lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 17 May 2024 10:17:04 +0800
From: Sam Sun <samsun1006219@...il.com>
To: linux-kernel@...r.kernel.org, linux-input@...r.kernel.org
Cc: syzkaller-bugs@...glegroups.com, bentiss@...nel.org, jikos@...nel.org, 
	xrivendell7@...il.com
Subject: [Linux kernel bug] KASAN: slab-out-of-bounds Read in asus_report_fixup

Dear developers and maintainers,

We encountered a slab-out-of-bounds bug while using our modified
syzkaller. It was tested against the latest upstream kernel (6.9). The
kernel was compiled by clang 14.0.0, and kernel config and C repro are
attached to this email. Kernel crash log is listed below.
==================================================================
BUG: KASAN: slab-out-of-bounds in asus_report_fixup+0x855/0xfe0
drivers/hid/hid-asus.c:1210
Read of size 1 at addr ffff888066e5a4cb by task kworker/1:2/783

CPU: 1 PID: 783 Comm: kworker/1:2 Not tainted 6.9.0-05151-g1b294a1f3561 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x201/0x300 lib/dump_stack.c:114
 print_address_description+0x7b/0x360 mm/kasan/report.c:377
 print_report+0xfd/0x1e0 mm/kasan/report.c:488
 kasan_report+0xce/0x100 mm/kasan/report.c:601
 asus_report_fixup+0x855/0xfe0 drivers/hid/hid-asus.c:1210
 hid_open_report+0x1ab/0x1540 drivers/hid/hid-core.c:1235
 hid_parse include/linux/hid.h:1118 [inline]
 asus_probe+0x844/0xcd0 drivers/hid/hid-asus.c:1065
 __hid_device_probe drivers/hid/hid-core.c:2633 [inline]
 hid_device_probe+0x2cd/0x4c0 drivers/hid/hid-core.c:2670
 call_driver_probe+0x98/0x1c0
 really_probe+0x278/0x8e0 drivers/base/dd.c:656
 __driver_probe_device+0x199/0x390 drivers/base/dd.c:798
 driver_probe_device+0x50/0x240 drivers/base/dd.c:828
 __device_attach_driver+0x279/0x3d0 drivers/base/dd.c:956
 bus_for_each_drv+0x2d9/0x330 drivers/base/bus.c:457
 __device_attach+0x317/0x500 drivers/base/dd.c:1028
 bus_probe_device+0x1b5/0x290 drivers/base/bus.c:532
 device_add+0x8fc/0xca0 drivers/base/core.c:3720
 hid_add_device+0x3a7/0x510 drivers/hid/hid-core.c:2816
 usbhid_probe+0xdc7/0x1220 drivers/hid/usbhid/hid-core.c:1429
 usb_probe_interface+0x6ad/0xc60 drivers/usb/core/driver.c:399
 call_driver_probe+0x98/0x1c0
 really_probe+0x278/0x8e0 drivers/base/dd.c:656
 __driver_probe_device+0x199/0x390 drivers/base/dd.c:798
 driver_probe_device+0x50/0x240 drivers/base/dd.c:828
 __device_attach_driver+0x279/0x3d0 drivers/base/dd.c:956
 bus_for_each_drv+0x2d9/0x330 drivers/base/bus.c:457
 __device_attach+0x317/0x500 drivers/base/dd.c:1028
 bus_probe_device+0x1b5/0x290 drivers/base/bus.c:532
 device_add+0x8fc/0xca0 drivers/base/core.c:3720
 usb_set_configuration+0x1a53/0x20b0 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0x86/0x140 drivers/usb/core/generic.c:254
 usb_probe_device+0x1a8/0x360 drivers/usb/core/driver.c:294
 call_driver_probe+0x98/0x1c0
 really_probe+0x278/0x8e0 drivers/base/dd.c:656
 __driver_probe_device+0x199/0x390 drivers/base/dd.c:798
 driver_probe_device+0x50/0x240 drivers/base/dd.c:828
 __device_attach_driver+0x279/0x3d0 drivers/base/dd.c:956
 bus_for_each_drv+0x2d9/0x330 drivers/base/bus.c:457
 __device_attach+0x317/0x500 drivers/base/dd.c:1028
 bus_probe_device+0x1b5/0x290 drivers/base/bus.c:532
 device_add+0x8fc/0xca0 drivers/base/core.c:3720
 usb_new_device+0x1015/0x1950 drivers/usb/core/hub.c:2652
 hub_port_connect+0xf28/0x2090 drivers/usb/core/hub.c:5522
 hub_port_connect_change+0x53f/0x8f0 drivers/usb/core/hub.c:5662
 port_event+0xdcf/0x12c0 drivers/usb/core/hub.c:5822
 hub_event+0x55a/0xc70 drivers/usb/core/hub.c:5904
 process_one_work kernel/workqueue.c:3267 [inline]
 process_scheduled_works+0x9c9/0x14a0 kernel/workqueue.c:3348
 worker_thread+0x85c/0xd50 kernel/workqueue.c:3429
 kthread+0x2ed/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244
 </TASK>

