KASAN: use-after-free Write in betop_probe


syzbot

Dec 14, 2020, 5:36:11 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 2149aa11 ANDROID: mm/memblock: export memblock_end_of_DRAM
git tree: android12-5.4
console output: https://syzkaller.appspot.com/x/log.txt?x=11df5f07500000
kernel config: https://syzkaller.appspot.com/x/.config?x=3f87a6a62e174867
dashboard link: https://syzkaller.appspot.com/bug?extid=611409b182b57e4563da
compiler: Android (6032204 based on r370808) clang version 10.0.1 (https://android.googlesource.com/toolchain/llvm-project 6e765c10313d15c02ab29977a82938f66742c3a9)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14f3cb9b500000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1385046b500000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+611409...@syzkaller.appspotmail.com

usb 1-1: config 0 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 9
usb 1-1: New USB device found, idVendor=11c0, idProduct=5506, bcdDevice= 0.00
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
usb 1-1: config 0 descriptor??
==================================================================
BUG: KASAN: use-after-free in set_bit include/asm-generic/bitops-instrumented.h:28 [inline]
BUG: KASAN: use-after-free in betopff_init drivers/hid/hid-betopff.c:99 [inline]
BUG: KASAN: use-after-free in betop_probe+0x3d4/0x5c0 drivers/hid/hid-betopff.c:134
Write of size 8 at addr ffff8881e9519440 by task kworker/1:1/67

CPU: 1 PID: 67 Comm: kworker/1:1 Not tainted 5.4.83-syzkaller-00109-g2149aa11b029 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1dd/0x24e lib/dump_stack.c:118
print_address_description+0x96/0x640 mm/kasan/report.c:374
__kasan_report+0x177/0x1f0 mm/kasan/report.c:506
kasan_report+0x30/0x60 mm/kasan/common.c:634
check_memory_region_inline mm/kasan/generic.c:181 [inline]
check_memory_region+0x2b5/0x2f0 mm/kasan/generic.c:191
set_bit include/asm-generic/bitops-instrumented.h:28 [inline]
betopff_init drivers/hid/hid-betopff.c:99 [inline]
betop_probe+0x3d4/0x5c0 drivers/hid/hid-betopff.c:134
hid_device_probe+0x27a/0x420 drivers/hid/hid-core.c:2274
really_probe+0x70f/0x1120 drivers/base/dd.c:564
driver_probe_device+0xe6/0x230 drivers/base/dd.c:746
bus_for_each_drv+0x17a/0x200 drivers/base/bus.c:430


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Apr 17, 2023, 5:54:34 AM
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.