KASAN: slab-out-of-bounds Read in hfa384x_usbin_callback
28 views
Skip to first unread message
syzbot
Mar 20, 2020, 3:28:12 PM3/20/20
to andre...@google.com, de...@driverdev.osuosl.org, gre...@linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, nishkad...@gmail.com, syzkall...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=11d74573e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15fa561de00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15d74573e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+7d42d6...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:381 [inline]
BUG: KASAN: slab-out-of-bounds in skb_put_data include/linux/skbuff.h:2284 [inline]
BUG: KASAN: slab-out-of-bounds in hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
BUG: KASAN: slab-out-of-bounds in hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
BUG: KASAN: slab-out-of-bounds in hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
Read of size 19671 at addr ffff8881d226413c by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xef/0x16e lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
__kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
kasan_report+0xe/0x20 mm/kasan/common.c:641
check_memory_region_inline mm/kasan/generic.c:185 [inline]
check_memory_region+0x152/0x1c0 mm/kasan/generic.c:192
memcpy+0x20/0x50 mm/kasan/common.c:127
memcpy include/linux/string.h:381 [inline]
skb_put_data include/linux/skbuff.h:2284 [inline]
hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
__usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
__do_softirq+0x21e/0x950 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x178/0x1a0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:546 [inline]
smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
</IRQ>
RIP: 0010:default_idle+0x28/0x300 arch/x86/kernel/process.c:696
Code: cc cc 41 56 41 55 65 44 8b 2d 44 77 72 7a 41 54 55 53 0f 1f 44 00 00 e8 b6 62 b5 fb e9 07 00 00 00 0f 00 2d ea 0c 53 00 fb f4 <65> 44 8b 2d 20 77 72 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
RSP: 0018:ffffffff87007d80 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: ffffffff8702cc40 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffffff8702d48c
RBP: fffffbfff0e05988 R08: ffffffff8702cc40 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: ffffffff87e607c0 R15: 0000000000000000
cpuidle_idle_call kernel/sched/idle.c:154 [inline]
do_idle+0x3e0/0x500 kernel/sched/idle.c:269
cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:361
start_kernel+0xe16/0xe5a init/main.c:998
secondary_startup_64+0xb6/0xc0 arch/x86/kernel/head_64.S:242
The buggy address belongs to the page:
page:ffffea0007489800 refcount:32744 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
flags: 0x200000000010000(head)
raw: 0200000000010000 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00007fe8ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881d2268000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8881d2268080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881d2268100: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
^
ffff8881d2268180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8881d2268200: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following crash on:
HEAD commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=11d74573e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15fa561de00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15d74573e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+7d42d6...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:381 [inline]
BUG: KASAN: slab-out-of-bounds in skb_put_data include/linux/skbuff.h:2284 [inline]
BUG: KASAN: slab-out-of-bounds in hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
BUG: KASAN: slab-out-of-bounds in hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
BUG: KASAN: slab-out-of-bounds in hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
Read of size 19671 at addr ffff8881d226413c by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xef/0x16e lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
__kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
kasan_report+0xe/0x20 mm/kasan/common.c:641
check_memory_region_inline mm/kasan/generic.c:185 [inline]
check_memory_region+0x152/0x1c0 mm/kasan/generic.c:192
memcpy+0x20/0x50 mm/kasan/common.c:127
memcpy include/linux/string.h:381 [inline]
skb_put_data include/linux/skbuff.h:2284 [inline]
hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
__usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
__do_softirq+0x21e/0x950 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x178/0x1a0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:546 [inline]
smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
