KASAN: slab-out-of-bounds Read in usb_reset_and_verify_device

[syzbot]

Hello,

syzbot found the following crash on:

HEAD commit: eea39f24 usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=174761b6600000
kernel config: https://syzkaller.appspot.com/x/.config?x=d0c62209eedfd54e
dashboard link: https://syzkaller.appspot.com/bug?extid=35f4d916c623118d576e
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1706275a600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+35f4d9...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-out-of-bounds in memcmp+0xa6/0xb0 lib/string.c:904
Read of size 1 at addr ffff8881d175bed6 by task kworker/0:3/2746

CPU: 0 PID: 2746 Comm: kworker/0:3 Not tainted 5.3.0-rc5+ #28
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xca/0x13e lib/dump_stack.c:113
print_address_description+0x6a/0x32c mm/kasan/report.c:351
__kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
kasan_report+0xe/0x12 mm/kasan/common.c:612
memcmp+0xa6/0xb0 lib/string.c:904
memcmp include/linux/string.h:400 [inline]
descriptors_changed drivers/usb/core/hub.c:5579 [inline]
usb_reset_and_verify_device+0x564/0x1300 drivers/usb/core/hub.c:5729
usb_reset_device+0x4c1/0x920 drivers/usb/core/hub.c:5898
rt2x00usb_probe+0x53/0x7af
drivers/net/wireless/ralink/rt2x00/rt2x00usb.c:806
usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
really_probe+0x281/0x6d0 drivers/base/dd.c:548
driver_probe_device+0x101/0x1b0 drivers/base/dd.c:721
__device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:454
__device_attach+0x217/0x360 drivers/base/dd.c:894
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
device_add+0xae6/0x16f0 drivers/base/core.c:2165
usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
really_probe+0x281/0x6d0 drivers/base/dd.c:548
driver_probe_device+0x101/0x1b0 drivers/base/dd.c:721
__device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:454
__device_attach+0x217/0x360 drivers/base/dd.c:894
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
device_add+0xae6/0x16f0 drivers/base/core.c:2165
usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
hub_port_connect drivers/usb/core/hub.c:5098 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
port_event drivers/usb/core/hub.c:5359 [inline]
hub_event+0x1b5c/0x3640 drivers/usb/core/hub.c:5441
process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
worker_thread+0x96/0xe20 kernel/workqueue.c:2415
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 2746:
save_stack+0x1b/0x80 mm/kasan/common.c:69
set_track mm/kasan/common.c:77 [inline]
__kasan_kmalloc mm/kasan/common.c:487 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:460
kmalloc include/linux/slab.h:557 [inline]
kzalloc include/linux/slab.h:748 [inline]
usb_get_bos_descriptor+0x1fd/0x8f2 drivers/usb/core/config.c:955
hub_port_init+0x169a/0x2d30 drivers/usb/core/hub.c:4837
usb_reset_and_verify_device+0x3aa/0x1300 drivers/usb/core/hub.c:5720
usb_reset_device+0x4c1/0x920 drivers/usb/core/hub.c:5898
rt2x00usb_probe+0x53/0x7af
drivers/net/wireless/ralink/rt2x00/rt2x00usb.c:806
usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
really_probe+0x281/0x6d0 drivers/base/dd.c:548
driver_probe_device+0x101/0x1b0 drivers/base/dd.c:721
__device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:454
__device_attach+0x217/0x360 drivers/base/dd.c:894
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
device_add+0xae6/0x16f0 drivers/base/core.c:2165
usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
really_probe+0x281/0x6d0 drivers/base/dd.c:548
driver_probe_device+0x101/0x1b0 drivers/base/dd.c:721
__device_attach_driver+0x1c2/0x220 drivers/base/dd.c:828
bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:454
__device_attach+0x217/0x360 drivers/base/dd.c:894
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
device_add+0xae6/0x16f0 drivers/base/core.c:2165
usb_new_device.cold+0x6a4/0xe79 drivers/usb/core/hub.c:2536
hub_port_connect drivers/usb/core/hub.c:5098 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
port_event drivers/usb/core/hub.c:5359 [inline]
hub_event+0x1b5c/0x3640 drivers/usb/core/hub.c:5441
process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
worker_thread+0x96/0xe20 kernel/workqueue.c:2415
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Freed by task 1751:
save_stack+0x1b/0x80 mm/kasan/common.c:69
set_track mm/kasan/common.c:77 [inline]
__kasan_slab_free+0x130/0x180 mm/kasan/common.c:449
slab_free_hook mm/slub.c:1423 [inline]
slab_free_freelist_hook mm/slub.c:1474 [inline]
slab_free mm/slub.c:3016 [inline]
kfree+0xe4/0x2f0 mm/slub.c:3957
__vunmap+0x6d5/0x930 mm/vmalloc.c:2258
__vfree+0x3c/0xd0 mm/vmalloc.c:2299
vfree+0x5a/0x90 mm/vmalloc.c:2329
copy_entries_to_user net/ipv4/netfilter/ip_tables.c:867 [inline]
get_entries net/ipv4/netfilter/ip_tables.c:1024 [inline]
do_ipt_get_ctl+0x6a0/0x890 net/ipv4/netfilter/ip_tables.c:1700
nf_sockopt net/netfilter/nf_sockopt.c:104 [inline]
nf_getsockopt+0x72/0xd0 net/netfilter/nf_sockopt.c:122
ip_getsockopt net/ipv4/ip_sockglue.c:1576 [inline]
ip_getsockopt+0x165/0x1c0 net/ipv4/ip_sockglue.c:1556
tcp_getsockopt net/ipv4/tcp.c:3662 [inline]
tcp_getsockopt+0x86/0xd0 net/ipv4/tcp.c:3656
__sys_getsockopt+0x135/0x210 net/socket.c:2129
__do_sys_getsockopt net/socket.c:2144 [inline]
__se_sys_getsockopt net/socket.c:2141 [inline]
__x64_sys_getsockopt+0xba/0x150 net/socket.c:2141
do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8881d175bea0
which belongs to the cache kmalloc-64 of size 64
The buggy address is located 54 bytes inside of
64-byte region [ffff8881d175bea0, ffff8881d175bee0)
The buggy address belongs to the page:
page:ffffea000745d6c0 refcount:1 mapcount:0 mapping:ffff8881da003180
index:0x0
flags: 0x200000000000200(slab)
raw: 0200000000000200 ffffea00075eda00 0000000300000003 ffff8881da003180
raw: 0000000000000000 00000000802a002a 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8881d175bd80: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
ffff8881d175be00: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
> ffff8881d175be80: fc fc fc fc 00 00 00 00 00 00 06 fc fc fc fc fc
^
ffff8881d175bf00: 00 00 00 00 00 00 fc fc fc fc fc fc fb fb fb fb
ffff8881d175bf80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

