* Re: [syzbot] [usb?] KASAN: slab-out-of-bounds Read in mon_copy_to_buff [not found] ` <72fea4f2-40d7-4f9f-a08d-b1ada781256e@rowland.harvard.edu> @ 2025-07-09 15:28 ` Alan Stern 2025-07-09 15:56 ` syzbot 2025-07-09 17:52 ` Alan Stern 0 siblings, 2 replies; 4+ messages in thread From: Alan Stern @ 2025-07-09 15:28 UTC (permalink / raw) To: syzbot Cc: Benjamin Tissoires, Jiri Kosina, linux-input, linux-kernel, linux-usb, syzkaller-bugs Here's Benjamin Tissoires's patch. Let's see if it really fixes the problem. Alan Stern #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ d7b8f8e20813 The low level transport driver expects the first byte to be the report ID, even when the report ID is not use (in which case they just shift the buffer). However, __hid_request() whas not offsetting the buffer it used by one in this case, meaning that the raw_request() callback emitted by the transport driver would be stripped of the first byte. Reported-by: Alan Stern <stern@rowland.harvard.edu> Closes: https://lore.kernel.org/linux-input/c75433e0-9b47-4072-bbe8-b1d14ea97b13@rowland.harvard.edu/ Reported-by: syzbot+8258d5439c49d4c35f43@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=8258d5439c49d4c35f43 Fixes: 4fa5a7f76cc7 ("HID: core: implement generic .request()") Cc: stable@vger.kernel.org Signed-off-by: Benjamin Tissoires <bentiss@kernel.org> --- drivers/hid/hid-core.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c index 1a231dd9e4bc83202f2cbcd8b3a21e8c82b9deec..320887c365f7a36f7376556ffd19f99e52b7d732 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c @@ -1976,7 +1976,7 @@ static struct hid_report *hid_get_report(struct hid_report_enum *report_enum, int __hid_request(struct hid_device *hid, struct hid_report *report, enum hid_class_request reqtype) { - char *buf; + char *buf, *data_buf; int ret; u32 len; @@ -1984,10 +1984,17 @@ int __hid_request(struct hid_device *hid, struct hid_report *report, if (!buf) return -ENOMEM; + data_buf = buf; len = hid_report_len(report); + if (report->id == 0) { + /* reserve the first byte for the report ID */ + data_buf++; + len++; + } + if (reqtype == HID_REQ_SET_REPORT) - hid_output_report(report, buf); + hid_output_report(report, data_buf); ret = hid->ll_driver->raw_request(hid, report->id, buf, len, report->type, reqtype); -- 2.49.0 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [syzbot] [usb?] KASAN: slab-out-of-bounds Read in mon_copy_to_buff 2025-07-09 15:28 ` [syzbot] [usb?] KASAN: slab-out-of-bounds Read in mon_copy_to_buff Alan Stern @ 2025-07-09 15:56 ` syzbot 2025-07-09 17:52 ` Alan Stern 1 sibling, 0 replies; 4+ messages in thread From: syzbot @ 2025-07-09 15:56 UTC (permalink / raw) To: bentiss, jikos, linux-input, linux-kernel, linux-usb, stern, syzkaller-bugs Hello, syzbot has tested the proposed patch and the reproducer did not trigger any issue: Reported-by: syzbot+8258d5439c49d4c35f43@syzkaller.appspotmail.com Tested-by: syzbot+8258d5439c49d4c35f43@syzkaller.appspotmail.com Tested on: commit: d7b8f8e2 Linux 6.16-rc5 git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ console output: https://syzkaller.appspot.com/x/log.txt?x=1155ebd4580000 kernel config: https://syzkaller.appspot.com/x/.config?x=f51185bd4f40ad44 dashboard link: https://syzkaller.appspot.com/bug?extid=8258d5439c49d4c35f43 compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 patch: https://syzkaller.appspot.com/x/patch.diff?x=1113ff70580000 Note: testing is done by a robot and is best-effort only. ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [syzbot] [usb?] KASAN: slab-out-of-bounds Read in mon_copy_to_buff 2025-07-09 15:28 ` [syzbot] [usb?] KASAN: slab-out-of-bounds Read in mon_copy_to_buff Alan Stern 2025-07-09 15:56 ` syzbot @ 2025-07-09 17:52 ` Alan Stern 2025-07-09 18:29 ` syzbot 1 sibling, 1 reply; 4+ messages in thread From: Alan Stern @ 2025-07-09 17:52 UTC (permalink / raw) To: syzbot Cc: Benjamin Tissoires, Jiri Kosina, linux-input, linux-kernel, linux-usb, syzkaller-bugs Test patch to see the contents of the report descriptor. Alan Stern #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ d7b8f8e20813 Index: usb-devel/drivers/hid/usbhid/hid-core.c =================================================================== --- usb-devel.orig/drivers/hid/usbhid/hid-core.c +++ usb-devel/drivers/hid/usbhid/hid-core.c @@ -1043,6 +1043,10 @@ static int usbhid_parse(struct hid_devic goto err; } + dev_info(&intf->dev, "Report descriptor:\n"); + print_hex_dump(KERN_INFO, " * ", DUMP_PREFIX_NONE, 16, 1, + rdesc, rsize, false); + ret = hid_parse_report(hid, rdesc, rsize); kfree(rdesc); if (ret) { ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [syzbot] [usb?] KASAN: slab-out-of-bounds Read