOWZlZmQxOGM3YjI0 MGYxOWM1NEBzeXprYWxsZXIuYXBwc3BvdG1haWwuY29tCj4gPiAKPiA+ID09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQo+ID4g QlVHOiBLQVNBTjogc2xhYi1vdXQtb2YtYm91bmRzIGluIGhleF9zdHJpbmcrMHg0MTgvMHg0YjAg bGliL3ZzcHJpbnRmLmM6OTc1Cj4gPiBSZWFkIG9mIHNpemUgMSBhdCBhZGRyIGZmZmY4ODgyMWE0 MWJkMzggYnkgdGFzayBrd29ya2VyLzA6MS8xMgo+ID4gCj4gPiBDUFU6IDAgUElEOiAxMiBDb21t OiBrd29ya2VyLzA6MSBOb3QgdGFpbnRlZCA1LjEuMC1yYzMtMzE5MDA0LWc0MzE1MWQ2ICM2Cj4g PiBIYXJkd2FyZSBuYW1lOiBHb29nbGUgR29vZ2xlIENvbXB1dGUgRW5naW5lL0dvb2dsZSBDb21w dXRlIEVuZ2luZSwgQklPUyAgCj4gPiBHb29nbGUgMDEvMDEvMjAxMQo+ID4gV29ya3F1ZXVlOiB1 c2JfaHViX3dxIGh1Yl9ldmVudAo+ID4gQ2FsbCBUcmFjZToKPiA+ICAgX19kdW1wX3N0YWNrIGxp Yi9kdW1wX3N0YWNrLmM6NzcgW2lubGluZV0KPiA+ICAgZHVtcF9zdGFjaysweGU4LzB4MTZlIGxp Yi9kdW1wX3N0YWNrLmM6MTEzCj4gPiAgIHByaW50X2FkZHJlc3NfZGVzY3JpcHRpb24rMHg2Yy8w eDIzNiBtbS9rYXNhbi9yZXBvcnQuYzoxODcKPiA+ICAga2FzYW5fcmVwb3J0LmNvbGQrMHgxYS8w eDNjIG1tL2thc2FuL3JlcG9ydC5jOjMxNwo+ID4gICBoZXhfc3RyaW5nKzB4NDE4LzB4NGIwIGxp Yi92c3ByaW50Zi5jOjk3NQo+ID4gICBwb2ludGVyKzB4NDYwLzB4OTEwIGxpYi92c3ByaW50Zi5j OjE5ODUKPiA+ICAgdnNucHJpbnRmKzB4NWEwLzB4MTZiMCBsaWIvdnNwcmludGYuYzoyNDAwCj4g PiAgIHBvaW50ZXIrMHg2MGIvMHg5MTAgbGliL3ZzcHJpbnRmLmM6MjAzOAo+ID4gICB2c25wcmlu dGYrMHg1YTAvMHgxNmIwIGxpYi92c3ByaW50Zi5jOjI0MDAKPiA+ICAgdnNjbnByaW50ZisweDI5 LzB4ODAgbGliL3ZzcHJpbnRmLmM6MjQ5OQo+ID4gICB2cHJpbnRrX3N0b3JlKzB4NDUvMHg0YjAg a2VybmVsL3ByaW50ay9wcmludGsuYzoxOTAwCj4gPiAgIHZwcmludGtfZW1pdCsweDIxMC8weDVh MCBrZXJuZWwvcHJpbnRrL3ByaW50ay5jOjE5NTcKPiA+ICAgZGV2X3ZwcmludGtfZW1pdCsweDUw ZS8weDU1MyBkcml2ZXJzL2Jhc2UvY29yZS5jOjMxODUKPiA+ICAgZGV2X3ByaW50a19lbWl0KzB4 YmYvMHhmNiBkcml2ZXJzL2Jhc2UvY29yZS5jOjMxOTYKPiA+ICAgX19kZXZfcHJpbnRrKzB4MWVk LzB4MjE1IGRyaXZlcnMvYmFzZS9jb3JlLmM6MzIwOAo+ID4gICBfZGV2X2luZm8rMHhkYy8weDEw ZSBkcml2ZXJzL2Jhc2UvY29yZS5jOjMyNTQKPiA+ICAgZGxmYl9wYXJzZV92ZW5kb3JfZGVzY3Jp cHRvciBkcml2ZXJzL3ZpZGVvL2ZiZGV2L3VkbGZiLmM6MTUzMiBbaW5saW5lXQo+IAo+IEFjY2Vz c2luZyBiZXlvbmQgdGhlIGVuZCBvZiB0aGUgZGVzY3JpcHRvci4KPiAKPiAjc3l6IHRlc3Q6IGh0 dHBzOi8vZ2l0aHViLmNvbS9nb29nbGUva2FzYW4uZ2l0IHVzYi1mdXp6ZXIKPiAKPiAtLS0gYS9k cml2ZXJzL3ZpZGVvL2ZiZGV2L3VkbGZiLmMKPiArKysgYi9kcml2ZXJzL3ZpZGVvL2ZiZGV2L3Vk bGZiLmMKPiBAQCAtMTUxMSw2ICsxNTExLDcgQEAgc3RhdGljIGludCBkbGZiX3BhcnNlX3ZlbmRv cl9kZXNjcmlwdG9yKAo+ICAJY2hhciAqYnVmOwo+ICAJY2hhciAqZGVzY19lbmQ7Cj4gIAlpbnQg dG90YWxfbGVuOwo+ICsJaW50IHdpZHRoOwo+ICAKPiAgCWJ1ZiA9IGt6YWxsb2MoTUFYX1ZFTkRP Ul9ERVNDUklQVE9SX1NJWkUsIEdGUF9LRVJORUwpOwo+ICAJaWYgKCFidWYpCj4gQEAgLTE1Mjks OSArMTUzMCwxMCBAQCBzdGF0aWMgaW50IGRsZmJfcGFyc2VfdmVuZG9yX2Rlc2NyaXB0b3IoCj4g