[Alan Stern]

Diagnostic patch.

#syz test: https://github.com/google/kasan.git eea39f24

Index: usb-devel/drivers/usb/core/hub.c
===================================================================
--- usb-devel.orig/drivers/usb/core/hub.c
+++ usb-devel/drivers/usb/core/hub.c
@@ -5721,6 +5721,13 @@ static int usb_reset_and_verify_device(s
if (ret < 0)
goto re_enumerate;

+ if (bos)
+ dev_info(&udev->dev, "Old BOS %p Len 0x%x\n",
+ bos, le16_to_cpu(bos->desc->wTotalLength));
+ if (udev->bos)
+ dev_info(&udev->dev, "New BOS %p Len 0x%x\n",
+ udev->bos, le16_to_cpu(udev->bos->desc->wTotalLength));
+
/* Device might have changed firmware (DFU or similar) */
if (descriptors_changed(udev, &descriptor, bos)) {
dev_info(&udev->dev, "device firmware changed\n");

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer still triggered
crash:
KASAN: slab-out-of-bounds Read in usb_reset_and_verify_device

usb 4-1: Old BOS 00000000ffd70172 Len 0xa8
usb 4-1: New BOS 00000000b6d58371 Len 0xa8

==================================================================
BUG: KASAN: slab-out-of-bounds in memcmp+0xa6/0xb0 lib/string.c:904