</IRQ>
RIP: 0010:default_idle+0x28/0x300 arch/x86/kernel/process.c:696
Code: cc cc 41 56 41 55 65 44 8b 2d 44 77 72 7a 41 54 55 53 0f 1f 44 00 00 e8 b6 62 b5 fb e9 07 00 00 00 0f 00 2d ea 0c 53 00 fb f4 <65> 44 8b 2d 20 77 72 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
RSP: 0018:ffffffff87007d80 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: ffffffff8702cc40 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffffff8702d48c
RBP: fffffbfff0e05988 R08: ffffffff8702cc40 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: ffffffff87e607c0 R15: 0000000000000000
cpuidle_idle_call kernel/sched/idle.c:154 [inline]
do_idle+0x3e0/0x500 kernel/sched/idle.c:269
cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:361
start_kernel+0xe16/0xe5a init/main.c:998
secondary_startup_64+0xb6/0xc0 arch/x86/kernel/head_64.S:242
The buggy address belongs to the page:
page:ffffea0007489800 refcount:32744 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
flags: 0x200000000010000(head)
raw: 0200000000010000 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00007fe8ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881d2268000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8881d2268080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881d2268100: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
^
ffff8881d2268180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8881d2268200: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
Qiujun Huang
Mar 25, 2020, 4:46:09 AM3/25/20
to syzbot, Andrey Konovalov, de...@driverdev.osuosl.org, Greg KH, linux-...@vger.kernel.org, linu...@vger.kernel.org, nishkad...@gmail.com, syzkall...@googlegroups.com
syzbot
Mar 25, 2020, 4:58:04 AM3/25/20
to andre...@google.com, anen...@gmail.com, de...@driverdev.osuosl.org, gre...@linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, nishkad...@gmail.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer still triggered crash:
KASAN: use-after-free Read in hfa384x_usbin_callback
==================================================================
BUG: KASAN: use-after-free in memcpy include/linux/string.h:381 [inline]
BUG: KASAN: use-after-free in skb_put_data include/linux/skbuff.h:2284 [inline]
BUG: KASAN: use-after-free in hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
BUG: KASAN: use-after-free in hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
BUG: KASAN: use-after-free in hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
Read of size 19671 at addr ffff8881cda7b33c by task kworker/1:2/95
CPU: 1 PID: 95 Comm: kworker/1:2 Not tainted 5.6.0-rc5-syzkaller #0
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:85 [inline]
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x3b/0x40 kernel/locking/spinlock.c:191
Code: e8 2a e8 96 fb 48 89 ef e8 f2 c9 97 fb f6 c7 02 75 11 53 9d e8 16 50 b5 fb 65 ff 0d f7 bd 72 7a 5b 5d c3 e8 07 4e b5 fb 53 9d <eb> ed 0f 1f 00 55 48 89 fd 65 ff 05 dd bd 72 7a 45 31 c9 41 b8 01
RSP: 0018:ffff8881d56b6f40 EFLAGS: 00000293 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: 0000000000000293 RCX: 0000000000000006
RDX: 0000000000000000 RSI: ffff8881d56a88f0 RDI: ffff8881d56a884c
RBP: ffff8881c0c64b80 R08: ffff8881d56a8000 R09: fffffbfff1266e8f
R10: fffffbfff1266e8e R11: ffffffff89337477 R12: 0000000000000000
R13: ffff8881c0c64bb8 R14: ffff8881c0c64b80 R15: ffff8881c0c64bb8
hfa384x_usbctlx_submit+0x1cb/0x260 drivers/staging/wlan-ng/hfa384x_usb.c:3834
hfa384x_docmd drivers/staging/wlan-ng/hfa384x_usb.c:1233 [inline]
hfa384x_cmd_initialize+0x290/0x4f0 drivers/staging/wlan-ng/hfa384x_usb.c:846
hfa384x_drvr_start+0x1f1/0x480 drivers/staging/wlan-ng/hfa384x_usb.c:2380
prism2sta_ifstate+0x24e/0x510 drivers/staging/wlan-ng/prism2sta.c:471
prism2sta_probe_usb.cold+0x1c8/0x49e drivers/staging/wlan-ng/prism2usb.c:112
usb_probe_interface+0x310/0x800 drivers/usb/core/driver.c:374
really_probe+0x290/0xac0 drivers/base/dd.c:551
driver_probe_device+0x223/0x350 drivers/base/dd.c:724
__device_attach_driver+0x1d1/0x290 drivers/base/dd.c:831
bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:431
__device_attach+0x217/0x390 drivers/base/dd.c:897
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
device_add+0x1459/0x1bf0 drivers/base/core.c:2500
usb_set_configuration+0xe47/0x17d0 drivers/usb/core/message.c:2023
usb_generic_driver_probe+0x9d/0xe0 drivers/usb/core/generic.c:241
usb_probe_device+0xd9/0x230 drivers/usb/core/driver.c:272
really_probe+0x290/0xac0 drivers/base/dd.c:551
driver_probe_device+0x223/0x350 drivers/base/dd.c:724
__device_attach_driver+0x1d1/0x290 drivers/base/dd.c:831
bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:431
__device_attach+0x217/0x390 drivers/base/dd.c:897
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
