Message-ID: <2025101225-lisp-monkhood-af34@gregkh>
Date: Sun, 12 Oct 2025 13:18:12 +0200
From: Greg KH <gregkh@...uxfoundation.org>
To: Jiaming Zhang <r772577952@...il.com>
Cc: linux-sound@...r.kernel.org, perex@...ex.cz, tiwai@...e.com,
broonie@...nel.org, cryolitia@...ontech.com,
linux-kernel@...r.kernel.org, pierre-louis.bossart@...ux.dev,
quic_wcheng@...cinc.com, syzkaller@...glegroups.com
Subject: Re: [Linux Kernel Bug] general protection fault in try_to_register_card
On Sun, Oct 12, 2025 at 07:11:53PM +0800, Jiaming Zhang wrote:
> Dear Linux kernel developers and maintainers:
>
> We are writing to report a general protection fault discovered in the
> kernel with our modified syzkaller. This bug is reproducible on the
> latest version (commit 67029a49db6c1f21106a1b5fcdd0ea234a6e0711).
>
> The kernel console output, kernel config, syzkaller reproducer, and C
> reproducer are attached to this email to help analysis. The KASAN
> report from kernel (commit 67029a49), formatted by syz-symbolize, is
> listed below:
>
> ==================================================================
> e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
> usb 1-1: new full-speed USB device number 2 using dummy_hcd
> usb 1-1: not running at top speed; connect to a high speed hub
> usb 1-1: config 2 has an invalid interface number: 131 but max is 3
> usb 1-1: config 2 has an invalid interface number: 160 but max is 3
> usb 1-1: config 2 has an invalid descriptor of length 0, skipping
> remainder of the config
> usb 1-1: config 2 has 2 interfaces, different from the descriptor's value: 4
> usb 1-1: config 2 has no interface number 0
> usb 1-1: config 2 has no interface number 1
> usb 1-1: config 2 interface 160 altsetting 9 has an invalid descriptor
> for endpoint zero, skipping
> usb 1-1: config 2 interface 160 altsetting 9 has 2 endpoint
> descriptors, different from the interface descriptor's value: 16
> usb 1-1: config 2 interface 131 has no altsetting 0
> usb 1-1: config 2 interface 160 has no altsetting 0
> usb 1-1: New USB device found, idVendor=0dba, idProduct=5000, bcdDevice=3a.c9
> usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
> usb 1-1: Product: syz
> usb 1-1: Manufacturer: syz
> usb 1-1: SerialNumber: syz
> usb 1-1: MBOX3: Initialized.
> Oops: general protection fault, probably for non-canonical address
> 0xdffffc000000001c: 0000 [#1] SMP KASAN NOPTI
> KASAN: null-ptr-deref in range [0x00000000000000e0-0x00000000000000e7]
> CPU: 1 UID: 0 PID: 793 Comm: kworker/1:2 Not tainted
> 6.17.0-12904-g67029a49db6c #1 PREEMPT(full)
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> Workqueue: usb_hub_wq hub_event
> RIP: 0010:usb_interface_claimed include/linux/usb.h:918 [inline]
> RIP: 0010:try_to_register_card+0x248/0x300 sound/usb/card.c:896
> Code: de cd 30 f9 49 8b 3f 44 89 f6 e8 43 e5 fa fd 49 89 c6 49 81 c6
> e0 00 00 00 4c 89 f0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c
> 08 00 74 08 4c 89 f7 e8 aa cd 30 f9 49 83 3e 00 74 73 e8 ff
> RSP: 0018:ffffc9000462eb80 EFLAGS: 00010202
> RAX: 000000000000001c RBX: ffff888049b02a30 RCX: dffffc0000000000
> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000000000a0
> RBP: ffffc9000462ec30 R08: ffffc9000462e9e7 R09: 1ffff920008c5d3c
> R10: dffffc0000000000 R11: ffffffff88f59950 R12: 00000000000000f8
> R13: 1ffff11009360559 R14: 00000000000000e0 R15: ffff888049b02a38
> FS: 0000000000000000(0000) GS:ffff8880ec976000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f86fb0e16f8 CR3: 0000000028a6b000 CR4: 0000000000752ef0
> PKRU: 55555554
> Call Trace:
> <TASK>
> usb_audio_probe+0x143f/0x1e60 sound/usb/card.c:1039
So you are probably creating an invalid usb audio device without a
proper interface here, right? Care to make up a simple patch for this
so that you get the credit for fixing the issue as you can test it
easily?
thanks,
greg k-h
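As an added illustration, not code from the kernel or from this thread: a standalone C model of the pattern behind the oops above. A lookup by interface number over a parsed configuration returns NULL when the number is not present in that configuration (the log shows several descriptor/config mismatches of this kind), and a caller that hands that result straight to a "claimed" check dereferences a field at a small offset from NULL, which is exactly what the report's 0xe0..0xe7 range describes. The struct layout, helper names and the constructed sample configuration are assumptions (the field offset in the model differs from the real struct); the last function decodes the KASAN shadow address in the oops back into the faulting address using the x86-64 shadow mapping shadow = (addr >> 3) + 0xdffffc0000000000.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* Constructed stand-in for a parsed USB configuration; not the kernel's
 * struct usb_interface / struct usb_host_config. */
struct model_interface {
    unsigned int ifnum;   /* bInterfaceNumber as parsed from the descriptor */
    const void *driver;   /* non-NULL once a driver has bound to it */
};

struct model_config {
    const struct model_interface *iface;
    size_t n;
};

/* Constructed sample: interfaces 2 and 3 exist, 3 is bound, 0/1/131/160 are absent. */
static const struct model_interface sample_ifaces[] = {
    { 2, NULL },
    { 3, (const void *)1 },
};
const struct model_config sample_cfg = { sample_ifaces, 2 };

/* Mirrors the contract of usb_ifnum_to_if(): NULL when nothing carries ifnum. */
const struct model_interface *
model_ifnum_to_if(const struct model_config *cfg, unsigned int ifnum)
{
    for (size_t i = 0; i < cfg->n; i++)
        if (cfg->iface[i].ifnum == ifnum)
            return &cfg->iface[i];
    return NULL;
}

/* Unsafe form, shown for contrast only: faults when the lookup returned NULL. */
bool model_claimed_unchecked(const struct model_interface *iface)
{
    return iface->driver != NULL;
}

/* Hardened form: an interface that does not exist is simply "not claimed". */
bool model_claimed_checked(const struct model_interface *iface)
{
    return iface != NULL && iface->driver != NULL;
}

/* Returns 1 if registration may proceed on last_iface, 0 otherwise; never derefs NULL. */
int model_try_to_register(const struct model_config *cfg, unsigned int last_iface)
{
    return model_claimed_checked(model_ifnum_to_if(cfg, last_iface)) ? 1 : 0;
}

/* x86-64 KASAN: shadow = (addr >> 3) + KASAN_SHADOW_OFFSET, inverted here. */
#define KASAN_SHADOW_OFFSET 0xdffffc0000000000ULL
uint64_t kasan_shadow_to_addr(uint64_t shadow) { return (shadow - KASAN_SHADOW_OFFSET) << 3; }
```

Feeding the oops's shadow address 0xdffffc000000001c to kasan_shadow_to_addr() yields 0xe0, the start of the reported null-ptr-deref range.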