Read of size 1 at addr ffff8881cd95d876 by task kworker/0:4/2841

CPU: 0 PID: 2841 Comm: kworker/0:4 Not tainted 5.3.0-rc5+ #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xca/0x13e lib/dump_stack.c:113
print_address_description+0x6a/0x32c mm/kasan/report.c:351
__kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
kasan_report+0xe/0x12 mm/kasan/common.c:612
memcmp+0xa6/0xb0 lib/string.c:904
memcmp include/linux/string.h:400 [inline]
descriptors_changed drivers/usb/core/hub.c:5579 [inline]

usb_reset_and_verify_device+0x5a8/0x1350 drivers/usb/core/hub.c:5736
usb_reset_device+0x4c1/0x920 drivers/usb/core/hub.c:5905

Allocated by task 2841:

save_stack+0x1b/0x80 mm/kasan/common.c:69
set_track mm/kasan/common.c:77 [inline]
__kasan_kmalloc mm/kasan/common.c:487 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:460
kmalloc include/linux/slab.h:557 [inline]
kzalloc include/linux/slab.h:748 [inline]
usb_get_bos_descriptor+0x1fd/0x8f2 drivers/usb/core/config.c:955
hub_port_init+0x169a/0x2d30 drivers/usb/core/hub.c:4837

usb_reset_and_verify_device+0x3aa/0x1350 drivers/usb/core/hub.c:5720
usb_reset_device+0x4c1/0x920 drivers/usb/core/hub.c:5905

Freed by task 1862:

save_stack+0x1b/0x80 mm/kasan/common.c:69
set_track mm/kasan/common.c:77 [inline]
__kasan_slab_free+0x130/0x180 mm/kasan/common.c:449
slab_free_hook mm/slub.c:1423 [inline]
slab_free_freelist_hook mm/slub.c:1474 [inline]
slab_free mm/slub.c:3016 [inline]
kfree+0xe4/0x2f0 mm/slub.c:3957

call_usermodehelper_freeinfo kernel/umh.c:47 [inline]
call_usermodehelper_exec+0x235/0x4d0 kernel/umh.c:598
call_modprobe kernel/kmod.c:99 [inline]
__request_module+0x459/0xb20 kernel/kmod.c:171
dev_load+0x1e8/0x200 net/core/dev_ioctl.c:354
dev_ioctl+0x29c/0xc68 drivers/usb/gadget/legacy/inode.c:2050
sock_do_ioctl+0x1b7/0x2f0 net/socket.c:1061
sock_ioctl+0x3ed/0x790 net/socket.c:1189
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:509 [inline]
do_vfs_ioctl+0xd2d/0x1330 fs/ioctl.c:696
ksys_ioctl+0x9b/0xc0 fs/ioctl.c:713
__do_sys_ioctl fs/ioctl.c:720 [inline]
__se_sys_ioctl fs/ioctl.c:718 [inline]
__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718
do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8881cd95d840

which belongs to the cache kmalloc-64 of size 64
The buggy address is located 54 bytes inside of

64-byte region [ffff8881cd95d840, ffff8881cd95d880)

The buggy address belongs to the page:

page:ffffea0007365740 refcount:1 mapcount:0 mapping:ffff8881da003180
index:0xffff8881cd95df00
flags: 0x200000000000200(slab)
raw: 0200000000000200 ffffea000734e3c0 0000000800000008 ffff8881da003180
raw: ffff8881cd95df00 00000000802a0026 00000001ffffffff 0000000000000000

page dumped because: kasan: bad access detected

Memory state around the buggy address:

ffff8881cd95d700: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
ffff8881cd95d780: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
> ffff8881cd95d800: fb fb fb fb fc fc fc fc 00 00 00 00 00 00 06 fc
^
ffff8881cd95d880: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
ffff8881cd95d900: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
==================================================================


Tested on:

commit: eea39f24 usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git

console output: https://syzkaller.appspot.com/x/log.txt?x=10b38c76600000

kernel config: https://syzkaller.appspot.com/x/.config?x=d0c62209eedfd54e
dashboard link: https://syzkaller.appspot.com/bug?extid=35f4d916c623118d576e
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

patch: https://syzkaller.appspot.com/x/patch.diff?x=13dba871600000

[Alan Stern]

On Tue, 3 Sep 2019, syzbot wrote:

> Hello,
>
> syzbot has tested the proposed patch but the reproducer still triggered
> crash:
> KASAN: slab-out-of-bounds Read in usb_reset_and_verify_device
>
> usb 4-1: Old BOS 00000000ffd70172 Len 0xa8
> usb 4-1: New BOS 00000000b6d58371 Len 0xa8
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in memcmp+0xa6/0xb0 lib/string.c:904
> Read of size 1 at addr ffff8881cd95d876 by task kworker/0:4/2841

Argh -- I forgot about printk's kernel-address mangling. Let's try
again.

