* Re: KASAN: slab-out-of-bounds Read in hfa384x_usbin_callback
2020-03-20 19:28 KASAN: slab-out-of-bounds Read in hfa384x_usbin_callback syzbot
@ 2020-03-25 8:45 ` Qiujun Huang
2020-03-25 8:58 ` syzbot
[not found] ` <20200325131309.12792-1-hdanton@sina.com>
2020-05-05 11:55 ` Oliver Neukum
2020-05-06 8:53 ` Oliver Neukum
2 siblings, 2 replies; 14+ messages in thread
From: Qiujun Huang @ 2020-03-25 8:45 UTC (permalink / raw)
To: syzbot
Cc: Andrey Konovalov, devel, Greg KH, linux-kernel, linux-usb,
nishkadg.linux, syzkaller-bugs
[-- Attachment #1: Type: text/plain, Size: 5552 bytes --]
#syz test: https://github.com/google/kasan.git e17994d1
On Sat, Mar 21, 2020 at 3:28 AM syzbot
<syzbot+7d42d68643a35f71ac8a@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
> git tree: https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=11d74573e00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
> dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15fa561de00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15d74573e00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+7d42d68643a35f71ac8a@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:381 [inline]
> BUG: KASAN: slab-out-of-bounds in skb_put_data include/linux/skbuff.h:2284 [inline]
> BUG: KASAN: slab-out-of-bounds in hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
> BUG: KASAN: slab-out-of-bounds in hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
> BUG: KASAN: slab-out-of-bounds in hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
> Read of size 19671 at addr ffff8881d226413c by task swapper/0/0
>
> CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc5-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
> <IRQ>
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0xef/0x16e lib/dump_stack.c:118
> print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
> __kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
> kasan_report+0xe/0x20 mm/kasan/common.c:641
> check_memory_region_inline mm/kasan/generic.c:185 [inline]
> check_memory_region+0x152/0x1c0 mm/kasan/generic.c:192
> memcpy+0x20/0x50 mm/kasan/common.c:127
> memcpy include/linux/string.h:381 [inline]
> skb_put_data include/linux/skbuff.h:2284 [inline]
> hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
> hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
> hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
> __usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
> usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
> dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
> call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
> expire_timers kernel/time/timer.c:1449 [inline]
> __run_timers kernel/time/timer.c:1773 [inline]
> __run_timers kernel/time/timer.c:1740 [inline]
> run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
> __do_softirq+0x21e/0x950 kernel/softirq.c:292
> invoke_softirq kernel/softirq.c:373 [inline]
> irq_exit+0x178/0x1a0 kernel/softirq.c:413
> exiting_irq arch/x86/include/asm/apic.h:546 [inline]
> smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
> apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
> </IRQ>
> RIP: 0010:default_idle+0x28/0x300 arch/x86/kernel/process.c:696
> Code: cc cc 41 56 41 55 65 44 8b 2d 44 77 72 7a 41 54 55 53 0f 1f 44 00 00 e8 b6 62 b5 fb e9 07 00 00 00 0f 00 2d ea 0c 53 00 fb f4 <65> 44 8b 2d 20 77 72 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
> RSP: 0018:ffffffff87007d80 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
> RAX: 0000000000000007 RBX: ffffffff8702cc40 RCX: 0000000000000000
> RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffffff8702d48c
> RBP: fffffbfff0e05988 R08: ffffffff8702cc40 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> R13: 0000000000000000 R14: ffffffff87e607c0 R15: 0000000000000000
> cpuidle_idle_call kernel/sched/idle.c:154 [inline]
> do_idle+0x3e0/0x500 kernel/sched/idle.c:269
> cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:361
> start_kernel+0xe16/0xe5a init/main.c:998
> secondary_startup_64+0xb6/0xc0 arch/x86/kernel/head_64.S:242
>
> The buggy address belongs to the page:
> page:ffffea0007489800 refcount:32744 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
> flags: 0x200000000010000(head)
> raw: 0200000000010000 dead000000000100 dead000000000122 0000000000000000
> raw: 0000000000000000 0000000000000000 00007fe8ffffffff 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
> ffff8881d2268000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff8881d2268080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> >ffff8881d2268100: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
> ^
> ffff8881d2268180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff8881d2268200: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
> ==================================================================
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
[-- Attachment #2: 0002-staging-wlan-ng-fix-ODEBUG-bug-in-prism2sta_disconne.patch --]
[-- Type: application/octet-stream, Size: 993 bytes --]
From 84a31ba326f4b802b22a8d28251b881bf4c7290d Mon Sep 17 00:00:00 2001
From: Qiujun Huang <hqjagain@gmail.com>
Date: Wed, 25 Mar 2020 14:55:25 +0800
Subject: [PATCH 2/3] staging: wlan-ng: fix ODEBUG bug in
prism2sta_disconnect_usb
We should cancel hw->usb_work before kfree(hw).
Reported-by: syzbot+6d2e7f6fa90e27be9d62@syzkaller.appspotmail.com
Signed-off-by: Qiujun Huang <hqjagain@gmail.com>
---
drivers/staging/wlan-ng/prism2usb.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/staging/wlan-ng/prism2usb.c b/drivers/staging/wlan-ng/prism2usb.c
index 352556f..4689b21 100644
--- a/drivers/staging/wlan-ng/prism2usb.c
+++ b/drivers/staging/wlan-ng/prism2usb.c
@@ -180,6 +180,7 @@ static void prism2sta_disconnect_usb(struct usb_interface *interface)
cancel_work_sync(&hw->link_bh);
cancel_work_sync(&hw->commsqual_bh);
+ cancel_work_sync(&hw->usb_work);
/* Now we complete any outstanding commands
* and tell everyone who is waiting for their
--
1.8.3.1
^ permalink raw reply related [flat|nested] 14+ messages in thread
* Re: KASAN: slab-out-of-bounds Read in hfa384x_usbin_callback
2020-03-25 8:45 ` Qiujun Huang
@ 2020-03-25 8:58 ` syzbot
[not found] ` <20200325131309.12792-1-hdanton@sina.com>
1 sibling, 0 replies; 14+ messages in thread
From: syzbot @ 2020-03-25 8:58 UTC (permalink / raw)
To: andreyknvl, anenbupt, devel, gregkh, linux-kernel, linux-usb,
nishkadg.linux, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer still triggered crash:
KASAN: use-after-free Read in hfa384x_usbin_callback
==================================================================
BUG: KASAN: use-after-free in memcpy include/linux/string.h:381 [inline]
BUG: KASAN: use-after-free in skb_put_data include/linux/skbuff.h:2284 [inline]
BUG: KASAN: use-after-free in hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