IAl9Cj4gIAo+ICAJaWYgKHRvdGFsX2xlbiA+IDUpIHsKPiArCQl3aWR0aCA9IG1pbih0b3RhbF9s ZW4sIDExKTsKPiAgCQlkZXZfaW5mbygmaW50Zi0+ZGV2LAo+IC0JCQkgInZlbmRvciBkZXNjcmlw dG9yIGxlbmd0aDogJWQgZGF0YTogJTExcGhcbiIsCj4gLQkJCSB0b3RhbF9sZW4sIGRlc2MpOwo+ ICsJCQkgInZlbmRvciBkZXNjcmlwdG9yIGxlbmd0aDogJWQgZGF0YTogJSpwaFxuIiwKPiArCQkJ IHRvdGFsX2xlbiwgd2lkdGgsIGRlc2MpOwo+ICAKPiAgCQlpZiAoKGRlc2NbMF0gIT0gdG90YWxf bGVuKSB8fCAvKiBkZXNjcmlwdG9yIGxlbmd0aCAqLwo+ICAJCSAgICAoZGVzY1sxXSAhPSAweDVm KSB8fCAgIC8qIHZlbmRvciBkZXNjcmlwdG9yIHR5cGUgKi8KPiAKPiAKCldoeSBub3Qgd3JpdGUg anVzdDoKCiAgICAgICAgICAgICAgICBkZXZfaW5mbygmaW50Zi0+ZGV2LAogICAgICAgICAgICAg ICAgICAgICAgICAgInZlbmRvciBkZXNjcmlwdG9yIGxlbmd0aDogJWQgZGF0YTogJSpwaFxuIiwK ICAgICAgICAgICAgICAgICAgICAgICAgIHRvdGFsX2xlbiwgbWluKHRvdGFsX2xlbiwgMTEpLCBk ZXNjKTsKCkFsc28sIGFyZW4ndCB0aGVyZSBtb3JlIG91dC1vZi1ib3VuZHMgcmVhZHMgaW4gdGhl IGNvZGUganVzdCBhZnRlcj8gIEl0IG9ubHkKY2hlY2tzIGZvciBhdCBsZWFzdCAxIGJ5dGUgYXZh aWxhYmxlLCBidXQgdGhlbiBpdCByZWFkcyB1cCB0byA3IGJ5dGVzOgoKCQl3aGlsZSAoZGVzYyA8 IGRlc2NfZW5kKSB7CgkJCXU4IGxlbmd0aDsKCQkJdTE2IGtleTsKCgkJCWtleSA9ICpkZXNjKys7 CgkJCWtleSB8PSAodTE2KSpkZXNjKysgPDwgODsKCQkJbGVuZ3RoID0gKmRlc2MrKzsKCgkJCXN3 aXRjaCAoa2V5KSB7CgkJCWNhc2UgMHgwMjAwOiB7IC8qIG1heF9hcmVhICovCgkJCQl1MzIgbWF4 X2FyZWEgPSAqZGVzYysrOwoJCQkJbWF4X2FyZWEgfD0gKHUzMikqZGVzYysrIDw8IDg7CgkJCQlt YXhfYXJlYSB8PSAodTMyKSpkZXNjKysgPDwgMTY7CgkJCQltYXhfYXJlYSB8PSAodTMyKSpkZXNj KysgPDwgMjQ7CgkJCQlkZXZfd2FybigmaW50Zi0+ZGV2LAoJCQkJCSAiREwgY2hpcCBsaW1pdGVk IHRvICVkIHBpeGVsIG1vZGVzXG4iLAoJCQkJCSBtYXhfYXJlYSk7CgkJCQlkbGZiLT5za3VfcGl4 ZWxfbGltaXQgPSBtYXhfYXJlYTsKCQkJCWJyZWFrOwoJCQl9CgkJCWRlZmF1bHQ6CgkJCQlicmVh azsKCQkJfQoJCQlkZXNjICs9IGxlbmd0aDsKCQl9CgoKQWxzbyBJIGNvdWxkbid0IGhlbHAgYnV0 IG5vdGljZSBpdCdzIGFsc28gdXNpbmcgJ2NoYXInIHJhdGhlciB0aGFuICd1OCcsCnNvIGJ5dGVz ID49IDB4ODAgYXJlIHJlYWQgaW5jb3JyZWN0bHkgYXMgdGhleSdyZSBzaWduIGV4dGVuZGVkLi4u CgotIEVyaWMK From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.6 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,MAILING_LIST_MULTI,MENTIONS_GIT_HOSTING,SPF_PASS, T_DKIMWL_WL_HIGH,USER_AGENT_MUTT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9B224C43219 for ; Mon, 29 Apr 2019 21:09:27 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 6917E215EA for ; Mon, 29 Apr 2019 21:09:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1556572167; bh=pOpnxOmLj6jZaokHGolQKkRzuK516xtMuJlZUb+qn9w=; h=Date:From:To:Cc:Subject:References:In-Reply-To:List-ID:From; b=n9Q/Gco02mJ1gK0pzdZjwLmj61HRjw2n7V9zN4M18hkRI5Lxx2c898fiTmJbEVpRL rg56hXHQc1cdycsNiSIcsRdSdxjkhiBEx/qlUX1Y2KeJbi8my/BzMLKgywzBhpGLVG yL55IW5m/mZXMlLupTFAXNbkslxDZbrl2lrmARhc= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728928AbfD2VJV (ORCPT ); Mon, 29 Apr 2019 17:09:21 -0400 Received: from mail.kernel.org ([198.145.29.99]:39406 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728071AbfD2VJV (ORCPT ); Mon, 29 Apr 2019 17:09:21 -0400 Received: from gmail.com (unknown [104.132.1.