device_add+0x1459/0x1bf0 drivers/base/core.c:2500
usb_new_device.cold+0x540/0xcd0 drivers/usb/core/hub.c:2548
hub_port_connect drivers/usb/core/hub.c:5195 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5335 [inline]
port_event drivers/usb/core/hub.c:5481 [inline]
hub_event+0x21cb/0x4300 drivers/usb/core/hub.c:5563
process_one_work+0x94b/0x1620 kernel/workqueue.c:2264
worker_thread+0x96/0xe20 kernel/workqueue.c:2410
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
The buggy address belongs to the page:
page:ffffea0007369e00 refcount:32737 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
ffff8881cda7ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881cda80000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881cda80080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881cda80100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
git tree: https://github.com/google/kasan.git
console output: https://syzkaller.appspot.com/x/log.txt?x=139ea05be00000
syzbot has tested the proposed patch but the reproducer still triggered crash:
KASAN: use-after-free Read in hfa384x_usbin_callback
==================================================================
BUG: KASAN: use-after-free in memcpy include/linux/string.h:381 [inline]
BUG: KASAN: use-after-free in skb_put_data include/linux/skbuff.h:2284 [inline]
BUG: KASAN: use-after-free in hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
BUG: KASAN: use-after-free in hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
BUG: KASAN: use-after-free in hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
Read of size 19671 at addr ffff8881cda7b33c by task kworker/1:2/95
CPU: 1 PID: 95 Comm: kworker/1:2 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x3b/0x40 kernel/locking/spinlock.c:191
Code: e8 2a e8 96 fb 48 89 ef e8 f2 c9 97 fb f6 c7 02 75 11 53 9d e8 16 50 b5 fb 65 ff 0d f7 bd 72 7a 5b 5d c3 e8 07 4e b5 fb 53 9d <eb> ed 0f 1f 00 55 48 89 fd 65 ff 05 dd bd 72 7a 45 31 c9 41 b8 01
RSP: 0018:ffff8881d56b6f40 EFLAGS: 00000293 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: 0000000000000293 RCX: 0000000000000006
RDX: 0000000000000000 RSI: ffff8881d56a88f0 RDI: ffff8881d56a884c
RBP: ffff8881c0c64b80 R08: ffff8881d56a8000 R09: fffffbfff1266e8f
R10: fffffbfff1266e8e R11: ffffffff89337477 R12: 0000000000000000
R13: ffff8881c0c64bb8 R14: ffff8881c0c64b80 R15: ffff8881c0c64bb8
hfa384x_usbctlx_submit+0x1cb/0x260 drivers/staging/wlan-ng/hfa384x_usb.c:3834
hfa384x_docmd drivers/staging/wlan-ng/hfa384x_usb.c:1233 [inline]
hfa384x_cmd_initialize+0x290/0x4f0 drivers/staging/wlan-ng/hfa384x_usb.c:846
hfa384x_drvr_start+0x1f1/0x480 drivers/staging/wlan-ng/hfa384x_usb.c:2380
prism2sta_ifstate+0x24e/0x510 drivers/staging/wlan-ng/prism2sta.c:471
prism2sta_probe_usb.cold+0x1c8/0x49e drivers/staging/wlan-ng/prism2usb.c:112
usb_probe_interface+0x310/0x800 drivers/usb/core/driver.c:374
really_probe+0x290/0xac0 drivers/base/dd.c:551
driver_probe_device+0x223/0x350 drivers/base/dd.c:724
__device_attach_driver+0x1d1/0x290 drivers/base/dd.c:831
bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:431
__device_attach+0x217/0x390 drivers/base/dd.c:897
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
device_add+0x1459/0x1bf0 drivers/base/core.c:2500
usb_set_configuration+0xe47/0x17d0 drivers/usb/core/message.c:2023
usb_generic_driver_probe+0x9d/0xe0 drivers/usb/core/generic.c:241
usb_probe_device+0xd9/0x230 drivers/usb/core/driver.c:272
really_probe+0x290/0xac0 drivers/base/dd.c:551
driver_probe_device+0x223/0x350 drivers/base/dd.c:724
__device_attach_driver+0x1d1/0x290 drivers/base/dd.c:831
bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:431
__device_attach+0x217/0x390 drivers/base/dd.c:897
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
device_add+0x1459/0x1bf0 drivers/base/core.c:2500
usb_new_device.cold+0x540/0xcd0 drivers/usb/core/hub.c:2548
hub_port_connect drivers/usb/core/hub.c:5195 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5335 [inline]
port_event drivers/usb/core/hub.c:5481 [inline]
hub_event+0x21cb/0x4300 drivers/usb/core/hub.c:5563
process_one_work+0x94b/0x1620 kernel/workqueue.c:2264
worker_thread+0x96/0xe20 kernel/workqueue.c:2410
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
The buggy address belongs to the page:
flags: 0x200000000010000(head)
raw: 0200000000010000 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00007fe1ffffffff 0000000000000000
raw: 0200000000010000 dead000000000100 dead000000000122 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881cda7ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Memory state around the buggy address:
