Re: KASAN: slab-out-of-bounds Read in technisat_usb2_rc_query

36 views
Skip to first unread message

syzbot

unread,
Jul 1, 2019, 11:30:01 AM7/1/19
to syzkall...@googlegroups.com, tranma...@gmail.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger
crash:

Reported-and-tested-by:
syzbot+eaaaf3...@syzkaller.appspotmail.com

Tested on:

commit: 7829a896 usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git usb-fuzzer
kernel config: https://syzkaller.appspot.com/x/.config?x=662450485a75f217
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=141badc5a00000

Note: testing is done by a robot and is best-effort only.

syzbot

unread,
Jul 1, 2019, 7:08:01 PM7/1/19
to syzkall...@googlegroups.com, tranma...@gmail.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered
crash:
KASAN: slab-out-of-bounds Read in technisat_usb2_rc_query

dvb-usb: Technisat SkyStar USB HD (DVB-S/S2) successfully initialized and
connected.
usb 1-1: new low-speed USB device number 2 using dummy_hcd
usb 4-1: new low-speed USB device number 2 using dummy_hcd
usb 5-1: new low-speed USB device number 2 using dummy_hcd
==================================================================
BUG: KASAN: slab-out-of-bounds in technisat_usb2_get_ir
drivers/media/usb/dvb-usb/technisat-usb2.c:664 [inline]
BUG: KASAN: slab-out-of-bounds in technisat_usb2_rc_query+0x5fa/0x660
drivers/media/usb/dvb-usb/technisat-usb2.c:679
Read of size 1 at addr ffff88809bf73d68 by task kworker/0:1/7

CPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.2.0-rc6-g7829a89 #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: events dvb_usb_read_remote_control
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xe8/0x16e lib/dump_stack.c:113
print_address_description+0x6c/0x236 mm/kasan/report.c:188
__kasan_report.cold+0x1a/0x39 mm/kasan/report.c:317
kasan_report+0xe/0x20 mm/kasan/common.c:614
technisat_usb2_get_ir drivers/media/usb/dvb-usb/technisat-usb2.c:664
[inline]
technisat_usb2_rc_query+0x5fa/0x660
drivers/media/usb/dvb-usb/technisat-usb2.c:679
dvb_usb_read_remote_control
drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:115 [inline]
dvb_usb_read_remote_control+0xe5/0x1c0
drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:92
process_one_work+0x90f/0x1580 kernel/workqueue.c:2269
worker_thread+0x9b/0xe20 kernel/workqueue.c:2415
kthread+0x315/0x420 kernel/kthread.c:255
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

Allocated by task 7:
save_stack+0x1b/0x80 mm/kasan/common.c:71
set_track mm/kasan/common.c:79 [inline]
__kasan_kmalloc mm/kasan/common.c:489 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:462
dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:149 [inline]
dvb_usb_device_init.cold+0x317/0x10b3
drivers/media/usb/dvb-usb/dvb-usb-init.c:274
technisat_usb2_probe+0x82/0x2d0
drivers/media/usb/dvb-usb/technisat-usb2.c:763
usb_probe_interface+0x31b/0x810 drivers/usb/core/driver.c:361
really_probe+0x2cb/0xaf0 drivers/base/dd.c:509
driver_probe_device+0x228/0x360 drivers/base/dd.c:670
__device_attach_driver+0x1d8/0x290 drivers/base/dd.c:777
bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
__device_attach+0x21c/0x390 drivers/base/dd.c:843
bus_probe_device+0x1eb/0x2a0 drivers/base/bus.c:514
device_add+0xac4/0x16d0 drivers/base/core.c:2111
usb_set_configuration+0xdfb/0x1750 drivers/usb/core/message.c:2023
generic_probe+0xa2/0xda drivers/usb/core/generic.c:210
usb_probe_device+0xba/0x150 drivers/usb/core/driver.c:266
really_probe+0x2cb/0xaf0 drivers/base/dd.c:509
driver_probe_device+0x228/0x360 drivers/base/dd.c:670
__device_attach_driver+0x1d8/0x290 drivers/base/dd.c:777
bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
__device_attach+0x21c/0x390 drivers/base/dd.c:843
bus_probe_device+0x1eb/0x2a0 drivers/base/bus.c:514
device_add+0xac4/0x16d0 drivers/base/core.c:2111
usb_new_device.cold+0x540/0xcb7 drivers/usb/core/hub.c:2534
hub_port_connect drivers/usb/core/hub.c:5089 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
port_event drivers/usb/core/hub.c:5350 [inline]
hub_event+0x1398/0x3b00 drivers/usb/core/hub.c:5432
process_one_work+0x90f/0x1580 kernel/workqueue.c:2269
worker_thread+0x9b/0xe20 kernel/workqueue.c:2415
kthread+0x315/0x420 kernel/kthread.c:255
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

