From: Dan Carpenter <dan.carpenter@oracle.com>
To: syzbot <syzbot+afeecc39f502a8681560@syzkaller.appspotmail.com>,
dhowells@redhat.com
Cc: arnd@arndb.de, dmitry.torokhov@gmail.com, ebiederm@xmission.com,
gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org,
linux-usb@vger.kernel.org, stern@rowland.harvard.edu,
syzkaller-bugs@googlegroups.com
Subject: Re: linux-next boot error: KASAN: slab-out-of-bounds Read in post_usb_notification
Date: Mon, 20 Jan 2020 11:23:36 +0300
Message-ID: <20200120082335.GD21151@kadam>
In-Reply-To: <0000000000001a91f9059c52f727@google.com>

Hey David,

This crash was from commit 72cc88648972 ("usb: Add USB subsystem
notifications").

drivers/usb/core/devio.c

static noinline void post_usb_notification(const char *devname,
                                           enum usb_notification_type subtype,
                                           u32 error)
{
    unsigned int name_len, n_len;
    u64 id = 0; /* We can put a device ID here for separate dev watches */

    struct {
        struct usb_notification n;
        char more_name[USB_NOTIFICATION_MAX_NAME_LEN -
                       (sizeof(struct usb_notification) -
                        offsetof(struct usb_notification, name))];
    } n;

    name_len = strlen(devname);
    name_len = min_t(size_t, name_len, USB_NOTIFICATION_MAX_NAME_LEN);
                                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This limit is too high.  It should be USB_NOTIFICATION_MAX_NAME_LEN -
sizeof(struct usb_notification), or just
"min_t(size_t, name_len, sizeof(n.more_name));".  The n.n.name[] is a
zero size array.

    n_len = offsetof(struct usb_notification, name) + name_len;

    memset(&n, 0, sizeof(n));
    memcpy(n.n.name, devname, n_len);
                              ^^^^^
name_len was intended here.

    n.n.watch.type = WATCH_TYPE_USB_NOTIFY;
    n.n.watch.subtype = subtype;
    n.n.watch.info = n_len;
    n.n.error = error;
    n.n.name_len = name_len;

    post_device_notification(&n.n.watch, id);
}

regards,
dan carpenter
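
A userspace model of the length handling discussed in the message above, added here as an illustration; it is not part of the original email or of the kernel source. The struct layout and the value 63 are constructed stand-ins, the function names are hypothetical, and the clamp uses the sizeof(more_name) form suggested in the message.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins: layout and the value 63 are assumptions,
 * not the kernel's definitions. */
#define MAX_NAME_LEN 63  /* plays the role of USB_NOTIFICATION_MAX_NAME_LEN */

struct note {                          /* plays struct usb_notification */
    unsigned int type, subtype, info;  /* watch header fields */
    unsigned int error;
    unsigned char name_len;
    char name[0];                      /* zero-size array (GNU C) */
};

struct note_buf {
    struct note n;
    char more_name[MAX_NAME_LEN -
                   (sizeof(struct note) - offsetof(struct note, name))];
};

/* Bytes the quoted memcpy() requests: n_len = header offset + name length. */
size_t quoted_copy_len(const char *devname)
{
    size_t name_len = strlen(devname);
    if (name_len > MAX_NAME_LEN)
        name_len = MAX_NAME_LEN;
    return offsetof(struct note, name) + name_len;
}

/* Bytes that may be written starting at n.name inside note_buf. */
size_t name_room(void)
{
    return sizeof(struct note_buf) - offsetof(struct note, name);
}

/* Corrected fill: clamp to sizeof(more_name), copy only name_len bytes. */
size_t fill_note(struct note_buf *b, const char *devname, unsigned int error)
{
    size_t name_len = strlen(devname);
    if (name_len > sizeof(b->more_name))
        name_len = sizeof(b->more_name);
    memset(b, 0, sizeof(*b));
    memcpy((char *)b + offsetof(struct note, name), devname, name_len);
    b->n.info = (unsigned int)(offsetof(struct note, name) + name_len);
    b->n.error = error;
    b->n.name_len = (unsigned char)name_len;
    return name_len;
}
```

For a short name, quoted_copy_len() exceeds the size of the source string, which is the out-of-bounds read KASAN reports; for a name at the limit it also exceeds name_room(), so the same call would write past the on-stack buffer.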