From: Alan Stern <stern@rowland.harvard.edu>
To: syzbot <syzbot+a9fefd18c7b240f19c54@syzkaller.appspotmail.com>
Cc: andreyknvl@google.com, gregkh@linuxfoundation.org,
linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org,
rafael@kernel.org, syzkaller-bugs@googlegroups.com
Subject: KASAN: slab-out-of-bounds Read in hex_string
Date: Mon, 29 Apr 2019 16:07:04 -0400 (EDT) [thread overview]
Message-ID: <Pine.LNX.4.44L0.1904291604510.1632-100000@iolanthe.rowland.org> (raw)
On Mon, 29 Apr 2019, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 43151d6c usb-fuzzer: main usb gadget fuzzer driver
> git tree: https://github.com/google/kasan/tree/usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=139ac37f200000
> kernel config: https://syzkaller.appspot.com/x/.config?x=4183eeef650d1234
> dashboard link: https://syzkaller.appspot.com/bug?extid=a9fefd18c7b240f19c54
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17f3b338a00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+a9fefd18c7b240f19c54@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in hex_string+0x418/0x4b0 lib/vsprintf.c:975
> Read of size 1 at addr ffff88821a41bd38 by task kworker/0:1/12
>
> CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.1.0-rc3-319004-g43151d6 #6
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Workqueue: usb_hub_wq hub_event
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0xe8/0x16e lib/dump_stack.c:113
> print_address_description+0x6c/0x236 mm/kasan/report.c:187
> kasan_report.cold+0x1a/0x3c mm/kasan/report.c:317
> hex_string+0x418/0x4b0 lib/vsprintf.c:975
> pointer+0x460/0x910 lib/vsprintf.c:1985
> vsnprintf+0x5a0/0x16b0 lib/vsprintf.c:2400
> pointer+0x60b/0x910 lib/vsprintf.c:2038
> vsnprintf+0x5a0/0x16b0 lib/vsprintf.c:2400
> vscnprintf+0x29/0x80 lib/vsprintf.c:2499
> vprintk_store+0x45/0x4b0 kernel/printk/printk.c:1900
> vprintk_emit+0x210/0x5a0 kernel/printk/printk.c:1957
> dev_vprintk_emit+0x50e/0x553 drivers/base/core.c:3185
> dev_printk_emit+0xbf/0xf6 drivers/base/core.c:3196
> __dev_printk+0x1ed/0x215 drivers/base/core.c:3208
> _dev_info+0xdc/0x10e drivers/base/core.c:3254
> dlfb_parse_vendor_descriptor drivers/video/fbdev/udlfb.c:1532 [inline]
Accessing beyond the end of the descriptor.
#syz test: https://github.com/google/kasan.git usb-fuzzer
--- a/drivers/video/fbdev/udlfb.c
+++ b/drivers/video/fbdev/udlfb.c
@@ -1511,6 +1511,7 @@ static int dlfb_parse_vendor_descriptor(
char *buf;
char *desc_end;
int total_len;
+ int width;
buf = kzalloc(MAX_VENDOR_DESCRIPTOR_SIZE, GFP_KERNEL);
if (!buf)
@@ -1529,9 +1530,10 @@ static int dlfb_parse_vendor_descriptor(
}
if (total_len > 5) {
+ width = min(total_len, 11);
dev_info(&intf->dev,
- "vendor descriptor length: %d data: %11ph\n",
- total_len, desc);
+ "vendor descriptor length: %d data: %*ph\n",
+ total_len, width, desc);
if ((desc[0] != total_len) || /* descriptor length */
(desc[1] != 0x5f) || /* vendor descriptor type */
WARNING: multiple messages have this Message-ID (diff)
From: Alan Stern <stern@rowland.harvard.edu>
To: syzbot <syzbot+a9fefd18c7b240f19c54@syzkaller.appspotmail.com>
Cc: andreyknvl@google.com, <gregkh@linuxfoundation.org>,
<linux-kernel@vger.kernel.org>, <linux-usb@vger.kernel.org>,
<rafael@kernel.org>, <syzkaller-bugs@googlegroups.com>
Subject: Re: KASAN: slab-out-of-bounds Read in hex_string
Date: Mon, 29 Apr 2019 16:07:04 -0400 (EDT) [thread overview]
Message-ID: <Pine.LNX.4.44L0.1904291604510.1632-100000@iolanthe.rowland.org> (raw)