ffff8881cda7ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881cda80000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881cda80080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881cda80100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
git tree: https://github.com/google/kasan.git
kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=16d52b19e00000
dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Hillf Danton
Mar 25, 2020, 9:13:26 AM3/25/20
to syzbot, andre...@google.com, anen...@gmail.com, de...@driverdev.osuosl.org, gre...@linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, nishkad...@gmail.com, syzkall...@googlegroups.com
On Wed, 25 Mar 2020 01:58:03 -0700
> syzbot has tested the proposed patch but the reproducer still triggered crash:
> KASAN: use-after-free Read in hfa384x_usbin_callback
>
> ==================================================================
> BUG: KASAN: use-after-free in memcpy include/linux/string.h:381 [inline]
> BUG: KASAN: use-after-free in skb_put_data include/linux/skbuff.h:2284 [inline]
> BUG: KASAN: use-after-free in hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
> BUG: KASAN: use-after-free in hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
> BUG: KASAN: use-after-free in hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
> Read of size 19671 at addr ffff8881cda7b33c by task kworker/1:2/95
>
> CPU: 1 PID: 95 Comm: kworker/1:2 Not tainted 5.6.0-rc5-syzkaller #0
> KASAN: use-after-free Read in hfa384x_usbin_callback
>
> ==================================================================
> BUG: KASAN: use-after-free in memcpy include/linux/string.h:381 [inline]
> BUG: KASAN: use-after-free in skb_put_data include/linux/skbuff.h:2284 [inline]
> BUG: KASAN: use-after-free in hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
> BUG: KASAN: use-after-free in hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
> BUG: KASAN: use-after-free in hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
> Read of size 19671 at addr ffff8881cda7b33c by task kworker/1:2/95
>
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Workqueue: usb_hub_wq hub_event
> The buggy address belongs to the page:
> page:ffffea0007369e00 refcount:32737 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
> flags: 0x200000000010000(head)
> raw: 0200000000010000 dead000000000100 dead000000000122 0000000000000000
> raw: 0000000000000000 0000000000000000 00007fe1ffffffff 0000000000000000
> raw: 0200000000010000 dead000000000100 dead000000000122 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
>
> Memory state around the buggy address:
> ffff8881cda7ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff8881cda7ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> >ffff8881cda80000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ^
> ffff8881cda80080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8881cda80100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================
>
>
> Tested on:
>
> ffff8881cda7ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> >ffff8881cda80000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ^
> ffff8881cda80080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8881cda80100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================
>
>
> Tested on:
>
> commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
> git tree: https://github.com/google/kasan.git
> console output: https://syzkaller.appspot.com/x/log.txt?x=139ea05be00000
> git tree: https://github.com/google/kasan.git
> kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
> dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> patch: https://syzkaller.appspot.com/x/patch.diff?x=16d52b19e00000
> dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Add a line of debug info.
--- a/drivers/staging/wlan-ng/hfa384x_usb.c
+++ b/drivers/staging/wlan-ng/hfa384x_usb.c
@@ -3374,6 +3374,11 @@ static void hfa384x_int_rxmonitor(struct
skblen - sizeof(struct p80211_caphdr));
}
+ if (datalen > WLAN_DATA_MAXLEN) {
+ pr_debug("%s datalen %u > WLAN_DATA_MAXLEN %u\n", __func__,
+ datalen, WLAN_DATA_MAXLEN);
+ return;
+ }
skb = dev_alloc_skb(skblen);
if (!skb)
return;
Andrey Konovalov
Mar 25, 2020, 9:29:25 AM3/25/20
to Hillf Danton, syzbot, anen...@gmail.com, de...@driverdev.osuosl.org, Greg Kroah-Hartman, LKML, USB list, nishkad...@gmail.com, syzkaller-bugs
You need to issue a syz test command if you want your patch to be
tested. See how Qiujun did it just above.
Thanks!
>
> --- a/drivers/staging/wlan-ng/hfa384x_usb.c
> +++ b/drivers/staging/wlan-ng/hfa384x_usb.c
> @@ -3374,6 +3374,11 @@ static void hfa384x_int_rxmonitor(struct
> skblen - sizeof(struct p80211_caphdr));
> }
>
> + if (datalen > WLAN_DATA_MAXLEN) {
> + pr_debug("%s datalen %u > WLAN_DATA_MAXLEN %u\n", __func__,
