From: syzbot <syzbot+9c9179ac46169c56c1ad@syzkaller.appspotmail.com>
To: gregkh@linuxfoundation.org, jikos@kernel.org, karprzy7@gmail.com,
	 linux-input@vger.kernel.org, linux-kernel@vger.kernel.org,
	 linux-usb@vger.kernel.org, stern@rowland.harvard.edu,
	 syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [usb?] KASAN: stack-out-of-bounds Read in usb_check_int_endpoints
Date: Tue, 28 Jan 2025 01:16:25 -0800
Message-ID: <6798a069.050a0220.ac840.0244.GAE@google.com>
In-Reply-To: <6797072e.050a0220.2eae65.003f.GAE@google.com>

syzbot has found a reproducer for the following issue on:

HEAD commit:    6d61a53dd6f5 Merge tag 'f2fs-for-6.14-rc1' of git://git.ke..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=13786e24580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=a4ddc212efe12f88
dashboard link: https://syzkaller.appspot.com/bug?extid=9c9179ac46169c56c1ad
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1514cddf980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=143c85f8580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/65684dc6d116/disk-6d61a53d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/aa2e2ce680d3/vmlinux-6d61a53d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ebbf8bd929a6/bzImage-6d61a53d.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9c9179ac46169c56c1ad@syzkaller.appspotmail.com

usb 1-1: config 0 interface 0 has no altsetting 0
usb 1-1: New USB device found, idVendor=044f, idProduct=b65d, bcdDevice= 0.00
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
usb 1-1: config 0 descriptor??
hid-thrustmaster 0003:044F:B65D.0001: hidraw0: USB HID v0.00 Device [HID 044f:b65d] on usb-dummy_hcd.0-1/input0
==================================================================
BUG: KASAN: stack-out-of-bounds in usb_check_int_endpoints+0x247/0x270 drivers/usb/core/usb.c:277
Read of size 1 at addr ffffc9000009ebb9 by task kworker/0:1/9

CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.13.0-syzkaller-09030-g6d61a53dd6f5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:489
 kasan_report+0xd9/0x110 mm/kasan/report.c:602
 usb_check_int_endpoints+0x247/0x270 drivers/usb/core/usb.c:277
 thrustmaster_interrupts drivers/hid/hid-thrustmaster.c:176 [inline]
 thrustmaster_probe drivers/hid/hid-thrustmaster.c:347 [inline]
 thrustmaster_probe+0x499/0xe10 drivers/hid/hid-thrustmaster.c:289
 __hid_device_probe drivers/hid/hid-core.c:2713 [inline]
 hid_device_probe+0x349/0x700 drivers/hid/hid-core.c:2750
 call_driver_probe drivers/base/dd.c:579 [inline]
 really_probe+0x23e/0xa90 drivers/base/dd.c:658
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
 bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
 device_add+0x114b/0x1a70 drivers/base/core.c:3665
 hid_add_device+0x374/0xa60 drivers/hid/hid-core.c:2896
 usbhid_probe+0xd32/0x1400 drivers/hid/usbhid/hid-core.c:1431
 usb_probe_interface+0x300/0x9c0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:579 [inline]
 really_probe+0x23e/0xa90 drivers/base/dd.c:658
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
 bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
 device_add+0x114b/0x1a70 drivers/base/core.c:3665
 usb_set_configuration+0x10cb/0x1c50 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
 usb_probe_device+0xec/0x3e0 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:579 [inline]
 really_probe+0x23e/0xa90 drivers/base/dd.c:658
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
 bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
 device_add+0x114b/0x1a70 drivers/base/core.c:3665
 usb_new_device+0xd09/0x1a20 drivers/usb/core/hub.c:2652
 hub_port_connect drivers/usb/core/hub.c:5523 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5663 [inline]
 port_event drivers/usb/core/hub.c:5823 [inline]
 hub_event+0x2e58/0x4f40 drivers/usb/core/hub.c:5905
 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3317 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
 kthread+0x3af/0x750 kernel/kthread.c:464
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

The buggy address belongs to stack of task kworker/0:1/9
 and is located at offset 65 in frame:
 thrustmaster_probe+0x0/0xe10 drivers/hid/hid-thrustmaster.c:203

This frame has 2 objects:
 [48, 52) 'trans'
 [64, 65) 'ep_addr'

The buggy address belongs to the virtual mapping at
 [ffffc90000098000, ffffc900000a1000) created by:
 kernel_clone+0xfd/0x960 kernel/fork.c:2804

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1016f1
flags: 0x200000000000000(node=0|zone=2)
raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 2, tgid 2 (kthreadd), ts 2826831682, free_ts 0
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x181/0x1b0 mm/page_alloc.c:1551
 prep_new_page mm/page_alloc.c:1559 [inline]
 get_page_from_freelist+0xe76/0x2b90 mm/page_alloc.c:3477
 __alloc_frozen_pages_noprof+0x21c/0x2290 mm/page_alloc.c:4739
 __alloc_pages_noprof+0xb/0x1b0 mm/page_alloc.c:4773
 __alloc_pages_node_noprof include/linux/gfp.h:265 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:292 [inline]
 vm_area_alloc_pages mm/vmalloc.c:3593 [inline]
 __vmalloc_area_node mm/vmalloc.c:3669 [inline]
 __vmalloc_node_range_noprof+0x63d/0x1530 mm/vmalloc.c:3846
 alloc_thread_stack_node kernel/fork.c:314 [inline]
 dup_task_struct kernel/fork.c:1116 [inline]
 copy_process+0x2e42/0x8c60 kernel/fork.c:2222
 kernel_clone+0xfd/0x960 kernel/fork.c:2804
 kernel_thread+0xc0/0x100 kernel/fork.c:2866
 create_kthread kernel/kthread.c:487 [inline]
 kthreadd+0x4ef/0x7d0 kernel/kthread.c:847
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
page_owner free stack trace missing

Memory state around the buggy address:
 ffffc9000009ea80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc9000009eb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1
>ffffc9000009eb80: f1 f1 f1 f1 f1 04 f2 01 f3 f3 f3 00 00 00 00 00
                                        ^
 ffffc9000009ec00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc9000009ec80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
