Message-ID: <bc2fb22a-f759-4664-b06c-4c30a535419a@rowland.harvard.edu>
Date: Mon, 27 Jan 2025 10:59:12 -0500
From: Alan Stern <stern@...land.harvard.edu>
To: syzbot <syzbot+9c9179ac46169c56c1ad@...kaller.appspotmail.com>,
Karol Przybylski <karprzy7@...il.com>,
Jiri Kosina <jikos@...nel.org>
Cc: gregkh@...uxfoundation.org, linux-kernel@...r.kernel.org,
linux-usb@...r.kernel.org, syzkaller-bugs@...glegroups.com,
linux-input@...r.kernel.org
Subject: Re: [syzbot] [usb?] KASAN: stack-out-of-bounds Read in usb_check_int_endpoints

On Sun, Jan 26, 2025 at 08:10:22PM -0800, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 21266b8df522 Merge tag 'AT_EXECVE_CHECK-v6.14-rc1' of git:..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=14bd9c24580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=f9e008bfc27b14db
> dashboard link: https://syzkaller.appspot.com/bug?extid=9c9179ac46169c56c1ad
> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/5249b29d55f2/disk-21266b8d.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/8413507597a1/vmlinux-21266b8d.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/9c84998b8cfb/bzImage-21266b8d.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+9c9179ac46169c56c1ad@...kaller.appspotmail.com
>
> hid-thrustmaster 0003:044F:B65D.0004: hidraw0: USB HID v0.00 Device [HID 044f:b65d] on usb-dummy_hcd.2-1/input0
> ==================================================================
> BUG: KASAN: stack-out-of-bounds in usb_check_int_endpoints+0x1fe/0x280 drivers/usb/core/usb.c:277
> Read of size 1 at addr ffffc9000213e831 by task kworker/1:1/80
>
> CPU: 1 UID: 0 PID: 80 Comm: kworker/1:1 Not tainted 6.13.0-syzkaller-04858-g21266b8df522 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
> Workqueue: usb_hub_wq hub_event
> Call Trace:
> <TASK>
> __dump_stack lib/dump_stack.c:94 [inline]
> dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
> print_address_description mm/kasan/report.c:378 [inline]
> print_report+0x169/0x550 mm/kasan/report.c:489
> kasan_report+0x143/0x180 mm/kasan/report.c:602
> usb_check_int_endpoints+0x1fe/0x280 drivers/usb/core/usb.c:277
> thrustmaster_interrupts drivers/hid/hid-thrustmaster.c:176 [inline]
> thrustmaster_probe+0x47d/0xcb0 drivers/hid/hid-thrustmaster.c:347
Karol:
Your commit 50420d7c79c3 ("HID: hid-thrustmaster: Fix warning in
thrustmaster_probe by adding endpoint check") does this:
+ /* Are the expected endpoints present? */
+ u8 ep_addr[1] = {b_ep};
+
+ if (!usb_check_int_endpoints(usbif, ep_addr)) {
+ hid_err(hdev, "Unexpected non-int endpoint\n");
+ return;
+ }
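Review bot: the array passed to usb_check_int_endpoints() in this hunk, `u8 ep_addr[1] = {b_ep};`, has no terminating 0 entry, and the callee walks the array until it reads a 0 byte, so it continues past the end of the one-byte stack buffer; that is the stack-out-of-bounds read KASAN reports at drivers/usb/core/usb.c:277 above. If the array form is kept, it needs the terminator, e.g. `u8 ep_addr[] = { b_ep, 0 };`. Since b_ep is a value found at runtime rather than a compile-time constant, the reply's suggestion is the better fix: check the endpoint that was already found directly with `if (!usb_endpoint_is_int_out(&ep->desc)) {`, which also confirms the OUT direction, or use usb_find_common_endpoints().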
usb_check_int_endpoints() expects its second argument to be a
0-terminated byte array (see the kerneldoc). Lack of the terminating 0
is what caused the syzbot error reported above.
Also, usb_check_int_endpoints() is meant to be used by drivers in which
the endpoint number is a compile-time constant. It's not appropriate
here. You should have written the test as:
if (!usb_endpoint_is_int_out(&ep->desc)) {
Alternatively, you could have called usb_find_common_endpoints().
Would you like to submit a patch to fix this error?
Alan Stern
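The two checks discussed in this reply, the 0-terminated array contract of usb_check_int_endpoints() and the descriptor test usb_endpoint_is_int_out(), as an added user-space model. This is not kernel code and not code from anyone in the thread: struct ep_desc and struct iface are stand-ins for struct usb_endpoint_descriptor and struct usb_interface, the mask and transfer-type constants are the values from include/uapi/linux/usb/ch9.h, and the sample interface is constructed for the demo. It shows why the terminator matters and also that the two checks are not equivalent: the array check only verifies transfer type, while the descriptor check verifies direction as well.

```c
/* Added user-space model of the two endpoint checks discussed above.
 * Not kernel code: struct ep_desc / struct iface are stand-ins for
 * struct usb_endpoint_descriptor / struct usb_interface, and the sample
 * interface below is constructed for the demo. Mask/constant values are
 * those of include/uapi/linux/usb/ch9.h. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define USB_ENDPOINT_DIR_MASK      0x80
#define USB_DIR_OUT                0x00
#define USB_DIR_IN                 0x80
#define USB_ENDPOINT_XFERTYPE_MASK 0x03
#define USB_ENDPOINT_XFER_BULK     0x02
#define USB_ENDPOINT_XFER_INT      0x03

struct ep_desc {                 /* only the two fields the checks use */
    uint8_t bEndpointAddress;
    uint8_t bmAttributes;
};

struct iface {                   /* endpoints of the active altsetting */
    const struct ep_desc *eps;
    size_t num_eps;
};

/* Model of usb_endpoint_is_int_out(): direction OUT and transfer type INT. */
static bool endpoint_is_int_out(const struct ep_desc *d)
{
    return (d->bEndpointAddress & USB_ENDPOINT_DIR_MASK) == USB_DIR_OUT &&
           (d->bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) == USB_ENDPOINT_XFER_INT;
}

/* Model of usb_find_endpoint(): NULL when no endpoint has that address. */
static const struct ep_desc *find_endpoint(const struct iface *ifc, uint8_t addr)
{
    for (size_t i = 0; i < ifc->num_eps; i++)
        if (ifc->eps[i].bEndpointAddress == addr)
            return &ifc->eps[i];
    return NULL;
}

/* Model of usb_check_int_endpoints(): ep_addrs MUST be 0-terminated.
 * The loop's only stop condition is reading a 0 byte, so an array like
 * `u8 ep_addr[1] = {b_ep};` (no terminator) makes it read past the end of
 * the caller's stack buffer, which is what KASAN reported in this thread.
 * Endpoint 0 never appears in an interface, so 0 is a safe sentinel. */
static bool check_int_endpoints(const struct iface *ifc, const uint8_t *ep_addrs)
{
    for (; *ep_addrs; ++ep_addrs) {
        const struct ep_desc *d = find_endpoint(ifc, *ep_addrs);
        if (!d || (d->bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) != USB_ENDPOINT_XFER_INT)
            return false;
    }
    return true;
}

/* The quoted patch's approach, with the terminator it was missing. */
static bool probe_check_via_array(const struct iface *ifc, uint8_t b_ep)
{
    uint8_t ep_addr[] = { b_ep, 0 };     /* the 0 terminator is mandatory */
    return check_int_endpoints(ifc, ep_addr);
}

/* The form suggested in the reply: test the descriptor of the endpoint
 * found at runtime, which also confirms its OUT direction. */
static bool probe_check_via_desc(const struct iface *ifc, uint8_t b_ep)
{
    const struct ep_desc *d = find_endpoint(ifc, b_ep);
    return d && endpoint_is_int_out(d);
}

/* Constructed sample interface: INT OUT 0x01, INT IN 0x81, BULK OUT 0x02. */
static const struct ep_desc sample_eps[] = {
    { 0x01 | USB_DIR_OUT, USB_ENDPOINT_XFER_INT },
    { 0x01 | USB_DIR_IN,  USB_ENDPOINT_XFER_INT },
    { 0x02 | USB_DIR_OUT, USB_ENDPOINT_XFER_BULK },
};
static const struct iface sample_iface = { sample_eps, 3 };

int main(void)
{
    static const uint8_t addrs[] = { 0x01, 0x81, 0x02, 0x05 };
    for (size_t i = 0; i < sizeof addrs; i++)
        printf("ep 0x%02x: via array %d, via desc %d\n", addrs[i],
               probe_check_via_array(&sample_iface, addrs[i]),
               probe_check_via_desc(&sample_iface, addrs[i]));
    return 0;
}
```

Running it shows the difference between the two checks on the constructed interface: address 0x81 (interrupt IN) passes the array check, because usb_check_int_endpoints() only asks whether each listed endpoint is interrupt type, but fails the descriptor check, which also requires the OUT direction; 0x02 (bulk) and 0x05 (absent) fail both. The array form works only because probe_check_via_array() supplies the sentinel itself; with a runtime endpoint number the descriptor form needs no array at all.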