From: gregkh at linuxfoundation.org (Greg KH)
Subject: [Linux-kernel-mentees] Analyze syzbot report technisat_usb2_rc_query KASAN
Date: Tue, 2 Jul 2019 06:45:10 +0200 [thread overview]
Message-ID: <20190702044510.GA1045@kroah.com> (raw)
In-Reply-To: <ede75d50-7475-3478-b30f-ef9077b6bf48@gmail.com>
On Tue, Jul 02, 2019 at 07:49:26AM +0700, Phong Tran wrote:
> Hello,
>
> I did a check of this syzbot report [1].
> From the call stack in the dump log:
>
> It shows that there is a problem within technisat_usb2_get_ir():
>
> BUG: KASAN: slab-out-of-bounds in technisat_usb2_get_ir
> drivers/media/usb/dvb-usb/technisat-usb2.c:664 [inline]
> BUG: KASAN: slab-out-of-bounds in technisat_usb2_rc_query+0x5fa/0x660
> drivers/media/usb/dvb-usb/technisat-usb2.c:679
> Read of size 1 at addr ffff8880a8791ea8 by task kworker/0:1/12
>
> Take a look at the while loop in technisat_usb2_get_ir().
> I recognized a problem. The loop will not break out if the condition
> is not reached. Then "b++" will go wrong and the buffer will overflow.
>
> while (1) {
> 	[...]
> 	b++;
> 	if (*b == 0xff) {
> 		ev.pulse = 0;
> 		ev.duration = 888888*2;
> 		ir_raw_event_store(d->rc_dev, &ev);
> 		break;
> 	}
> }
>
> I would propose changing the loop condition by checking the address of the
> buffer. If acceptable, I will send this patch to the mailing list.
> e.g.:
>
> - while (1) {
> + while (b != (buf + 63)) {
> [...]
> }
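Review bot: the bound in `+ while (b != (buf + 63)) {` is a magic number with no visible tie to how many bytes the device actually wrote into buf; express the limit in terms of that length rather than a literal, and prefer `<` to `!=` so the loop also terminates if b ever ends up past the limit. Note too that the body does `b++;` and then dereferences `*b` before the condition is re-evaluated, so the chosen bound must leave room for that one-byte lookahead or the read at `if (*b == 0xff)` can still land one past the end.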
>
> Tested with syzbot; the result is good [2].
>
> [1] https://syzkaller.appspot.com/bug?extid=eaaaf38a95427be88f4b
> [2] https://groups.google.com/d/msg/syzkaller-bugs/CySBCKuUOOs/0hKq1CdjCwAJ
Great, can you submit a patch for this?
thanks,
greg k-h
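The loop Phong describes above, modelled as an added standalone example (not the driver's code): a decoder that scans a device-filled buffer for a 0xff terminator, first trusting the device to supply one, then bounded by the length actually read. IR_BUF_LEN, ARENA_LEN, the function names and the constructed frame contents are assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the decode loop in technisat_usb2_get_ir(): the device
 * fills buf[0..IR_BUF_LEN), the decoder walks b = buf + 1 one IR event per byte
 * until it meets 0xff. Names and sizes are assumptions, not the driver's code. */
#define IR_BUF_LEN 62
#define ARENA_LEN 128
/* "Before": assumes the device wrote a 0xff somewhere; returns the stop offset. */
static size_t decode_ir_unbounded(const uint8_t *buf, size_t *n_ev)
{
    const uint8_t *b = buf + 1;
    *n_ev = 0;
    while (1) {
        (*n_ev)++;                   /* ir_raw_event_store(*b) in the driver */
        b++;
        if (*b == 0xff)
            break;
    }
    return (size_t)(b - buf);        /* may exceed IR_BUF_LEN: out-of-bounds read */
}
/* "After": only dereferences bytes inside [buf, buf + buf_len). Returns -1 when
 * no terminator exists in the buffer instead of walking off its end. */
static int decode_ir_bounded(const uint8_t *buf, size_t buf_len, size_t *n_ev)
{
    const uint8_t *end = buf + buf_len, *b = buf + 1;
    *n_ev = 0;
    while (b + 1 < end) {            /* b + 1 is the next byte to be tested */
        (*n_ev)++;
        b++;
        if (*b == 0xff)
            return 0;
    }
    return -1;                       /* malformed frame: no terminator in bounds */
}
/* Run both decoders on a constructed frame. The arena is larger than the device
 * buffer and ends in 0xff, so the unbounded walk stays in memory we own. */
struct probe { size_t stop_off, n_ev, bounded_n; int bounded_rc; };
static struct probe probe_frame(int terminated)
{
    uint8_t arena[ARENA_LEN];
    struct probe p;
    for (size_t i = 0; i < ARENA_LEN; i++) arena[i] = 0x20; /* constructed widths */
    arena[ARENA_LEN - 1] = 0xff;      /* canary, far past the device buffer */
    if (terminated) arena[10] = 0xff; /* well-formed frame: terminator in bounds */
    p.stop_off = decode_ir_unbounded(arena, &p.n_ev);
    p.bounded_rc = decode_ir_bounded(arena, IR_BUF_LEN, &p.bounded_n);
    return p;
}
```

With a terminator inside the buffer both decoders agree; without one, the unbounded walk stops only at the canary at offset 127, well past the 62 bytes the device filled, while the bounded version stops at the last in-bounds byte and reports the malformed frame.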