Alan Stern

#syz test: https://github.com/google/kasan.git eea39f24

Index: usb-devel/drivers/usb/core/hub.c
===================================================================
--- usb-devel.orig/drivers/usb/core/hub.c
+++ usb-devel/drivers/usb/core/hub.c
@@ -5721,6 +5721,13 @@ static int usb_reset_and_verify_device(s
if (ret < 0)
goto re_enumerate;

+ if (bos)

+ dev_info(&udev->dev, "Old BOS %px Len 0x%x\n",

+ bos, le16_to_cpu(bos->desc->wTotalLength));
+ if (udev->bos)

+ dev_info(&udev->dev, "New BOS %px Len 0x%x\n",

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer still triggered
crash:
KASAN: slab-out-of-bounds Read in usb_reset_and_verify_device

usb 4-1: Using ep0 maxpacket: 16
usb 4-1: Old BOS ffff8881d516b780 Len 0xa8
usb 4-1: New BOS ffff8881d5dd6d20 Len 0xa8

==================================================================
BUG: KASAN: slab-out-of-bounds in memcmp+0xa6/0xb0 lib/string.c:904

Read of size 1 at addr ffff8881d5dd6db6 by task kworker/0:1/12

CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.3.0-rc5+ #0

Allocated by task 12:

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8881d5dd6d80

which belongs to the cache kmalloc-64 of size 64
The buggy address is located 54 bytes inside of

64-byte region [ffff8881d5dd6d80, ffff8881d5dd6dc0)

The buggy address belongs to the page:

page:ffffea0007577580 refcount:1 mapcount:0 mapping:ffff8881da003180
index:0x0
flags: 0x200000000000200(slab)
raw: 0200000000000200 dead000000000100 dead000000000122 ffff8881da003180
raw: 0000000000000000 00000000802a002a 00000001ffffffff 0000000000000000

page dumped because: kasan: bad access detected

Memory state around the buggy address:

ffff8881d5dd6c80: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
ffff8881d5dd6d00: fc fc fc fc 00 00 00 00 00 00 fc fc fc fc fc fc
> ffff8881d5dd6d80: 00 00 00 00 00 00 06 fc fc fc fc fc fc fc fc fc
^
ffff8881d5dd6e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8881d5dd6e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

==================================================================


Tested on:

commit: eea39f24 usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git

console output: https://syzkaller.appspot.com/x/log.txt?x=11366b8e600000

kernel config: https://syzkaller.appspot.com/x/.config?x=d0c62209eedfd54e
dashboard link: https://syzkaller.appspot.com/bug?extid=35f4d916c623118d576e
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

patch: https://syzkaller.appspot.com/x/patch.diff?x=1740de51600000

[Alan Stern]

On Tue, 3 Sep 2019, syzbot wrote:

> Hello,
>
> syzbot has tested the proposed patch but the reproducer still triggered
> crash:
> KASAN: slab-out-of-bounds Read in usb_reset_and_verify_device
>
> usb 4-1: Using ep0 maxpacket: 16
> usb 4-1: Old BOS ffff8881d516b780 Len 0xa8
> usb 4-1: New BOS ffff8881d5dd6d20 Len 0xa8
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in memcmp+0xa6/0xb0 lib/string.c:904
> Read of size 1 at addr ffff8881d5dd6db6 by task kworker/0:1/12

More debugging. If my guess is right, this is pretty malicious...

