From: David Howells <dhowells@redhat.com>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: dhowells@redhat.com,
syzbot <syzbot+afeecc39f502a8681560@syzkaller.appspotmail.com>,
arnd@arndb.de, dmitry.torokhov@gmail.com, ebiederm@xmission.com,
gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org,
linux-usb@vger.kernel.org, stern@rowland.harvard.edu,
syzkaller-bugs@googlegroups.com
Subject: Re: linux-next boot error: KASAN: slab-out-of-bounds Read in post_usb_notification
Date: Mon, 20 Jan 2020 13:15:41 +0000 [thread overview]
Message-ID: <929068.1579526141@warthog.procyon.org.uk> (raw)
In-Reply-To: <20200120082335.GD21151@kadam>
Dan Carpenter <dan.carpenter@oracle.com> wrote:
> 2759 struct {
> 2760 struct usb_notification n;
> 2761 char more_name[USB_NOTIFICATION_MAX_NAME_LEN -
> 2762 (sizeof(struct usb_notification) -
> 2763 offsetof(struct usb_notification, name))];
> 2764 } n;
> 2765
> 2766 name_len = strlen(devname);
> 2767 name_len = min_t(size_t, name_len, USB_NOTIFICATION_MAX_NAME_LEN);
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> This limit is too high. It should be USB_NOTIFICATION_MAX_NAME_LEN -
> sizeof(struct usb_notification). or just
> "min_t(size_t, name_len, sizeof(n.more_name));". n.n.name[] is a
> zero size array.
No. It's not that simple. If you look at the struct:
struct usb_notification {
struct watch_notification watch;
__u32 error;
__u32 reserved;
__u8 name_len;
__u8 name[0];
};
There are at least 3, if not 7, bytes of padding after name[] as the struct is
not packed - and isn't necessarily rounded up to a multiple of 8 bytes either.
If you look at the definition of more_name[] above, you'll see:
USB_NOTIFICATION_MAX_NAME_LEN -
(sizeof(struct usb_notification) -
offsetof(struct usb_notification, name))
That calculates the amount of padding and then subtracts it from the amount of
name bufferage required.
USB_NOTIFICATION_MAX_NAME_LEN is 63, which is 64 minus one for the length.
> 2771 memcpy(n.n.name, devname, n_len);
> ^^^^^
> name_len was intended here.
Yeah. I think that's actually the bug. n_len is the length of the entire
notification record.
David
next prev parent reply other threads:[~2020-01-20 13:15 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-17 9:57 linux-next boot error: KASAN: slab-out-of-bounds Read in post_usb_notification syzbot
2020-01-20 8:23 ` Dan Carpenter
2020-01-20 13:15 ` David Howells [this message]
2020-01-20 13:37 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=929068.1579526141@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=arnd@arndb.de \
--cc=dan.carpenter@oracle.com \
--cc=dmitry.torokhov@gmail.com \
--cc=ebiederm@xmission.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=stern@rowland.harvard.edu \
--cc=syzbot+afeecc39f502a8681560@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.