Freed by task 4333:
save_stack+0x1b/0x80 mm/kasan/common.c:71
set_track mm/kasan/common.c:79 [inline]
__kasan_slab_free+0x130/0x180 mm/kasan/common.c:451
slab_free_hook mm/slub.c:1421 [inline]
slab_free_freelist_hook+0x5e/0x140 mm/slub.c:1448
slab_free mm/slub.c:2994 [inline]
kfree+0xce/0x280 mm/slub.c:3949
do_new_mount fs/namespace.c:2795 [inline]
do_mount+0x6a7/0x1ab0 fs/namespace.c:3111
ksys_mount+0xdc/0x150 fs/namespace.c:3320
__do_sys_mount fs/namespace.c:3334 [inline]
__se_sys_mount fs/namespace.c:3331 [inline]
__x64_sys_mount+0xbf/0x160 fs/namespace.c:3331
do_syscall_64+0xcf/0x560 arch/x86/entry/common.c:301
entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff88809bf73c80
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 232 bytes inside of
256-byte region [ffff88809bf73c80, ffff88809bf73d80)
The buggy address belongs to the page:
page:ffffea00026fdcc0 refcount:1 mapcount:0 mapping:ffff8880a8c02e00
index:0x0
flags: 0xfff00000000200(slab)
raw: 00fff00000000200 0000000000000000 0000000100000001 ffff8880a8c02e00
raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff88809bf73c00: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88809bf73c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff88809bf73d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
^
ffff88809bf73d80: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
ffff88809bf73e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================


Tested on:

commit: 7829a896 usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=149c05d5a00000

syzbot

unread,
Jul 1, 2019, 8:17:01 PM7/1/19
to syzkall...@googlegroups.com, tranma...@gmail.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger
crash:

Reported-and-tested-by:
syzbot+eaaaf3...@syzkaller.appspotmail.com

Tested on:

commit: 7829a896 usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git usb-fuzzer
kernel config: https://syzkaller.appspot.com/x/.config?x=662450485a75f217
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=1194e52ba00000

syzbot

unread,
Jul 2, 2019, 2:29:01 PM7/2/19
to syzkall...@googlegroups.com, tranma...@gmail.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger
crash:

Reported-and-tested-by:
syzbot+eaaaf3...@syzkaller.appspotmail.com

Tested on:

commit: 7829a896 usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git usb-fuzzer
kernel config: https://syzkaller.appspot.com/x/.config?x=662450485a75f217
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=11613a93a00000

syzbot

unread,
Jul 2, 2019, 9:25:02 PM7/2/19
to syzkall...@googlegroups.com, tranma...@gmail.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered
crash:
KASAN: slab-out-of-bounds Read in technisat_usb2_rc_query

technisat-usb2: i2c-error: out failed 53 = -22
rc rc2: lirc_dev: driver technisat-usb2 registered at minor = 2, raw IR
receiver, no transmitter
dvb-usb: MAC address reading failed.
dvbdev: dvb_create_media_entity: media entity 'dvb-demux' registered.
==================================================================
BUG: KASAN: slab-out-of-bounds in technisat_usb2_get_ir
drivers/media/usb/dvb-usb/technisat-usb2.c:664 [inline]
BUG: KASAN: slab-out-of-bounds in technisat_usb2_rc_query+0x5fa/0x660
drivers/media/usb/dvb-usb/technisat-usb2.c:679
Read of size 1 at addr ffff8880919585e8 by task kworker/0:2/534

CPU: 0 PID: 534 Comm: kworker/0:2 Not tainted 5.2.0-rc6-g7829a89 #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: events dvb_usb_read_remote_control
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xe8/0x16e lib/dump_stack.c:113
print_address_description+0x6c/0x236 mm/kasan/report.c:188
__kasan_report.cold+0x1a/0x39 mm/kasan/report.c:317
kasan_report+0xe/0x20 mm/kasan/common.c:614
technisat_usb2_get_ir drivers/media/usb/dvb-usb/technisat-usb2.c:664
[inline]
technisat_usb2_rc_query+0x5fa/0x660
drivers/media/usb/dvb-usb/technisat-usb2.c:679
dvb_usb_read_remote_control
drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:115 [inline]
dvb_usb_read_remote_control+0xe5/0x1c0
drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:92
process_one_work+0x90f/0x1580 kernel/workqueue.c:2269
worker_thread+0x9b/0xe20 kernel/workqueue.c:2415
kthread+0x315/0x420 kernel/kthread.c:255
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

Allocated by task 534:
Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff888091958500
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 232 bytes inside of
256-byte region [ffff888091958500, ffff888091958600)
The buggy address belongs to the page:
page:ffffea0002465600 refcount:1 mapcount:0 mapping:ffff8880a8c02e00
index:0x0
flags: 0xfff00000000200(slab)
raw: 00fff00000000200 dead000000000100 dead000000000200 ffff8880a8c02e00
raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff888091958480: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888091958500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff888091958580: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
^
ffff888091958600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
ffff888091958680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================


Tested on:

commit: 7829a896 usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=10d93e1ba00000

syzbot

unread,
Jul 2, 2019, 10:01:01 PM7/2/19
to syzkall...@googlegroups.com, tranma...@gmail.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger
crash:

Reported-and-tested-by:
syzbot+eaaaf3...@syzkaller.appspotmail.com

Tested on:

commit: 7829a896 usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git usb-fuzzer
kernel config: https://syzkaller.appspot.com/x/.config?x=662450485a75f217
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=165fa7f5a00000
Reply all
Reply to author
Forward
0 new messages