Linux-USB Archive on lore.kernel.org
 help / color / Atom feed
WARNING: multiple messages refer to this Message-ID
From: Andrey Konovalov <andreyknvl@google.com>
To: Alan Stern <stern@rowland.harvard.edu>
Cc: syzbot <syzbot+a9fefd18c7b240f19c54@syzkaller.appspotmail.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	LKML <linux-kernel@vger.kernel.org>,
	USB list <linux-usb@vger.kernel.org>,
	rafael@kernel.org,
	syzkaller-bugs <syzkaller-bugs@googlegroups.com>
Subject: KASAN: slab-out-of-bounds Read in hex_string
Date: Mon, 29 Apr 2019 22:24:59 +0200
Message-ID: <CAAeHK+w2YKjSuTT39Rvb9mkdD=HuaYLhgZu4==hK18f=7fNxvQ@mail.gmail.com> (raw)

On Mon, Apr 29, 2019 at 10:07 PM Alan Stern <stern@rowland.harvard.edu> wrote:
>
> On Mon, 29 Apr 2019, syzbot wrote:
>
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:    43151d6c usb-fuzzer: main usb gadget fuzzer driver
> > git tree:       https://github.com/google/kasan/tree/usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=139ac37f200000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=4183eeef650d1234
> > dashboard link: https://syzkaller.appspot.com/bug?extid=a9fefd18c7b240f19c54
> > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17f3b338a00000
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+a9fefd18c7b240f19c54@syzkaller.appspotmail.com
> >
> > ==================================================================
> > BUG: KASAN: slab-out-of-bounds in hex_string+0x418/0x4b0 lib/vsprintf.c:975
> > Read of size 1 at addr ffff88821a41bd38 by task kworker/0:1/12
> >
> > CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.1.0-rc3-319004-g43151d6 #6
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > Workqueue: usb_hub_wq hub_event
> > Call Trace:
> >   __dump_stack lib/dump_stack.c:77 [inline]
> >   dump_stack+0xe8/0x16e lib/dump_stack.c:113
> >   print_address_description+0x6c/0x236 mm/kasan/report.c:187
> >   kasan_report.cold+0x1a/0x3c mm/kasan/report.c:317
> >   hex_string+0x418/0x4b0 lib/vsprintf.c:975
> >   pointer+0x460/0x910 lib/vsprintf.c:1985
> >   vsnprintf+0x5a0/0x16b0 lib/vsprintf.c:2400
> >   pointer+0x60b/0x910 lib/vsprintf.c:2038
> >   vsnprintf+0x5a0/0x16b0 lib/vsprintf.c:2400
> >   vscnprintf+0x29/0x80 lib/vsprintf.c:2499
> >   vprintk_store+0x45/0x4b0 kernel/printk/printk.c:1900
> >   vprintk_emit+0x210/0x5a0 kernel/printk/printk.c:1957
> >   dev_vprintk_emit+0x50e/0x553 drivers/base/core.c:3185
> >   dev_printk_emit+0xbf/0xf6 drivers/base/core.c:3196
> >   __dev_printk+0x1ed/0x215 drivers/base/core.c:3208
> >   _dev_info+0xdc/0x10e drivers/base/core.c:3254
> >   dlfb_parse_vendor_descriptor drivers/video/fbdev/udlfb.c:1532 [inline]
>
> Accessing beyond the end of the descriptor.
>
> #syz test: https://github.com/google/kasan.git usb-fuzzer

Hi Alan,

Thanks for the patch!

syzbot should now be able to understand the quilt patch format that
you use, feel free to give it a try next time :)

>
> --- a/drivers/video/fbdev/udlfb.c
> +++ b/drivers/video/fbdev/udlfb.c
> @@ -1511,6 +1511,7 @@ static int dlfb_parse_vendor_descriptor(
>         char *buf;
>         char *desc_end;
>         int total_len;
> +       int width;
>
>         buf = kzalloc(MAX_VENDOR_DESCRIPTOR_SIZE, GFP_KERNEL);
>         if (!buf)
> @@ -1529,9 +1530,10 @@ static int dlfb_parse_vendor_descriptor(
>         }
>
>         if (total_len > 5) {
> +               width = min(total_len, 11);
>                 dev_info(&intf->dev,
> -                        "vendor descriptor length: %d data: %11ph\n",
> -                        total_len, desc);
> +                        "vendor descriptor length: %d data: %*ph\n",
> +                        total_len, width, desc);
>
>                 if ((desc[0] != total_len) || /* descriptor length */
>                     (desc[1] != 0x5f) ||   /* vendor descriptor type */
>
>

From: Andrey Konovalov <andreyknvl@google.com>
To: Alan Stern <stern@rowland.harvard.edu>
Cc: syzbot <syzbot+a9fefd18c7b240f19c54@syzkaller.appspotmail.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	LKML <linux-kernel@vger.kernel.org>,
	USB list <linux-usb@vger.kernel.org>,
	rafael@kernel.org,
	syzkaller-bugs <syzkaller-bugs@googlegroups.com>
Subject: Re: KASAN: slab-out-of-bounds Read in hex_string
Date: Mon, 29 Apr 2019 22:24:59 +0200
Message-ID: <CAAeHK+w2YKjSuTT39Rvb9mkdD=HuaYLhgZu4==hK18f=7fNxvQ@mail.gmail.com> (raw)
Message-ID: <20190429202459.nh84tbjrua2Ofq8EZ8u3nRSUsdBn2amuU-Y27Ts-c_E@z> (raw)
In-Reply-To: <Pine.LNX.4.44L0.1904291604510.1632-100000@iolanthe.rowland.org>