> + datalen, WLAN_DATA_MAXLEN);
> + return;
> + }
> skb = dev_alloc_skb(skblen);
> if (!skb)
> return;
>
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bug...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/20200325131309.12792-1-hdanton%40sina.com.
syzbot
Mar 25, 2020, 1:28:05 PM3/25/20
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer still triggered crash:
general protection fault in hfa384x_usbin_callback
[1] skb 0xffff8881d8d968c0. hfa384x_usbin_callback, 2939
[1] skb 0xffff8881d8d96a00. submit_rx_urb, 345
[1] skb 0xffff8881d8d968c0. hfa384x_usbin_callback, 3012
overlen frm: len=19675
general protection fault, probably for non-canonical address 0xdffffc000000099a: 0000 [#1] SMP KASAN
KASAN: probably user-memory-access in range [0x0000000000004cd0-0x0000000000004cd7]
CPU: 1 PID: 149 Comm: systemd-journal Not tainted 5.6.0-rc5-syzkaller #0
Code: 8d 34 07 29 ee e8 45 e1 b3 fb 48 3b 6c 24 10 74 3e e8 99 df b3 fb 48 89 df 48 83 c3 01 48 89 f8 48 89 fa 48 c1 e8 03 83 e2 07 <42> 0f b6 04 30 38 d0 7f 04 84 c0 75 71 44 0f b6 63 ff 31 ff 44 89
RSP: 0000:ffff8881db309648 EFLAGS: 00010002
RAX: 000000000000099a RBX: 0000000000004cd8 RCX: ffffffff858b75bf
RDX: 0000000000000007 RSI: ffffffff858b7647 RDI: 0000000000004cd7
RBP: ffffffff89663be4 R08: ffff8881d1e18000 R09: fffffbfff12cc77d
R10: fffffbfff12cc77c R11: ffffffff89663be3 R12: ffffffff89663f90
R13: 0000000000000000 R14: dffffc0000000000 R15: 00000000ffffffff
FS: 00007efcc57f08c0(0000) GS:ffff8881db300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f637d020d40 CR3: 00000001d27f7000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
string+0xe5/0xf0 lib/vsprintf.c:689
vsnprintf+0x7d3/0x14f0 lib/vsprintf.c:2574
vscnprintf+0x29/0x80 lib/vsprintf.c:2677
vprintk_store+0x40/0x4b0 kernel/printk/printk.c:1917
vprintk_emit+0xc8/0x3d0 kernel/printk/printk.c:1978
vprintk_func+0x75/0x113 kernel/printk/printk_safe.c:386
printk+0xba/0xed kernel/printk/printk.c:2056
hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3388 [inline]
hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3319 [inline]
hfa384x_usbin_callback+0x12e7/0x2120 drivers/staging/wlan-ng/hfa384x_usb.c:3032
Code: 40 0f b6 c6 48 89 fa f3 aa 48 89 d0 c3 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 48 39 d1 0f 82 f7 e0 fc ff 0f 1f 80 00 00 00 00 <c5> f9 6e c6 48 89 f8 c4 e2 7d 78 c0 48 83 fa 20 0f 82 a4 00 00 00
RSP: 002b:00007fffbf7840c8 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff13
RAX: 00007efcc55d5160 RBX: 0000555c32817258 RCX: 0000555c32817258
RDX: 0000000000000018 RSI: 0000000000000000 RDI: 0000555c32817258
RBP: 0000000000000001 R08: 0000000000000041 R09: 0000000000000018
R10: 0000000000000069 R11: 0000000000000246 R12: 0000000000000018
R13: 00000000fffffffe R14: 00007fffbf784400 R15: 0000555c32823de0
Modules linked in:
---[ end trace 7524412d0e9cfbaf ]---
RIP: 0010:string_nocheck+0x16b/0x220 lib/vsprintf.c:607
Code: 8d 34 07 29 ee e8 45 e1 b3 fb 48 3b 6c 24 10 74 3e e8 99 df b3 fb 48 89 df 48 83 c3 01 48 89 f8 48 89 fa 48 c1 e8 03 83 e2 07 <42> 0f b6 04 30 38 d0 7f 04 84 c0 75 71 44 0f b6 63 ff 31 ff 44 89
RSP: 0000:ffff8881db309648 EFLAGS: 00010002
RAX: 000000000000099a RBX: 0000000000004cd8 RCX: ffffffff858b75bf
RDX: 0000000000000007 RSI: ffffffff858b7647 RDI: 0000000000004cd7
RBP: ffffffff89663be4 R08: ffff8881d1e18000 R09: fffffbfff12cc77d
R10: fffffbfff12cc77c R11: ffffffff89663be3 R12: ffffffff89663f90
R13: 0000000000000000 R14: dffffc0000000000 R15: 00000000ffffffff
FS: 00007efcc57f08c0(0000) GS:ffff8881db300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f637d020d40 CR3: 00000001d27f7000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Tested on:
commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
git tree: https://github.com/google/kasan.git
console output: https://syzkaller.appspot.com/x/log.txt?x=14b92bf9e00000
syzbot has tested the proposed patch but the reproducer still triggered crash:
[1] skb 0xffff8881d8d968c0. hfa384x_usbin_callback, 2939
[1] skb 0xffff8881d8d96a00. submit_rx_urb, 345
[1] skb 0xffff8881d8d968c0. hfa384x_usbin_callback, 3012
overlen frm: len=19675
general protection fault, probably for non-canonical address 0xdffffc000000099a: 0000 [#1] SMP KASAN
KASAN: probably user-memory-access in range [0x0000000000004cd0-0x0000000000004cd7]
CPU: 1 PID: 149 Comm: systemd-journal Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:string_nocheck+0x16b/0x220 lib/vsprintf.c:607
Code: 8d 34 07 29 ee e8 45 e1 b3 fb 48 3b 6c 24 10 74 3e e8 99 df b3 fb 48 89 df 48 83 c3 01 48 89 f8 48 89 fa 48 c1 e8 03 83 e2 07 <42> 0f b6 04 30 38 d0 7f 04 84 c0 75 71 44 0f b6 63 ff 31 ff 44 89
RSP: 0000:ffff8881db309648 EFLAGS: 00010002
RAX: 000000000000099a RBX: 0000000000004cd8 RCX: ffffffff858b75bf