BUG: KASAN: use-after-free in hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
BUG: KASAN: use-after-free in hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
Read of size 19671 at addr ffff8881cda7b33c by task kworker/1:2/95
CPU: 1 PID: 95 Comm: kworker/1:2 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xef/0x16e lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
__kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
kasan_report+0xe/0x20 mm/kasan/common.c:641
check_memory_region_inline mm/kasan/generic.c:185 [inline]
check_memory_region+0x152/0x1c0 mm/kasan/generic.c:192
memcpy+0x20/0x50 mm/kasan/common.c:127
memcpy include/linux/string.h:381 [inline]
skb_put_data include/linux/skbuff.h:2284 [inline]
hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
__usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
__do_softirq+0x21e/0x950 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x178/0x1a0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:546 [inline]
smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
</IRQ>
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:85 [inline]
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x3b/0x40 kernel/locking/spinlock.c:191
Code: e8 2a e8 96 fb 48 89 ef e8 f2 c9 97 fb f6 c7 02 75 11 53 9d e8 16 50 b5 fb 65 ff 0d f7 bd 72 7a 5b 5d c3 e8 07 4e b5 fb 53 9d <eb> ed 0f 1f 00 55 48 89 fd 65 ff 05 dd bd 72 7a 45 31 c9 41 b8 01
RSP: 0018:ffff8881d56b6f40 EFLAGS: 00000293 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: 0000000000000293 RCX: 0000000000000006
RDX: 0000000000000000 RSI: ffff8881d56a88f0 RDI: ffff8881d56a884c
RBP: ffff8881c0c64b80 R08: ffff8881d56a8000 R09: fffffbfff1266e8f
R10: fffffbfff1266e8e R11: ffffffff89337477 R12: 0000000000000000
R13: ffff8881c0c64bb8 R14: ffff8881c0c64b80 R15: ffff8881c0c64bb8
hfa384x_usbctlx_submit+0x1cb/0x260 drivers/staging/wlan-ng/hfa384x_usb.c:3834
hfa384x_docmd drivers/staging/wlan-ng/hfa384x_usb.c:1233 [inline]
hfa384x_cmd_initialize+0x290/0x4f0 drivers/staging/wlan-ng/hfa384x_usb.c:846
hfa384x_drvr_start+0x1f1/0x480 drivers/staging/wlan-ng/hfa384x_usb.c:2380
prism2sta_ifstate+0x24e/0x510 drivers/staging/wlan-ng/prism2sta.c:471
prism2sta_probe_usb.cold+0x1c8/0x49e drivers/staging/wlan-ng/prism2usb.c:112
usb_probe_interface+0x310/0x800 drivers/usb/core/driver.c:374
really_probe+0x290/0xac0 drivers/base/dd.c:551
driver_probe_device+0x223/0x350 drivers/base/dd.c:724
__device_attach_driver+0x1d1/0x290 drivers/base/dd.c:831
bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:431
__device_attach+0x217/0x390 drivers/base/dd.c:897
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
device_add+0x1459/0x1bf0 drivers/base/core.c:2500
usb_set_configuration+0xe47/0x17d0 drivers/usb/core/message.c:2023
usb_generic_driver_probe+0x9d/0xe0 drivers/usb/core/generic.c:241
usb_probe_device+0xd9/0x230 drivers/usb/core/driver.c:272
really_probe+0x290/0xac0 drivers/base/dd.c:551
driver_probe_device+0x223/0x350 drivers/base/dd.c:724
__device_attach_driver+0x1d1/0x290 drivers/base/dd.c:831
bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:431
__device_attach+0x217/0x390 drivers/base/dd.c:897
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
device_add+0x1459/0x1bf0 drivers/base/core.c:2500
usb_new_device.cold+0x540/0xcd0 drivers/usb/core/hub.c:2548
hub_port_connect drivers/usb/core/hub.c:5195 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5335 [inline]
port_event drivers/usb/core/hub.c:5481 [inline]
hub_event+0x21cb/0x4300 drivers/usb/core/hub.c:5563
process_one_work+0x94b/0x1620 kernel/workqueue.c:2264
worker_thread+0x96/0xe20 kernel/workqueue.c:2410
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
The buggy address belongs to the page:
page:ffffea0007369e00 refcount:32737 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
flags: 0x200000000010000(head)
raw: 0200000000010000 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00007fe1ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881cda7ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8881cda7ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881cda80000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881cda80080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881cda80100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
git tree: https://github.com/google/kasan.git
console output: https://syzkaller.appspot.com/x/log.txt?x=139ea05be00000
kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=16d52b19e00000
^ permalink raw reply [flat|nested] 14+ messages in thread
[parent not found: <20200325131309.12792-1-hdanton@sina.com>]
* Re: KASAN: slab-out-of-bounds Read in hfa384x_usbin_callback
[not found] ` <20200325131309.12792-1-hdanton@sina.com>
@ 2020-03-25 13:29 ` Andrey Konovalov
2020-03-26 2:22 ` Qiujun Huang
1 sibling, 0 replies; 14+ messages in thread
From: Andrey Konovalov @ 2020-03-25 13:29 UTC (permalink / raw)
To: Hillf Danton
Cc: syzbot, anenbupt, devel, Greg Kroah-Hartman, LKML, USB list,
nishkadg.linux, syzkaller-bugs
On Wed, Mar 25, 2020 at 2:13 PM Hillf Danton <hdanton@sina.com> wrote:
>
>
> On Wed, 25 Mar 2020 01:58:03 -0700
> > syzbot has tested the proposed patch but the reproducer still triggered crash:
> > KASAN: use-after-free Read in hfa384x_usbin_callback
> >
> > ==================================================================
> > BUG: KASAN: use-after-free in memcpy include/linux/string.h:381 [inline]
> > BUG: KASAN: use-after-free in skb_put_data include/linux/skbuff.h:2284 [inline]
> > BUG: KASAN: use-after-free in hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
> > BUG: KASAN: use-after-free in hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
> > BUG: KASAN: use-after-free in hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
> > Read of size 19671 at addr ffff8881cda7b33c by task kworker/1:2/95
> >
> > CPU: 1 PID: 95 Comm: kworker/1:2 Not tainted 5.6.0-rc5-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > Workqueue: usb_hub_wq hub_event
> > Call Trace:
> > <IRQ>
> > __dump_stack lib/dump_stack.c:77 [inline]
> > dump_stack+0xef/0x16e lib/dump_stack.c:118
> > print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
> > __kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
> > kasan_report+0xe/0x20 mm/kasan/common.c:641
> > check_memory_region_inline mm/kasan/generic.c:185 [inline]
> > check_memory_region+0x152/0x1c0 mm/kasan/generic.c:192
> > memcpy+0x20/0x50 mm/kasan/common.c:127
> > memcpy include/linux/string.h:381 [inline]
> > skb_put_data include/linux/skbuff.h:2284 [inline]
> > hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
> > hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
> > hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
> > __usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
> > usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
> > dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
> > call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
> > expire_timers kernel/time/timer.c:1449 [inline]
> > __run_timers kernel/time/timer.c:1773 [inline]
> > __run_timers kernel/time/timer.c:1740 [inline]
> > run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
> > __do_softirq+0x21e/0x950 kernel/softirq.c:292
> > invoke_softirq kernel/softirq.c:373 [inline]
> > irq_exit+0x178/0x1a0 kernel/softirq.c:413
> > exiting_irq arch/x86/include/asm/apic.h:546 [inline]
> > smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
> > apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
> > </IRQ>
> > RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:85 [inline]
> > RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
> > RIP: 0010:_raw_spin_unlock_irqrestore+0x3b/0x40 kernel/locking/spinlock.c:191
> > Code: e8 2a e8 96 fb 48 89 ef e8 f2 c9 97 fb f6 c7 02 75 11 53 9d e8 16 50 b5 fb 65 ff 0d f7 bd 72 7a 5b 5d c3 e8 07 4e b5 fb 53 9d <eb> ed 0f 1f 00 55 48 89 fd 65 ff 05 dd bd 72 7a 45 31 c9 41 b8 01
> > RSP: 0018:ffff8881d56b6f40 EFLAGS: 00000293 ORIG_RAX: ffffffffffffff13
> > RAX: 0000000000000007 RBX: 0000000000000293 RCX: 0000000000000006
> > RDX: 0000000000000000 RSI: ffff8881d56a88f0 RDI: ffff8881d56a884c
> > RBP: ffff8881c0c64b80 R08: ffff8881d56a8000 R09: fffffbfff1266e8f
> > R10: fffffbfff1266e8e R11: ffffffff89337477 R12: 0000000000000000
> > R13: ffff8881c0c64bb8 R14: ffff8881c0c64b80 R15: ffff8881c0c64bb8
> > hfa384x_usbctlx_submit+0x1cb/0x260 drivers/staging/wlan-ng/hfa384x_usb.c:3834
> > hfa384x_docmd drivers/staging/wlan-ng/hfa384x_usb.c:1233 [inline]
> > hfa384x_cmd_initialize+0x290/0x4f0 drivers/staging/wlan-ng/hfa384x_usb.c:846
> > hfa384x_drvr_start+0x1f1/0x480 drivers/staging/wlan-ng/hfa384x_usb.c:2380
> > prism2sta_ifstate+0x24e/0x510 drivers/staging/wlan-ng/prism2sta.c:471
> > prism2sta_probe_usb.cold+0x1c8/0x49e drivers/staging/wlan-ng/prism2usb.c:112
> > usb_probe_interface+0x310/0x800 drivers/usb/core/driver.c:374
> > really_probe+0x290/0xac0 drivers/base/dd.c:551
> > driver_probe_device+0x223/0x350 drivers/base/dd.c:724
> > __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:831
> > bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:431
> > __device_attach+0x217/0x390 drivers/base/dd.c:897
> > bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
> > device_add+0x1459/0x1bf0 drivers/base/core.c:2500
> > usb_set_configuration+0xe47/0x17d0 drivers/usb/core/message.c:2023
> > usb_generic_driver_probe+0x9d/0xe0 drivers/usb/core/generic.c:241
> > usb_probe_device+0xd9/0x230 drivers/usb/core/driver.c:272
> > really_probe+0x290/0xac0 drivers/base/dd.c:551
> > driver_probe_device+0x223/0x350 drivers/base/dd.c:724
> > __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:831
> > bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:431
> > __device_attach+0x217/0x390 drivers/base/dd.c:897
> > bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
> > device_add+0x1459/0x1bf0 drivers/base/core.c:2500
> > usb_new_device.cold+0x540/0xcd0 drivers/usb/core/hub.c:2548
> > hub_port_connect drivers/usb/core/hub.c:5195 [inline]
> > hub_port_connect_change drivers/usb/core/hub.c:5335 [inline]
> > port_event drivers/usb/core/hub.c:5481 [inline]
> > hub_event+0x21cb/0x4300 drivers/usb/core/hub.c:5563
> > process_one_work+0x94b/0x1620 kernel/workqueue.c:2264
> > worker_thread+0x96/0xe20 kernel/workqueue.c:2410
> > kthread+0x318/0x420 kernel/kthread.c:255
> > ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
> >
> > The buggy address belongs to the page:
> > page:ffffea0007369e00 refcount:32737 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
> > flags: 0x200000000010000(head)
> > raw: 0200000000010000 dead000000000100 dead000000000122 0000000000000000
> > raw: 0000000000000000 0000000000000000 00007fe1ffffffff 0000000000000000
> > page dumped because: kasan: bad access detected
> >
> > Memory state around the buggy address:
> > ffff8881cda7ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > ffff8881cda7ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > >ffff8881cda80000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > ^
> > ffff8881cda80080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > ffff8881cda80100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > ==================================================================
> >
> >
> > Tested on:
> >
> > commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
> > git tree: https://github.com/google/kasan.git
> > console output: https://syzkaller.appspot.com/x/log.txt?x=139ea05be00000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
> > dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
> > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > patch: https://syzkaller.appspot.com/x/patch.diff?x=16d52b19e00000
>
> Add a line of debug info.
Hi Hillf,
You need to issue a syz test command if you want your patch to be
tested. See how Qiujun did it just above.
Thanks!
>
> --- a/drivers/staging/wlan-ng/hfa384x_usb.c
> +++ b/drivers/staging/wlan-ng/hfa384x_usb.c
> @@ -3374,6 +3374,11 @@ static void hfa384x_int_rxmonitor(struct
> skblen - sizeof(struct p80211_caphdr));
> }
>
> + if (datalen > WLAN_DATA_MAXLEN) {
> + pr_debug("%s datalen %u > WLAN_DATA_MAXLEN %u\n", __func__,
> + datalen, WLAN_DATA_MAXLEN);
> + return;
> + }
> skb = dev_alloc_skb(skblen);
> if (!skb)
> return;
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/20200325131309.12792-1-hdanton%40sina.com.
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: KASAN: slab-out-of-bounds Read in hfa384x_usbin_callback
[not found] ` <20200325131309.12792-1-hdanton@sina.com>
2020-03-25 13:29 ` Andrey Konovalov
@ 2020-03-26 2:22 ` Qiujun Huang
2020-03-26 2:24 ` Qiujun Huang
1 sibling, 1 reply; 14+ messages in thread
From: Qiujun Huang @ 2020-03-26 2:22 UTC (permalink / raw)
To: Hillf Danton, syzbot
Cc: Andrey Konovalov, devel, Greg KH, linux-kernel, linux-usb,
nishkadg.linux, syzkaller-bugs
[-- Attachment #1: Type: text/plain, Size: 7722 bytes --]
On Wed, Mar 25, 2020 at 9:13 PM Hillf Danton <hdanton@sina.com> wrote:
>
>
> On Wed, 25 Mar 2020 01:58:03 -0700
> > syzbot has tested the proposed patch but the reproducer still triggered crash:
> > KASAN: use-after-free Read in hfa384x_usbin_callback
> >
> > ==================================================================
> > BUG: KASAN: use-after-free in memcpy include/linux/string.h:381 [inline]
> > BUG: KASAN: use-after-free in skb_put_data include/linux/skbuff.h:2284 [inline]
> > BUG: KASAN: use-after-free in hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
> > BUG: KASAN: use-after-free in hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
> > BUG: KASAN: use-after-free in hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