On Mon, Apr 29, 2019 at 10:07 PM Alan Stern <stern@rowland.harvard.edu> wrote:
>
> On Mon, 29 Apr 2019, syzbot wrote:
>
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:    43151d6c usb-fuzzer: main usb gadget fuzzer driver
> > git tree:       https://github.com/google/kasan/tree/usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=139ac37f200000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=4183eeef650d1234
> > dashboard link: https://syzkaller.appspot.com/bug?extid=a9fefd18c7b240f19c54
> > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17f3b338a00000
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+a9fefd18c7b240f19c54@syzkaller.appspotmail.com
> >
> > ==================================================================
> > BUG: KASAN: slab-out-of-bounds in hex_string+0x418/0x4b0 lib/vsprintf.c:975
> > Read of size 1 at addr ffff88821a41bd38 by task kworker/0:1/12
> >
> > CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.1.0-rc3-319004-g43151d6 #6
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > Workqueue: usb_hub_wq hub_event
> > Call Trace:
> >   __dump_stack lib/dump_stack.c:77 [inline]
> >   dump_stack+0xe8/0x16e lib/dump_stack.c:113
> >   print_address_description+0x6c/0x236 mm/kasan/report.c:187
> >   kasan_report.cold+0x1a/0x3c mm/kasan/report.c:317
> >   hex_string+0x418/0x4b0 lib/vsprintf.c:975
> >   pointer+0x460/0x910 lib/vsprintf.c:1985
> >   vsnprintf+0x5a0/0x16b0 lib/vsprintf.c:2400
> >   pointer+0x60b/0x910 lib/vsprintf.c:2038
> >   vsnprintf+0x5a0/0x16b0 lib/vsprintf.c:2400
> >   vscnprintf+0x29/0x80 lib/vsprintf.c:2499
> >   vprintk_store+0x45/0x4b0 kernel/printk/printk.c:1900
> >   vprintk_emit+0x210/0x5a0 kernel/printk/printk.c:1957
> >   dev_vprintk_emit+0x50e/0x553 drivers/base/core.c:3185
> >   dev_printk_emit+0xbf/0xf6 drivers/base/core.c:3196
> >   __dev_printk+0x1ed/0x215 drivers/base/core.c:3208
> >   _dev_info+0xdc/0x10e drivers/base/core.c:3254
> >   dlfb_parse_vendor_descriptor drivers/video/fbdev/udlfb.c:1532 [inline]
>
> Accessing beyond the end of the descriptor.
>
> #syz test: https://github.com/google/kasan.git usb-fuzzer

Hi Alan,

Thanks for the patch!

syzbot should now be able to understand the quilt patch format that
you use, feel free to give it a try next time :)

>
> --- a/drivers/video/fbdev/udlfb.c
> +++ b/drivers/video/fbdev/udlfb.c
> @@ -1511,6 +1511,7 @@ static int dlfb_parse_vendor_descriptor(
>         char *buf;
>         char *desc_end;
>         int total_len;
> +       int width;
>
>         buf = kzalloc(MAX_VENDOR_DESCRIPTOR_SIZE, GFP_KERNEL);
>         if (!buf)
> @@ -1529,9 +1530,10 @@ static int dlfb_parse_vendor_descriptor(
>         }
>
>         if (total_len > 5) {
> +               width = min(total_len, 11);
>                 dev_info(&intf->dev,
> -                        "vendor descriptor length: %d data: %11ph\n",
> -                        total_len, desc);
> +                        "vendor descriptor length: %d data: %*ph\n",
> +                        total_len, width, desc);
>
>                 if ((desc[0] != total_len) || /* descriptor length */
>                     (desc[1] != 0x5f) ||   /* vendor descriptor type */
>
>

         reply index

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-04-29 12:06 syzbot
2019-04-29 20:07 ` Alan Stern
2019-04-29 20:07   ` Alan Stern
2019-04-29 20:24   ` Andrey Konovalov [this message]
2019-04-29 20:24     ` Andrey Konovalov
2019-04-29 20:52   ` syzbot
2019-04-29 20:52     ` syzbot
2019-04-29 21:09   ` Eric Biggers
2019-04-29 21:09     ` Eric Biggers
2019-04-30 14:13     ` Alan Stern
2019-04-30 14:13       ` Alan Stern
2019-08-13 12:55       ` Andrey Konovalov

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAAeHK+w2YKjSuTT39Rvb9mkdD=HuaYLhgZu4==hK18f=7fNxvQ@mail.gmail.com' \
    --to=andreyknvl@google.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-usb@vger.kernel.org \
    --cc=rafael@kernel.org \
    --cc=stern@rowland.harvard.edu \
    --cc=syzbot+a9fefd18c7b240f19c54@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-USB Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-usb/0 linux-usb/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-usb linux-usb/ https://lore.kernel.org/linux-usb \
		linux-usb@vger.kernel.org linux-usb@archiver.kernel.org
	public-inbox-index linux-usb


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-usb


AGPL code for this site: git clone https://public-inbox.org/ public-inbox