usb/misc/usbtest: null-ptr-deref in usbtest_probe/get_endpoints


Andrey Konovalov

Sep 28, 2017, 7:35:58 AM
to Greg Kroah-Hartman, Alan Stern, Gustavo A. R. Silva, Felipe Balbi, Peter Chen, Colin Ian King, USB list, LKML, Dmitry Vyukov, Kostya Serebryany, syzkaller
Hi!

I've got the following report while fuzzing the kernel with syzkaller.

On commit dc972a67cc54585bd83ad811c4e9b6ab3dcd427e (4.14-rc2+).

It seems that the out pointer ends up being NULL and the kernel crashes on
access to out->desc.bEndpointAddress.

gadgetfs: bound to dummy_udc driver
usb 1-1: new full-speed USB device number 2 using dummy_hcd
gadgetfs: connected
gadgetfs: disconnected
gadgetfs: connected
usb 1-1: config 2 interface 0 altsetting 206 endpoint 0x81 has invalid
maxpacket 2040, setting to 64
usb 1-1: config 2 interface 0 altsetting 206 has an invalid endpoint
with address 0xFF, skipping
usb 1-1: config 2 interface 0 altsetting 206 endpoint 0x5 has an
invalid bInterval 255, changing to 4
usb 1-1: config 2 interface 0 has no altsetting 0
usb 1-1: New USB device found, idVendor=0525, idProduct=a4a0
usb 1-1: New USB device strings: Mfr=0, Product=185, SerialNumber=1
usb 1-1: Product: a
usb 1-1: SerialNumber: a
gadgetfs: configuration #2
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 1845 Comm: kworker/1:2 Not tainted
4.14.0-rc2-42664-gaf7d1481b3cb #297
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
task: ffff880064328000 task.stack: ffff880064398000
RIP: 0010:get_endpoints drivers/usb/misc/usbtest.c:208
RIP: 0010:usbtest_probe+0x114f/0x1ef0 drivers/usb/misc/usbtest.c:2706
RSP: 0018:ffff88006439e358 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 1ffff1000c873c33
RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000002
RBP: ffff88006439e5e8 R08: ffff88006439dd60 R09: 1ffff1000c873bc5
R10: ffff880064328000 R11: 0000000000000005 R12: ffff88006197e698
R13: ffff880067755d28 R14: ffff88006439e5c0 R15: ffff88006782ddc0
FS: 0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020002e07 CR3: 00000000639a9000 CR4: 00000000000006e0
Call Trace:
usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
really_probe drivers/base/dd.c:413
driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
device_add+0xd0b/0x1660 drivers/base/core.c:1835
usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932
generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
really_probe drivers/base/dd.c:413
driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
__device_attach_driver+0x230/0x290 drivers/base/dd.c:653
bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463
__device_attach+0x26e/0x3d0 drivers/base/dd.c:710
device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523
device_add+0xd0b/0x1660 drivers/base/core.c:1835
usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
hub_port_connect drivers/usb/core/hub.c:4903
hub_port_connect_change drivers/usb/core/hub.c:5009
port_event drivers/usb/core/hub.c:5115
hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
worker_thread+0x221/0x1850 kernel/workqueue.c:2253
kthread+0x3a1/0x470 kernel/kthread.c:231
ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
Code: 8b bd 30 fe ff ff e8 d1 60 05 fe 48 b8 00 00 00 00 00 fc ff df
41 89 5f 10 49 8b 9e c0 fe ff ff 48 8d 7b 02 48 89 fa 48 c1 ea 03 <0f>
b6 04 02 48 89 fa 83 e2 07 38 d0 7f 09 84 c0 74 05 e8 ba 5f
RIP: usbtest_probe+0x114f/0x1ef0 RSP: ffff88006439e358
---[ end trace 005817b8c41d50d0 ]---
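As an added illustration (not the kernel's code, nor anything posted by Andrey or Alan), here is a simplified user-space model of the endpoint scan in get_endpoints(): the pre-patch flow sets out_pipe inside `if (in)`, so an altsetting that keeps a bulk IN but has no bulk OUT, like the fuzzed device after the core rejected its invalid endpoints, reaches a NULL `out`; the patched flow guards each pipe independently. The struct names, the `fixed` switch and the endpoint transfer types in the constructed altsettings are assumptions for the example.

```c
/* Stand-alone user-space model of the endpoint pairing bug in get_endpoints().
 * Added illustration, not kernel code: structs and altsettings are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EP_DIR_IN    0x80   /* bEndpointAddress: direction bit (1 = IN) */
#define EP_NUM_MASK  0x0f   /* bEndpointAddress: endpoint number */
#define EP_XFER_MASK 0x03   /* bmAttributes: transfer type bits */
#define EP_XFER_BULK 0x02
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))
struct ep_desc { uint8_t bEndpointAddress; uint8_t bmAttributes; };
struct pipes   { unsigned in_pipe, out_pipe; };
static struct pipes demo_pipes;   /* result slot used by main() and the test */

/* Picks the first bulk IN and bulk OUT endpoint of an altsetting. Returns a
 * bitmask (1 = in_pipe set, 2 = out_pipe set), or -1 where the pre-patch flow
 * (out used inside `if (in)`) would dereference NULL. `fixed` = patched flow. */
static int select_bulk_pipes(const struct ep_desc *eps, size_t n, int fixed,
                             struct pipes *p)
{
    const struct ep_desc *in = NULL, *out = NULL;
    int set = 0;
    for (size_t i = 0; i < n; i++) {
        if ((eps[i].bmAttributes & EP_XFER_MASK) != EP_XFER_BULK)
            continue;                       /* only bulk endpoints pair up */
        if (eps[i].bEndpointAddress & EP_DIR_IN) { if (!in)  in  = &eps[i]; }
        else                                     { if (!out) out = &eps[i]; }
    }
    if (!fixed && in && !out)
        return -1;                          /* out->desc... on a NULL out */
    if (in)  { p->in_pipe  = in->bEndpointAddress  & EP_NUM_MASK; set |= 1; }
    if (out) { p->out_pipe = out->bEndpointAddress & EP_NUM_MASK; set |= 2; }
    return set;
}

/* Constructed altsettings. `fuzzed` mirrors the report: bulk IN 0x81 survives
 * (maxpacket corrected by the core) but no bulk OUT exists. `normal` is a pair. */
static const struct ep_desc fuzzed_altsetting[] = {
    { 0x81, EP_XFER_BULK },   /* bulk IN, endpoint 1 (transfer type assumed) */
    { 0x05, 0x03 },           /* interrupt OUT, endpoint 5: skipped by the scan */
};
static const struct ep_desc normal_altsetting[] = { { 0x81, EP_XFER_BULK }, { 0x02, EP_XFER_BULK } };

int main(void)
{
    size_t n = ARRAY_LEN(fuzzed_altsetting);
    printf("pre-patch: %d, patched: %d\n",
           select_bulk_pipes(fuzzed_altsetting, n, 0, &demo_pipes),
           select_bulk_pipes(fuzzed_altsetting, n, 1, &demo_pipes));
    return 0;
}
```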

Alan Stern

Sep 28, 2017, 1:01:27 PM
to Andrey Konovalov, Greg Kroah-Hartman, Gustavo A. R. Silva, Felipe Balbi, Peter Chen, Colin Ian King, USB list, LKML, Dmitry Vyukov, Kostya Serebryany, syzkaller
This looks like a simple logic error.

Alan Stern



Index: usb-4.x/drivers/usb/misc/usbtest.c
===================================================================
--- usb-4.x.orig/drivers/usb/misc/usbtest.c
+++ usb-4.x/drivers/usb/misc/usbtest.c
@@ -202,12 +202,13 @@ found:
return tmp;
}

- if (in) {
+ if (in)
dev->in_pipe = usb_rcvbulkpipe(udev,
in->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK);
+ if (out)
dev->out_pipe = usb_sndbulkpipe(udev,
out->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK);
- }
+
if (iso_in) {
dev->iso_in = &iso_in->desc;
dev->in_iso_pipe = usb_rcvisocpipe(udev,
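Review bot: the `+ if (out)` line makes the out-pipe assignment depend on `out` itself instead of on `in`, which removes the dereference in the report, but nothing in the hunk covers an altsetting where one or both bulk endpoints are missing: `dev->in_pipe` and `dev->out_pipe` are then simply left unset, so either the caller in usbtest_probe must tolerate a zero pipe, or get_endpoints should return an error when the bulk pair the tests rely on is absent. A one-line comment above `+ if (out)` noting that a device can expose a bulk IN without a bulk OUT (the case the fuzzer produced) would make the separate checks self-explanatory.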

Andrey Konovalov

Sep 29, 2017, 7:43:03 AM
to Alan Stern, Greg Kroah-Hartman, Gustavo A. R. Silva, Felipe Balbi, Peter Chen, Colin Ian King, USB list, LKML, Dmitry Vyukov, Kostya Serebryany, syzkaller
Hi Alan,

This fixes it.

Tested-by: Andrey Konovalov <andre...@google.com>

Thanks!