> > Read of size 19671 at addr ffff8881cda7b33c by task kworker/1:2/95
> >
> > CPU: 1 PID: 95 Comm: kworker/1:2 Not tainted 5.6.0-rc5-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > Workqueue: usb_hub_wq hub_event
> > Call Trace:
> > <IRQ>
> > __dump_stack lib/dump_stack.c:77 [inline]
> > dump_stack+0xef/0x16e lib/dump_stack.c:118
> > print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
> > __kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
> > kasan_report+0xe/0x20 mm/kasan/common.c:641
> > check_memory_region_inline mm/kasan/generic.c:185 [inline]
> > check_memory_region+0x152/0x1c0 mm/kasan/generic.c:192
> > memcpy+0x20/0x50 mm/kasan/common.c:127
> > memcpy include/linux/string.h:381 [inline]
> > skb_put_data include/linux/skbuff.h:2284 [inline]
> > hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
> > hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
> > hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
> > __usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
> > usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
> > dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
> > call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
> > expire_timers kernel/time/timer.c:1449 [inline]
> > __run_timers kernel/time/timer.c:1773 [inline]
> > __run_timers kernel/time/timer.c:1740 [inline]
> > run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
> > __do_softirq+0x21e/0x950 kernel/softirq.c:292
> > invoke_softirq kernel/softirq.c:373 [inline]
> > irq_exit+0x178/0x1a0 kernel/softirq.c:413
> > exiting_irq arch/x86/include/asm/apic.h:546 [inline]
> > smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
> > apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
> > </IRQ>
> > RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:85 [inline]
> > RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
> > RIP: 0010:_raw_spin_unlock_irqrestore+0x3b/0x40 kernel/locking/spinlock.c:191
> > Code: e8 2a e8 96 fb 48 89 ef e8 f2 c9 97 fb f6 c7 02 75 11 53 9d e8 16 50 b5 fb 65 ff 0d f7 bd 72 7a 5b 5d c3 e8 07 4e b5 fb 53 9d <eb> ed 0f 1f 00 55 48 89 fd 65 ff 05 dd bd 72 7a 45 31 c9 41 b8 01
> > RSP: 0018:ffff8881d56b6f40 EFLAGS: 00000293 ORIG_RAX: ffffffffffffff13
> > RAX: 0000000000000007 RBX: 0000000000000293 RCX: 0000000000000006
> > RDX: 0000000000000000 RSI: ffff8881d56a88f0 RDI: ffff8881d56a884c
> > RBP: ffff8881c0c64b80 R08: ffff8881d56a8000 R09: fffffbfff1266e8f
> > R10: fffffbfff1266e8e R11: ffffffff89337477 R12: 0000000000000000
> > R13: ffff8881c0c64bb8 R14: ffff8881c0c64b80 R15: ffff8881c0c64bb8
> > hfa384x_usbctlx_submit+0x1cb/0x260 drivers/staging/wlan-ng/hfa384x_usb.c:3834
> > hfa384x_docmd drivers/staging/wlan-ng/hfa384x_usb.c:1233 [inline]
> > hfa384x_cmd_initialize+0x290/0x4f0 drivers/staging/wlan-ng/hfa384x_usb.c:846
> > hfa384x_drvr_start+0x1f1/0x480 drivers/staging/wlan-ng/hfa384x_usb.c:2380
> > prism2sta_ifstate+0x24e/0x510 drivers/staging/wlan-ng/prism2sta.c:471
> > prism2sta_probe_usb.cold+0x1c8/0x49e drivers/staging/wlan-ng/prism2usb.c:112
> > usb_probe_interface+0x310/0x800 drivers/usb/core/driver.c:374
> > really_probe+0x290/0xac0 drivers/base/dd.c:551
> > driver_probe_device+0x223/0x350 drivers/base/dd.c:724
> > __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:831
> > bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:431
> > __device_attach+0x217/0x390 drivers/base/dd.c:897
> > bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
> > device_add+0x1459/0x1bf0 drivers/base/core.c:2500
> > usb_set_configuration+0xe47/0x17d0 drivers/usb/core/message.c:2023
> > usb_generic_driver_probe+0x9d/0xe0 drivers/usb/core/generic.c:241
> > usb_probe_device+0xd9/0x230 drivers/usb/core/driver.c:272
> > really_probe+0x290/0xac0 drivers/base/dd.c:551
> > driver_probe_device+0x223/0x350 drivers/base/dd.c:724
> > __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:831
> > bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:431
> > __device_attach+0x217/0x390 drivers/base/dd.c:897
> > bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
> > device_add+0x1459/0x1bf0 drivers/base/core.c:2500
> > usb_new_device.cold+0x540/0xcd0 drivers/usb/core/hub.c:2548
> > hub_port_connect drivers/usb/core/hub.c:5195 [inline]
> > hub_port_connect_change drivers/usb/core/hub.c:5335 [inline]
> > port_event drivers/usb/core/hub.c:5481 [inline]
> > hub_event+0x21cb/0x4300 drivers/usb/core/hub.c:5563
> > process_one_work+0x94b/0x1620 kernel/workqueue.c:2264
> > worker_thread+0x96/0xe20 kernel/workqueue.c:2410
> > kthread+0x318/0x420 kernel/kthread.c:255
> > ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
> >
> > The buggy address belongs to the page:
> > page:ffffea0007369e00 refcount:32737 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
> > flags: 0x200000000010000(head)
> > raw: 0200000000010000 dead000000000100 dead000000000122 0000000000000000
> > raw: 0000000000000000 0000000000000000 00007fe1ffffffff 0000000000000000
> > page dumped because: kasan: bad access detected
> >
> > Memory state around the buggy address:
> > ffff8881cda7ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > ffff8881cda7ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > >ffff8881cda80000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > ^
> > ffff8881cda80080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > ffff8881cda80100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > ==================================================================
> >
> >
> > Tested on:
> >
> > commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
> > git tree: https://github.com/google/kasan.git
> > console output: https://syzkaller.appspot.com/x/log.txt?x=139ea05be00000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
> > dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
> > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > patch: https://syzkaller.appspot.com/x/patch.diff?x=16d52b19e00000
>
> Add a line of debug info.
>
> --- a/drivers/staging/wlan-ng/hfa384x_usb.c
> +++ b/drivers/staging/wlan-ng/hfa384x_usb.c
> @@ -3374,6 +3374,11 @@ static void hfa384x_int_rxmonitor(struct
> skblen - sizeof(struct p80211_caphdr));
> }
>
> + if (datalen > WLAN_DATA_MAXLEN) {
> + pr_debug("%s datalen %u > WLAN_DATA_MAXLEN %u\n", __func__,
> + datalen, WLAN_DATA_MAXLEN);
> + return;
> + }
> skb = dev_alloc_skb(skblen);
> if (!skb)
> return;
Great!
>
[-- Attachment #2: 0002-staging-wlan-ng-fix-use-after-free-Read-in-hfa384x_u.patch --]
[-- Type: application/octet-stream, Size: 1069 bytes --]
From 30f5f2182d562b60c35df6483c92c1bf62ed0ec8 Mon Sep 17 00:00:00 2001
From: Qiujun Huang <hqjagain@gmail.com>
Date: Thu, 26 Mar 2020 10:14:12 +0800
Subject: [PATCH 2/2] staging: wlan-ng: fix use-after-free Read in
hfa384x_usbin_callback
Because the size of rxfrm->data is WLAN_DATA_MAXLEN(2312),so skblen
can't be more than that.
