From: Andrey Konovalov <andreyknvl@google.com> To: Alan Stern <stern@rowland.harvard.edu> Cc: syzbot <syzbot+a9fefd18c7b240f19c54@syzkaller.appspotmail.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, LKML <linux-kernel@vger.kernel.org>, USB list <linux-usb@vger.kernel.org>, rafael@kernel.org, syzkaller-bugs <syzkaller-bugs@googlegroups.com> Subject: KASAN: slab-out-of-bounds Read in hex_string Date: Mon, 29 Apr 2019 22:24:59 +0200 [thread overview] Message-ID: <CAAeHK+w2YKjSuTT39Rvb9mkdD=HuaYLhgZu4==hK18f=7fNxvQ@mail.gmail.com> (raw) On Mon, Apr 29, 2019 at 10:07 PM Alan Stern <stern@rowland.harvard.edu> wrote: > > On Mon, 29 Apr 2019, syzbot wrote: > > > Hello, > > > > syzbot found the following crash on: > > > > HEAD commit: 43151d6c usb-fuzzer: main usb gadget fuzzer driver > > git tree: https://github.com/google/kasan/tree/usb-fuzzer > > console output: https://syzkaller.appspot.com/x/log.txt?x=139ac37f200000 > > kernel config: https://syzkaller.appspot.com/x/.config?x=4183eeef650d1234 > > dashboard link: https://syzkaller.appspot.com/bug?extid=a9fefd18c7b240f19c54 > > compiler: gcc (GCC) 9.0.0 20181231 (experimental) > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17f3b338a00000 > > > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > > Reported-by: syzbot+a9fefd18c7b240f19c54@syzkaller.appspotmail.com > > > > ================================================================== > > BUG: KASAN: slab-out-of-bounds in hex_string+0x418/0x4b0 lib/vsprintf.c:975 > > Read of size 1 at addr ffff88821a41bd38 by task kworker/0:1/12 > > > > CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.1.0-rc3-319004-g43151d6 #6 > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS > > Google 01/01/2011 > > Workqueue: usb_hub_wq hub_event > > Call Trace: > > __dump_stack lib/dump_stack.c:77 [inline] > > dump_stack+0xe8/0x16e lib/dump_stack.c:113 > > print_address_description+0x6c/0x236 mm/kasan/report.c:187 > > kasan_report.cold+0x1a/0x3c mm/kasan/report.c:317 > > hex_string+0x418/0x4b0 lib/vsprintf.c:975 > > pointer+0x460/0x910 lib/vsprintf.c:1985 > > vsnprintf+0x5a0/0x16b0 lib/vsprintf.c:2400 > > pointer+0x60b/0x910 lib/vsprintf.c:2038 > > vsnprintf+0x5a0/0x16b0 lib/vsprintf.c:2400 > > vscnprintf+0x29/0x80 lib/vsprintf.c:2499 > > vprintk_store+0x45/0x4b0 kernel/printk/printk.c:1900 > > vprintk_emit+0x210/0x5a0 kernel/printk/printk.c:1957 > > dev_vprintk_emit+0x50e/0x553 drivers/base/core.c:3185 > > dev_printk_emit+0xbf/0xf6 drivers/base/core.c:3196 > > __dev_printk+0x1ed/0x215 drivers/base/core.c:3208 > > _dev_info+0xdc/0x10e drivers/base/core.c:3254 > > dlfb_parse_vendor_descriptor drivers/video/fbdev/udlfb.c:1532 [inline] > > Accessing beyond the end of the descriptor. > > #syz test: https://github.com/google/kasan.git usb-fuzzer Hi Alan, Thanks for the patch! syzbot should now be able to understand the quilt patch format that you use, feel free to give it a try next time :) > > --- a/drivers/video/fbdev/udlfb.c > +++ b/drivers/video/fbdev/udlfb.c > @@ -1511,6 +1511,7 @@ static int dlfb_parse_vendor_descriptor( > char *buf; > char *desc_end; > int total_len; > + int width; > > buf = kzalloc(MAX_VENDOR_DESCRIPTOR_SIZE, GFP_KERNEL); > if (!buf) > @@ -1529,9 +1530,10 @@ static int dlfb_parse_vendor_descriptor( > } > > if (total_len > 5) { > + width = min(total_len, 11); > dev_info(&intf->dev, > - "vendor descriptor length: %d data: %11ph\n", > - total_len, desc); > + "vendor descriptor length: %d data: %*ph\n", > + total_len, width, desc); > > if ((desc[0] != total_len) || /* descriptor length */ > (desc[1] != 0x5f) || /* vendor descriptor type */ > >
WARNING: multiple messages have this Message-ID (diff)