Alan Stern

#syz test: https://github.com/google/kasan.git eea39f24

drivers/usb/core/config.c | 2 ++
drivers/usb/core/hub.c | 7 +++++++
2 files changed, 9 insertions(+)

Index: usb-devel/drivers/usb/core/hub.c
===================================================================
--- usb-devel.orig/drivers/usb/core/hub.c
+++ usb-devel/drivers/usb/core/hub.c
@@ -5721,6 +5721,13 @@ static int usb_reset_and_verify_device(s
if (ret < 0)
goto re_enumerate;

+ if (bos)
+ dev_info(&udev->dev, "Old BOS %px Len 0x%x\n",
+ bos, le16_to_cpu(bos->desc->wTotalLength));
+ if (udev->bos)
+ dev_info(&udev->dev, "New BOS %px Len 0x%x\n",
+ udev->bos, le16_to_cpu(udev->bos->desc->wTotalLength));
+
/* Device might have changed firmware (DFU or similar) */
if (descriptors_changed(udev, &descriptor, bos)) {
dev_info(&udev->dev, "device firmware changed\n");

Index: usb-devel/drivers/usb/core/config.c
===================================================================
--- usb-devel.orig/drivers/usb/core/config.c
+++ usb-devel/drivers/usb/core/config.c
@@ -966,6 +966,8 @@ int usb_get_bos_descriptor(struct usb_de
ret = -ENOMSG;
goto err;
}
+ dev_info(ddev, "BOS total length %d, descriptor %d\n", total_len,
+ le16_to_cpu(dev->bos->desc->wTotalLength));
total_len -= length;

for (i = 0; i < num; i++) {

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer still triggered
crash:
KASAN: slab-out-of-bounds Read in usb_reset_and_verify_device

usb 6-1: Using ep0 maxpacket: 16
usb 6-1: BOS total length 54, descriptor 168
usb 6-1: Old BOS ffff8881cd814f60 Len 0xa8
usb 6-1: New BOS ffff8881cd257ae0 Len 0xa8

==================================================================
BUG: KASAN: slab-out-of-bounds in memcmp+0xa6/0xb0 lib/string.c:904

Read of size 1 at addr ffff8881cd257c36 by task kworker/1:0/17

CPU: 1 PID: 17 Comm: kworker/1:0 Not tainted 5.3.0-rc5+ #0

Allocated by task 17:

save_stack+0x1b/0x80 mm/kasan/common.c:69
set_track mm/kasan/common.c:77 [inline]
__kasan_kmalloc mm/kasan/common.c:487 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:460
kmalloc include/linux/slab.h:557 [inline]
kzalloc include/linux/slab.h:748 [inline]

usb_get_bos_descriptor+0x1e4/0x315 drivers/usb/core/config.c:955

Freed by task 2190:

save_stack+0x1b/0x80 mm/kasan/common.c:69
set_track mm/kasan/common.c:77 [inline]

__kasan_slab_free+0x130/0x180 mm/kasan/common.c:449
slab_free_hook mm/slub.c:1423 [inline]
slab_free_freelist_hook mm/slub.c:1474 [inline]
slab_free mm/slub.c:3016 [inline]
kfree+0xe4/0x2f0 mm/slub.c:3957

free_rb_tree_fname+0x7f/0xe0 fs/ext4/dir.c:404
ext4_htree_free_dir_info fs/ext4/dir.c:426 [inline]
ext4_release_dir+0x41/0x60 fs/ext4/dir.c:624
__fput+0x2d7/0x840 fs/file_table.c:280
task_work_run+0x13f/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop+0x1d2/0x200 arch/x86/entry/common.c:163
prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299
entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8881cd257c00

which belongs to the cache kmalloc-64 of size 64
The buggy address is located 54 bytes inside of

64-byte region [ffff8881cd257c00, ffff8881cd257c40)

The buggy address belongs to the page:

page:ffffea00073495c0 refcount:1 mapcount:0 mapping:ffff8881da003180
index:0xffff8881cd257f00
flags: 0x200000000000200(slab)
raw: 0200000000000200 ffffea00073442c0 0000001d0000001d ffff8881da003180
raw: ffff8881cd257f00 00000000802a0028 00000001ffffffff 0000000000000000

page dumped because: kasan: bad access detected

Memory state around the buggy address:

ffff8881cd257b00: 00 00 fc fc fc fc fc fc fb fb fb fb fb fb fb fb
ffff8881cd257b80: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
> ffff8881cd257c00: 00 00 00 00 00 00 06 fc fc fc fc fc fb fb fb fb
^
ffff8881cd257c80: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
ffff8881cd257d00: fc fc fc fc 00 00 00 00 00 00 00 00 fc fc fc fc