Signed-off-by: Qiujun Huang <hqjagain@gmail.com>
---
drivers/staging/wlan-ng/hfa384x_usb.c | 2 ++
1 file changed, 2 insertions(+)
mode change 100644 => 100755 drivers/staging/wlan-ng/hfa384x_usb.c
diff --git a/drivers/staging/wlan-ng/hfa384x_usb.c b/drivers/staging/wlan-ng/hfa384x_usb.c
old mode 100644
new mode 100755
index b71756ab0394..7fe64fcd385d
--- a/drivers/staging/wlan-ng/hfa384x_usb.c
+++ b/drivers/staging/wlan-ng/hfa384x_usb.c
@@ -3372,6 +3372,8 @@ static void hfa384x_int_rxmonitor(struct wlandevice *wlandev,
WLAN_HDR_A4_LEN + WLAN_DATA_MAXLEN + WLAN_CRC_LEN)) {
pr_debug("overlen frm: len=%zd\n",
skblen - sizeof(struct p80211_caphdr));
+
+ return;
}
skb = dev_alloc_skb(skblen);
--
2.17.1
^ permalink raw reply related [flat|nested] 14+ messages in thread
* Re: KASAN: slab-out-of-bounds Read in hfa384x_usbin_callback
2020-03-26 2:22 ` Qiujun Huang
@ 2020-03-26 2:24 ` Qiujun Huang
2020-03-26 2:43 ` syzbot
0 siblings, 1 reply; 14+ messages in thread
From: Qiujun Huang @ 2020-03-26 2:24 UTC (permalink / raw)
To: Hillf Danton, syzbot
Cc: Andrey Konovalov, devel, Greg KH, linux-kernel, linux-usb,
nishkadg.linux, syzkaller-bugs
[-- Attachment #1: Type: text/plain, Size: 8153 bytes --]
#syz test: https://github.com/google/kasan.git e17994d1
forgot to trigger:(
On Thu, Mar 26, 2020 at 10:22 AM Qiujun Huang <anenbupt@gmail.com> wrote:
>
> On Wed, Mar 25, 2020 at 9:13 PM Hillf Danton <hdanton@sina.com> wrote:
> >
> >
> > On Wed, 25 Mar 2020 01:58:03 -0700
> > > syzbot has tested the proposed patch but the reproducer still triggered crash:
> > > KASAN: use-after-free Read in hfa384x_usbin_callback
> > >
> > > ==================================================================
> > > BUG: KASAN: use-after-free in memcpy include/linux/string.h:381 [inline]
> > > BUG: KASAN: use-after-free in skb_put_data include/linux/skbuff.h:2284 [inline]
> > > BUG: KASAN: use-after-free in hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
> > > BUG: KASAN: use-after-free in hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
> > > BUG: KASAN: use-after-free in hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
> > > Read of size 19671 at addr ffff8881cda7b33c by task kworker/1:2/95
> > >
> > > CPU: 1 PID: 95 Comm: kworker/1:2 Not tainted 5.6.0-rc5-syzkaller #0
> > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > > Workqueue: usb_hub_wq hub_event
> > > Call Trace:
> > > <IRQ>
> > > __dump_stack lib/dump_stack.c:77 [inline]
> > > dump_stack+0xef/0x16e lib/dump_stack.c:118
> > > print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
> > > __kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
> > > kasan_report+0xe/0x20 mm/kasan/common.c:641
> > > check_memory_region_inline mm/kasan/generic.c:185 [inline]
> > > check_memory_region+0x152/0x1c0 mm/kasan/generic.c:192
> > > memcpy+0x20/0x50 mm/kasan/common.c:127
> > > memcpy include/linux/string.h:381 [inline]
> > > skb_put_data include/linux/skbuff.h:2284 [inline]
> > > hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
> > > hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
> > > hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
> > > __usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
> > > usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
> > > dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
> > > call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
> > > expire_timers kernel/time/timer.c:1449 [inline]
> > > __run_timers kernel/time/timer.c:1773 [inline]
> > > __run_timers kernel/time/timer.c:1740 [inline]
> > > run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
> > > __do_softirq+0x21e/0x950 kernel/softirq.c:292
> > > invoke_softirq kernel/softirq.c:373 [inline]
> > > irq_exit+0x178/0x1a0 kernel/softirq.c:413
> > > exiting_irq arch/x86/include/asm/apic.h:546 [inline]
> > > smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
> > > apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
> > > </IRQ>
> > > RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:85 [inline]
> > > RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
> > > RIP: 0010:_raw_spin_unlock_irqrestore+0x3b/0x40 kernel/locking/spinlock.c:191
> > > Code: e8 2a e8 96 fb 48 89 ef e8 f2 c9 97 fb f6 c7 02 75 11 53 9d e8 16 50 b5 fb 65 ff 0d f7 bd 72 7a 5b 5d c3 e8 07 4e b5 fb 53 9d <eb> ed 0f 1f 00 55 48 89 fd 65 ff 05 dd bd 72 7a 45 31 c9 41 b8 01
> > > RSP: 0018:ffff8881d56b6f40 EFLAGS: 00000293 ORIG_RAX: ffffffffffffff13
> > > RAX: 0000000000000007 RBX: 0000000000000293 RCX: 0000000000000006
> > > RDX: 0000000000000000 RSI: ffff8881d56a88f0 RDI: ffff8881d56a884c
> > > RBP: ffff8881c0c64b80 R08: ffff8881d56a8000 R09: fffffbfff1266e8f
> > > R10: fffffbfff1266e8e R11: ffffffff89337477 R12: 0000000000000000
> > > R13: ffff8881c0c64bb8 R14: ffff8881c0c64b80 R15: ffff8881c0c64bb8
> > > hfa384x_usbctlx_submit+0x1cb/0x260 drivers/staging/wlan-ng/hfa384x_usb.c:3834
> > > hfa384x_docmd drivers/staging/wlan-ng/hfa384x_usb.c:1233 [inline]
> > > hfa384x_cmd_initialize+0x290/0x4f0 drivers/staging/wlan-ng/hfa384x_usb.c:846
> > > hfa384x_drvr_start+0x1f1/0x480 drivers/staging/wlan-ng/hfa384x_usb.c:2380
> > > prism2sta_ifstate+0x24e/0x510 drivers/staging/wlan-ng/prism2sta.c:471
> > > prism2sta_probe_usb.cold+0x1c8/0x49e drivers/staging/wlan-ng/prism2usb.c:112
> > > usb_probe_interface+0x310/0x800 drivers/usb/core/driver.c:374
> > > really_probe+0x290/0xac0 drivers/base/dd.c:551
> > > driver_probe_device+0x223/0x350 drivers/base/dd.c:724
> > > __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:831
> > > bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:431
> > > __device_attach+0x217/0x390 drivers/base/dd.c:897
> > > bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
> > > device_add+0x1459/0x1bf0 drivers/base/core.c:2500
> > > usb_set_configuration+0xe47/0x17d0 drivers/usb/core/message.c:2023
> > > usb_generic_driver_probe+0x9d/0xe0 drivers/usb/core/generic.c:241
> > > usb_probe_device+0xd9/0x230 drivers/usb/core/driver.c:272
> > > really_probe+0x290/0xac0 drivers/base/dd.c:551
> > > driver_probe_device+0x223/0x350 drivers/base/dd.c:724
> > > __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:831
> > > bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:431
> > > __device_attach+0x217/0x390 drivers/base/dd.c:897
> > > bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
> > > device_add+0x1459/0x1bf0 drivers/base/core.c:2500
> > > usb_new_device.cold+0x540/0xcd0 drivers/usb/core/hub.c:2548
> > > hub_port_connect drivers/usb/core/hub.c:5195 [inline]
> > > hub_port_connect_change drivers/usb/core/hub.c:5335 [inline]
> > > port_event drivers/usb/core/hub.c:5481 [inline]
> > > hub_event+0x21cb/0x4300 drivers/usb/core/hub.c:5563
> > > process_one_work+0x94b/0x1620 kernel/workqueue.c:2264
> > > worker_thread+0x96/0xe20 kernel/workqueue.c:2410
> > > kthread+0x318/0x420 kernel/kthread.c:255
> > > ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
> > >
> > > The buggy address belongs to the page:
> > > page:ffffea0007369e00 refcount:32737 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
> > > flags: 0x200000000010000(head)
> > > raw: 0200000000010000 dead000000000100 dead000000000122 0000000000000000
> > > raw: 0000000000000000 0000000000000000 00007fe1ffffffff 0000000000000000
> > > page dumped because: kasan: bad access detected
> > >
> > > Memory state around the buggy address:
> > > ffff8881cda7ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > > ffff8881cda7ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > > >ffff8881cda80000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > > ^
> > > ffff8881cda80080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > > ffff8881cda80100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > > ==================================================================
> > >
> > >
> > > Tested on:
> > >
> > > commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
> > > git tree: https://github.com/google/kasan.git
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=139ea05be00000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
> > > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > > patch: https://syzkaller.appspot.com/x/patch.diff?x=16d52b19e00000
> >
> > Add a line of debug info.