RDX: 0000000000000007 RSI: ffffffff858b7647 RDI: 0000000000004cd7
RBP: ffffffff89663be4 R08: ffff8881d1e18000 R09: fffffbfff12cc77d
R10: fffffbfff12cc77c R11: ffffffff89663be3 R12: ffffffff89663f90
R13: 0000000000000000 R14: dffffc0000000000 R15: 00000000ffffffff
FS: 00007efcc57f08c0(0000) GS:ffff8881db300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f637d020d40 CR3: 00000001d27f7000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
string+0xe5/0xf0 lib/vsprintf.c:689
vsnprintf+0x7d3/0x14f0 lib/vsprintf.c:2574
vscnprintf+0x29/0x80 lib/vsprintf.c:2677
vprintk_store+0x40/0x4b0 kernel/printk/printk.c:1917
vprintk_emit+0xc8/0x3d0 kernel/printk/printk.c:1978
vprintk_func+0x75/0x113 kernel/printk/printk_safe.c:386
printk+0xba/0xed kernel/printk/printk.c:2056
hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3388 [inline]
hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3319 [inline]
hfa384x_usbin_callback+0x12e7/0x2120 drivers/staging/wlan-ng/hfa384x_usb.c:3032
__usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
__do_softirq+0x21e/0x950 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x178/0x1a0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:546 [inline]
smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
</IRQ>
RIP: 0033:0x7efcc4afa470
usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
__do_softirq+0x21e/0x950 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x178/0x1a0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:546 [inline]
smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
</IRQ>
Code: 40 0f b6 c6 48 89 fa f3 aa 48 89 d0 c3 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 48 39 d1 0f 82 f7 e0 fc ff 0f 1f 80 00 00 00 00 <c5> f9 6e c6 48 89 f8 c4 e2 7d 78 c0 48 83 fa 20 0f 82 a4 00 00 00
RSP: 002b:00007fffbf7840c8 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff13
RAX: 00007efcc55d5160 RBX: 0000555c32817258 RCX: 0000555c32817258
RDX: 0000000000000018 RSI: 0000000000000000 RDI: 0000555c32817258
RBP: 0000000000000001 R08: 0000000000000041 R09: 0000000000000018
R10: 0000000000000069 R11: 0000000000000246 R12: 0000000000000018
R13: 00000000fffffffe R14: 00007fffbf784400 R15: 0000555c32823de0
Modules linked in:
---[ end trace 7524412d0e9cfbaf ]---
RIP: 0010:string_nocheck+0x16b/0x220 lib/vsprintf.c:607
Code: 8d 34 07 29 ee e8 45 e1 b3 fb 48 3b 6c 24 10 74 3e e8 99 df b3 fb 48 89 df 48 83 c3 01 48 89 f8 48 89 fa 48 c1 e8 03 83 e2 07 <42> 0f b6 04 30 38 d0 7f 04 84 c0 75 71 44 0f b6 63 ff 31 ff 44 89
RSP: 0000:ffff8881db309648 EFLAGS: 00010002
RAX: 000000000000099a RBX: 0000000000004cd8 RCX: ffffffff858b75bf
RDX: 0000000000000007 RSI: ffffffff858b7647 RDI: 0000000000004cd7
RBP: ffffffff89663be4 R08: ffff8881d1e18000 R09: fffffbfff12cc77d
R10: fffffbfff12cc77c R11: ffffffff89663be3 R12: ffffffff89663f90
R13: 0000000000000000 R14: dffffc0000000000 R15: 00000000ffffffff
FS: 00007efcc57f08c0(0000) GS:ffff8881db300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f637d020d40 CR3: 00000001d27f7000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Tested on:
commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
git tree: https://github.com/google/kasan.git
kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=1578c719e00000
dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syzbot
Mar 25, 2020, 8:52:05 PM3/25/20
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer still triggered crash:
KASAN: use-after-free Read in skb_put_data
syzbot has tested the proposed patch but the reproducer still triggered crash:
[0] skb 0xffff8881d13fe000 datalen 19671. hfa384x_int_rxmonitor, 3388
==================================================================
BUG: KASAN: use-after-free in memcpy include/linux/string.h:381 [inline]
BUG: KASAN: use-after-free in skb_put_data+0x28/0x30 include/linux/skbuff.h:2284
BUG: KASAN: use-after-free in memcpy include/linux/string.h:381 [inline]
Read of size 19671 at addr ffff8881c3fc653c by task systemd-udevd/154
CPU: 0 PID: 154 Comm: systemd-udevd Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xef/0x16e lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
__kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
kasan_report+0xe/0x20 mm/kasan/common.c:641
check_memory_region_inline mm/kasan/generic.c:185 [inline]
check_memory_region+0x152/0x1c0 mm/kasan/generic.c:192
memcpy+0x20/0x50 mm/kasan/common.c:127
memcpy include/linux/string.h:381 [inline]
skb_put_data+0x28/0x30 include/linux/skbuff.h:2284
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xef/0x16e lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
__kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
kasan_report+0xe/0x20 mm/kasan/common.c:641
check_memory_region_inline mm/kasan/generic.c:185 [inline]
