Message-ID: <2025071748-unlovely-citadel-3dc8@gregkh>
Date: Thu, 17 Jul 2025 16:37:39 +0200
From: Greg KH <gregkh@...uxfoundation.org>
To: cen zhang <zzzccc427@...il.com>
Cc: mathias.nyman@...el.com, linux-kernel@...r.kernel.org,
	baijiaju1990@...il.com, zhenghaoran154@...il.com, r33s3n6@...il.com,
	linux-usb@...r.kernel.org, gality365@...il.com
Subject: Re: [BUG] KASAN: slab-use-after-free Read in xhci_hub_control

On Thu, Jul 17, 2025 at 08:24:17PM +0800, cen zhang wrote:
> Hi maintainers,
> 
> I've encountered a kernel crash in the xhci driver, which was found by
> Syzkaller on kernel version 6.16.0-rc6 (commit 155a3c003e55).
> 
> The KASAN report points to a slab-use-after-free read within
> xhci_hub_control. What we find puzzling is that the free operation
> occurred in a completely different module, as indicated by the free
> stack trace.
> 
> We suspect this might not be a false positive, but rather a complex
> bug whose root cause is not a simple UAF within the same driver. We've
> tried to trace how this could happen but are struggling to understand
> the connection.
> 
> Could you possibly offer your expertise and help us understand if this
> is a known issue or a new bug? Any insight you could provide would be
> immensely helpful.
> 
> The full crash log and a C reproducer are attached. Please let me know
> if any further information is needed.
> 
> The full KASAN crash report is attached. Below is the C reproducer.

You are talking to a specific USB hub in your system, I guess an xhci
root hub?  Or one that is external?  Can you clean up your reproducer to
be readable so we can try to run it locally with any USB hub as the
option?

thanks,

greg k-h
