lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAAeHK+xrFhG=Lirn_hPboH98EFCToyD0cWMJqRmAewgDLUo_6A@mail.gmail.com>
Date:   Wed, 18 Sep 2019 13:04:18 +0200
From:   Andrey Konovalov <andreyknvl@...gle.com>
To:     "Rafael J. Wysocki" <rafael@...nel.org>
Cc:     syzbot <syzbot+cd157359d82e8d98c17b@...kaller.appspotmail.com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Len Brown <len.brown@...el.com>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Linux PM <linux-pm@...r.kernel.org>,
        "open list:ULTRA-WIDEBAND (UWB) SUBSYSTEM:" 
        <linux-usb@...r.kernel.org>, Pavel Machek <pavel@....cz>,
        "Rafael J. Wysocki" <rjw@...ysocki.net>,
        syzkaller-bugs <syzkaller-bugs@...glegroups.com>
Subject: Re: KASAN: global-out-of-bounds Read in __pm_runtime_resume

On Tue, Sep 17, 2019 at 11:44 PM Rafael J. Wysocki <rafael@...nel.org> wrote:
>
> On Mon, Sep 16, 2019 at 8:49 PM syzbot
> <syzbot+cd157359d82e8d98c17b@...kaller.appspotmail.com> wrote:
> >
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:    f0df5c1b usb-fuzzer: main usb gadget fuzzer driver
> > git tree:       https://github.com/google/kasan.git usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=10efb5fa600000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=5c6633fa4ed00be5
> > dashboard link: https://syzkaller.appspot.com/bug?extid=cd157359d82e8d98c17b
> > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> >
> > Unfortunately, I don't have any reproducer for this crash yet.
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+cd157359d82e8d98c17b@...kaller.appspotmail.com
> >
> > ==================================================================
> > BUG: KASAN: global-out-of-bounds in __pm_runtime_resume+0x162/0x180
> > drivers/base/power/runtime.c:1069
>
> This means that the caller of __pm_runtime_resume() did something odd.
>
> > Read of size 1 at addr ffffffff863d87b1 by task syz-executor.2/13622
> >
> > CPU: 0 PID: 13622 Comm: syz-executor.2 Not tainted 5.3.0-rc7+ #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > Call Trace:
> >   __dump_stack lib/dump_stack.c:77 [inline]
> >   dump_stack+0xca/0x13e lib/dump_stack.c:113
> >   print_address_description+0x6a/0x32c mm/kasan/report.c:351
> >   __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
> >   kasan_report+0xe/0x12 mm/kasan/common.c:618
> >   __pm_runtime_resume+0x162/0x180 drivers/base/power/runtime.c:1069
> >   pm_runtime_get_sync include/linux/pm_runtime.h:226 [inline]
> >   usb_autopm_get_interface+0x1b/0x50 drivers/usb/core/driver.c:1709
> >   usbhid_power+0x7c/0xe0 drivers/hid/usbhid/hid-core.c:1234
>
> In this particular case usbhid_power() probably shouldn't have called
> pm_runtime_get_sync() or it shouldn't have been called itself or
> similar.

Hi Rafael,

This report is caused by a major memory corruption that can lead to
all kinds of weird things. Let's wait for the fix to be in the
mainline and then see if these bugs are still occurring.

Thanks!

>
> >   hid_hw_power include/linux/hid.h:1038 [inline]
> >   hidraw_open+0x20d/0x740 drivers/hid/hidraw.c:282
> >   chrdev_open+0x219/0x5c0 fs/char_dev.c:414
> >   do_dentry_open+0x494/0x1120 fs/open.c:797
> >   do_last fs/namei.c:3416 [inline]
> >   path_openat+0x1430/0x3f50 fs/namei.c:3533
> >   do_filp_open+0x1a1/0x280 fs/namei.c:3563
> >   do_sys_open+0x3c0/0x580 fs/open.c:1089
> >   do_syscall_64+0xb7/0x580 arch/x86/entry/common.c:296
> >   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > RIP: 0033:0x4137d1
> > Code: 75 14 b8 02 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 19 00 00 c3 48
> > 83 ec 08 e8 0a fa ff ff 48 89 04 24 b8 02 00 00 00 0f 05 <48> 8b 3c 24 48
> > 89 c2 e8 53 fa ff ff 48 89 d0 48 83 c4 08 48 3d 01
> > RSP: 002b:00007faea59927a0 EFLAGS: 00000293 ORIG_RAX: 0000000000000002
> > RAX: ffffffffffffffda RBX: 6666666666666667 RCX: 00000000004137d1
> > RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007faea5992850
> > RBP: 000000000075bf20 R08: 000000000000000f R09: 0000000000000000
> > R10: 0000000000000000 R11: 0000000000000293 R12: 00007faea59936d4
> > R13: 00000000004c8cbf R14: 00000000004dfc90 R15: 00000000ffffffff
> >
> > The buggy address belongs to the variable:
> >   __param_str_xfer_debug+0x91/0x4a0
> >
> > Memory state around the buggy address:
> >   ffffffff863d8680: fa fa fa fa 00 00 00 02 fa fa fa fa 00 00 00 00
> >   ffffffff863d8700: fa fa fa fa 00 00 00 02 fa fa fa fa 00 07 fa fa
> > > ffffffff863d8780: fa fa fa fa 00 00 fa fa fa fa fa fa 00 00 07 fa
> >                                       ^
> >   ffffffff863d8800: fa fa fa fa 00 00 00 00 00 00 fa fa fa fa fa fa
> >   ffffffff863d8880: 00 07 fa fa fa fa fa fa 00 00 06 fa fa fa fa fa
> > ==================================================================
> >
> >
> > ---
> > This bug is generated by a bot. It may contain errors.
> > See https://goo.gl/tpsmEJ for more information about syzbot.
> > syzbot engineers can be reached at syzkaller@...glegroups.com.
> >
> > syzbot will keep track of this bug report. See:
> > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