> >
> > --- a/drivers/staging/wlan-ng/hfa384x_usb.c
> > +++ b/drivers/staging/wlan-ng/hfa384x_usb.c
> > @@ -3374,6 +3374,11 @@ static void hfa384x_int_rxmonitor(struct
> > skblen - sizeof(struct p80211_caphdr));
> > }
> >
> > + if (datalen > WLAN_DATA_MAXLEN) {
> > + pr_debug("%s datalen %u > WLAN_DATA_MAXLEN %u\n", __func__,
> > + datalen, WLAN_DATA_MAXLEN);
> > + return;
> > + }
> > skb = dev_alloc_skb(skblen);
> > if (!skb)
> > return;
>
> Great!
>
> >
[-- Attachment #2: 0002-staging-wlan-ng-fix-use-after-free-Read-in-hfa384x_u.patch --]
[-- Type: application/octet-stream, Size: 1069 bytes --]
From 30f5f2182d562b60c35df6483c92c1bf62ed0ec8 Mon Sep 17 00:00:00 2001
From: Qiujun Huang <hqjagain@gmail.com>
Date: Thu, 26 Mar 2020 10:14:12 +0800
Subject: [PATCH 2/2] staging: wlan-ng: fix use-after-free Read in
hfa384x_usbin_callback
Because the size of rxfrm->data is WLAN_DATA_MAXLEN(2312),so skblen
can't be more than that.
Signed-off-by: Qiujun Huang <hqjagain@gmail.com>
---
drivers/staging/wlan-ng/hfa384x_usb.c | 2 ++
1 file changed, 2 insertions(+)
mode change 100644 => 100755 drivers/staging/wlan-ng/hfa384x_usb.c
diff --git a/drivers/staging/wlan-ng/hfa384x_usb.c b/drivers/staging/wlan-ng/hfa384x_usb.c
old mode 100644
new mode 100755
index b71756ab0394..7fe64fcd385d
--- a/drivers/staging/wlan-ng/hfa384x_usb.c
+++ b/drivers/staging/wlan-ng/hfa384x_usb.c
@@ -3372,6 +3372,8 @@ static void hfa384x_int_rxmonitor(struct wlandevice *wlandev,
WLAN_HDR_A4_LEN + WLAN_DATA_MAXLEN + WLAN_CRC_LEN)) {
pr_debug("overlen frm: len=%zd\n",
skblen - sizeof(struct p80211_caphdr));
+
+ return;
}
skb = dev_alloc_skb(skblen);
--
2.17.1
^ permalink raw reply related [flat|nested] 14+ messages in thread
* Re: KASAN: slab-out-of-bounds Read in hfa384x_usbin_callback
2020-03-26 2:24 ` Qiujun Huang
@ 2020-03-26 2:43 ` syzbot
0 siblings, 0 replies; 14+ messages in thread
From: syzbot @ 2020-03-26 2:43 UTC (permalink / raw)
To: andreyknvl, anenbupt, devel, gregkh, hdanton, linux-kernel,
linux-usb, nishkadg.linux, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger crash:
Reported-and-tested-by: syzbot+7d42d68643a35f71ac8a@syzkaller.appspotmail.com
Tested on:
commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
git tree: https://github.com/google/kasan.git
kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=1406d1d3e00000
Note: testing is done by a robot and is best-effort only.
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: KASAN: slab-out-of-bounds Read in hfa384x_usbin_callback
2020-03-20 19:28 KASAN: slab-out-of-bounds Read in hfa384x_usbin_callback syzbot
2020-03-25 8:45 ` Qiujun Huang
@ 2020-05-05 11:55 ` Oliver Neukum
2020-05-06 8:53 ` Oliver Neukum
2 siblings, 0 replies; 14+ messages in thread
From: Oliver Neukum @ 2020-05-05 11:55 UTC (permalink / raw)
To: syzbot, andreyknvl, devel, gregkh, linux-kernel, linux-usb,
nishkadg.linux, syzkaller-bugs
[-- Attachment #1: Type: text/plain, Size: 1533 bytes --]
Am Freitag, den 20.03.2020, 12:28 -0700 schrieb syzbot:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
> git tree: https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=11d74573e00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
> dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15fa561de00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15d74573e00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+7d42d68643a35f71ac8a@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:381 [inline]
> BUG: KASAN: slab-out-of-bounds in skb_put_data include/linux/skbuff.h:2284 [inline]
> BUG: KASAN: slab-out-of-bounds in hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
> BUG: KASAN: slab-out-of-bounds in hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
> BUG: KASAN: slab-out-of-bounds in hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
> Read of size 19671 at addr ffff8881d226413c by task swapper/0/0
#syz test: https://github.com/google/kasan.git e17994d1
[-- Attachment #2: 0001-hfa384x_usb-fix-buffer-overflow.patch --]
[-- Type: text/x-patch, Size: 1613 bytes --]
From 6dbcac8c4b645600161feafc5576657905f15d65 Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Tue, 5 May 2020 13:46:26 +0200
Subject: [PATCH] hfa384x_usb: fix buffer overflow
The driver trusts the data_len coming from the hardware
without verification. That means that this opens
a vector by which an attacker can smash 64K of the heap.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
drivers/staging/wlan-ng/hfa384x_usb.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/drivers/staging/wlan-ng/hfa384x_usb.c b/drivers/staging/wlan-ng/hfa384x_usb.c
index fa1bf8b069fd..5b6497d8c9e2 100644
--- a/drivers/staging/wlan-ng/hfa384x_usb.c
+++ b/drivers/staging/wlan-ng/hfa384x_usb.c
@@ -3353,9 +3353,9 @@ static void hfa384x_int_rxmonitor(struct wlandevice *wlandev,
struct hfa384x_usb_rxfrm *rxfrm)
{
struct hfa384x_rx_frame *rxdesc = &rxfrm->desc;
- unsigned int hdrlen = 0;
- unsigned int datalen = 0;
- unsigned int skblen = 0;
+ unsigned int hdrlen;
+ unsigned int datalen;
+ unsigned int skblen;
u8 *datap;
u16 fc;
struct sk_buff *skb;
@@ -3413,8 +3413,10 @@ static void hfa384x_int_rxmonitor(struct wlandevice *wlandev,
*/
skb_put_data(skb, &rxdesc->frame_control, hdrlen);
- /* If any, copy the data from the card to the skb */
- if (datalen > 0) {
+ /* If any, copy the data from the card to the skb,
+ * as long as it fits, lest we smash a buffer
+ */
+ if (datalen > 0 && datalen <= skblen - hdrlen) {
datap = skb_put_data(skb, rxfrm->data, datalen);
/* check for unencrypted stuff if WEP bit set. */
--
2.16.4
^ permalink raw reply related [flat|nested] 14+ messages in thread
* Re: KASAN: slab-out-of-bounds Read in hfa384x_usbin_callback
2020-03-20 19:28 KASAN: slab-out-of-bounds Read in hfa384x_usbin_callback syzbot
2020-03-25 8:45 ` Qiujun Huang
2020-05-05 11:55 ` Oliver Neukum
@ 2020-05-06 8:53 ` Oliver Neukum
2020-05-06 11:50 ` Andrey Konovalov
2 siblings, 1 reply; 14+ messages in thread
From: Oliver Neukum @ 2020-05-06 8:53 UTC (permalink / raw)
To: syzbot, andreyknvl, devel, gregkh, linux-kernel, linux-usb,
nishkadg.linux, syzkaller-bugs
Am Freitag, den 20.03.2020, 12:28 -0700 schrieb syzbot:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
> git tree: https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=11d74573e00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
> dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15fa561de00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15d74573e00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+7d42d68643a35f71ac8a@syzkaller.appspotmail.com
>
Hi,
is this bug still active and can a test be run on it? I requested one
yesterday. If my analysis is correct this bug has security
implications, so it is kind of important.
