Message-ID: <CA+HokZrYvNhfGQ7Kf+smO1EzrX2Fvtqm92cEnE0M534kXZKHjA@mail.gmail.com>
Date: Tue, 4 Mar 2025 10:21:03 +0800
From: Strforexc yn <strforexc@...il.com>
To: Alan Stern <stern@...land.harvard.edu>
Cc: Jiri Kosina <jikos@...nel.org>, Benjamin Tissoires <bentiss@...nel.org>, 
	Nikita Zhandarovich <n.zhandarovich@...tech.ru>, linux-usb@...r.kernel.org, 
	linux-input@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [BUG] UBSAN: Array-Index-Out-of-Bounds in usbhid_parse (HID) on 6.14.0-rc4

I hadn’t come across this patch earlier—thanks for sharing it! After
reviewing it, I can see that it addresses the UBSAN
array-index-out-of-bounds issue.

Alan Stern <stern@...land.harvard.edu> wrote on Tue, 4 Mar 2025 at 00:02:
>
> On Mon, Mar 03, 2025 at 04:52:33PM +0800, Strforexc yn wrote:
> > Dear Maintainers, When using our customized Syzkaller to fuzz the
> > latest Linux kernel, the following crash was triggered.
> >
> > Kernel commit: v6.14-rc4 (Commits on Feb 24, 2025)
> > Kernel Config : https://github.com/Strforexc/LinuxKernelbug/blob/main/.config
> > Kernel Log:  https://github.com/Strforexc/LinuxKernelbug/blob/main/array-index-out-of-bounds_usbhid_parse/log0
> > Reproduce C: https://github.com/Strforexc/LinuxKernelbug/blob/main/array-index-out-of-bounds_usbhid_parse/repro.cprog
> >
> > I’ve encountered a UBSAN-reported array-index-out-of-bounds issue in
> > the USB HID driver on Linux 6.14.0-rc4 during device probing, likely
> > triggered by a malformed USB descriptor. Here are the details:
> >
> > UBSAN detects an out-of-bounds access at
> > drivers/hid/usbhid/hid-core.c:1025:18 in usbhid_parse, where index 1
> > exceeds the bounds of hid_class_descriptor [1] in struct
> > hid_descriptor. This occurs when parsing a HID device descriptor
> > during USB probing.
> >
> > Location: The fault occurs in a loop: for (n = 0; n < num_descriptors;
> > n++) if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT), accessing
> > hdesc->desc[n].
> >
> > Cause: struct hid_descriptor defines desc as a fixed-size array [1],
> > but the loop iterates up to num_descriptors (based on
> > hdesc->bNumDescriptors). UBSAN flags n=1 as out-of-bounds, though the
> > underlying descriptor buffer may be larger.
> >
> > Context: Preceded by a USB descriptor error (-22), suggesting a
> > malformed HID device (likely Syzkaller-crafted), triggering the loop
> > with bNumDescriptors > 1.
> >
> > Impact: No immediate crash, but a code hygiene issue flagged by UBSAN.
> > Runtime safety depends on descriptor buffer allocation, but it’s a
> > potential source of confusion or future bugs.
> >
> > Could HID maintainers investigate? Suggested fixes:
> > 1. Use a flexible array member (desc[]) in struct hid_descriptor and
> > adjust parsing to rely on runtime buffer size.
> > 2. Add stricter validation of hdesc->bNumDescriptors against bLength
> > to reject malformed descriptors earlier.
> >
> > Our knowledge of the kernel is somewhat limited, and we'd appreciate
> > it if you could determine if there is such an issue. If this issue
> > doesn't have an impact, please ignore it ☺.
> > If you fix this issue, please add the following tag to the commit:
> > Reported-by: Zhizhuo Tang <strforexctzzchange@...mail.com>, Jianzhou
> > Zhao <xnxc22xnxc22@...com>, Haoran Liu <cherest_san@....com>
>
> Have you seen this patch or tried to test it?
>
> https://lore.kernel.org/linux-usb/20250131151600.410242-1-n.zhandarovich@fintech.ru/
>
> Alan Stern
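Added example for this thread, not code from the kernel, the report or the patch linked above: a userspace C model of the descriptor walk the report describes, with the check its second suggestion asks for (validating hdesc->bNumDescriptors against bLength before the loop runs). The struct keeps the fixed-size desc[1] from the report; the function hid_report_desc_len(), the HID_MAX_DESCRIPTOR_SIZE cap and the sample descriptors are this example's own, and the wire layout constants follow the USB HID 1.11 class descriptor format (6-byte header, then 3-byte entries).

```c
/*
 * Added example, not kernel code: a userspace model of the HID class
 * descriptor parsing discussed in the report, with the
 * bNumDescriptors-vs-bLength validation the report suggests.
 * Wire layout (USB HID 1.11, 6.2.1): 6-byte header, then bNumDescriptors
 * entries of 3 bytes (bDescriptorType, wDescriptorLength).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HID_DT_HID              0x21
#define HID_DT_REPORT           0x22
#define HID_DT_PHYSICAL         0x23
#define HID_MAX_DESCRIPTOR_SIZE 4096   /* upper bound chosen for this example */

/* Same shape as the struct the report describes: desc[] is declared with
 * one element although a device may list several class descriptors. */
struct hid_class_descriptor {
    uint8_t  bDescriptorType;
    uint16_t wDescriptorLength;
} __attribute__((packed));

struct hid_descriptor {
    uint8_t  bLength;
    uint8_t  bDescriptorType;
    uint16_t bcdHID;
    uint8_t  bCountryCode;
    uint8_t  bNumDescriptors;
    struct hid_class_descriptor desc[1];
} __attribute__((packed));

#define HID_DESC_HEADER_SIZE offsetof(struct hid_descriptor, desc)
#define HID_CLASS_DESC_SIZE  sizeof(struct hid_class_descriptor)
_Static_assert(HID_DESC_HEADER_SIZE == 6, "header must match the wire format");
_Static_assert(HID_CLASS_DESC_SIZE == 3, "entry must match the wire format");

/*
 * Validate a HID descriptor received from the device and return the
 * wDescriptorLength of its report descriptor entry, or -1 if the
 * descriptor is truncated, inconsistent, or lists no report descriptor.
 *
 * Entries are addressed by byte offset inside the already-validated
 * bLength, so the loop never indexes hdesc->desc[n] for n > 0 (the access
 * UBSAN flags) and never reads past the bytes the caller received.
 */
int hid_report_desc_len(const uint8_t *buf, size_t buflen)
{
    const struct hid_descriptor *hdesc = (const struct hid_descriptor *)buf;
    size_t need;

    if (buflen < HID_DESC_HEADER_SIZE)
        return -1;                      /* header itself is truncated */
    if (hdesc->bDescriptorType != HID_DT_HID)
        return -1;                      /* not a HID descriptor */
    if (hdesc->bLength > buflen)
        return -1;                      /* bLength claims bytes never received */

    /* The check the report suggests: all entries must fit inside bLength. */
    need = HID_DESC_HEADER_SIZE + (size_t)hdesc->bNumDescriptors * HID_CLASS_DESC_SIZE;
    if (hdesc->bNumDescriptors == 0 || need > hdesc->bLength)
        return -1;                      /* malformed: rejected before the loop */

    for (unsigned n = 0; n < hdesc->bNumDescriptors; n++) {
        const uint8_t *d = buf + HID_DESC_HEADER_SIZE + n * HID_CLASS_DESC_SIZE;
        if (d[0] == HID_DT_REPORT) {
            unsigned len = d[1] | (d[2] << 8);   /* little-endian wDescriptorLength */
            if (len == 0 || len > HID_MAX_DESCRIPTOR_SIZE)
                return -1;
            return (int)len;
        }
    }
    return -1;                          /* no report descriptor listed */
}

/* Constructed sample descriptors for this example (not captured from a device). */
static const uint8_t good_one[] = {
    0x09, 0x21, 0x11, 0x01, 0x00, 0x01,   /* bLength 9, bcdHID 1.11, 1 entry */
    0x22, 0x3f, 0x00                       /* report descriptor, 63 bytes */
};
static const uint8_t good_two[] = {
    0x0c, 0x21, 0x11, 0x01, 0x00, 0x02,   /* bLength 12, 2 entries */
    0x23, 0x0a, 0x00,                      /* physical descriptor, 10 bytes */
    0x22, 0x80, 0x00                       /* report descriptor, 128 bytes */
};
static const uint8_t bad_count[] = {
    0x09, 0x21, 0x11, 0x01, 0x00, 0x02,   /* bLength 9 but bNumDescriptors 2 */
    0x22, 0x3f, 0x00,
    0x41, 0x41, 0x41                       /* extra bytes a fuzzer might append */
};

int main(void)
{
    printf("good_one  -> %d\n", hid_report_desc_len(good_one, sizeof good_one));
    printf("good_two  -> %d\n", hid_report_desc_len(good_two, sizeof good_two));
    printf("bad_count -> %d\n", hid_report_desc_len(bad_count, sizeof bad_count));
    printf("truncated -> %d\n", hid_report_desc_len(good_two, 5));
    return 0;
}
```

The bad_count sample is the situation the report describes: the buffer handed to the parser is larger than the descriptor, so a loop bounded only by bNumDescriptors would read desc[1] without faulting, but bLength says the device only sent one entry, so the descriptor is rejected before any entry is touched.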
