lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20251106021039.8866-1-hdanton@sina.com>
Date: Thu,  6 Nov 2025 10:10:38 +0800
From: Hillf Danton <hdanton@...a.com>
To: syzbot <syzbot+bfd77469c8966de076f7@...kaller.appspotmail.com>
Cc: linux-kernel@...r.kernel.org,
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [sound?] [usb?] KASAN: slab-out-of-bounds Write in copy_to_urb

> Date: Wed, 05 Nov 2025 07:20:38 -0800
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    ba36dd5ee6fd Merge tag 'bpf-fixes' of git://git.kernel.org..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1759afe2580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=929790bc044e87d7
> dashboard link: https://syzkaller.appspot.com/bug?extid=bfd77469c8966de076f7
> compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11c74292580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=107bffe2580000

#syz test

--- x/sound/usb/pcm.c
+++ y/sound/usb/pcm.c
@@ -1470,6 +1470,21 @@ static void fill_playback_urb_dsd_bitrev
 	urb_ctx_queue_advance(subs, urb, bytes);
 }
 
+static int copy_to_urb_prepare(struct snd_usb_substream *subs, struct urb *urb,
+			int offset, int stride, unsigned int bytes)
+{
+	if (subs->hwptr_done + bytes > subs->buffer_bytes) {
+		;
+	} else {
+		struct snd_urb_ctx *ctx = urb->context;
+
+		if (bytes > ctx->buffer_size ||
+		    offset > ctx->buffer_size - bytes)
+			return -EAGAIN;
+	}
+	return 0;
+}
+
 static void copy_to_urb(struct snd_usb_substream *subs, struct urb *urb,
 			int offset, int stride, unsigned int bytes)
 {
@@ -1607,9 +1622,12 @@ static int prepare_playback_urb(struct s
 			fill_playback_urb_dsd_bitrev(subs, urb, bytes);
 		} else {
 			/* usual PCM */
-			if (!subs->tx_length_quirk)
+			if (!subs->tx_length_quirk) {
+				int ret = copy_to_urb_prepare(subs, urb, 0, stride, bytes);
+				if (ret)
+					return ret;
 				copy_to_urb(subs, urb, 0, stride, bytes);
-			else
+			} else
 				bytes = copy_to_urb_quirk(subs, urb, stride, bytes);
 			/* bytes is now amount of outgoing data */
 		}
--

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