Re: BUG: bad usercopy in ld_usb_read

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Johan Hovold <johan@kernel.org>
To: Andrey Konovalov <andreyknvl@google.com>
Cc: syzbot <syzbot+45b2f40f0778cfa7634e@syzkaller.appspotmail.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Kees Cook <keescook@chromium.org>,
	LKML <linux-kernel@vger.kernel.org>,
	USB list <linux-usb@vger.kernel.org>,
	syzkaller-bugs <syzkaller-bugs@googlegroups.com>
Subject: Re: BUG: bad usercopy in ld_usb_read
Date: Fri, 18 Oct 2019 16:39:16 +0200	[thread overview]
Message-ID: <20191018143916.GF21827@localhost> (raw)
In-Reply-To: <CAAeHK+wcAgqNvEO_S_EXgdvhBN2qkQbPii8XVT_7UVnS1WaB6g@mail.gmail.com>

On Mon, Aug 12, 2019 at 02:06:08PM +0200, Andrey Konovalov wrote:
> On Thu, Aug 8, 2019 at 2:38 PM syzbot
> <syzbot+45b2f40f0778cfa7634e@syzkaller.appspotmail.com> wrote:
> >
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:    e96407b4 usb-fuzzer: main usb gadget fuzzer driver
> > git tree:       https://github.com/google/kasan.git usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=13aeaece600000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=cfa2c18fb6a8068e
> > dashboard link: https://syzkaller.appspot.com/bug?extid=45b2f40f0778cfa7634e
> > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> >
> > Unfortunately, I don't have any reproducer for this crash yet.
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+45b2f40f0778cfa7634e@syzkaller.appspotmail.com
> >
> > ldusb 6-1:0.124: Read buffer overflow, -131383996186150 bytes dropped
> > usercopy: Kernel memory exposure attempt detected from SLUB
> > object 'kmalloc-2k' (offset 8, size 65062)!
> > ------------[ cut here ]------------
> > kernel BUG at mm/usercopy.c:98!
> > invalid opcode: 0000 [#1] SMP KASAN
> > CPU: 0 PID: 15185 Comm: syz-executor.2 Not tainted 5.3.0-rc2+ #25
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > RIP: 0010:usercopy_abort+0xb9/0xbb mm/usercopy.c:98
> > Code: e8 c1 f7 d6 ff 49 89 d9 4d 89 e8 4c 89 e1 41 56 48 89 ee 48 c7 c7 e0
> > f3 cd 85 ff 74 24 08 41 57 48 8b 54 24 20 e8 15 98 c1 ff <0f> 0b e8 95 f7
> > d6 ff e8 80 9f fd ff 8b 54 24 04 49 89 d8 4c 89 e1
> > RSP: 0018:ffff8881ccb3fc38 EFLAGS: 00010286
> > RAX: 0000000000000067 RBX: ffffffff86a659d4 RCX: 0000000000000000
> > RDX: 0000000000000000 RSI: ffffffff8128a0fd RDI: ffffed1039967f79
> > RBP: ffffffff85cdf2c0 R08: 0000000000000067 R09: fffffbfff11acdaa
> > R10: fffffbfff11acda9 R11: ffffffff88d66d4f R12: ffffffff86a696e8
> > R13: ffffffff85cdf180 R14: 000000000000fe26 R15: ffffffff85cdf140
> > FS:  00007ff6daf91700(0000) GS:ffff8881db200000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 00007f1de6600000 CR3: 00000001ca554000 CR4: 00000000001406f0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > Call Trace:
> >   __check_heap_object+0xdd/0x110 mm/slub.c:3914
> >   check_heap_object mm/usercopy.c:234 [inline]
> >   __check_object_size mm/usercopy.c:280 [inline]
> >   __check_object_size+0x32d/0x39b mm/usercopy.c:250
> >   check_object_size include/linux/thread_info.h:119 [inline]
> >   check_copy_size include/linux/thread_info.h:150 [inline]
> >   copy_to_user include/linux/uaccess.h:151 [inline]
> >   ld_usb_read+0x304/0x780 drivers/usb/misc/ldusb.c:495
> 
> #syz dup: KASAN: use-after-free Read in ld_usb_release

This was a different bug. Mark as dup of the latest report:

#syz dup: KASAN: slab-out-of-bounds Read in ld_usb_read (3)

Johan

     prev parent reply	other threads:[~2019-10-18 14:39 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-08-08 12:38 BUG: bad usercopy in ld_usb_read syzbot
2019-08-08 12:46 ` Greg KH
2019-08-08 23:06   ` Kees Cook
2019-08-09  8:55     ` Greg KH
2019-08-09 15:13       ` Alan Stern
2019-08-10 18:23         ` Kees Cook
2019-08-10 18:15 ` syzbot
2019-08-12 12:06 ` Andrey Konovalov
2019-10-18 14:39   ` Johan Hovold [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20191018143916.GF21827@localhost \
    --to=johan@kernel.org \
    --cc=andreyknvl@google.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=keescook@chromium.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-usb@vger.kernel.org \
    --cc=syzbot+45b2f40f0778cfa7634e@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.