==================================================================


Tested on:

commit: eea39f24 usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git

console output: https://syzkaller.appspot.com/x/log.txt?x=17cc619e600000

kernel config: https://syzkaller.appspot.com/x/.config?x=d0c62209eedfd54e
dashboard link: https://syzkaller.appspot.com/bug?extid=35f4d916c623118d576e
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

patch: https://syzkaller.appspot.com/x/patch.diff?x=10b73476600000

[Alan Stern]

On Tue, 3 Sep 2019, syzbot wrote:

> Hello,
>
> syzbot has tested the proposed patch but the reproducer still triggered
> crash:
> KASAN: slab-out-of-bounds Read in usb_reset_and_verify_device
>
> usb 6-1: Using ep0 maxpacket: 16
> usb 6-1: BOS total length 54, descriptor 168
> usb 6-1: Old BOS ffff8881cd814f60 Len 0xa8
> usb 6-1: New BOS ffff8881cd257ae0 Len 0xa8
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in memcmp+0xa6/0xb0 lib/string.c:904
> Read of size 1 at addr ffff8881cd257c36 by task kworker/1:0/17

Very sneaky! A BOS descriptor whose wTotalLength field varies
depending on how many bytes you read.

This should fix it. It's the same approach we use for the Config
descriptor.

Alan Stern

#syz test: https://github.com/google/kasan.git eea39f24

drivers/usb/core/config.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)

Index: usb-devel/drivers/usb/core/config.c
===================================================================
--- usb-devel.orig/drivers/usb/core/config.c
+++ usb-devel/drivers/usb/core/config.c

@@ -921,7 +921,7 @@ int usb_get_bos_descriptor(struct usb_de
struct usb_bos_descriptor *bos;
struct usb_dev_cap_header *cap;
struct usb_ssp_cap_descriptor *ssp_cap;
- unsigned char *buffer;
+ unsigned char *buffer, *buffer0;
int length, total_len, num, i, ssac;
__u8 cap_type;
int ret;
@@ -966,10 +966,12 @@ int usb_get_bos_descriptor(struct usb_de

ret = -ENOMSG;
goto err;
}
+

+ buffer0 = buffer;
total_len -= length;
+ buffer += length;

for (i = 0; i < num; i++) {

- buffer += length;
cap = (struct usb_dev_cap_header *)buffer;

if (total_len < sizeof(*cap) || total_len < cap->bLength) {
@@ -983,8 +985,6 @@ int usb_get_bos_descriptor(struct usb_de
break;
}

- total_len -= length;
-
if (cap->bDescriptorType != USB_DT_DEVICE_CAPABILITY) {
dev_warn(ddev, "descriptor type invalid, skip\n");
continue;
@@ -1019,7 +1019,11 @@ int usb_get_bos_descriptor(struct usb_de
default:
break;
}
+
+ total_len -= length;
+ buffer += length;
}
+ dev->bos->desc->wTotalLength = cpu_to_le16(buffer - buffer0);

return 0;

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger
crash:

Reported-and-tested-by:
syzbot+35f4d9...@syzkaller.appspotmail.com

Tested on:

commit: eea39f24 usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git

kernel config: https://syzkaller.appspot.com/x/.config?x=d0c62209eedfd54e
dashboard link: https://syzkaller.appspot.com/bug?extid=35f4d916c623118d576e
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

patch: https://syzkaller.appspot.com/x/patch.diff?x=11d694d6600000

Note: testing is done by a robot and is best-effort only.

[Andrey Konovalov]

On Wed, Sep 4, 2019 at 4:41 PM Alan Stern <st...@rowland.harvard.edu> wrote:
>
> On Tue, 3 Sep 2019, syzbot wrote:
>
> > Hello,
> >
> > syzbot has tested the proposed patch but the reproducer still triggered
> > crash:
> > KASAN: slab-out-of-bounds Read in usb_reset_and_verify_device
> >
> > usb 6-1: Using ep0 maxpacket: 16
> > usb 6-1: BOS total length 54, descriptor 168
> > usb 6-1: Old BOS ffff8881cd814f60 Len 0xa8
> > usb 6-1: New BOS ffff8881cd257ae0 Len 0xa8
> > ==================================================================
> > BUG: KASAN: slab-out-of-bounds in memcmp+0xa6/0xb0 lib/string.c:904
> > Read of size 1 at addr ffff8881cd257c36 by task kworker/1:0/17
>
> Very sneaky! A BOS descriptor whose wTotalLength field varies
> depending on how many bytes you read.
>
> This should fix it. It's the same approach we use for the Config
> descriptor.