Allocated by task 783:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x30/0x70 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slub.c:4039 [inline]
 __kmalloc_node_track_caller+0x254/0x4f0 mm/slub.c:4059
 kmemdup+0x2a/0x70 mm/util.c:131
 _Z7kmemdupPKvU25pass_dynamic_object_size0mj
include/linux/fortify-string.h:743 [inline]
 call_hid_bpf_rdesc_fixup include/linux/hid_bpf.h:157 [inline]
 hid_open_report+0x140/0x1540 drivers/hid/hid-core.c:1230
 hid_parse include/linux/hid.h:1118 [inline]
 asus_probe+0x844/0xcd0 drivers/hid/hid-asus.c:1065
 __hid_device_probe drivers/hid/hid-core.c:2633 [inline]
 hid_device_probe+0x2cd/0x4c0 drivers/hid/hid-core.c:2670
 call_driver_probe+0x98/0x1c0
 really_probe+0x278/0x8e0 drivers/base/dd.c:656
 __driver_probe_device+0x199/0x390 drivers/base/dd.c:798
 driver_probe_device+0x50/0x240 drivers/base/dd.c:828
 __device_attach_driver+0x279/0x3d0 drivers/base/dd.c:956
 bus_for_each_drv+0x2d9/0x330 drivers/base/bus.c:457
 __device_attach+0x317/0x500 drivers/base/dd.c:1028
 bus_probe_device+0x1b5/0x290 drivers/base/bus.c:532
 device_add+0x8fc/0xca0 drivers/base/core.c:3720
 hid_add_device+0x3a7/0x510 drivers/hid/hid-core.c:2816
 usbhid_probe+0xdc7/0x1220 drivers/hid/usbhid/hid-core.c:1429
 usb_probe_interface+0x6ad/0xc60 drivers/usb/core/driver.c:399
 call_driver_probe+0x98/0x1c0
 really_probe+0x278/0x8e0 drivers/base/dd.c:656
 __driver_probe_device+0x199/0x390 drivers/base/dd.c:798
 driver_probe_device+0x50/0x240 drivers/base/dd.c:828
 __device_attach_driver+0x279/0x3d0 drivers/base/dd.c:956
 bus_for_each_drv+0x2d9/0x330 drivers/base/bus.c:457
 __device_attach+0x317/0x500 drivers/base/dd.c:1028
 bus_probe_device+0x1b5/0x290 drivers/base/bus.c:532
 device_add+0x8fc/0xca0 drivers/base/core.c:3720
 usb_set_configuration+0x1a53/0x20b0 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0x86/0x140 drivers/usb/core/generic.c:254
 usb_probe_device+0x1a8/0x360 drivers/usb/core/driver.c:294
 call_driver_probe+0x98/0x1c0
 really_probe+0x278/0x8e0 drivers/base/dd.c:656
 __driver_probe_device+0x199/0x390 drivers/base/dd.c:798
 driver_probe_device+0x50/0x240 drivers/base/dd.c:828
 __device_attach_driver+0x279/0x3d0 drivers/base/dd.c:956
 bus_for_each_drv+0x2d9/0x330 drivers/base/bus.c:457
 __device_attach+0x317/0x500 drivers/base/dd.c:1028
 bus_probe_device+0x1b5/0x290 drivers/base/bus.c:532
 device_add+0x8fc/0xca0 drivers/base/core.c:3720
 usb_new_device+0x1015/0x1950 drivers/usb/core/hub.c:2652
 hub_port_connect+0xf28/0x2090 drivers/usb/core/hub.c:5522
 hub_port_connect_change+0x53f/0x8f0 drivers/usb/core/hub.c:5662
 port_event+0xdcf/0x12c0 drivers/usb/core/hub.c:5822
 hub_event+0x55a/0xc70 drivers/usb/core/hub.c:5904
 process_one_work kernel/workqueue.c:3267 [inline]
 process_scheduled_works+0x9c9/0x14a0 kernel/workqueue.c:3348
 worker_thread+0x85c/0xd50 kernel/workqueue.c:3429
 kthread+0x2ed/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244