From: Andrey Konovalov <andreyknvl@google.com> To: Alan Stern <stern@rowland.harvard.edu> Cc: syzbot <syzbot+a9fefd18c7b240f19c54@syzkaller.appspotmail.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, LKML <linux-kernel@vger.kernel.org>, USB list <linux-usb@vger.kernel.org>, rafael@kernel.org, syzkaller-bugs <syzkaller-bugs@googlegroups.com> Subject: Re: KASAN: slab-out-of-bounds Read in hex_string Date: Mon, 29 Apr 2019 22:24:59 +0200 [thread overview] Message-ID: <CAAeHK+w2YKjSuTT39Rvb9mkdD=HuaYLhgZu4==hK18f=7fNxvQ@mail.gmail.com> (raw) Message-ID: <20190429202459.nh84tbjrua2Ofq8EZ8u3nRSUsdBn2amuU-Y27Ts-c_E@z> (raw) In-Reply-To: <Pine.LNX.4.44L0.1904291604510.1632-100000@iolanthe.rowland.org> On Mon, Apr 29, 2019 at 10:07 PM Alan Stern <stern@rowland.harvard.edu> wrote: > > On Mon, 29 Apr 2019, syzbot wrote: > > > Hello, > > > > syzbot found the following crash on: > > > > HEAD commit: 43151d6c usb-fuzzer: main usb gadget fuzzer driver > > git tree: https://github.com/google/kasan/tree/usb-fuzzer > > console output: https://syzkaller.appspot.com/x/log.txt?x=139ac37f200000 > > kernel config: https://syzkaller.appspot.com/x/.config?x=4183eeef650d1234 > > dashboard link: https://syzkaller.appspot.com/bug?extid=a9fefd18c7b240f19c54 > > compiler: gcc (GCC) 9.0.0 20181231 (experimental) > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17f3b338a00000 > > > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > > Reported-by: syzbot+a9fefd18c7b240f19c54@syzkaller.appspotmail.com > > > > ================================================================== > > BUG: KASAN: slab-out-of-bounds in hex_string+0x418/0x4b0 lib/vsprintf.c:975 > > Read of size 1 at addr ffff88821a41bd38 by task kworker/0:1/12 > > > > CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.1.0-rc3-319004-g43151d6 #6 > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS > > Google 01/01/2011 > > Workqueue: usb_hub_wq hub_event > > Call Trace: > > __dump_stack lib/dump_stack.c:77 [inline] > > dump_stack+0xe8/0x16e lib/dump_stack.c:113 > > print_address_description+0x6c/0x236 mm/kasan/report.c:187 > > kasan_report.cold+0x1a/0x3c mm/kasan/report.c:317 > > hex_string+0x418/0x4b0 lib/vsprintf.c:975 > > pointer+0x460/0x910 lib/vsprintf.c:1985 > > vsnprintf+0x5a0/0x16b0 lib/vsprintf.c:2400 > > pointer+0x60b/0x910 lib/vsprintf.c:2038 > > vsnprintf+0x5a0/0x16b0 lib/vsprintf.c:2400 > > vscnprintf+0x29/0x80 lib/vsprintf.c:2499 > > vprintk_store+0x45/0x4b0 kernel/printk/printk.c:1900 > > vprintk_emit+0x210/0x5a0 kernel/printk/printk.c:1957 > > dev_vprintk_emit+0x50e/0x553 drivers/base/core.c:3185 > > dev_printk_emit+0xbf/0xf6 drivers/base/core.c:3196 > > __dev_printk+0x1ed/0x215 drivers/base/core.c:3208 > > _dev_info+0xdc/0x10e drivers/base/core.c:3254 > > dlfb_parse_vendor_descriptor drivers/video/fbdev/udlfb.c:1532 [inline] > > Accessing beyond the end of the descriptor. > > #syz test: https://github.com/google/kasan.git usb-fuzzer Hi Alan, Thanks for the patch! syzbot should now be able to understand the quilt patch format that you use, feel free to give it a try next time :) > > --- a/drivers/video/fbdev/udlfb.c > +++ b/drivers/video/fbdev/udlfb.c > @@ -1511,6 +1511,7 @@ static int dlfb_parse_vendor_descriptor( > char *buf; > char *desc_end; > int total_len; > + int width; > > buf = kzalloc(MAX_VENDOR_DESCRIPTOR_SIZE, GFP_KERNEL); > if (!buf) > @@ -1529,9 +1530,10 @@ static int dlfb_parse_vendor_descriptor( > } > > if (total_len > 5) { > + width = min(total_len, 11); > dev_info(&intf->dev, > - "vendor descriptor length: %d data: %11ph\n", > - total_len, desc); > + "vendor descriptor length: %d data: %*ph\n", > + total_len, width, desc); > > if ((desc[0] != total_len) || /* descriptor length */ > (desc[1] != 0x5f) || /* vendor descriptor type */ > >
next prev reply other threads:[~2019-04-29 20:24 UTC|newest] Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top 2019-04-29 12:06 KASAN: slab-out-of-bounds Read in hex_string syzbot 2019-04-29 20:07 ` Alan Stern 2019-04-29 20:07 ` Alan Stern 2019-04-29 20:24 ` Andrey Konovalov [this message] 2019-04-29 20:24 ` Andrey Konovalov 2019-04-29 20:52 ` syzbot 2019-04-29 20:52 ` syzbot 2019-04-29 21:09 ` Eric Biggers 2019-04-29 21:09 ` Eric Biggers 2019-04-30 14:13 ` Alan Stern 2019-04-30 14:13 ` Alan Stern 2019-08-13 12:55 ` Andrey Konovalov 2020-03-18 15:46 ` Andrey Konovalov
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to='CAAeHK+w2YKjSuTT39Rvb9mkdD=HuaYLhgZu4==hK18f=7fNxvQ@mail.gmail.com' \ --to=andreyknvl@google.com \ --cc=gregkh@linuxfoundation.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-usb@vger.kernel.org \ --cc=rafael@kernel.org \ --cc=stern@rowland.harvard.edu \ --cc=syzbot+a9fefd18c7b240f19c54@syzkaller.appspotmail.com \ --cc=syzkaller-bugs@googlegroups.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).