Message-ID: <20200120082335.GD21151@kadam>
Date: Mon, 20 Jan 2020 11:23:36 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: syzbot <syzbot+afeecc39f502a8681560@...kaller.appspotmail.com>,
dhowells@...hat.com
Cc: arnd@...db.de, dmitry.torokhov@...il.com, ebiederm@...ssion.com,
gregkh@...uxfoundation.org, linux-kernel@...r.kernel.org,
linux-usb@...r.kernel.org, stern@...land.harvard.edu,
syzkaller-bugs@...glegroups.com
Subject: Re: linux-next boot error: KASAN: slab-out-of-bounds Read in
post_usb_notification

Hey David,

This crash was from commit 72cc88648972 ("usb: Add USB subsystem
notifications").

drivers/usb/core/devio.c
2752 static noinline void post_usb_notification(const char *devname,
2753                                            enum usb_notification_type subtype,
2754                                            u32 error)
2755 {
2756         unsigned int name_len, n_len;
2757         u64 id = 0; /* We can put a device ID here for separate dev watches */
2758
2759         struct {
2760                 struct usb_notification n;
2761                 char more_name[USB_NOTIFICATION_MAX_NAME_LEN -
2762                                (sizeof(struct usb_notification) -
2763                                 offsetof(struct usb_notification, name))];
2764         } n;
2765
2766         name_len = strlen(devname);
2767         name_len = min_t(size_t, name_len, USB_NOTIFICATION_MAX_NAME_LEN);
                                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This limit is too high. It should be USB_NOTIFICATION_MAX_NAME_LEN -
sizeof(struct usb_notification), or just
"min_t(size_t, name_len, sizeof(n.more_name));". The n.n.name[] is a
zero size array.

2768         n_len = offsetof(struct usb_notification, name) + name_len;
2769
2770         memset(&n, 0, sizeof(n));
2771         memcpy(n.n.name, devname, n_len);
                                       ^^^^^
name_len was intended here.

2772
2773         n.n.watch.type = WATCH_TYPE_USB_NOTIFY;
2774         n.n.watch.subtype = subtype;
2775         n.n.watch.info = n_len;
2776         n.n.error = error;
2777         n.n.name_len = name_len;
2778
2779         post_device_notification(&n.n.watch, id);
2780 }

regards,
dan carpenter
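
A user-space model of the length arithmetic discussed in the message above, added here as an example (not code from the kernel tree or from the author of the message). `struct note`, the value 63 for `MAX_NAME_LEN`, the sample name "usb1" and all function names are constructed; the functions only compute how far each `memcpy()` length would reach and perform no out-of-bounds access.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define MAX_NAME_LEN 63	/* constructed stand-in for USB_NOTIFICATION_MAX_NAME_LEN */

/* Constructed model of a record that ends in a zero-size name[] array. */
struct note {
	unsigned int type, subtype, info, error;
	unsigned char name_len;
	char name[];
};

#define NAME_OFF  offsetof(struct note, name)
/* Size of the trailing more_name[] array, computed as in the quoted code. */
#define MORE_NAME (MAX_NAME_LEN - (sizeof(struct note) - NAME_OFF))
/* Bytes from name[] to the end of the on-stack { n; more_name[]; } object. */
#define NAME_ROOM (sizeof(struct note) + MORE_NAME - NAME_OFF)

static size_t min_sz(size_t a, size_t b) { return a < b ? a : b; }

/* memcpy() length in the quoted code: n_len = offsetof(name) + name_len. */
size_t quoted_copy_len(const char *devname)
{
	return NAME_OFF + min_sz(strlen(devname), MAX_NAME_LEN);
}

/* Length with both suggestions applied: clamp to more_name, copy name_len. */
size_t revised_copy_len(const char *devname)
{
	return min_sz(strlen(devname), MORE_NAME);
}

/* Bytes a copy of len reads beyond devname's storage (string plus NUL). */
size_t src_overread(const char *devname, size_t len)
{
	size_t have = strlen(devname) + 1;
	return len > have ? len - have : 0;
}

/* Bytes a copy of len, written at name[], lands beyond the object. */
size_t dst_overflow(size_t len)
{
	return len > NAME_ROOM ? len - NAME_ROOM : 0;
}

int main(void)
{
	/* "usb1" is a constructed device name */
	printf("quoted %zu, revised %zu\n", quoted_copy_len("usb1"), revised_copy_len("usb1"));
	return 0;
}
```

With the quoted length, even a short name makes the copy read past the end of the source string, which is the kind of access a KASAN out-of-bounds read report flags.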