From: Kees Cook <keescook@chromium.org>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: syzbot <syzbot+45b2f40f0778cfa7634e@syzkaller.appspotmail.com>,
Michael Hund <mhund@ld-didactic.de>,
akpm@linux-foundation.org, andreyknvl@google.com, cai@lca.pw,
linux-kernel@vger.kernel.org, linux-mm@kvack.org,
linux-usb@vger.kernel.org, syzkaller-bugs@googlegroups.com,
tglx@linutronix.de
Subject: Re: BUG: bad usercopy in ld_usb_read
Date: Thu, 8 Aug 2019 16:06:32 -0700 [thread overview]
Message-ID: <201908081604.D1203D408@keescook> (raw)
In-Reply-To: <20190808124654.GB32144@kroah.com>
On Thu, Aug 08, 2019 at 02:46:54PM +0200, Greg KH wrote:
> On Thu, Aug 08, 2019 at 05:38:06AM -0700, syzbot wrote:
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit: e96407b4 usb-fuzzer: main usb gadget fuzzer driver
> > git tree: https://github.com/google/kasan.git usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=13aeaece600000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=cfa2c18fb6a8068e
> > dashboard link: https://syzkaller.appspot.com/bug?extid=45b2f40f0778cfa7634e
> > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> >
> > Unfortunately, I don't have any reproducer for this crash yet.
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+45b2f40f0778cfa7634e@syzkaller.appspotmail.com
> >
> > ldusb 6-1:0.124: Read buffer overflow, -131383996186150 bytes dropped
>
> That's a funny number :)
>
> Nice overflow found, I see you are now starting to fuzz the char device
> nodes of usb drivers...
>
> Michael, care to fix this up?
This looks like the length in the read-from-device buffer is unchecked:
/* actual_buffer contains actual_length + interrupt_in_buffer */
actual_buffer = (size_t *)(dev->ring_buffer + dev->ring_tail * (sizeof(size_t)+dev->interrupt_in_endpoint_size));
bytes_to_read = min(count, *actual_buffer);
if (bytes_to_read < *actual_buffer)
dev_warn(&dev->intf->dev, "Read buffer overflow, %zd bytes dropped\n",
*actual_buffer-bytes_to_read);
/* copy one interrupt_in_buffer from ring_buffer into userspace */
if (copy_to_user(buffer, actual_buffer+1, bytes_to_read)) {
retval = -EFAULT;
goto unlock_exit;
}
I assume what's stored at actual_buffer is bogus and needs validation
somewhere before it's actually used. (If not here, maybe where ever the
write into the buffer originally happens?)
--
Kees Cook
next prev parent reply other threads:[~2019-08-08 23:06 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-08 12:38 BUG: bad usercopy in ld_usb_read syzbot
2019-08-08 12:46 ` Greg KH
2019-08-08 23:06 ` Kees Cook [this message]
2019-08-09 8:55 ` Greg KH
2019-08-09 15:13 ` Alan Stern
2019-08-10 18:23 ` Kees Cook
2019-08-10 18:15 ` syzbot
2019-08-12 12:06 ` Andrey Konovalov
2019-10-18 14:39 ` Johan Hovold
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201908081604.D1203D408@keescook \
--to=keescook@chromium.org \
--cc=akpm@linux-foundation.org \
--cc=andreyknvl@google.com \
--cc=cai@lca.pw \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-usb@vger.kernel.org \
--cc=mhund@ld-didactic.de \
--cc=syzbot+45b2f40f0778cfa7634e@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.