Regards
Oliver
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: KASAN: slab-out-of-bounds Read in hfa384x_usbin_callback
2020-05-06 8:53 ` Oliver Neukum
@ 2020-05-06 11:50 ` Andrey Konovalov
2020-05-07 15:56 ` Andrey Konovalov
0 siblings, 1 reply; 14+ messages in thread
From: Andrey Konovalov @ 2020-05-06 11:50 UTC (permalink / raw)
To: Oliver Neukum
Cc: syzbot, devel, Greg Kroah-Hartman, LKML, USB list,
nishkadg.linux, syzkaller-bugs
[-- Attachment #1: Type: text/plain, Size: 1361 bytes --]
On Wed, May 6, 2020 at 10:54 AM Oliver Neukum <oneukum@suse.com> wrote:
>
> Am Freitag, den 20.03.2020, 12:28 -0700 schrieb syzbot:
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
> > git tree: https://github.com/google/kasan.git usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=11d74573e00000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
> > dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
> > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15fa561de00000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15d74573e00000
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+7d42d68643a35f71ac8a@syzkaller.appspotmail.com
> >
>
> Hi,
>
> is this bug still active and can a test be run on it? I requested one
> yesterday. If my analysis is correct this bug has security
> implications, so it is kind of important.
I see your request in the queue and it's been registered and
completed, but for some reason syzbot didn't send an email with a
response.
Let me try this once again:
#syz test: https://github.com/google/kasan.git e17994d1
[-- Attachment #2: 0001-hfa384x_usb-fix-buffer-overflow.patch --]
[-- Type: application/octet-stream, Size: 1613 bytes --]
From 6dbcac8c4b645600161feafc5576657905f15d65 Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oneukum@suse.com>
Date: Tue, 5 May 2020 13:46:26 +0200
Subject: [PATCH] hfa384x_usb: fix buffer overflow
The driver trusts the data_len coming from the hardware
without verification. That means that this opens
a vector by which an attacker can smash 64K of the heap.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
drivers/staging/wlan-ng/hfa384x_usb.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/drivers/staging/wlan-ng/hfa384x_usb.c b/drivers/staging/wlan-ng/hfa384x_usb.c
index fa1bf8b069fd..5b6497d8c9e2 100644
--- a/drivers/staging/wlan-ng/hfa384x_usb.c
+++ b/drivers/staging/wlan-ng/hfa384x_usb.c
@@ -3353,9 +3353,9 @@ static void hfa384x_int_rxmonitor(struct wlandevice *wlandev,
struct hfa384x_usb_rxfrm *rxfrm)
{
struct hfa384x_rx_frame *rxdesc = &rxfrm->desc;
- unsigned int hdrlen = 0;
- unsigned int datalen = 0;
- unsigned int skblen = 0;
+ unsigned int hdrlen;
+ unsigned int datalen;
+ unsigned int skblen;
u8 *datap;
u16 fc;
struct sk_buff *skb;
@@ -3413,8 +3413,10 @@ static void hfa384x_int_rxmonitor(struct wlandevice *wlandev,
*/
skb_put_data(skb, &rxdesc->frame_control, hdrlen);
- /* If any, copy the data from the card to the skb */
- if (datalen > 0) {
+ /* If any, copy the data from the card to the skb,
+ * as long as it fits, lest we smash a buffer
+ */
+ if (datalen > 0 && datalen <= skblen - hdrlen) {
datap = skb_put_data(skb, rxfrm->data, datalen);
/* check for unencrypted stuff if WEP bit set. */
--
2.16.4
^ permalink raw reply related [flat|nested] 14+ messages in thread
* Re: KASAN: slab-out-of-bounds Read in hfa384x_usbin_callback
2020-05-06 11:50 ` Andrey Konovalov
@ 2020-05-07 15:56 ` Andrey Konovalov
2020-05-08 9:33 ` Dmitry Vyukov
0 siblings, 1 reply; 14+ messages in thread
From: Andrey Konovalov @ 2020-05-07 15:56 UTC (permalink / raw)
To: Oliver Neukum, Dmitry Vyukov
Cc: syzbot, devel, Greg Kroah-Hartman, LKML, USB list,
nishkadg.linux, syzkaller-bugs
On Wed, May 6, 2020 at 1:50 PM Andrey Konovalov <andreyknvl@google.com> wrote:
>
> On Wed, May 6, 2020 at 10:54 AM Oliver Neukum <oneukum@suse.com> wrote:
> >
> > Am Freitag, den 20.03.2020, 12:28 -0700 schrieb syzbot:
> > > Hello,
> > >
> > > syzbot found the following crash on:
> > >
> > > HEAD commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
> > > git tree: https://github.com/google/kasan.git usb-fuzzer
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=11d74573e00000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
> > > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15fa561de00000
> > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15d74573e00000
> > >
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: syzbot+7d42d68643a35f71ac8a@syzkaller.appspotmail.com
> > >
> >
> > Hi,
> >
> > is this bug still active and can a test be run on it? I requested one
> > yesterday. If my analysis is correct this bug has security
> > implications, so it is kind of important.
>
> I see your request in the queue and it's been registered and
> completed, but for some reason syzbot didn't send an email with a
> response.
>
> Let me try this once again:
>
> #syz test: https://github.com/google/kasan.git e17994d1
Still no response. Dmitry, any idea what could be wrong here?
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: KASAN: slab-out-of-bounds Read in hfa384x_usbin_callback
2020-05-07 15:56 ` Andrey Konovalov
@ 2020-05-08 9:33 ` Dmitry Vyukov
2020-05-08 10:31 ` Dmitry Vyukov
0 siblings, 1 reply; 14+ messages in thread
From: Dmitry Vyukov @ 2020-05-08 9:33 UTC (permalink / raw)
To: Andrey Konovalov, syzkaller
Cc: Oliver Neukum, syzbot, open list:ANDROID DRIVERS,
Greg Kroah-Hartman, LKML, USB list, nishkadg.linux,
syzkaller-bugs
On Thu, May 7, 2020 at 5:56 PM 'Andrey Konovalov' via syzkaller-bugs
<syzkaller-bugs@googlegroups.com> wrote:
>
> On Wed, May 6, 2020 at 1:50 PM Andrey Konovalov <andreyknvl@google.com> wrote:
> >
> > On Wed, May 6, 2020 at 10:54 AM Oliver Neukum <oneukum@suse.com> wrote:
> > >
> > > Am Freitag, den 20.03.2020, 12:28 -0700 schrieb syzbot:
> > > > Hello,
> > > >
> > > > syzbot found the following crash on:
> > > >
> > > > HEAD commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
> > > > git tree: https://github.com/google/kasan.git usb-fuzzer
> > > > console output: https://syzkaller.appspot.com/x/log.txt?x=11d74573e00000
> > > > kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
> > > > dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
> > > > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15fa561de00000
> > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15d74573e00000
> > > >
> > > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > > Reported-by: syzbot+7d42d68643a35f71ac8a@syzkaller.appspotmail.com
> > > >
> > >
> > > Hi,
> > >
> > > is this bug still active and can a test be run on it? I requested one
> > > yesterday. If my analysis is correct this bug has security
> > > implications, so it is kind of important.
