Message-ID: <6fa0a6e9-7123-4538-8a98-660a594e72d7@rowland.harvard.edu>
Date: Sun, 17 Mar 2024 16:59:32 -0400
From: Alan Stern <stern@...land.harvard.edu>
To: xingwei lee <xrivendell7@...il.com>
Cc: gregkh@...uxfoundation.org, usb-storage@...ts.one-eyed-alien.net,
  linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org,
  samsun1006219@...il.com, syzkaller-bugs@...glegroups.com
Subject: Re: divide error in alauda_transport

On Sun, Mar 17, 2024 at 11:57:58PM +0800, xingwei lee wrote:
> On Mar 17, 2024, at 23:04, Alan Stern <stern@...land.harvard.edu> wrote:
> 
> On Sun, Mar 17, 2024 at 04:31:01PM +0800, xingwei lee wrote:
> 
> Hello, I found a bug in the latest upstream titled "divide error in
> alauda_transport", and maybe it is related to usb.
> I confirmed that in the latest upstream the poc tree can trigger the issue.
> 
> If you fix this issue, please add the following tag to the commit:
> Reported-by: xingwei lee <xrivendell7@...il.com>
> Reported-by: yue sun <samsun1006219@...il.com>
> 
> kernel: upstream 9187210eee7d87eea37b45ea93454a88681894a4
> config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=1c6662240382da2
> with KASAN enabled
> compiler: gcc (Debian 12.2.0-14) 12.2.0
> 
> divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
> CPU: 2 PID: 8229 Comm: usb-storage Not tainted 6.8.0-05202-g9187210eee7d #20
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> 1.16.2-1.fc38 04/01/2014
> RIP: 0010:alauda_read_data drivers/usb/storage/alauda.c:954 [inline]
> RIP: 0010:alauda_transport+0xcaf/0x3830 drivers/usb/storage/alauda.c:1184

> Hi Alan
> 
> I applied your patch in my upstream commit
> 9187210eee7d87eea37b45ea93454a88681894a4
> 
> However, the poc still triggers the bug like below:
> 
> [  146.141945][ T8215] divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
> [  146.143565][ T8215] CPU: 1 PID: 8215 Comm: usb-storage Not tainted
> 6.8.0-05202-g9187210eee7d-dirty #21
> [  146.145319][ T8215] Hardware name: QEMU Standard PC (i440FX + PIIX,
> 1996), BIOS 1.16.2-1.fc38 04/01/2014
> [  146.146720][ T8215] RIP: 0010:alauda_transport+0xc65/0x38b0

The line in your original bug report, alauda.c:954, was a call to 
alauda_ensure_map_for_zone(), which my patch moves to a different 
location so that a test for overflow can run first.  It's hard to tell 
whether the divide error occurs before the function call, within the 
function, or after.

Furthermore, alauda_ensure_map_for_zone() calls alauda_read_map(), and 
it's hard to tell if the divide error occurs before that function call 
or within the function.

Can you try adding some pr_info() statements to those places so we can 
determine exactly where the error occurs?  The only divisions that I see 
are by 2 or by uzonesize, which should always be nonzero.  Maybe you can 
print out the value of uzonesize so we can verify this.

Thanks,

Alan Stern
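As an added illustration of the debugging step Alan asks for (trace the divisor, then confirm it is nonzero before dividing), here is a userspace C model that is not the alauda driver's code: `lba_to_zone()`, its `trace_info()` macro standing in for `pr_info()`, and the sample inputs are all assumptions constructed for this example, and the driver's real derivation of `uzonesize` is not reproduced.

```c
/* Added example, not kernel code: a model of a zone-index division whose
 * divisor comes from device-reported geometry, with the divisor traced and
 * validated before the division so a zero value yields an error instead of
 * a "divide error" oops. */
#include <stdio.h>
#include <stdint.h>
#include <errno.h>

/* Userspace stand-in for pr_info(): print the trace to stderr. */
#define trace_info(...) fprintf(stderr, "alauda-model: " __VA_ARGS__)

/* Split a logical block address into (zone, offset-within-zone).
 * Returns 0 on success, -EINVAL if the zone size is zero.  The trace line
 * is the diagnostic Alan suggests: it records uzonesize at the point just
 * before it is used as a divisor. */
static int lba_to_zone(uint32_t lba, uint32_t uzonesize,
                       uint32_t *zone, uint32_t *offset)
{
    trace_info("lba=%u uzonesize=%u\n", lba, uzonesize);
    if (uzonesize == 0) {
        trace_info("refusing to divide: uzonesize is zero\n");
        return -EINVAL;
    }
    *zone = lba / uzonesize;
    *offset = lba % uzonesize;
    return 0;
}

int main(void)
{
    uint32_t zone, off;

    /* Constructed inputs: a sane zone size, then a zero one as a device
     * with bogus geometry might produce. */
    if (lba_to_zone(5000, 1024, &zone, &off) == 0)
        printf("zone=%u offset=%u\n", zone, off);
    if (lba_to_zone(5000, 0, &zone, &off) != 0)
        printf("zero zone size rejected\n");
    return 0;
}
```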