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 89AA1215EA; Mon, 29 Apr 2019 21:09:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1556572159; bh=pOpnxOmLj6jZaokHGolQKkRzuK516xtMuJlZUb+qn9w=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=lsNbacl40arME70zOmem6T6XwPFBdqV0B0MeYH1Nlsh9pu7KfXu3gFGtXjZHd7A3V g1V7xbqNfJKhuJ+8k1P244SBeEHog4ju3+PeSKfG2Sf4mzfezSR7XxWT8PMbEU3wsQ 99IAciulao8DPkzp8w8BJmHZWEUfjn5OdOrU2qQY= Date: Mon, 29 Apr 2019 14:09:18 -0700 From: Eric Biggers To: Alan Stern Cc: syzbot , andreyknvl@google.com, gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, rafael@kernel.org, syzkaller-bugs@googlegroups.com Subject: Re: KASAN: slab-out-of-bounds Read in hex_string Message-ID: <20190429210917.GA251866@gmail.com> References: <000000000000f69c3b0587aa1bc5@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-usb-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org Message-ID: <20190429210918.JCCxN5wE_4EAiM0l0BsRaQQS2itHVc4HcMX8_L20pVg@z> On Mon, Apr 29, 2019 at 04:07:04PM -0400, Alan Stern wrote: > On Mon, 29 Apr 2019, syzbot wrote: > > > Hello, > > > > syzbot found the following crash on: > > > > HEAD commit: 43151d6c usb-fuzzer: main usb gadget fuzzer driver > > git tree: https://github.com/google/kasan/tree/usb-fuzzer > > console output: https://syzkaller.appspot.com/x/log.txt?x=139ac37f200000 > > kernel config: https://syzkaller.appspot.com/x/.config?x=4183eeef650d1234 > > dashboard link: https://syzkaller.appspot.com/bug?extid=a9fefd18c7b240f19c54 > > compiler: gcc (GCC) 9.0.0 20181231 (experimental) > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17f3b338a00000 > > > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > > Reported-by: syzbot+a9fefd18c7b240f19c54@syzkaller.appspotmail.com > > > > ================================================================== > > BUG: KASAN: slab-out-of-bounds in hex_string+0x418/0x4b0 lib/vsprintf.c:975 > > Read of size 1 at addr ffff88821a41bd38 by task kworker/0:1/12 > > > > CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.1.0-rc3-319004-g43151d6 #6 > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS > > Google 01/01/2011 > > Workqueue: usb_hub_wq