linux-input.vger.kernel.org archive mirror
* [syzbot] [input?] [usb?] KMSAN: uninit-value in asus_report_fixup
@ 2024-05-24 20:00 syzbot
  2024-05-28  5:05 ` [PATCH] hid: asus: asus_report_fixup: fix potential read out of bounds Andrew Ballance
  0 siblings, 1 reply; 7+ messages in thread
From: syzbot @ 2024-05-24 20:00 UTC (permalink / raw)
  To: benjamin.tissoires, bentiss, jikos, jkosina, linux-input,
	linux-kernel, linux-usb, luke, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    70ec81c2e2b4 Merge tag 'linux_kselftest-next-6.10-rc1-fixe..
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1477c6dc980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=48a63c58ee55467e
dashboard link: https://syzkaller.appspot.com/bug?extid=07762f019fd03d01f04c
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1609f92a980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15b85ca4980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6f3592f38ad8/disk-70ec81c2.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/5987dcdede63/vmlinux-70ec81c2.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f31717c1621a/bzImage-70ec81c2.xz

The issue was bisected to:

commit 59d2f5b7392e988a391e6924e177c1a68d50223d
Author: Luke D. Jones <luke@ljones.dev>
Date:   Tue Apr 16 09:03:59 2024 +0000

    HID: asus: fix more n-key report descriptors if n-key quirked

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=154fd644980000
final oops:     https://syzkaller.appspot.com/x/report.txt?x=174fd644980000
console output: https://syzkaller.appspot.com/x/log.txt?x=134fd644980000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+07762f019fd03d01f04c@syzkaller.appspotmail.com
Fixes: 59d2f5b7392e ("HID: asus: fix more n-key report descriptors if n-key quirked")

usb 1-1: config 0 descriptor??
==================================================================
BUG: KASAN: slab-out-of-bounds in asus_report_fixup+0x857/0xed0 drivers/hid/hid-asus.c:1210
Read of size 1 at addr ffff88802472ad45 by task kworker/0:1/9

CPU: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.9.0-syzkaller-10219-g70ec81c2e2b4 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 asus_report_fixup+0x857/0xed0 drivers/hid/hid-asus.c:1210
 hid_open_report+0x1ba/0x14a0 drivers/hid/hid-core.c:1235
 hid_parse include/linux/hid.h:1118 [inline]
 asus_probe+0x82e/0xc90 drivers/hid/hid-asus.c:1065
 __hid_device_probe drivers/hid/hid-core.c:2633 [inline]
 hid_device_probe+0x26e/0x4f0 drivers/hid/hid-core.c:2670
 really_probe+0x2b8/0xad0 drivers/base/dd.c:656
 __driver_probe_device+0x1a2/0x390 drivers/base/dd.c:798
 driver_probe_device+0x50/0x430 drivers/base/dd.c:828
 __device_attach_driver+0x2d6/0x530 drivers/base/dd.c:956
 bus_for_each_drv+0x24e/0x2e0 drivers/base/bus.c:457
 __device_attach+0x333/0x520 drivers/base/dd.c:1028
 bus_probe_device+0x189/0x260 drivers/base/bus.c:532
 device_add+0x8ff/0xca0 drivers/base/core.c:3720
 hid_add_device+0x3b6/0x520 drivers/hid/hid-core.c:2816
 usbhid_probe+0xb38/0xea0 drivers/hid/usbhid/hid-core.c:1429
 usb_probe_interface+0x645/0xbb0 drivers/usb/core/driver.c:399
 really_probe+0x2b8/0xad0 drivers/base/dd.c:656
 __driver_probe_device+0x1a2/0x390 drivers/base/dd.c:798
 driver_probe_device+0x50/0x430 drivers/base/dd.c:828
 __device_attach_driver+0x2d6/0x530 drivers/base/dd.c:956
 bus_for_each_drv+0x24e/0x2e0 drivers/base/bus.c:457
 __device_attach+0x333/0x520 drivers/base/dd.c:1028
 bus_probe_device+0x189/0x260 drivers/base/bus.c:532
 device_add+0x8ff/0xca0 drivers/base/core.c:3720
 usb_set_configuration+0x1976/0x1fb0 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0x88/0x140 drivers/usb/core/generic.c:254
 usb_probe_device+0x1b8/0x380 drivers/usb/core/driver.c:294
 really_probe+0x2b8/0xad0 drivers/base/dd.c:656
 __driver_probe_device+0x1a2/0x390 drivers/base/dd.c:798
 driver_probe_device+0x50/0x430 drivers/base/dd.c:828
 __device_attach_driver+0x2d6/0x530 drivers/base/dd.c:956
 bus_for_each_drv+0x24e/0x2e0 drivers/base/bus.c:457
 __device_attach+0x333/0x520 drivers/base/dd.c:1028
 bus_probe_device+0x189/0x260 drivers/base/bus.c:532
 device_add+0x8ff/0xca0 drivers/base/core.c:3720
 usb_new_device+0x104a/0x19a0 drivers/usb/core/hub.c:2652
 hub_port_connect drivers/usb/core/hub.c:5522 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5662 [inline]
 port_event drivers/usb/core/hub.c:5822 [inline]
 hub_event+0x2d6a/0x5150 drivers/usb/core/hub.c:5904
 process_one_work kernel/workqueue.c:3231 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
 worker_thread+0x86d/0xd70 kernel/workqueue.c:3393
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Allocated by task 9:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slub.c:4121 [inline]
 kmalloc_node_track_caller_noprof+0x22a/0x450 mm/slub.c:4141
 kmemdup_noprof+0x2a/0x60 mm/util.c:131
 hid_open_report+0x156/0x14a0 drivers/hid/hid-core.c:1230
 hid_parse include/linux/hid.h:1118 [inline]
 asus_probe+0x82e/0xc90 drivers/hid/hid-asus.c:1065
 __hid_device_probe drivers/hid/hid-core.c:2633 [inline]
 hid_device_probe+0x26e/0x4f0 drivers/hid/hid-core.c:2670
 really_probe+0x2b8/0xad0 drivers/base/dd.c:656
 __driver_probe_device+0x1a2/0x390 drivers/base/dd.c:798
 driver_probe_device+0x50/0x430 drivers/base/dd.c:828
 __device_attach_driver+0x2d6/0x530 drivers/base/dd.c:956
 bus_for_each_drv+0x24e/0x2e0 drivers/base/bus.c:457
 __device_attach+0x333/0x520 drivers/base/dd.c:1028
 bus_probe_device+0x189/0x260 drivers/base/bus.c:532
 device_add+0x8ff/0xca0 drivers/base/core.c:3720
 hid_add_device+0x3b6/0x520 drivers/hid/hid-core.c:2816
 usbhid_probe+0xb38/0xea0 drivers/hid/usbhid/hid-core.c:1429
 usb_probe_interface+0x645/0xbb0 drivers/usb/core/driver.c:399
 really_probe+0x2b8/0xad0 drivers/base/dd.c:656
 __driver_probe_device+0x1a2/0x390 drivers/base/dd.c:798
 driver_probe_device+0x50/0x430 drivers/base/dd.c:828
 __device_attach_driver+0x2d6/0x530 drivers/base/dd.c:956
 bus_for_each_drv+0x24e/0x2e0 drivers/base/bus.c:457
 __device_attach+0x333/0x520 drivers/base/dd.c:1028
 bus_probe_device+0x189/0x260 drivers/base/bus.c:532
 device_add+0x8ff/0xca0 drivers/base/core.c:3720
 usb_set_configuration+0x1976/0x1fb0 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0x88/0x140 drivers/usb/core/generic.c:254
 usb_probe_device+0x1b8/0x380 drivers/usb/core/driver.c:294
 really_probe+0x2b8/0xad0 drivers/base/dd.c:656
 __driver_probe_device+0x1a2/0x390 drivers/base/dd.c:798
 driver_probe_device+0x50/0x430 drivers/base/dd.c:828
 __device_attach_driver+0x2d6/0x530 drivers/base/dd.c:956
 bus_for_each_drv+0x24e/0x2e0 drivers/base/bus.c:457
 __device_attach+0x333/0x520 drivers/base/dd.c:1028
 bus_probe_device+0x189/0x260 drivers/base/bus.c:532
 device_add+0x8ff/0xca0 drivers/base/core.c:3720
 usb_new_device+0x104a/0x19a0 drivers/usb/core/hub.c:2652
 hub_port_connect drivers/usb/core/hub.c:5522 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5662 [inline]
 port_event drivers/usb/core/hub.c:5822 [inline]
 hub_event+0x2d6a/0x5150 drivers/usb/core/hub.c:5904
 process_one_work kernel/workqueue.c:3231 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
 worker_thread+0x86d/0xd70 kernel/workqueue.c:3393
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

The buggy address belongs to the object at ffff88802472ad40
 which belongs to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes to the right of
 allocated 5-byte region [ffff88802472ad40, ffff88802472ad45)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2472a
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffefff(slab)
raw: 00fff00000000000 ffff888015041500 dead000000000100 dead000000000122
raw: 0000000000000000 0000000080800080 00000001ffffefff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52c00(GFP_NOIO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid 1 (swapper/0), ts 12879192655, free_ts 12811137824
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1468
 prep_new_page mm/page_alloc.c:1476 [inline]
 get_page_from_freelist+0x2e2d/0x2ee0 mm/page_alloc.c:3402
 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4660
 __alloc_pages_node_noprof include/linux/gfp.h:244 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:271 [inline]
 alloc_slab_page+0x5f/0x120 mm/slub.c:2264
 allocate_slab+0x5a/0x2e0 mm/slub.c:2427
 new_slab mm/slub.c:2480 [inline]
 ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3666
 __slab_alloc+0x58/0xa0 mm/slub.c:3756
 __slab_alloc_node mm/slub.c:3809 [inline]
 slab_alloc_node mm/slub.c:3988 [inline]
 kmalloc_trace_noprof+0x1d5/0x2c0 mm/slub.c:4147
 kmalloc_noprof include/linux/slab.h:660 [inline]
 usb_control_msg+0xbb/0x4c0 drivers/usb/core/message.c:144
 hub_power_on+0x1de/0x460
 hub_activate+0x3cd/0x1c70 drivers/usb/core/hub.c:1135
 hub_configure drivers/usb/core/hub.c:1742 [inline]
 hub_probe+0x274f/0x3640 drivers/usb/core/hub.c:1965
 usb_probe_interface+0x645/0xbb0 drivers/usb/core/driver.c:399
 really_probe+0x2b8/0xad0 drivers/base/dd.c:656
 __driver_probe_device+0x1a2/0x390 drivers/base/dd.c:798
 driver_probe_device+0x50/0x430 drivers/base/dd.c:828
page last free pid 785 tgid 785 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1088 [inline]
 free_unref_page+0xd22/0xea0 mm/page_alloc.c:2565
 vfree+0x186/0x2e0 mm/vmalloc.c:3346
 delayed_vfree_work+0x56/0x80 mm/vmalloc.c:3267
 process_one_work kernel/workqueue.c:3231 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
 worker_thread+0x86d/0xd70 kernel/workqueue.c:3393
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Memory state around the buggy address:
 ffff88802472ac00: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc
 ffff88802472ac80: 06 fc fc fc 06 fc fc fc fa fc fc fc fa fc fc fc
>ffff88802472ad00: fa fc fc fc fa fc fc fc 05 fc fc fc 05 fc fc fc
                                           ^
 ffff88802472ad80: fa fc fc fc fa fc fc fc 06 fc fc fc 06 fc fc fc
 ffff88802472ae00: 07 fc fc fc 06 fc fc fc fa fc fc fc 00 fc fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


* [PATCH] hid: asus: asus_report_fixup: fix potential read out of bounds
  2024-05-24 20:00 [syzbot] [input?] [usb?] KMSAN: uninit-value in asus_report_fixup syzbot
@ 2024-05-28  5:05 ` Andrew Ballance
  2024-05-28  5:46   ` [syzbot] [input?] [usb?] KMSAN: uninit-value in asus_report_fixup syzbot
  2024-05-31  8:59   ` [PATCH] hid: asus: asus_report_fixup: fix potential read out of bounds Dan Carpenter
  0 siblings, 2 replies; 7+ messages in thread
From: Andrew Ballance @ 2024-05-28  5:05 UTC (permalink / raw)
  To: syzbot+07762f019fd03d01f04c
  Cc: benjamin.tissoires, bentiss, jikos, jkosina, linux-input,
	linux-kernel, linux-usb, luke, syzkaller-bugs,
	linux-kernel-mentees, skhan, Andrew Ballance

#syz test

There may be a read out of the bounds of rdesc.
This adds bounds checks.

Signed-off-by: Andrew Ballance <andrewjballance@gmail.com>
---
 drivers/hid/hid-asus.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/hid/hid-asus.c b/drivers/hid/hid-asus.c
index 02de2bf4f790..37e6d25593c2 100644
--- a/drivers/hid/hid-asus.c
+++ b/drivers/hid/hid-asus.c
@@ -1204,8 +1204,8 @@ static __u8 *asus_report_fixup(struct hid_device *hdev, __u8 *rdesc,
 	}
 
 	/* match many more n-key devices */
-	if (drvdata->quirks & QUIRK_ROG_NKEY_KEYBOARD) {
-		for (int i = 0; i < *rsize + 1; i++) {
+	if (drvdata->quirks & QUIRK_ROG_NKEY_KEYBOARD && *rsize > 15) {
+		for (int i = 0; i < *rsize - 15; i++) {
 			/* offset to the count from 0x5a report part always 14 */
 			if (rdesc[i] == 0x85 && rdesc[i + 1] == 0x5a &&
 			    rdesc[i + 14] == 0x95 && rdesc[i + 15] == 0x05) {
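Review bot: The new loop bound `*rsize - 15` is only safe because of the `*rsize > 15` test added to the enclosing `if`, and both 15s have to stay in step with the `rdesc[i + 15]` read in the condition below. A short comment saying that 15 is the largest offset the match reads (so the last valid `i` is `*rsize - 16`), or one named constant used in all three places, would keep a later change to the pattern from reintroducing the out-of-bounds read.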
-- 
2.45.1
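
An added example, not part of the original thread or of the kernel source: a userspace C model of the loop in the patch above that records, without touching it, the first index each loop bound would read past the end of the descriptor. The names `scan_nkey`, `bound_policy` and `BOUND_RSIZE` (a hypothetical `i < *rsize` partial fix) and the sample descriptors are constructed for illustration; the model stops at the first match, which is a simplification.

```c
#include <stdint.h>
#include <stdio.h>

/* Largest offset the match reads relative to i, i.e. rdesc[i + 15]. */
#define MATCH_SPAN 15u

enum bound_policy {
	BOUND_ORIGINAL,	/* i < rsize + 1: the loop before the patch */
	BOUND_RSIZE,	/* i < rsize: hypothetical partial fix, not from the thread */
	BOUND_PATCHED	/* rsize > 15 && i < rsize - 15: the patch */
};

struct scan_result {
	long match_at;	/* index of the first match, or -1 */
	long first_oob;	/* first index >= rsize the loop asked for, or -1 */
};

/* Constructed sample descriptors (not taken from a real device). */
static const uint8_t short_plain[5] = { 0x05, 0x01, 0x09, 0x06, 0xc0 };
static const uint8_t short_prefix[5] = { 0x85, 0x5a, 0x00, 0x00, 0x00 };
static const uint8_t full_match[16] = {
	0x85, 0x5a, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x95, 0x05
};

/* Bounds-checked read: records the index instead of touching memory. */
static int read_checked(const uint8_t *rdesc, unsigned int rsize,
			unsigned int idx, struct scan_result *res)
{
	if (idx >= rsize) {
		res->first_oob = (long)idx;
		return -1;
	}
	return rdesc[idx];
}

static struct scan_result scan_nkey(const uint8_t *rdesc, unsigned int rsize,
				    enum bound_policy policy)
{
	/* Same four comparisons, in the same order, as the driver's condition. */
	static const struct { unsigned int off; uint8_t val; } pat[4] = {
		{ 0, 0x85 }, { 1, 0x5a }, { 14, 0x95 }, { 15, 0x05 },
	};
	struct scan_result res = { -1, -1 };
	unsigned int limit, i, k;

	if (policy == BOUND_ORIGINAL)
		limit = rsize + 1;
	else if (policy == BOUND_RSIZE)
		limit = rsize;
	else	/* the guard keeps the unsigned subtraction from wrapping */
		limit = rsize > MATCH_SPAN ? rsize - MATCH_SPAN : 0;

	for (i = 0; i < limit; i++) {
		for (k = 0; k < 4; k++) {
			int b = read_checked(rdesc, rsize, i + pat[k].off, &res);

			if (b < 0)
				return res;	/* the real loop would read past the buffer here */
			if (b != pat[k].val)
				break;		/* && short-circuits on the first mismatch */
		}
		if (k == 4) {
			res.match_at = (long)i;
			return res;
		}
	}
	return res;
}

int main(void)
{
	struct scan_result r;

	r = scan_nkey(short_plain, 5, BOUND_ORIGINAL);
	printf("original, 5 bytes:         first_oob=%ld\n", r.first_oob);
	r = scan_nkey(short_prefix, 5, BOUND_RSIZE);
	printf("i < rsize, 0x85 0x5a lead: first_oob=%ld\n", r.first_oob);
	r = scan_nkey(short_prefix, 5, BOUND_PATCHED);
	printf("patched, 5 bytes:          first_oob=%ld\n", r.first_oob);
	r = scan_nkey(full_match, 16, BOUND_PATCHED);
	printf("patched, 16 bytes:         match_at=%ld first_oob=%ld\n",
	       r.match_at, r.first_oob);
	return 0;
}
```

The `first_oob=5` result for the 5-byte descriptor lines up with the KASAN report, which places the bad read 0 bytes to the right of an allocated 5-byte region. The `BOUND_RSIZE` case shows why bounding `i` by the descriptor size alone would still read past the end.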



* Re: [syzbot] [input?] [usb?] KMSAN: uninit-value in asus_report_fixup
  2024-05-28  5:05 ` [PATCH] hid: asus: asus_report_fixup: fix potential read out of bounds Andrew Ballance
@ 2024-05-28  5:46   ` syzbot
  2024-05-31  8:59   ` [PATCH] hid: asus: asus_report_fixup: fix potential read out of bounds Dan Carpenter
  1 sibling, 0 replies; 7+ messages in thread
From: syzbot @ 2024-05-28  5:46 UTC (permalink / raw)
  To: andrewjballance, benjamin.tissoires, bentiss, jikos, jkosina,
	linux-input, linux-kernel-mentees, linux-kernel, linux-usb, luke,
	skhan, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

[  113.792885][    C0] =====================================================
[  113.800595][    C0] BUG: KMSAN: uninit-value in receive_buf+0x25e3/0x5fd0
[  113.807866][    C0]  receive_buf+0x25e3/0x5fd0
[  113.812660][    C0]  virtnet_poll+0xd1c/0x23c0
[  113.817511][    C0]  __napi_poll+0xe7/0x980
[  113.822060][    C0]  net_rx_action+0x82a/0x1850
[  113.827121][    C0]  handle_softirqs+0x1ce/0x800
[  113.832171][    C0]  __irq_exit_rcu+0x68/0x120
[  113.837029][    C0]  irq_exit_rcu+0x12/0x20
[  113.841544][    C0]  common_interrupt+0x94/0xa0
[  113.846507][    C0]  asm_common_interrupt+0x2b/0x40
[  113.851825][    C0]  kmsan_internal_set_shadow_origin+0x76/0xe0
[  113.858320][    C0]  kmsan_internal_unpoison_memory+0x14/0x20
[  113.864659][    C0]  kmsan_unpoison_memory+0x28/0x40
[  113.869970][    C0]  prep_new_page+0x115/0x540
[  113.874876][    C0]  get_page_from_freelist+0x1578/0x15f0
[  113.880730][    C0]  __alloc_pages_noprof+0x8a7/0xe70
[  113.886250][    C0]  alloc_pages_mpol_noprof+0x299/0x990
[  113.892181][    C0]  vma_alloc_folio_noprof+0x412/0x750
[  113.898206][    C0]  handle_mm_fault+0x907c/0xe610
[  113.903457][    C0]  exc_page_fault+0x41b/0x700
[  113.908439][    C0]  asm_exc_page_fault+0x2b/0x30
[  113.913577][    C0] 
[  113.916067][    C0] Uninit was created at:
OK[  113.920879][    C0]  __alloc_pages_noprof+0x9d6/0xe70

[  113.926417][    C0]  alloc_pages_mpol_noprof+0x299/0x990
[  113.932200][    C0]  alloc_pages_noprof+0x1bf/0x1e0
[  113.937655][    C0]  skb_page_frag_refill+0x2bf/0x7c0
[  113.943288][    C0]  virtnet_rq_alloc+0x43/0xbb0
[  113.948380][    C0]  try_fill_recv+0x3f0/0x2f50
[  113.953224][    C0]  virtnet_open+0x1cc/0xb00
[  113.958077][    C0]  __dev_open+0x546/0x6f0
[  113.962708][    C0]  __dev_change_flags+0x309/0x9a0
[  113.968302][    C0]  dev_change_flags+0x8e/0x1d0
[  113.973240][    C0]  devinet_ioctl+0x13ec/0x22c0
[  113.978437][    C0]  inet_ioctl+0x4bd/0x6d0
[  113.983181][    C0]  sock_do_ioctl+0xb7/0x540
[  113.987928][    C0]  sock_ioctl+0x727/0xd70
[  113.992433][    C0]  __se_sys_ioctl+0x261/0x450
[  113.997393][    C0]  __x64_sys_ioctl+0x96/0xe0
[  114.002313][    C0]  x64_sys_call+0x18c0/0x3b90
[  114.007248][    C0]  do_syscall_64+0xcd/0x1e0
[  114.011927][    C0]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  114.018164][    C0] 
[  114.020697][    C0] CPU: 0 PID: 4786 Comm: rm Not tainted 6.10.0-rc1-syzkaller-00013-g2bfcfd584ff5-dirty #0
[  114.031264][    C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
[  114.041826][    C0] =====================================================
[  114.049359][    C0] Disabling lock debugging due to kernel taint
[  114.055708][    C0] Kernel panic - not syncing: kmsan.panic set ...
[  114.062795][    C0] CPU: 0 PID: 4786 Comm: rm Tainted: G    B              6.10.0-rc1-syzkaller-00013-g2bfcfd584ff5-dirty #0
[  114.075000][    C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
[  114.085286][    C0] Call Trace:
[  114.088865][    C0]  <IRQ>
[  114.091913][    C0]  dump_stack_lvl+0x216/0x2d0
[  114.096785][    C0]  ? kmsan_get_shadow_origin_ptr+0x4d/0xb0
[  114.102924][    C0]  dump_stack+0x1e/0x30
[  114.107269][    C0]  panic+0x4e2/0xcd0
[  114.111426][    C0]  ? kmsan_get_metadata+0x111/0x1d0
[  114.116837][    C0]  kmsan_report+0x2d5/0x2e0
[  114.121549][    C0]  ? kmsan_alloc_page+0x182/0x220
[  114.126772][    C0]  ? kmsan_get_metadata+0x146/0x1d0
[  114.132180][    C0]  ? __msan_warning+0x95/0x120
[  114.137205][    C0]  ? receive_buf+0x25e3/0x5fd0
[  114.142074][    C0]  ? virtnet_poll+0xd1c/0x23c0
[  114.147049][    C0]  ? __napi_poll+0xe7/0x980
[  114.151760][    C0]  ? net_rx_action+0x82a/0x1850
[  114.156910][    C0]  ? handle_softirqs+0x1ce/0x800
[  114.161958][    C0]  ? __irq_exit_rcu+0x68/0x120
[  114.166911][    C0]  ? irq_exit_rcu+0x12/0x20
[  114.171601][    C0]  ? common_interrupt+0x94/0xa0
[  114.176565][    C0]  ? asm_common_interrupt+0x2b/0x40
[  114.181863][    C0]  ? kmsan_internal_set_shadow_origin+0x76/0xe0
[  114.188207][    C0]  ? kmsan_internal_unpoison_memory+0x14/0x20
[  114.194391][    C0]  ? kmsan_unpoison_memory+0x28/0x40
[  114.199793][    C0]  ? prep_new_page+0x115/0x540
[  114.204666][    C0]  ? get_page_from_freelist+0x1578/0x15f0
[  114.210579][    C0]  ? __alloc_pages_noprof+0x8a7/0xe70
[  114.216060][    C0]  ? alloc_pages_mpol_noprof+0x299/0x990
[  114.221983][    C0]  ? vma_alloc_folio_noprof+0x412/0x750
[  114.227836][    C0]  ? handle_mm_fault+0x907c/0xe610
[  114.233178][    C0]  ? exc_page_fault+0x41b/0x700


[  114.238164][    C0]  ? asm_exc_page_fault+0x2b/0x30
[  114.243578][    C0]  ? kmsan_internal_memmove_metadata+0x17b/0x230
syzkaller[  114.250182][    C0]  ? kmsan_get_metadata+0x146/0x1d0

[  114.256633][    C0]  ? kmsan_get_metadata+0x146/0x1d0
[  114.262332][    C0]  ? page_to_skb+0xdae/0x1620
[  114.267233][    C0]  __msan_warning+0x95/0x120
[  114.272275][    C0]  receive_buf+0x25e3/0x5fd0
[  114.277094][    C0]  ? kmsan_get_metadata+0x146/0x1d0
[  114.282402][    C0]  ? kmsan_get_shadow_origin_ptr+0x4d/0xb0
[  114.288519][    C0]  virtnet_poll+0xd1c/0x23c0
[  114.293235][    C0]  ? __pfx_virtnet_poll+0x10/0x10
[  114.298573][    C0]  __napi_poll+0xe7/0x980
[  114.303042][    C0]  ? kmsan_get_metadata+0x146/0x1d0
[  114.308529][    C0]  net_rx_action+0x82a/0x1850
[  114.313443][    C0]  ? sched_clock_cpu+0x55/0x870
[  114.318434][    C0]  ? __pfx_net_rx_action+0x10/0x10
[  114.323766][    C0]  handle_softirqs+0x1ce/0x800
[  114.328788][    C0]  __irq_exit_rcu+0x68/0x120
[  114.333488][    C0]  irq_exit_rcu+0x12/0x20
[  114.337976][    C0]  common_interrupt+0x94/0xa0
[  114.343068][    C0]  </IRQ>
[  114.346080][    C0]  <TASK>
[  114.349188][    C0]  asm_common_interrupt+0x2b/0x40
[  114.354554][    C0] RIP: 0010:kmsan_internal_set_shadow_origin+0x76/0xe0
[  114.361736][    C0] Code: f0 83 e0 03 49 83 e6 fc 49 8d 5c 07 03 4c 89 f7 be 01 00 00 00 e8 3a 35 00 00 48 83 fb 04 72 1a 48 c1 eb 02 31 c9 44 89 2c 88 <ff> c1 48 63 c9 48 39 cb 77 f2 eb 04 84 db 75 0f 5b 41 5c 41 5d 41
[  114.382246][    C0] RSP: 0000:ffff88812094b8b0 EFLAGS: 00000216
[  114.388520][    C0] RAX: ffff8881212ed000 RBX: 0000000000000400 RCX: 000000000000019b
[  114.396599][    C0] RDX: 00000001216ed000 RSI: ffff88813fff9240 RDI: ffff8881216ed000
[  114.404856][    C0] RBP: ffff88812094b8d8 R08: ffffea000000000f R09: 0000000000000000
[  114.413096][    C0] R10: ffff888120eed000 R11: 0000000000000004 R12: 0000000000000000
[  114.421164][    C0] R13: 0000000000000000 R14: ffff8881216ed000 R15: 0000000000001000
[  114.429361][    C0]  kmsan_internal_unpoison_memory+0x14/0x20
[  114.435481][    C0]  kmsan_unpoison_memory+0x28/0x40
[  114.441106][    C0]  prep_new_page+0x115/0x540
[  114.445833][    C0]  ? kmsan_get_shadow_origin_ptr+0x4d/0xb0
[  114.451866][    C0]  get_page_from_freelist+0x1578/0x15f0
[  114.457804][    C0]  __alloc_pages_noprof+0x8a7/0xe70
[  114.463144][    C0]  alloc_pages_mpol_noprof+0x299/0x990
[  114.469050][    C0]  ? kmsan_get_metadata+0x146/0x1d0
[  114.474479][    C0]  vma_alloc_folio_noprof+0x412/0x750
[  114.480070][    C0]  ? kmsan_get_metadata+0x146/0x1d0
[  114.485509][    C0]  handle_mm_fault+0x907c/0xe610
[  114.491145][    C0]  ? kmsan_get_metadata+0x146/0x1d0
[  114.496501][    C0]  ? kmsan_get_metadata+0x146/0x1d0
[  114.501877][    C0]  exc_page_fault+0x41b/0x700
[  114.506694][    C0]  asm_exc_page_fault+0x2b/0x30
[  114.511959][    C0] RIP: 0033:0x7fbc8aec8b9d
[  114.517011][    C0] Code: 8b 90 c8 01 00 00 48 81 e2 00 ff ff ff 7e 14 48 89 d1 48 89 15 94 e6 10 00 48 d1 f9 48 89 0d 92 e6 10 00 48 8b 90 d0 01 00 00 <48> 89 15 24 58 11 00 48 8b 90 d8 01 00 00 48 89 15 66 e6 10 00 48
[  114.536844][    C0] RSP: 002b:00007fffd2152068 EFLAGS: 00010206
[  114.543432][    C0] RAX: 00007fbc8b0dfa80 RBX: 00007fbc8ae35000 RCX: 0000000000dc0000
[  114.551697][    C0] RDX: 00000000014a0000 RSI: 00007fbc8ae53540 RDI: 0000000000000000
[  114.559908][    C0] RBP: 00007fffd2152170 R08: 00007fffd2150000 R09: 00007fbc8b0e0ab0
[  114.568160][    C0] R10: 00007fbc8ae39ab8 R11: 0000000000000025 R12: 00007fbc8b0a95c0
[  114.576260][    C0] R13: 00007fbc8b0d4eda R14: 00007fbc8afd68c8 R15: 00007fbc8ae39ab8
[  114.584358][    C0]  </TASK>
[  114.587837][    C0] Kernel Offset: disabled
[  114.592358][    C0] Rebooting in 86400 seconds..


syzkaller build log:


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=15a9822c980000


Tested on:

commit:         2bfcfd58 Merge tag 'pmdomain-v6.10-rc1' of git://git.k..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=54d66e52f38a45d8
dashboard link: https://syzkaller.appspot.com/bug?extid=07762f019fd03d01f04c
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1425c62c980000



* Re: [PATCH] hid: asus: asus_report_fixup: fix potential read out of bounds
  2024-05-28  5:05 ` [PATCH] hid: asus: asus_report_fixup: fix potential read out of bounds Andrew Ballance
  2024-05-28  5:46   ` [syzbot] [input?] [usb?] KMSAN: uninit-value in asus_report_fixup syzbot
@ 2024-05-31  8:59   ` Dan Carpenter
  2024-06-02  8:50     ` [PATCH v2] " Andrew Ballance
  1 sibling, 1 reply; 7+ messages in thread
From: Dan Carpenter @ 2024-05-31  8:59 UTC
  To: Andrew Ballance
  Cc: syzbot+07762f019fd03d01f04c, benjamin.tissoires, bentiss, jikos,
	jkosina, linux-input, linux-kernel, linux-usb, luke,
	syzkaller-bugs, linux-kernel-mentees, skhan

On Tue, May 28, 2024 at 12:05:39AM -0500, Andrew Ballance wrote:
> #syz test
> 
> There may be a read out of the bounds of rdesc.
> This adds bounds checks.
> 
> Signed-off-by: Andrew Ballance <andrewjballance@gmail.com>
> ---
>  drivers/hid/hid-asus.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/hid/hid-asus.c b/drivers/hid/hid-asus.c
> index 02de2bf4f790..37e6d25593c2 100644
> --- a/drivers/hid/hid-asus.c
> +++ b/drivers/hid/hid-asus.c
> @@ -1204,8 +1204,8 @@ static __u8 *asus_report_fixup(struct hid_device *hdev, __u8 *rdesc,
>  	}
>  
>  	/* match many more n-key devices */
> -	if (drvdata->quirks & QUIRK_ROG_NKEY_KEYBOARD) {
> -		for (int i = 0; i < *rsize + 1; i++) {
> +	if (drvdata->quirks & QUIRK_ROG_NKEY_KEYBOARD && *rsize > 15) {
> +		for (int i = 0; i < *rsize - 15; i++) {

Yep.  This looks correct.  Please resend with a complete commit message
and a fixes tag etc.

>  			/* offset to the count from 0x5a report part always 14 */
>  			if (rdesc[i] == 0x85 && rdesc[i + 1] == 0x5a &&
>  			    rdesc[i + 14] == 0x95 && rdesc[i + 15] == 0x05) {
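Review bot: the literal 15 in the new guard and loop bound is tied to the highest index the match reads, `rdesc[i + 15]` on the last line of this hunk, but nothing in the code says so. The bound itself is right: with `i < *rsize - 15` the last probe reads index `*rsize - 1`. A named constant for the pattern span, or extending the existing comment about offset 14 to cover the bound, would keep the two in step if the matched pattern ever changes.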

regards,
dan carpenter


* [PATCH v2] hid: asus: asus_report_fixup: fix potential read out of bounds
  2024-05-31  8:59   ` [PATCH] hid: asus: asus_report_fixup: fix potential read out of bounds Dan Carpenter
@ 2024-06-02  8:50     ` Andrew Ballance
  2024-06-02 10:57       ` Greg KH
  2024-06-06  8:31       ` Benjamin Tissoires
  0 siblings, 2 replies; 7+ messages in thread
From: Andrew Ballance @ 2024-06-02  8:50 UTC
  To: dan.carpenter
  Cc: andrewjballance, benjamin.tissoires, bentiss, jikos, jkosina,
	linux-input, linux-kernel-mentees, linux-kernel, linux-usb, luke,
	skhan, syzbot+07762f019fd03d01f04c, syzkaller-bugs

syzbot reported a potential read out of bounds in asus_report_fixup.

This patch adds checks so that a read out of bounds will not occur.

Signed-off-by: Andrew Ballance <andrewjballance@gmail.com>
Reported-by: syzbot+07762f019fd03d01f04c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=07762f019fd03d01f04c
Fixes: 59d2f5b73921 ("HID: asus: fix more n-key report descriptors if n-key quirked")
---
 drivers/hid/hid-asus.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/hid/hid-asus.c b/drivers/hid/hid-asus.c
index 02de2bf4f790..37e6d25593c2 100644
--- a/drivers/hid/hid-asus.c
+++ b/drivers/hid/hid-asus.c
@@ -1204,8 +1204,8 @@ static __u8 *asus_report_fixup(struct hid_device *hdev, __u8 *rdesc,
 	}
 
 	/* match many more n-key devices */
-	if (drvdata->quirks & QUIRK_ROG_NKEY_KEYBOARD) {
-		for (int i = 0; i < *rsize + 1; i++) {
+	if (drvdata->quirks & QUIRK_ROG_NKEY_KEYBOARD && *rsize > 15) {
+		for (int i = 0; i < *rsize - 15; i++) {
 			/* offset to the count from 0x5a report part always 14 */
 			if (rdesc[i] == 0x85 && rdesc[i + 1] == 0x5a &&
 			    rdesc[i + 14] == 0x95 && rdesc[i + 15] == 0x05) {
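Review bot: in the new condition `drvdata->quirks & QUIRK_ROG_NKEY_KEYBOARD && *rsize > 15`, the result depends on `&` binding tighter than `&&`; that is what C does, but parentheses around the quirk test would make the intent explicit. The `*rsize > 15` half is also what keeps `*rsize - 15` in the loop bound from going below zero (or wrapping, if the size is unsigned), so a short comment saying the guard must stay paired with the bound would help.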
-- 
2.45.1
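The bound change in this patch, worked through in user space as an added example (not code from the thread or from hid-asus.c). `scan_fixed`, `probe`, `PAT_SPAN` and the sample buffers are constructed for illustration; what the driver does on a match is not shown on the page, so the scan only returns the offset.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAT_SPAN 16u	/* bytes covered by one probe: offsets 0, 1, 14, 15 */

/* Same four-byte test as the loop in the patch. */
static int probe(const uint8_t *d, size_t i)
{
	return d[i] == 0x85 && d[i + 1] == 0x5a &&
	       d[i + 14] == 0x95 && d[i + 15] == 0x05;
}

/* Patched bound: returns the match offset or -1; never reads d[size] or beyond. */
long scan_fixed(const uint8_t *d, size_t size)
{
	if (size < PAT_SPAN)		/* equivalent to the patch's *rsize > 15 */
		return -1;
	for (size_t i = 0; i < size - (PAT_SPAN - 1); i++)
		if (probe(d, i))
			return (long)i;
	return -1;
}

/* Highest index each loop bound can dereference (computed, nothing is read). */
size_t max_index_old(size_t size) { return size + 15; }	/* old: i <= size */
size_t max_index_new(size_t size) { return size - 1; }	/* new: i <= size - 16 */

/* Constructed sample: 20-byte buffer with the pattern in its last 16 bytes. */
long demo_match_at_tail(void)
{
	uint8_t d[20] = {0};
	d[4] = 0x85; d[5] = 0x5a; d[18] = 0x95; d[19] = 0x05;
	return scan_fixed(d, sizeof(d));
}

/* Constructed sample: 15-byte buffer that starts like the pattern but cannot hold it. */
long demo_truncated(void)
{
	uint8_t d[15] = {0x85, 0x5a};
	return scan_fixed(d, sizeof(d));
}

int main(void)
{
	printf("tail match at %ld, truncated -> %ld\n",
	       demo_match_at_tail(), demo_truncated());
	printf("size 20: old bound reaches index %zu, new bound %zu\n",
	       max_index_old(20), max_index_new(20));
	return 0;
}
```

For a 20-byte descriptor the old bound `i < *rsize + 1` lets the probe reach index 35, sixteen bytes past the buffer, which is the region KMSAN flagged as uninitialized.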



* Re: [PATCH v2] hid: asus: asus_report_fixup: fix potential read out of bounds
  2024-06-02  8:50     ` [PATCH v2] " Andrew Ballance
@ 2024-06-02 10:57       ` Greg KH
  2024-06-06  8:31       ` Benjamin Tissoires
  1 sibling, 0 replies; 7+ messages in thread
From: Greg KH @ 2024-06-02 10:57 UTC
  To: Andrew Ballance
  Cc: dan.carpenter, benjamin.tissoires, bentiss, jikos, jkosina,
	linux-input, linux-kernel-mentees, linux-kernel, linux-usb, luke,
	skhan, syzbot+07762f019fd03d01f04c, syzkaller-bugs

On Sun, Jun 02, 2024 at 03:50:23AM -0500, Andrew Ballance wrote:
> syzbot reported a potential read out of bounds in asus_report_fixup.
> 
> This patch adds checks so that a read out of bounds will not occur.
> 
> Signed-off-by: Andrew Ballance <andrewjballance@gmail.com>
> Reported-by: syzbot+07762f019fd03d01f04c@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=07762f019fd03d01f04c
> Fixes: 59d2f5b73921 ("HID: asus: fix more n-key report descriptors if n-key quirked")
> ---
>  drivers/hid/hid-asus.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/hid/hid-asus.c b/drivers/hid/hid-asus.c
> index 02de2bf4f790..37e6d25593c2 100644
> --- a/drivers/hid/hid-asus.c
> +++ b/drivers/hid/hid-asus.c
> @@ -1204,8 +1204,8 @@ static __u8 *asus_report_fixup(struct hid_device *hdev, __u8 *rdesc,
>  	}
>  
>  	/* match many more n-key devices */
> -	if (drvdata->quirks & QUIRK_ROG_NKEY_KEYBOARD) {
> -		for (int i = 0; i < *rsize + 1; i++) {
> +	if (drvdata->quirks & QUIRK_ROG_NKEY_KEYBOARD && *rsize > 15) {
> +		for (int i = 0; i < *rsize - 15; i++) {
>  			/* offset to the count from 0x5a report part always 14 */
>  			if (rdesc[i] == 0x85 && rdesc[i + 1] == 0x5a &&
>  			    rdesc[i + 14] == 0x95 && rdesc[i + 15] == 0x05) {
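Review bot: the loop keeps `int i` while the bound is now the expression `*rsize - 15`; if `*rsize` is an unsigned type (its declaration is outside this hunk), the comparison mixes signedness. Declaring `i` with the same type as `*rsize` would avoid the implicit conversion.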
> -- 
> 2.45.1
> 
> 

Hi,

This is the friendly patch-bot of Greg Kroah-Hartman.  You have sent him
a patch that has triggered this response.  He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created.  Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.

You are receiving this message because of the following common error(s)
as indicated below:

- This looks like a new version of a previously submitted patch, but you
  did not list below the --- line any changes from the previous version.
  Please read the section entitled "The canonical patch format" in the
  kernel file, Documentation/process/submitting-patches.rst for what
  needs to be done here to properly describe this.

If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.

thanks,

greg k-h's patch email bot


* Re: [PATCH v2] hid: asus: asus_report_fixup: fix potential read out of bounds
  2024-06-02  8:50     ` [PATCH v2] " Andrew Ballance
  2024-06-02 10:57       ` Greg KH
@ 2024-06-06  8:31       ` Benjamin Tissoires
  1 sibling, 0 replies; 7+ messages in thread
From: Benjamin Tissoires @ 2024-06-06  8:31 UTC
  To: dan.carpenter, Andrew Ballance
  Cc: jikos, linux-input, linux-kernel-mentees, linux-kernel, linux-usb,
	luke, skhan, syzbot+07762f019fd03d01f04c, syzkaller-bugs,
	Benjamin Tissoires, Jiri Kosina

On Sun, 02 Jun 2024 03:50:23 -0500, Andrew Ballance wrote:
> syzbot reported a potential read out of bounds in asus_report_fixup.
> 
> This patch adds checks so that a read out of bounds will not occur.
> 
> 

Applied to hid/hid.git (for-6.10/upstream-fixes), thanks!

[1/1] hid: asus: asus_report_fixup: fix potential read out of bounds
      https://git.kernel.org/hid/hid/c/cfacaaf33cd7

Cheers,
-- 
Benjamin Tissoires <bentiss@kernel.org>