The buggy address belongs to the object at ffff888066e5a480
 which belongs to the cache kmalloc-96 of size 96
The buggy address is located 0 bytes to the right of
 allocated 75-byte region [ffff888066e5a480, ffff888066e5a4cb)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x66e5a
flags: 0x4fff00000000800(slab|node=1|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 04fff00000000800 ffff888013441280 ffffea0001949700 dead000000000002
raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask
0x252800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP|__GFP_THISNODE), pid
4804, tgid 4804 (systemd-udevd), ts 38895358525, free_ts 37534477740
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1534
 prep_new_page mm/page_alloc.c:1541 [inline]
 get_page_from_freelist+0x7d2/0x850 mm/page_alloc.c:3317
 __alloc_pages+0x25e/0x580 mm/page_alloc.c:4575
 __alloc_pages_node include/linux/gfp.h:238 [inline]
 alloc_pages_node include/linux/gfp.h:261 [inline]
 alloc_slab_page+0x6b/0x1a0 mm/slub.c:2190
 allocate_slab+0x5d/0x200 mm/slub.c:2353
 new_slab mm/slub.c:2406 [inline]
 ___slab_alloc+0xa95/0xf20 mm/slub.c:3592
 __slab_alloc mm/slub.c:3682 [inline]
 __slab_alloc_node mm/slub.c:3735 [inline]
 slab_alloc_node mm/slub.c:3908 [inline]
 __do_kmalloc_node mm/slub.c:4038 [inline]
 __kmalloc_node+0x2dd/0x4f0 mm/slub.c:4046
 kmalloc_array_node include/linux/slab.h:726 [inline]
 kcalloc_node include/linux/slab.h:731 [inline]
 memcg_alloc_slab_cgroups+0x80/0x120 mm/memcontrol.c:3015
 account_slab mm/slub.c:2316 [inline]
 allocate_slab+0x99/0x200 mm/slub.c:2371
 new_slab mm/slub.c:2406 [inline]
 ___slab_alloc+0xa95/0xf20 mm/slub.c:3592
 __slab_alloc mm/slub.c:3682 [inline]
 __slab_alloc_node mm/slub.c:3735 [inline]
 slab_alloc_node mm/slub.c:3908 [inline]
 kmem_cache_alloc_lru+0x24d/0x370 mm/slub.c:3937
 alloc_inode_sb include/linux/fs.h:3107 [inline]
 alloc_inode fs/inode.c:263 [inline]
 iget_locked+0x1f2/0x810 fs/inode.c:1280
 kernfs_get_inode+0x51/0x750 fs/kernfs/inode.c:251
 kernfs_iop_lookup+0x263/0x380 fs/kernfs/dir.c:1214
 __lookup_slow+0x274/0x3b0 fs/namei.c:1692
 lookup_slow+0x53/0x70 fs/namei.c:1709
page last free pid 4804 tgid 4804 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1141 [inline]
 free_unref_page_prepare+0x72f/0x7c0 mm/page_alloc.c:2347
 free_unref_page+0x37/0x3f0 mm/page_alloc.c:2487
 __folio_put_small mm/swap.c:119 [inline]
 __folio_put+0x20b/0x360 mm/swap.c:142
 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x75/0xf0 mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2535 [inline]
 rcu_core+0xa43/0x1740 kernel/rcu/tree.c:2809
 handle_softirqs+0x274/0x730 kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0xd7/0x1a0 kernel/softirq.c:637
 irq_exit_rcu+0x9/0x20 kernel/softirq.c:649
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702

Memory state around the buggy address:
 ffff888066e5a380: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff888066e5a400: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
>ffff888066e5a480: 00 00 00 00 00 00 00 00 00 03 fc fc fc fc fc fc
                                              ^
 ffff888066e5a500: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff888066e5a580: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
==================================================================
If you have any questions, please contact us.

Reported by Yue Sun <samsun1006219@...il.com>
Reported by xingwei lee <xrivendell7@...il.com>

Best Regards,
Yue

Download attachment "config" of type "application/octet-stream" (248322 bytes)

View attachment "asus_report_fixup.c" of type "text/x-csrc" (22861 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