check_memory_region+0x152/0x1c0 mm/kasan/generic.c:192
memcpy+0x20/0x50 mm/kasan/common.c:127
memcpy include/linux/string.h:381 [inline]
hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3421 [inline]
hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3319 [inline]
hfa384x_usbin_callback+0x1426/0x2120 drivers/staging/wlan-ng/hfa384x_usb.c:3032
__usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
__do_softirq+0x21e/0x950 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x178/0x1a0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:546 [inline]
smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
</IRQ>
RIP: 0010:_raw_spin_unlock_irq+0x27/0x30 kernel/locking/spinlock.c:200
usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
__do_softirq+0x21e/0x950 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x178/0x1a0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:546 [inline]
smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
</IRQ>
Code: 44 00 00 55 48 8b 74 24 08 48 89 fd 48 8d 7f 18 e8 5e e8 96 fb 48 89 ef e8 26 ca 97 fb e8 51 4e b5 fb fb 65 ff 0d 31 be 72 7a <5d> c3 0f 1f 80 00 00 00 00 55 48 89 fd 48 83 c7 18 53 48 89 f3 48
RSP: 0018:ffff8881cf4bf930 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: ffffffff8712d1e0 RCX: 0000000000000006
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881d12851cc
RBP: ffffffff871e1fe0 R08: ffff8881d1284980 R09: fffffbfff1266e92
R10: fffffbfff1266e91 R11: ffffffff8933748f R12: 0000000000000000
R13: dffffc0000000000 R14: 1ffff11039f55d09 R15: ffff8881cccdc400
spin_unlock_irq include/linux/spinlock.h:388 [inline]
kernfs_get_open_node fs/kernfs/file.c:562 [inline]
kernfs_fop_open+0x90a/0xdb0 fs/kernfs/file.c:717
do_dentry_open+0x494/0x1120 fs/open.c:797
do_last fs/namei.c:3490 [inline]
path_openat+0x1222/0x32a0 fs/namei.c:3607
do_filp_open+0x192/0x260 fs/namei.c:3637
do_sys_openat2+0x54c/0x740 fs/open.c:1149
do_sys_open+0xc3/0x140 fs/open.c:1165
do_syscall_64+0xb6/0x5a0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f1ded2ee6f0
Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 83 3d 19 30 2c 00 00 75 10 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 fe 9d 01 00 48 89 04 24
RSP: 002b:00007ffecce20548 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 0000558f33095dc0 RCX: 00007f1ded2ee6f0
RDX: 00000000000001b6 RSI: 0000000000080000 RDI: 0000558f33081050
RBP: 0000000000000008 R08: 0000000000000008 R09: 0000000000000001
R10: 0000000000080000 R11: 0000000000000246 R12: 0000558f318c068a
R13: 0000000000000001 R14: 0000558f33080650 R15: 0000000000000001
The buggy address belongs to the page:
flags: 0x200000000010000(head)
raw: 0200000000010000 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00007ffaffffffff 0000000000000000
raw: 0200000000010000 dead000000000100 dead000000000122 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881c3fc7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Memory state around the buggy address:
ffff8881c3fc7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881c3fc8000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881c3fc8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881c3fc8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
git tree: https://github.com/google/kasan.git
kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=11c76b91e00000
dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syzbot
Mar 25, 2020, 10:43:03 PM3/25/20
to andre...@google.com, anen...@gmail.com, de...@driverdev.osuosl.org, gre...@linuxfoundation.org, hda...@sina.com, linux-...@vger.kernel.org, linu...@vger.kernel.org, nishkad...@gmail.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger crash:
Reported-and-tested-by: syzbot+7d42d6...@syzkaller.appspotmail.com
Tested on:
commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
git tree: https://github.com/google/kasan.git
Note: testing is done by a robot and is best-effort only.
syzbot has tested the proposed patch and the reproducer did not trigger crash:
Reported-and-tested-by: syzbot+7d42d6...@syzkaller.appspotmail.com
Tested on:
commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
git tree: https://github.com/google/kasan.git
kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=1406d1d3e00000
dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Note: testing is done by a robot and is best-effort only.
Hillf Danton
Mar 26, 2020, 12:09:13 AM3/26/20
to Qiujun Huang, syzbot, Andrey Konovalov, de...@driverdev.osuosl.org, Greg KH, linux-...@vger.kernel.org, linu...@vger.kernel.org, nishkad...@gmail.com, syzkall...@googlegroups.com
On Thu, Mar 26, 2020 at 10:24 AM Qiujun Huang wrote:
>
>#syz test: https://github.com/google/kasan.git e17994d1
>
>forgot to trigger:(
>
Care to take a look at
in spare cycle?
