[syzbot] UBSAN: shift-out-of-bounds in hid_report_raw_event (2)
9 views
Skip to first unread message
syzbot
Nov 15, 2022, 12:41:42 PM11/15/22
to benjamin....@redhat.com, ji...@kernel.org, linux...@vger.kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 4bbf3422df78 Merge tag 'net-6.1-rc5' of git://git.kernel.o..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1001828e880000
kernel config: https://syzkaller.appspot.com/x/.config?x=480ba0fb2fd243ac
dashboard link: https://syzkaller.appspot.com/bug?extid=8b1641d2f14732407e23
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13556dfe880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16de4db9880000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/3f5450859d5d/disk-4bbf3422.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d5ef9126ce18/vmlinux-4bbf3422.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a806f631e533/bzImage-4bbf3422.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8b1641...@syzkaller.appspotmail.com
microsoft 0003:045E:07DA.0001: hid_field_extract() called with n (128) > 32! (swapper/0)
================================================================================
UBSAN: shift-out-of-bounds in drivers/hid/hid-core.c:1323:20
shift exponent 127 is too large for 32-bit type 'int'
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.1.0-rc4-syzkaller-00159-g4bbf3422df78 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:151 [inline]
__ubsan_handle_shift_out_of_bounds+0x3a6/0x420 lib/ubsan.c:322
snto32 drivers/hid/hid-core.c:1323 [inline]
hid_input_fetch_field drivers/hid/hid-core.c:1572 [inline]
hid_process_report drivers/hid/hid-core.c:1665 [inline]
hid_report_raw_event+0xd56/0x18b0 drivers/hid/hid-core.c:1998
hid_input_report+0x408/0x4f0 drivers/hid/hid-core.c:2066
hid_irq_in+0x459/0x690 drivers/hid/usbhid/hid-core.c:284
__usb_hcd_giveback_urb+0x369/0x530 drivers/usb/core/hcd.c:1671
dummy_timer+0x86b/0x3110 drivers/usb/gadget/udc/dummy_hcd.c:1988
call_timer_fn+0xf5/0x210 kernel/time/timer.c:1474
expire_timers kernel/time/timer.c:1519 [inline]
__run_timers+0x76a/0x980 kernel/time/timer.c:1790
run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1803
__do_softirq+0x277/0x75b kernel/softirq.c:571
__irq_exit_rcu+0xec/0x170 kernel/softirq.c:650
irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1107
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0010:native_save_fl arch/x86/include/asm/irqflags.h:22 [inline]
RIP: 0010:arch_local_save_flags arch/x86/include/asm/irqflags.h:70 [inline]
RIP: 0010:arch_irqs_disabled arch/x86/include/asm/irqflags.h:130 [inline]
RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:113 [inline]
RIP: 0010:acpi_idle_do_entry drivers/acpi/processor_idle.c:572 [inline]
RIP: 0010:acpi_idle_enter+0x43d/0x800 drivers/acpi/processor_idle.c:709
Code: ff e8 a7 8d 38 f7 48 83 e3 08 44 8b 7c 24 04 0f 85 00 01 00 00 e8 33 4d 3f f7 66 90 e8 cc 88 38 f7 0f 00 2d f5 af c4 00 fb f4 <4c> 89 e3 48 c1 eb 03 42 80 3c 2b 00 74 08 4c 89 e7 e8 7d 64 8d f7
RSP: 0018:ffffffff8ca07b80 EFLAGS: 000002d3
RAX: ffffffff8a512d84 RBX: 0000000000000000 RCX: ffffffff8cabb7c0
RDX: 0000000000000000 RSI: ffffffff8aad68a0 RDI: ffffffff8b0ac540
RBP: ffffffff8ca07c30 R08: ffffffff8a512d69 R09: fffffbfff19576f9
R10: fffffbfff19576f9 R11: 1ffffffff19576f8 R12: ffffffff8ca07bc0
R13: dffffc0000000000 R14: ffff8880121c6800 R15: 0000000000000001
cpuidle_enter_state+0x50b/0xf50 drivers/cpuidle/cpuidle.c:239
cpuidle_enter+0x59/0x90 drivers/cpuidle/cpuidle.c:356
call_cpuidle kernel/sched/idle.c:155 [inline]
cpuidle_idle_call kernel/sched/idle.c:236 [inline]
do_idle+0x3da/0x680 kernel/sched/idle.c:303
cpu_startup_entry+0x15/0x20 kernel/sched/idle.c:400
rest_init+0x24f/0x270 init/main.c:729
arch_call_rest_init+0xa/0xa init/main.c:890
start_kernel+0x4b6/0x565 init/main.c:1145
secondary_startup_64_no_verify+0xcf/0xdb
</TASK>
================================================================================
----------------
Code disassembly (best guess), 1 bytes skipped:
0: e8 a7 8d 38 f7 callq 0xf7388dac
5: 48 83 e3 08 and $0x8,%rbx
9: 44 8b 7c 24 04 mov 0x4(%rsp),%r15d
e: 0f 85 00 01 00 00 jne 0x114
14: e8 33 4d 3f f7 callq 0xf73f4d4c
19: 66 90 xchg %ax,%ax
1b: e8 cc 88 38 f7 callq 0xf73888ec
20: 0f 00 2d f5 af c4 00 verw 0xc4aff5(%rip) # 0xc4b01c
27: fb sti
28: f4 hlt
* 29: 4c 89 e3 mov %r12,%rbx <-- trapping instruction
2c: 48 c1 eb 03 shr $0x3,%rbx
30: 42 80 3c 2b 00 cmpb $0x0,(%rbx,%r13,1)
35: 74 08 je 0x3f
37: 4c 89 e7 mov %r12,%rdi
