KASAN: slab-out-of-bounds Read in hidinput_hid_event
9 views
Skip to first unread message
syzbot
Dec 18, 2019, 9:45:14 AM12/18/19
to andre...@google.com, benjamin....@redhat.com, ji...@kernel.org, linux...@vger.kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, ryd...@bitmath.org, syzkall...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: d533c992 usb: core: kcov: collect coverage from usb comple..
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=11e440aee00000
kernel config: https://syzkaller.appspot.com/x/.config?x=743b91162e9f9496
dashboard link: https://syzkaller.appspot.com/bug?extid=00eaa791c74b27f5e7b1
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1445d9fae00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12557049e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+00eaa7...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in test_bit
include/asm-generic/bitops/instrumented-non-atomic.h:110 [inline]
BUG: KASAN: slab-out-of-bounds in hidinput_hid_event+0x1111/0x15d3
drivers/hid/hid-input.c:1381
Read of size 8 at addr ffff8881cf4d2cd0 by task swapper/1/0
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.5.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xef/0x16e lib/dump_stack.c:118
print_address_description.constprop.0+0x16/0x200 mm/kasan/report.c:374
__kasan_report.cold+0x37/0x7f mm/kasan/report.c:506
kasan_report+0xe/0x20 mm/kasan/common.c:639
check_memory_region_inline mm/kasan/generic.c:185 [inline]
check_memory_region+0x152/0x1c0 mm/kasan/generic.c:192
test_bit include/asm-generic/bitops/instrumented-non-atomic.h:110 [inline]
hidinput_hid_event+0x1111/0x15d3 drivers/hid/hid-input.c:1381
hid_process_event+0x4a0/0x580 drivers/hid/hid-core.c:1506
hid_input_field drivers/hid/hid-core.c:1550 [inline]
hid_report_raw_event+0xabb/0xed0 drivers/hid/hid-core.c:1757
hid_input_report+0x315/0x3f0 drivers/hid/hid-core.c:1824
hid_irq_in+0x50e/0x690 drivers/hid/usbhid/hid-core.c:284
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following crash on:
HEAD commit: d533c992 usb: core: kcov: collect coverage from usb comple..
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=11e440aee00000
kernel config: https://syzkaller.appspot.com/x/.config?x=743b91162e9f9496
dashboard link: https://syzkaller.appspot.com/bug?extid=00eaa791c74b27f5e7b1
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1445d9fae00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12557049e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+00eaa7...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in test_bit
include/asm-generic/bitops/instrumented-non-atomic.h:110 [inline]
BUG: KASAN: slab-out-of-bounds in hidinput_hid_event+0x1111/0x15d3
drivers/hid/hid-input.c:1381
Read of size 8 at addr ffff8881cf4d2cd0 by task swapper/1/0
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.5.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xef/0x16e lib/dump_stack.c:118
print_address_description.constprop.0+0x16/0x200 mm/kasan/report.c:374
__kasan_report.cold+0x37/0x7f mm/kasan/report.c:506
kasan_report+0xe/0x20 mm/kasan/common.c:639
check_memory_region_inline mm/kasan/generic.c:185 [inline]
check_memory_region+0x152/0x1c0 mm/kasan/generic.c:192
test_bit include/asm-generic/bitops/instrumented-non-atomic.h:110 [inline]
hidinput_hid_event+0x1111/0x15d3 drivers/hid/hid-input.c:1381
hid_process_event+0x4a0/0x580 drivers/hid/hid-core.c:1506
hid_input_field drivers/hid/hid-core.c:1550 [inline]
hid_report_raw_event+0xabb/0xed0 drivers/hid/hid-core.c:1757
hid_input_report+0x315/0x3f0 drivers/hid/hid-core.c:1824
hid_irq_in+0x50e/0x690 drivers/hid/usbhid/hid-core.c:284
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
Andrey Konovalov
Jun 18, 2020, 8:10:42 AM6/18/20
to syzbot, Benjamin Tissoires, Jiri Kosina, open list:HID CORE LAYER, LKML, USB list, Henrik Rydberg, syzkaller-bugs
Reply all
Reply to author
Forward
0 new messages