Message-ID: <8033fcb7-e97d-4b6d-a3fb-a9a49f8b69f2@rowland.harvard.edu>
Date: Thu, 17 Jul 2025 22:05:16 -0400
From: Alan Stern <stern@...land.harvard.edu>
To: cen zhang <zzzccc427@...il.com>
Cc: mathias.nyman@...el.com, gregkh@...uxfoundation.org,
	linux-kernel@...r.kernel.org, baijiaju1990@...il.com,
	zhenghaoran154@...il.com, r33s3n6@...il.com,
	linux-usb@...r.kernel.org, gality365@...il.com
Subject: Re: [BUG] KASAN: slab-use-after-free Read in xhci_hub_control

On Thu, Jul 17, 2025 at 08:24:17PM +0800, cen zhang wrote:
> Hi maintainers,
> 
> I've encountered a kernel crash in the xhci driver, which was found by
> Syzkaller on kernel version 6.16.0-rc6 (commit 155a3c003e55).
> 
> The KASAN report points to a slab-use-after-free read within
> xhci_hub_control. What we find puzzling is that the free operation
> occurred in a completely different module, as indicated by the free
> stack trace.
> 
> We suspect this might not be a false positive, but rather a complex
> bug whose root cause is not a simple UAF within the same driver. We've
> tried to trace how this could happen but are struggling to understand
> the connection.
> 
> Could you possibly offer your expertise and help us understand if this
> is a known issue or a new bug? Any insight you could provide would be
> immensely helpful.

My initial guess is that you're experiencing pointer corruption.  Such
bugs are notoriously difficult to locate and pin down.

Alan Stern