Message-ID: <20190429200704._G_xtfLZdGbQi0FjYnBTwDojtAfwQczjuQQtuhFn6fo@z> (raw)
In-Reply-To: <000000000000f69c3b0587aa1bc5@google.com>
On Mon, 29 Apr 2019, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 43151d6c usb-fuzzer: main usb gadget fuzzer driver
> git tree: https://github.com/google/kasan/tree/usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=139ac37f200000
> kernel config: https://syzkaller.appspot.com/x/.config?x=4183eeef650d1234
> dashboard link: https://syzkaller.appspot.com/bug?extid=a9fefd18c7b240f19c54
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17f3b338a00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+a9fefd18c7b240f19c54@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in hex_string+0x418/0x4b0 lib/vsprintf.c:975
> Read of size 1 at addr ffff88821a41bd38 by task kworker/0:1/12
>
> CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.1.0-rc3-319004-g43151d6 #6
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Workqueue: usb_hub_wq hub_event
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0xe8/0x16e lib/dump_stack.c:113
> print_address_description+0x6c/0x236 mm/kasan/report.c:187
> kasan_report.cold+0x1a/0x3c mm/kasan/report.c:317
> hex_string+0x418/0x4b0 lib/vsprintf.c:975
> pointer+0x460/0x910 lib/vsprintf.c:1985
> vsnprintf+0x5a0/0x16b0 lib/vsprintf.c:2400
> pointer+0x60b/0x910 lib/vsprintf.c:2038
> vsnprintf+0x5a0/0x16b0 lib/vsprintf.c:2400
> vscnprintf+0x29/0x80 lib/vsprintf.c:2499
> vprintk_store+0x45/0x4b0 kernel/printk/printk.c:1900
> vprintk_emit+0x210/0x5a0 kernel/printk/printk.c:1957
> dev_vprintk_emit+0x50e/0x553 drivers/base/core.c:3185
> dev_printk_emit+0xbf/0xf6 drivers/base/core.c:3196
> __dev_printk+0x1ed/0x215 drivers/base/core.c:3208
> _dev_info+0xdc/0x10e drivers/base/core.c:3254
> dlfb_parse_vendor_descriptor drivers/video/fbdev/udlfb.c:1532 [inline]
Accessing beyond the end of the descriptor.
#syz test: https://github.com/google/kasan.git usb-fuzzer
--- a/drivers/video/fbdev/udlfb.c
+++ b/drivers/video/fbdev/udlfb.c
@@ -1511,6 +1511,7 @@ static int dlfb_parse_vendor_descriptor(
char *buf;
char *desc_end;
int total_len;
+ int width;
buf = kzalloc(MAX_VENDOR_DESCRIPTOR_SIZE, GFP_KERNEL);
if (!buf)
@@ -1529,9 +1530,10 @@ static int dlfb_parse_vendor_descriptor(
}
if (total_len > 5) {
+ width = min(total_len, 11);
dev_info(&intf->dev,
- "vendor descriptor length: %d data: %11ph\n",
- total_len, desc);
+ "vendor descriptor length: %d data: %*ph\n",
+ total_len, width, desc);
if ((desc[0] != total_len) || /* descriptor length */
(desc[1] != 0x5f) || /* vendor descriptor type */
next prev reply other threads:[~2019-04-29 20:07 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-29 12:06 KASAN: slab-out-of-bounds Read in hex_string syzbot
2019-04-29 20:07 ` Alan Stern [this message]
2019-04-29 20:07 ` Alan Stern
2019-04-29 20:24 ` Andrey Konovalov
2019-04-29 20:24 ` Andrey Konovalov
2019-04-29 20:52 ` syzbot
2019-04-29 20:52 ` syzbot
2019-04-29 21:09 ` Eric Biggers
2019-04-29 21:09 ` Eric Biggers
2019-04-30 14:13 ` Alan Stern
2019-04-30 14:13 ` Alan Stern
2019-08-13 12:55 ` Andrey Konovalov
2020-03-18 15:46 ` Andrey Konovalov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Pine.LNX.4.44L0.1904291604510.1632-100000@iolanthe.rowland.org \
--to=stern@rowland.harvard.edu \
--cc=andreyknvl@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=rafael@kernel.org \
--cc=syzbot+a9fefd18c7b240f19c54@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).