usb 1-1: new high-speed USB device number 2 using dummy_hcd
usb 1-1: Using ep0 maxpacket: 8
usb 1-1: New USB device found, idVendor=12d1, idProduct=14f1,
bcdDevice=d4.d9
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
usb 1-1: config 0 descriptor??
==================================================================
BUG: KASAN: global-out-of-bounds in qmi_wwan_probe+0x342/0x360
drivers/net/usb/qmi_wwan.c:1417
Read of size 8 at addr ffffffff8618c140 by task kworker/1:1/22
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
You do not have permission to delete messages in this group
Copy link
Report message
Sign in to report message
Show original message
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to Kristian Evensen, syzbot, andre...@google.com, da...@davemloft.net, linux-...@vger.kernel.org, linu...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
Hello Kristian!
I need some help understanding this... IIUC syzbot is claiming an
out-of-bounds access at line 1417 in v5.2-rc5. Or whatever - I'm having
a hard time deciphering what kernel version the bot is actually
testing. The claimed HEAD is not a kernel commit. At least not in my
kernel...
But if this is correct, then it points to the info->data access you
recently added:
822e44b45eb99 (Kristian Evensen 2019-03-02 13:32:26 +0100 1409) /* Several Quectel modems supports dynamic interface configuration, so
7c5cca3588545 (Kristian Evensen 2018-09-08 13:50:48 +0200 1410) * we need to match on class/subclass/protocol. These values are
7c5cca3588545 (Kristian Evensen 2018-09-08 13:50:48 +0200 1411) * identical for the diagnostic- and QMI-interface, but bNumEndpoints is
7c5cca3588545 (Kristian Evensen 2018-09-08 13:50:48 +0200 1412) * different. Ignore the current interface if the number of endpoints
e4bf63482c309 (Kristian Evensen 2019-04-07 15:39:09 +0200 1413) * equals the number for the diag interface (two).
7c5cca3588545 (Kristian Evensen 2018-09-08 13:50:48 +0200 1414) */
e4bf63482c309 (Kristian Evensen 2019-04-07 15:39:09 +0200 1415) info = (void *)&id->driver_info;
e4bf63482c309 (Kristian Evensen 2019-04-07 15:39:09 +0200 1416)
e4bf63482c309 (Kristian Evensen 2019-04-07 15:39:09 +0200 1417) if (info->data & QMI_WWAN_QUIRK_QUECTEL_DYNCFG) {
e4bf63482c309 (Kristian Evensen 2019-04-07 15:39:09 +0200 1418) if (desc->bNumEndpoints == 2)
e4bf63482c309 (Kristian Evensen 2019-04-07 15:39:09 +0200 1419) return -ENODEV;
e4bf63482c309 (Kristian Evensen 2019-04-07 15:39:09 +0200 1420) }
I must be blind. I cannot see how this could end up failing.
id->driver_info is always set to one of qmi_wwan_info,
qmi_wwan_info_quirk_dtr or qmi_wwan_info_quirk_quectel_dyncfg at this
point. How does that end up out-of-bounds?
Bjørn
Andrey Konovalov
unread,
Jun 24, 2019, 11:29:39 AM6/24/19
Reply to author
Sign in to reply to author
Forward
Sign in to forward
Delete
You do not have permission to delete messages in this group
Copy link
Report message
Sign in to report message
Show original message
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to Bjørn Mork, Kristian Evensen, syzbot, David S. Miller, LKML, USB list, netdev, syzkaller-bugs
>
>
> But if this is correct, then it points to the info->data access you
> recently added:
>
> 822e44b45eb99 (Kristian Evensen 2019-03-02 13:32:26 +0100 1409) /* Several Quectel modems supports dynamic interface configuration, so
> 7c5cca3588545 (Kristian Evensen 2018-09-08 13:50:48 +0200 1410) * we need to match on class/subclass/protocol. These values are
> 7c5cca3588545 (Kristian Evensen 2018-09-08 13:50:48 +0200 1411) * identical for the diagnostic- and QMI-interface, but bNumEndpoints is
> 7c5cca3588545 (Kristian Evensen 2018-09-08 13:50:48 +0200 1412) * different. Ignore the current interface if the number of endpoints
> e4bf63482c309 (Kristian Evensen 2019-04-07 15:39:09 +0200 1413) * equals the number for the diag interface (two).
> 7c5cca3588545 (Kristian Evensen 2018-09-08 13:50:48 +0200 1414) */
> e4bf63482c309 (Kristian Evensen 2019-04-07 15:39:09 +0200 1415) info = (void *)&id->driver_info;
> e4bf63482c309 (Kristian Evensen 2019-04-07 15:39:09 +0200 1416)
> e4bf63482c309 (Kristian Evensen 2019-04-07 15:39:09 +0200 1417) if (info->data & QMI_WWAN_QUIRK_QUECTEL_DYNCFG) {
> e4bf63482c309 (Kristian Evensen 2019-04-07 15:39:09 +0200 1418) if (desc->bNumEndpoints == 2)
> e4bf63482c309 (Kristian Evensen 2019-04-07 15:39:09 +0200 1419) return -ENODEV;
> e4bf63482c309 (Kristian Evensen 2019-04-07 15:39:09 +0200 1420) }
>
>
> I must be blind. I cannot see how this could end up failing.
> id->driver_info is always set to one of qmi_wwan_info,
> qmi_wwan_info_quirk_dtr or qmi_wwan_info_quirk_quectel_dyncfg at this
> point. How does that end up out-of-bounds?
I've run the reproducer locally and checked the addresses. The
structures that you mentioned are at:
And the bad access for me happens on address 0xffffffff85d32ce0, so it
seems that driver_info somehow ended up lying below
qmi_wwan_info_quirk_quectel_dyncfg.
You do not have permission to delete messages in this group
Copy link
Report message
Sign in to report message
Show original message
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to Bjørn Mork, Hillf Danton, syzbot, andre...@google.com, David Miller, linux-...@vger.kernel.org, linu...@vger.kernel.org, Network Development, syzkall...@googlegroups.com
Hi,
On Mon, Jun 24, 2019 at 6:26 PM Bjørn Mork <bj...@mork.no> wrote:
> Doh! Right you are. Thanks to both you and Andrey for quick and good
> help.
>
> We obviously have some bad code patterns here, since this apparently
> worked for Kristian by pure luck.
Thanks a lot to everyone for spotting and fixing my mistake, and sorry
for not replying earlier. The patch from Bjørn is probably a candidate
for stable as well. I don't remember exactly when the quirk was
accepted in the kernel, but I recently submitted and got the quirk
accepted into 4.14.