3a: e8 7d 64 8d f7 callq 0xf78d64bc
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following issue on:
HEAD commit: 4bbf3422df78 Merge tag 'net-6.1-rc5' of git://git.kernel.o..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1001828e880000
kernel config: https://syzkaller.appspot.com/x/.config?x=480ba0fb2fd243ac
dashboard link: https://syzkaller.appspot.com/bug?extid=8b1641d2f14732407e23
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13556dfe880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16de4db9880000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/3f5450859d5d/disk-4bbf3422.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d5ef9126ce18/vmlinux-4bbf3422.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a806f631e533/bzImage-4bbf3422.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8b1641...@syzkaller.appspotmail.com
microsoft 0003:045E:07DA.0001: hid_field_extract() called with n (128) > 32! (swapper/0)
================================================================================
UBSAN: shift-out-of-bounds in drivers/hid/hid-core.c:1323:20
shift exponent 127 is too large for 32-bit type 'int'
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.1.0-rc4-syzkaller-00159-g4bbf3422df78 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:151 [inline]
__ubsan_handle_shift_out_of_bounds+0x3a6/0x420 lib/ubsan.c:322
snto32 drivers/hid/hid-core.c:1323 [inline]
hid_input_fetch_field drivers/hid/hid-core.c:1572 [inline]
hid_process_report drivers/hid/hid-core.c:1665 [inline]
hid_report_raw_event+0xd56/0x18b0 drivers/hid/hid-core.c:1998
hid_input_report+0x408/0x4f0 drivers/hid/hid-core.c:2066
hid_irq_in+0x459/0x690 drivers/hid/usbhid/hid-core.c:284
__usb_hcd_giveback_urb+0x369/0x530 drivers/usb/core/hcd.c:1671
dummy_timer+0x86b/0x3110 drivers/usb/gadget/udc/dummy_hcd.c:1988
call_timer_fn+0xf5/0x210 kernel/time/timer.c:1474
expire_timers kernel/time/timer.c:1519 [inline]
__run_timers+0x76a/0x980 kernel/time/timer.c:1790
run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1803
__do_softirq+0x277/0x75b kernel/softirq.c:571
__irq_exit_rcu+0xec/0x170 kernel/softirq.c:650
irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1107
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0010:native_save_fl arch/x86/include/asm/irqflags.h:22 [inline]
RIP: 0010:arch_local_save_flags arch/x86/include/asm/irqflags.h:70 [inline]
RIP: 0010:arch_irqs_disabled arch/x86/include/asm/irqflags.h:130 [inline]
RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:113 [inline]
RIP: 0010:acpi_idle_do_entry drivers/acpi/processor_idle.c:572 [inline]
RIP: 0010:acpi_idle_enter+0x43d/0x800 drivers/acpi/processor_idle.c:709
Code: ff e8 a7 8d 38 f7 48 83 e3 08 44 8b 7c 24 04 0f 85 00 01 00 00 e8 33 4d 3f f7 66 90 e8 cc 88 38 f7 0f 00 2d f5 af c4 00 fb f4 <4c> 89 e3 48 c1 eb 03 42 80 3c 2b 00 74 08 4c 89 e7 e8 7d 64 8d f7
RSP: 0018:ffffffff8ca07b80 EFLAGS: 000002d3
RAX: ffffffff8a512d84 RBX: 0000000000000000 RCX: ffffffff8cabb7c0
RDX: 0000000000000000 RSI: ffffffff8aad68a0 RDI: ffffffff8b0ac540
RBP: ffffffff8ca07c30 R08: ffffffff8a512d69 R09: fffffbfff19576f9
R10: fffffbfff19576f9 R11: 1ffffffff19576f8 R12: ffffffff8ca07bc0
R13: dffffc0000000000 R14: ffff8880121c6800 R15: 0000000000000001
cpuidle_enter_state+0x50b/0xf50 drivers/cpuidle/cpuidle.c:239
cpuidle_enter+0x59/0x90 drivers/cpuidle/cpuidle.c:356
call_cpuidle kernel/sched/idle.c:155 [inline]
cpuidle_idle_call kernel/sched/idle.c:236 [inline]
do_idle+0x3da/0x680 kernel/sched/idle.c:303
cpu_startup_entry+0x15/0x20 kernel/sched/idle.c:400
rest_init+0x24f/0x270 init/main.c:729
arch_call_rest_init+0xa/0xa init/main.c:890
start_kernel+0x4b6/0x565 init/main.c:1145
secondary_startup_64_no_verify+0xcf/0xdb
</TASK>
================================================================================
----------------
Code disassembly (best guess), 1 bytes skipped:
0: e8 a7 8d 38 f7 callq 0xf7388dac
5: 48 83 e3 08 and $0x8,%rbx
9: 44 8b 7c 24 04 mov 0x4(%rsp),%r15d
e: 0f 85 00 01 00 00 jne 0x114
14: e8 33 4d 3f f7 callq 0xf73f4d4c
19: 66 90 xchg %ax,%ax
1b: e8 cc 88 38 f7 callq 0xf73888ec
20: 0f 00 2d f5 af c4 00 verw 0xc4aff5(%rip) # 0xc4b01c
27: fb sti
28: f4 hlt
* 29: 4c 89 e3 mov %r12,%rbx <-- trapping instruction
2c: 48 c1 eb 03 shr $0x3,%rbx
30: 42 80 3c 2b 00 cmpb $0x0,(%rbx,%r13,1)
35: 74 08 je 0x3f
37: 4c 89 e7 mov %r12,%rdi
3a: e8 7d 64 8d f7 callq 0xf78d64bc
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
Reply all
Reply to author
Forward
0 new messages