Thanks
Hillf
Oliver Neukum
May 5, 2020, 7:56:20 AM5/5/20
to syzbot, andre...@google.com, de...@driverdev.osuosl.org, gre...@linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, nishkad...@gmail.com, syzkall...@googlegroups.com
Am Freitag, den 20.03.2020, 12:28 -0700 schrieb syzbot:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
> git tree: https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=11d74573e00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
> dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15fa561de00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15d74573e00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+7d42d6...@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:381 [inline]
> BUG: KASAN: slab-out-of-bounds in skb_put_data include/linux/skbuff.h:2284 [inline]
> BUG: KASAN: slab-out-of-bounds in hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
> BUG: KASAN: slab-out-of-bounds in hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
> BUG: KASAN: slab-out-of-bounds in hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
> Read of size 19671 at addr ffff8881d226413c by task swapper/0/0
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
> git tree: https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=11d74573e00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
> dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15fa561de00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15d74573e00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+7d42d6...@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:381 [inline]
> BUG: KASAN: slab-out-of-bounds in skb_put_data include/linux/skbuff.h:2284 [inline]
> BUG: KASAN: slab-out-of-bounds in hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
> BUG: KASAN: slab-out-of-bounds in hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
> BUG: KASAN: slab-out-of-bounds in hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
> Read of size 19671 at addr ffff8881d226413c by task swapper/0/0
Oliver Neukum
May 5, 2020, 9:45:05 AM5/5/20
to syzbot, andre...@google.com, de...@driverdev.osuosl.org, syzkall...@googlegroups.com, one...@suse.com
Am Freitag, den 20.03.2020, 12:28 -0700 schrieb syzbot:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
> git tree: https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=11d74573e00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
> dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15fa561de00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15d74573e00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+7d42d6...@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:381 [inline]
> BUG: KASAN: slab-out-of-bounds in skb_put_data include/linux/skbuff.h:2284 [inline]
> BUG: KASAN: slab-out-of-bounds in hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
> BUG: KASAN: slab-out-of-bounds in hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
> BUG: KASAN: slab-out-of-bounds in hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
> Read of size 19671 at addr ffff8881d226413c by task swapper/0/0
>
> syzbot found the following crash on:
>
> HEAD commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
> git tree: https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=11d74573e00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
> dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15fa561de00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15d74573e00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+7d42d6...@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:381 [inline]
> BUG: KASAN: slab-out-of-bounds in skb_put_data include/linux/skbuff.h:2284 [inline]
> BUG: KASAN: slab-out-of-bounds in hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
> BUG: KASAN: slab-out-of-bounds in hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
> BUG: KASAN: slab-out-of-bounds in hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
> Read of size 19671 at addr ffff8881d226413c by task swapper/0/0
Oliver Neukum
May 6, 2020, 4:54:19 AM5/6/20
to syzbot, andre...@google.com, de...@driverdev.osuosl.org, gre...@linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, nishkad...@gmail.com, syzkall...@googlegroups.com
Am Freitag, den 20.03.2020, 12:28 -0700 schrieb syzbot:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
> git tree: https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=11d74573e00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
> dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15fa561de00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15d74573e00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+7d42d6...@syzkaller.appspotmail.com
>
Hi,
>
> syzbot found the following crash on:
>
> HEAD commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
> git tree: https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=11d74573e00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
> dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15fa561de00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15d74573e00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+7d42d6...@syzkaller.appspotmail.com
>
is this bug still active and can a test be run on it? I requested one
yesterday. If my analysis is correct this bug has security
implications, so it is kind of important.
Regards
Oliver
Andrey Konovalov
May 6, 2020, 7:51:04 AM5/6/20
to Oliver Neukum, syzbot, de...@driverdev.osuosl.org, Greg Kroah-Hartman, LKML, USB list, nishkad...@gmail.com, syzkaller-bugs
completed, but for some reason syzbot didn't send an email with a
response.
Let me try this once again:
Andrey Konovalov
May 7, 2020, 11:56:49 AM5/7/20
to Oliver Neukum, Dmitry Vyukov, syzbot, de...@driverdev.osuosl.org, Greg Kroah-Hartman, LKML, USB list, nishkad...@gmail.com, syzkaller-bugs
Dmitry Vyukov
May 8, 2020, 5:33:25 AM5/8/20
to Andrey Konovalov, syzkaller, Oliver Neukum, syzbot, open list:ANDROID DRIVERS, Greg Kroah-Hartman, LKML, USB list, nishkad...@gmail.com, syzkaller-bugs
fixed (has a fixing commit).
...right, it was broken by:
https://github.com/google/syzkaller/commit/f8368f999a1964df6d39a225cd3f5ab3942dd755
and we lack a test for this scenario. It was supposed to only disable
mailing of bisection jobs.
Dmitry Vyukov
May 8, 2020, 6:31:49 AM5/8/20
to Andrey Konovalov, syzkaller, Oliver Neukum, syzbot, open list:ANDROID DRIVERS, Greg Kroah-Hartman, LKML, USB list, nishkad...@gmail.com, syzkaller-bugs
and added a test to fix this behavior for future.
Thanks for the report.
Dmitry Vyukov
May 8, 2020, 9:51:15 AM5/8/20
to Andrey Konovalov, syzkaller, Oliver Neukum, syzbot, open list:ANDROID DRIVERS, Greg Kroah-Hartman, LKML, USB list, nishkad...@gmail.com, syzkaller-bugs
page for better transparency, see e.g. for this bug:
https://syzkaller.appspot.com/bug?id=093ce698cf84160a66868dcac5394e105342f8c5#jobs
FTR, implemented in:
https://github.com/google/syzkaller/commit/e97b06d3cef9296e9d0e827c42bccdd36b555986
Reply all
Reply to author
Forward
0 new messages