hub_event > > Call Trace: > > __dump_stack lib/dump_stack.c:77 [inline] > > dump_stack+0xe8/0x16e lib/dump_stack.c:113 > > print_address_description+0x6c/0x236 mm/kasan/report.c:187 > > kasan_report.cold+0x1a/0x3c mm/kasan/report.c:317 > > hex_string+0x418/0x4b0 lib/vsprintf.c:975 > > pointer+0x460/0x910 lib/vsprintf.c:1985 > > vsnprintf+0x5a0/0x16b0 lib/vsprintf.c:2400 > > pointer+0x60b/0x910 lib/vsprintf.c:2038 > > vsnprintf+0x5a0/0x16b0 lib/vsprintf.c:2400 > > vscnprintf+0x29/0x80 lib/vsprintf.c:2499 > > vprintk_store+0x45/0x4b0 kernel/printk/printk.c:1900 > > vprintk_emit+0x210/0x5a0 kernel/printk/printk.c:1957 > > dev_vprintk_emit+0x50e/0x553 drivers/base/core.c:3185 > > dev_printk_emit+0xbf/0xf6 drivers/base/core.c:3196 > > __dev_printk+0x1ed/0x215 drivers/base/core.c:3208 > > _dev_info+0xdc/0x10e drivers/base/core.c:3254 > > dlfb_parse_vendor_descriptor drivers/video/fbdev/udlfb.c:1532 [inline] > > Accessing beyond the end of the descriptor. > > #syz test: https://github.com/google/kasan.git usb-fuzzer > > --- a/drivers/video/fbdev/udlfb.c > +++ b/drivers/video/fbdev/udlfb.c > @@ -1511,6 +1511,7 @@ static int dlfb_parse_vendor_descriptor( > char *buf; > char *desc_end; > int total_len; > + int width; > > buf = kzalloc(MAX_VENDOR_DESCRIPTOR_SIZE, GFP_KERNEL); > if (!buf) > @@ -1529,9 +1530,10 @@ static int dlfb_parse_vendor_descriptor( > } > > if (total_len > 5) { > + width = min(total_len, 11); > dev_info(&intf->dev, > - "vendor descriptor length: %d data: %11ph\n", > - total_len, desc); > + "vendor descriptor length: %d data: %*ph\n", > + total_len, width, desc); > > if ((desc[0] != total_len) || /* descriptor length */ > (desc[1] != 0x5f) || /* vendor descriptor type */ > > Why not write just: dev_info(&intf->dev, "vendor descriptor length: %d data: %*ph\n", total_len, min(total_len, 11), desc); Also, aren't there more out-of-bounds reads in the code just after? It only checks for at least 1 byte available, but then it reads up to 7 bytes: while (desc < desc_end) { u8 length; u16 key; key = *desc++; key |= (u16)*desc++ << 8; length = *desc++; switch (key) { case 0x0200: { /* max_area */ u32 max_area = *desc++; max_area |= (u32)*desc++ << 8; max_area |= (u32)*desc++ << 16; max_area |= (u32)*desc++ << 24; dev_warn(&intf->dev, "DL chip limited to %d pixel modes\n", max_area); dlfb->sku_pixel_limit = max_area; break; } default: break; } desc += length; } Also I couldn't help but notice it's also using 'char' rather than 'u8', so bytes >= 0x80 are read incorrectly as they're sign extended... - Eric