Andrey Konovalov
Sep 27, 2017, 10:36:12 AM
to Johan Hovold, Greg Kroah-Hartman, USB list, LKML, Dmitry Vyukov, Kostya Serebryany, syzkaller
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit e19b205be43d11bff638cad4487008c48d21c103 (4.14-rc2).
gadgetfs: bound to dummy_udc driver
usb 1-1: new full-speed USB device number 2 using dummy_hcd
gadgetfs: connected
gadgetfs: disconnected
gadgetfs: connected
usb 1-1: config 4 has an invalid interface number: 1 but max is 0
usb 1-1: config 4 has an invalid interface number: 153 but max is 0
usb 1-1: config 4 has 2 interfaces, different from the descriptor's value: 1
usb 1-1: config 4 has no interface number 0
usb 1-1: config 4 interface 1 altsetting 255 has an invalid endpoint with address 0x0, skipping
usb 1-1: config 4 interface 1 altsetting 255 has an invalid endpoint with address 0xFF, skipping
usb 1-1: config 4 interface 1 altsetting 255 has an invalid endpoint with address 0x56, skipping
usb 1-1: too many endpoints for config 4 interface 153 altsetting 67: 174, using maximum allowed: 30
usb 1-1: config 4 interface 153 altsetting 67 has 0 endpoint descriptors, different from the interface descriptor's value: 174
usb 1-1: config 4 interface 1 has no altsetting 0
usb 1-1: config 4 interface 153 has no altsetting 0
usb 1-1: New USB device found, idVendor=1199, idProduct=6832
usb 1-1: New USB device strings: Mfr=4, Product=20, SerialNumber=3
usb 1-1: Product: a
usb 1-1: Manufacturer: a
usb 1-1: SerialNumber: a
gadgetfs: configuration #4
sierra 1-1:4.1: Sierra USB modem converter detected
usb 1-1: Sierra USB modem converter now attached to ttyUSB0
sierra 1-1:4.153: Sierra USB modem converter detected
gadgetfs: disconnected
usb 1-1: USB disconnect, device number 2
sierra ttyUSB0: Sierra USB modem converter now disconnected from ttyUSB0
sierra 1-1:4.1: device disconnected
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x4504/0x4550
Read of size 8 at addr ffff8800674df790 by task kworker/1:2/1846
CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted
4.14.0-rc2-42660-g24b7bd59eec0 #277
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
__dump_stack lib/dump_stack.c:16
dump_stack+0x292/0x395 lib/dump_stack.c:52
print_address_description+0x78/0x280 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351
kasan_report+0x23d/0x350 mm/kasan/report.c:409
__asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
__lock_acquire+0x4504/0x4550 kernel/locking/lockdep.c:3376
lock_acquire+0x259/0x620 kernel/locking/lockdep.c:4002
__mutex_lock_common kernel/locking/mutex.c:756
__mutex_lock+0x18e/0x1a50 kernel/locking/mutex.c:893
mutex_lock_nested+0x1b/0x20 kernel/locking/mutex.c:908
usb_serial_disconnect+0x69/0x2e0 drivers/usb/serial/usb-serial.c:1084
usb_unbind_interface+0x21c/0xa90 drivers/usb/core/driver.c:423
__device_release_driver drivers/base/dd.c:861
device_release_driver_internal+0x4f4/0x5c0 drivers/base/dd.c:893
device_release_driver+0x1e/0x30 drivers/base/dd.c:918
bus_remove_device+0x2f4/0x4b0 drivers/base/bus.c:565
device_del+0x5c4/0xab0 drivers/base/core.c:1985
usb_disable_device+0x1e9/0x680 drivers/usb/core/message.c:1170
usb_disconnect+0x260/0x7a0 drivers/usb/core/hub.c:2124
hub_port_connect drivers/usb/core/hub.c:4754
hub_port_connect_change drivers/usb/core/hub.c:5009
port_event drivers/usb/core/hub.c:5115
hub_event+0x1318/0x3740 drivers/usb/core/hub.c:5195
process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
worker_thread+0x221/0x1850 kernel/workqueue.c:2253
kthread+0x3a1/0x470 kernel/kthread.c:231
ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
Allocated by task 1846:
save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
kmem_cache_alloc_trace+0x11e/0x2d0 mm/slub.c:2772
kmalloc ./include/linux/slab.h:493
kzalloc ./include/linux/slab.h:666
create_serial drivers/usb/serial/usb-serial.c:605
usb_serial_probe+0x36f/0x4090 drivers/usb/serial/usb-serial.c:892
usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
really_probe drivers/base/dd.c:413
driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
device_add+0xd0b/0x1660 drivers/base/core.c:1835
usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
really_probe drivers/base/dd.c:413
driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
device_add+0xd0b/0x1660 drivers/base/core.c:1835
usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
hub_port_connect drivers/usb/core/hub.c:4903
hub_port_connect_change drivers/usb/core/hub.c:5009
port_event drivers/usb/core/hub.c:5115
hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
worker_thread+0x221/0x1850 kernel/workqueue.c:2253
kthread+0x3a1/0x470 kernel/kthread.c:231
ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
Freed by task 1846:
save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459
kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524
slab_free_hook mm/slub.c:1390
slab_free_freelist_hook mm/slub.c:1412
slab_free mm/slub.c:2988
kfree+0xf6/0x2f0 mm/slub.c:3919
destroy_serial drivers/usb/serial/usb-serial.c:153
kref_put ./include/linux/kref.h:70
usb_serial_put+0x218/0x430 drivers/usb/serial/usb-serial.c:158
usb_serial_console_disconnect+0xb2/0xd0 drivers/usb/serial/console.c:270
usb_serial_disconnect+0x5f/0x2e0 drivers/usb/serial/usb-serial.c:1082
usb_unbind_interface+0x21c/0xa90 drivers/usb/core/driver.c:423
__device_release_driver drivers/base/dd.c:861
device_release_driver_internal+0x4f4/0x5c0 drivers/base/dd.c:893
device_release_driver+0x1e/0x30 drivers/base/dd.c:918
bus_remove_device+0x2f4/0x4b0 drivers/base/bus.c:565
device_del+0x5c4/0xab0 drivers/base/core.c:1985
usb_disable_device+0x1e9/0x680 drivers/usb/core/message.c:1170
usb_disconnect+0x260/0x7a0 drivers/usb/core/hub.c:2124
hub_port_connect drivers/usb/core/hub.c:4754
hub_port_connect_change drivers/usb/core/hub.c:5009
port_event drivers/usb/core/hub.c:5115
hub_event+0x1318/0x3740 drivers/usb/core/hub.c:5195
process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
worker_thread+0x221/0x1850 kernel/workqueue.c:2253
kthread+0x3a1/0x470 kernel/kthread.c:231
ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
The buggy address belongs to the object at ffff8800674df680
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 272 bytes inside of
512-byte region [ffff8800674df680, ffff8800674df880)
The buggy address belongs to the page:
page:ffffea00019d3780 count:1 mapcount:0 mapping: (null)
index:0xffff8800674def00 compound_mapcount: 0
flags: 0x100000000008100(slab|head)
raw: 0100000000008100 0000000000000000 ffff8800674def00 00000001800c0008
raw: 0000000000000000 0000000100000001 ffff88006c403080 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8800674df680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8800674df700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8800674df780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8800674df800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8800674df880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================