lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <00000000000073512b0588c24d09@google.com> Date: Mon, 13 May 2019 03:23:07 -0700 From: syzbot <syzbot+200d4bb11b23d929335f@...kaller.appspotmail.com> To: andreyknvl@...gle.com, chunkeey@...glemail.com, davem@...emloft.net, kvalo@...eaurora.org, linux-kernel@...r.kernel.org, linux-usb@...r.kernel.org, linux-wireless@...r.kernel.org, netdev@...r.kernel.org, syzkaller-bugs@...glegroups.com Subject: Re: KASAN: use-after-free Read in p54u_load_firmware_cb syzbot has found a reproducer for the following crash on: HEAD commit: 43151d6c usb-fuzzer: main usb gadget fuzzer driver git tree: https://github.com/google/kasan.git usb-fuzzer console output: https://syzkaller.appspot.com/x/log.txt?x=16b64110a00000 kernel config: https://syzkaller.appspot.com/x/.config?x=4183eeef650d1234 dashboard link: https://syzkaller.appspot.com/bug?extid=200d4bb11b23d929335f compiler: gcc (GCC) 9.0.0 20181231 (experimental) syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1634c900a00000 IMPORTANT: if you fix the bug, please add the following tag to the commit: Reported-by: syzbot+200d4bb11b23d929335f@...kaller.appspotmail.com usb 1-1: config 0 descriptor?? usb 1-1: reset high-speed USB device number 2 using dummy_hcd usb 1-1: device descriptor read/64, error -71 usb 1-1: Using ep0 maxpacket: 8 usb 1-1: Loading firmware file isl3887usb usb 1-1: Direct firmware load for isl3887usb failed with error -2 usb 1-1: Firmware not found. ================================================================== BUG: KASAN: use-after-free in p54u_load_firmware_cb.cold+0x97/0x13a drivers/net/wireless/intersil/p54/p54usb.c:936 Read of size 8 at addr ffff88809803f588 by task kworker/1:0/17 CPU: 1 PID: 17 Comm: kworker/1:0 Not tainted 5.1.0-rc3-319004-g43151d6 #6 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events request_firmware_work_func Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xe8/0x16e lib/dump_stack.c:113 print_address_description+0x6c/0x236 mm/kasan/report.c:187 kasan_report.cold+0x1a/0x3c mm/kasan/report.c:317 p54u_load_firmware_cb.cold+0x97/0x13a drivers/net/wireless/intersil/p54/p54usb.c:936 request_firmware_work_func+0x12d/0x249 drivers/base/firmware_loader/main.c:785 process_one_work+0x90f/0x1580 kernel/workqueue.c:2269 worker_thread+0x9b/0xe20 kernel/workqueue.c:2415 kthread+0x313/0x420 kernel/kthread.c:253 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352 Allocated by task 0: (stack is not available) Freed by task 0: (stack is not available) The buggy address belongs to the object at ffff88809803f180 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 8 bytes to the right of 1024-byte region [ffff88809803f180, ffff88809803f580) The buggy address belongs to the page: page:ffffea0002600f00 count:1 mapcount:0 mapping:ffff88812c3f4a00 index:0x0 compound_mapcount: 0 flags: 0xfff00000010200(slab|head) raw: 00fff00000010200 dead000000000100 dead000000000200 ffff88812c3f4a00 raw: 0000000000000000 00000000800e000e 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88809803f480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88809803f500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > ffff88809803f580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff88809803f600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88809803f680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================
Powered by blists - more mailing lists