Nice, core USB bug :)

Can this potentially lead to something worse than a out-of-bounds memcmp?

[Alan Stern]

On Wed, 4 Sep 2019, Andrey Konovalov wrote:

> On Wed, Sep 4, 2019 at 4:41 PM Alan Stern <st...@rowland.harvard.edu> wrote:
> >
> > On Tue, 3 Sep 2019, syzbot wrote:
> >
> > > Hello,
> > >
> > > syzbot has tested the proposed patch but the reproducer still triggered
> > > crash:
> > > KASAN: slab-out-of-bounds Read in usb_reset_and_verify_device
> > >
> > > usb 6-1: Using ep0 maxpacket: 16
> > > usb 6-1: BOS total length 54, descriptor 168
> > > usb 6-1: Old BOS ffff8881cd814f60 Len 0xa8
> > > usb 6-1: New BOS ffff8881cd257ae0 Len 0xa8
> > > ==================================================================
> > > BUG: KASAN: slab-out-of-bounds in memcmp+0xa6/0xb0 lib/string.c:904
> > > Read of size 1 at addr ffff8881cd257c36 by task kworker/1:0/17
> >
> > Very sneaky! A BOS descriptor whose wTotalLength field varies
> > depending on how many bytes you read.
> >
> > This should fix it. It's the same approach we use for the Config
> > descriptor.
>
> Nice, core USB bug :)
>
> Can this potentially lead to something worse than a out-of-bounds memcmp?

I tend to doubt it. It would require some code that does its own
parsing of the BOS descriptors. If there is any code like that in the
kernel, I'm not aware of it.

Still, you never know...

Alan Stern

[Alan Stern]

The syzbot fuzzer provoked a slab-out-of-bounds error in the USB core:

BUG: KASAN: slab-out-of-bounds in memcmp+0xa6/0xb0 lib/string.c:904
Read of size 1 at addr ffff8881d175bed6 by task kworker/0:3/2746

CPU: 0 PID: 2746 Comm: kworker/0:3 Not tainted 5.3.0-rc5+ #28
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xca/0x13e lib/dump_stack.c:113
print_address_description+0x6a/0x32c mm/kasan/report.c:351
__kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
kasan_report+0xe/0x12 mm/kasan/common.c:612
memcmp+0xa6/0xb0 lib/string.c:904
memcmp include/linux/string.h:400 [inline]
descriptors_changed drivers/usb/core/hub.c:5579 [inline]
usb_reset_and_verify_device+0x564/0x1300 drivers/usb/core/hub.c:5729
usb_reset_device+0x4c1/0x920 drivers/usb/core/hub.c:5898
rt2x00usb_probe+0x53/0x7af
drivers/net/wireless/ralink/rt2x00/rt2x00usb.c:806

The error occurs when the descriptors_changed() routine (called during
a device reset) attempts to compare the old and new BOS and capability
descriptors. The length it uses for the comparison is the
wTotalLength value stored in BOS descriptor, but this value is not
necessarily the same as the length actually allocated for the
descriptors. If it is larger the routine will call memcmp() with a
length that is too big, thus reading beyond the end of the allocated
region and leading to this fault.

The kernel reads the BOS descriptor twice: first to get the total
length of all the capability descriptors, and second to read it along
with all those other descriptors. A malicious (or very faulty) device
may send different values for the BOS descriptor fields each time.
The memory area will be allocated using the wTotalLength value read
the first time, but stored within it will be the value read the second
time.

To prevent this possibility from causing any errors, this patch
modifies the BOS descriptor after it has been read the second time:
It sets the wTotalLength field to the actual length of the descriptors
that were read in and validated. Then the memcpy() call, or any other
code using these descriptors, will be able to rely on wTotalLength
being valid.

Reported-and-tested-by: syzbot+35f4d9...@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <st...@rowland.harvard.edu>
CC: <sta...@vger.kernel.org>

---


[as1912]