> >
> > I see your request in the queue and it's been registered and
> > completed, but for some reason syzbot didn't send an email with a
> > response.
> >
> > Let me try this once again:
> >
> > #syz test: https://github.com/google/kasan.git e17994d1
>
> Still no response. Dmitry, any idea what could be wrong here?
I suspect it has something to do with the fact that the bug is already
fixed (has a fixing commit).
...right, it was broken by:
https://github.com/google/syzkaller/commit/f8368f999a1964df6d39a225cd3f5ab3942dd755
and we lack a test for this scenario. It was supposed to only disable
mailing of bisection jobs.
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: KASAN: slab-out-of-bounds Read in hfa384x_usbin_callback
2020-05-08 9:33 ` Dmitry Vyukov
@ 2020-05-08 10:31 ` Dmitry Vyukov
2020-05-08 13:51 ` Dmitry Vyukov
0 siblings, 1 reply; 14+ messages in thread
From: Dmitry Vyukov @ 2020-05-08 10:31 UTC (permalink / raw)
To: Andrey Konovalov, syzkaller
Cc: Oliver Neukum, syzbot, open list:ANDROID DRIVERS,
Greg Kroah-Hartman, LKML, USB list, nishkadg.linux,
syzkaller-bugs
On Fri, May 8, 2020 at 11:33 AM Dmitry Vyukov <dvyukov@google.com> wrote:
>
> On Thu, May 7, 2020 at 5:56 PM 'Andrey Konovalov' via syzkaller-bugs
> <syzkaller-bugs@googlegroups.com> wrote:
> >
> > On Wed, May 6, 2020 at 1:50 PM Andrey Konovalov <andreyknvl@google.com> wrote:
> > >
> > > On Wed, May 6, 2020 at 10:54 AM Oliver Neukum <oneukum@suse.com> wrote:
> > > >
> > > > Am Freitag, den 20.03.2020, 12:28 -0700 schrieb syzbot:
> > > > > Hello,
> > > > >
> > > > > syzbot found the following crash on:
> > > > >
> > > > > HEAD commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
> > > > > git tree: https://github.com/google/kasan.git usb-fuzzer
> > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=11d74573e00000
> > > > > kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
> > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
> > > > > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15fa561de00000
> > > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15d74573e00000
> > > > >
> > > > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > > > Reported-by: syzbot+7d42d68643a35f71ac8a@syzkaller.appspotmail.com
> > > > >
> > > >
> > > > Hi,
> > > >
> > > > is this bug still active and can a test be run on it? I requested one
> > > > yesterday. If my analysis is correct this bug has security
> > > > implications, so it is kind of important.
> > >
> > > I see your request in the queue and it's been registered and
> > > completed, but for some reason syzbot didn't send an email with a
> > > response.
> > >
> > > Let me try this once again:
> > >
> > > #syz test: https://github.com/google/kasan.git e17994d1
> >
> > Still no response. Dmitry, any idea what could be wrong here?
>
> I suspect it has something to do with the fact that the bug is already
> fixed (has a fixing commit).
>
> ...right, it was broken by:
> https://github.com/google/syzkaller/commit/f8368f999a1964df6d39a225cd3f5ab3942dd755
> and we lack a test for this scenario. It was supposed to only disable
> mailing of bisection jobs.
Fixed in https://github.com/google/syzkaller/commit/2b98fdbcbcac6e99d12c88857406ef446bcac872
and added a test to fix this behavior for future.
Thanks for the report.
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: KASAN: slab-out-of-bounds Read in hfa384x_usbin_callback
2020-05-08 10:31 ` Dmitry Vyukov
@ 2020-05-08 13:51 ` Dmitry Vyukov
0 siblings, 0 replies; 14+ messages in thread
From: Dmitry Vyukov @ 2020-05-08 13:51 UTC (permalink / raw)
To: Andrey Konovalov, syzkaller
Cc: Oliver Neukum, syzbot, open list:ANDROID DRIVERS,
Greg Kroah-Hartman, LKML, USB list, nishkadg.linux,
syzkaller-bugs
On Fri, May 8, 2020 at 12:31 PM Dmitry Vyukov <dvyukov@google.com> wrote:
> > On Thu, May 7, 2020 at 5:56 PM 'Andrey Konovalov' via syzkaller-bugs
> > <syzkaller-bugs@googlegroups.com> wrote:
> > >
> > > On Wed, May 6, 2020 at 1:50 PM Andrey Konovalov <andreyknvl@google.com> wrote:
> > > >
> > > > On Wed, May 6, 2020 at 10:54 AM Oliver Neukum <oneukum@suse.com> wrote:
> > > > >
> > > > > Am Freitag, den 20.03.2020, 12:28 -0700 schrieb syzbot:
> > > > > > Hello,
> > > > > >
> > > > > > syzbot found the following crash on:
> > > > > >
> > > > > > HEAD commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
> > > > > > git tree: https://github.com/google/kasan.git usb-fuzzer
> > > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=11d74573e00000
> > > > > > kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
> > > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
> > > > > > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > > > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15fa561de00000
> > > > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15d74573e00000
> > > > > >
> > > > > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > > > > Reported-by: syzbot+7d42d68643a35f71ac8a@syzkaller.appspotmail.com
> > > > > >
> > > > >
> > > > > Hi,
> > > > >
> > > > > is this bug still active and can a test be run on it? I requested one
> > > > > yesterday. If my analysis is correct this bug has security
> > > > > implications, so it is kind of important.
> > > >
> > > > I see your request in the queue and it's been registered and
> > > > completed, but for some reason syzbot didn't send an email with a
> > > > response.
> > > >
> > > > Let me try this once again:
> > > >
> > > > #syz test: https://github.com/google/kasan.git e17994d1
> > >
> > > Still no response. Dmitry, any idea what could be wrong here?
> >
> > I suspect it has something to do with the fact that the bug is already
> > fixed (has a fixing commit).
> >
> > ...right, it was broken by:
> > https://github.com/google/syzkaller/commit/f8368f999a1964df6d39a225cd3f5ab3942dd755
> > and we lack a test for this scenario. It was supposed to only disable
> > mailing of bisection jobs.
>
> Fixed in https://github.com/google/syzkaller/commit/2b98fdbcbcac6e99d12c88857406ef446bcac872
> and added a test to fix this behavior for future.
> Thanks for the report.
syzbot dashboard will now also show patch testing requests on the bug
page for better transparency, see e.g. for this bug:
https://syzkaller.appspot.com/bug?id=093ce698cf84160a66868dcac5394e105342f8c5#jobs
FTR, implemented in:
https://github.com/google/syzkaller/commit/e97b06d3cef9296e9d0e827c42bccdd36b555986
^ permalink raw reply [flat|nested] 14+ messages in thread