in mon_copy_to_buff 2025-07-09 17:52 ` Alan Stern @ 2025-07-09 18:29 ` syzbot 0 siblings, 0 replies; 4+ messages in thread From: syzbot @ 2025-07-09 18:29 UTC (permalink / raw) To: bentiss, jikos, linux-input, linux-kernel, linux-usb, stern, syzkaller-bugs Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: KASAN: slab-out-of-bounds Read in mon_copy_to_buff * 00 00 00 b3 81 3e 25 03 1b dd e8 40 50 3b 5d 8c * 3d da microsoft 0003:045E:07DA.0001: unknown main item tag 0x0 microsoft 0003:045E:07DA.0001: ignoring exceeding usage max ================================================================== BUG: KASAN: slab-out-of-bounds in mon_copy_to_buff+0xc2/0x170 drivers/usb/mon/mon_bin.c:252 Read of size 3904 at addr ffff88802a9b20a1 by task kworker/1:2/3087 CPU: 1 UID: 0 PID: 3087 Comm: kworker/1:2 Not tainted 6.16.0-rc5-syzkaller-dirty #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Workqueue: usb_hub_wq hub_event Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xcd/0x680 mm/kasan/report.c:521 kasan_report+0xe0/0x110 mm/kasan/report.c:634 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:189 __asan_memcpy+0x23/0x60 mm/kasan/shadow.c:105 mon_copy_to_buff+0xc2/0x170 drivers/usb/mon/mon_bin.c:252 mon_bin_get_data drivers/usb/mon/mon_bin.c:420 [inline] mon_bin_event+0x1071/0x2050 drivers/usb/mon/mon_bin.c:606 mon_bus_submit+0xcf/0x140 drivers/usb/mon/mon_main.c:89 usbmon_urb_submit include/linux/usb/hcd.h:724 [inline] usb_hcd_submit_urb+0x12d/0x1c60 drivers/usb/core/hcd.c:1518 usb_submit_urb+0x87c/0x1790 drivers/usb/core/urb.c:581 usb_start_wait_urb+0x104/0x4b0 drivers/usb/core/message.c:59 usb_internal_control_msg drivers/usb/core/message.c:103 [inline] usb_control_msg+0x326/0x4a0 drivers/usb/core/message.c:154 usbhid_set_raw_report drivers/hid/usbhid/hid-core.c:928 [inline] usbhid_raw_request+0x58f/0x700 drivers/hid/usbhid/hid-core.c:1303 __hid_request+0x296/0x3c0 drivers/hid/hid-core.c:1989 hidinput_change_resolution_multipliers drivers/hid/hid-input.c:1950 [inline] hidinput_connect+0x1ada/0x2bd0 drivers/hid/hid-input.c:2327 hid_connect+0x13f3/0x1a60 drivers/hid/hid-core.c:2239 hid_hw_start drivers/hid/hid-core.c:2354 [inline] hid_hw_start+0xaa/0x140 drivers/hid/hid-core.c:2345 ms_probe+0x195/0x500 drivers/hid/hid-microsoft.c:391 __hid_device_probe drivers/hid/hid-core.c:2724 [inline] hid_device_probe+0x360/0x720 drivers/hid/hid-core.c:2761 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x23e/0xa90 drivers/base/dd.c:657 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:799 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:829 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:957 bus_for_each_drv+0x156/0x1e0 drivers/base/bus.c:462 __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1029 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537 device_add+0x1148/0x1a70 drivers/base/core.c:3692 hid_add_device+0x373/0xa60 drivers/hid/hid-core.c:2907 usbhid_probe+0xd38/0x13f0 drivers/hid/usbhid/hid-core.c:1439 usb_probe_interface+0x303/0x9c0 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x23e/0xa90 drivers/base/dd.c:657 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:799 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:829 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:957 bus_for_each_drv+0x156/0x1e0 drivers/base/bus.c:462 __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1029 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537 device_add+0x1148/0x1a70 drivers/base/core.c:3692 usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210 usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250 usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x23e/0xa90 drivers/base/dd.c:657 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:799 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:829 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:957 bus_for_each_drv+0x156/0x1e0 drivers/base/bus.c:462 __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1029 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537 device_add+0x1148/0x1a70 drivers/base/core.c:3692 usb_new_device+0xd07/0x1a20 drivers/usb/core/hub.c:2694 hub_port_connect drivers/usb/core/hub.c:5566 [inline] hub_port_connect_change drivers/usb/core/hub.c:5706 [inline] port_event drivers/usb/core/hub.c:5866 [inline] hub_event+0x2eb7/0x4fa0 drivers/usb/core/hub.c:5948 process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3238 process_scheduled_works kernel/workqueue.c:3321 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3402 kthread+0x3c5/0x780 kernel/kthread.c:464 ret_from_fork+0x5d4/0x6f0 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Allocated by task 3087: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4328 [inline] __kmalloc_noprof+0x223/0x510 mm/slub.c:4340 __hid_request+0x2c/0x3c0 drivers/hid/hid-core.c:1980 hidinput_change_resolution_multipliers drivers/hid/hid-input.c:1950 [inline] hidinput_connect+0x1ada/0x2bd0 drivers/hid/hid-input.c:2327 hid_connect+0x13f3/0x1a60 drivers/hid/hid-core.c:2239 hid_hw_start drivers/hid/hid-core.c:2354 [inline] hid_hw_start+0xaa/0x140 drivers/hid/hid-core.c:2345 ms_probe+0x195/0x500 drivers/hid/hid-microsoft.c:391 __hid_device_probe drivers/hid/hid-core.c:2724 [inline] hid_device_probe+0x360/0x720 drivers/hid/hid-core.c:2761 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x23e/0xa90 drivers/base/dd.c:657 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:799 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:829 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:957 bus_for_each_drv+0x156/0x1e0 drivers/base/bus.c:462 __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1029 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537 device_add+0x1148/0x1a70 drivers/base/core.c:3692 hid_add_device+0x373/0xa60 drivers/hid/hid-core.c:2907 usbhid_probe+0xd38/0x13f0 drivers/hid/usbhid/hid-core.c:1439 usb_probe_interface+0x303/0x9c0 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x23e/0xa90 drivers/base/dd.c:657 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:799 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:829 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:957 bus_for_each_drv+0x156/0x1e0 drivers/base/bus.c:462 __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1029 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537 device_add+0x1148/0x1a70 drivers/base/core.c:3692 usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210 usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250 usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x23e/0xa90 drivers/base/dd.c:657 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:799 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:829 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:957 bus_for_each_drv+0x156/0x1e0 drivers/base/bus.c:462 __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1029 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537 device_add+0x1148/0x1a70 drivers/base/core.c:3692 usb_new_device+0xd07/0x1a20 drivers/usb/core/hub.c:2694 hub_port_connect drivers/usb/core/hub.c:5566 [inline] hub_port_connect_change drivers/usb/core/hub.c:5706 [inline] port_event drivers/usb/core/hub.c:5866 [inline] hub_event+0x2eb7/0x4fa0 drivers/usb/core/hub.c:5948 process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3238 process_scheduled_works kernel/workqueue.c:3321 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3402 kthread+0x3c5/0x780 kernel/kthread.c:464 ret_from_fork+0x5d4/0x6f0 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 The buggy address belongs to the object at ffff88802a9b20a0 which belongs to the cache kmalloc-8 of size 8 The buggy address is located 1 bytes inside of allocated 7-byte region [ffff88802a9b20a0, ffff88802a9b20a7) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2a9b2 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000000 ffff88801b841500 dead000000000100 dead000000000122 raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid 1 (swapper/0), ts 10064691813, free_ts 9935982490 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1704 prep_new_page mm/page_alloc.c:1712 [inline] get_page_from_freelist+0x1321/0x3890 mm/page_alloc.c:3669 __alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:4959 alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2419 alloc_slab_page mm/slub.c:2451 [inline] allocate_slab mm/slub.c:2619 [inline] new_slab+0x23b/0x330 mm/slub.c:2673 ___slab_alloc+0xd9c/0x1940 mm/slub.c:3859 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3949 __slab_alloc_node mm/slub.c:4024 [inline] slab_alloc_node mm/slub.c:4185 [inline] __kmalloc_cache_noprof+0xfb/0x3e0 mm/slub.c:4354 kmalloc_noprof include/linux/slab.h:905 [inline] kzalloc_noprof include/linux/slab.h:1039 [inline] usb_get_bos_descriptor+0x62/0xbb0 drivers/usb/core/config.c:1037 register_root_hub+0x332/0x730 drivers/usb/core/hcd.c:983 usb_add_hcd+0xaf2/0x1730 drivers/usb/core/hcd.c:2976 vhci_hcd_probe+0x1c2/0x490 drivers/usb/usbip/vhci_hcd.c:1377 platform_probe+0x102/0x1f0 drivers/base/platform.c:1404 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x23e/0xa90 drivers/base/dd.c:657 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:799 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:829 page last free pid 1206 tgid 1206 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1248 [inline] __free_frozen_pages+0x7fe/0x1180 mm/page_alloc.c:2706 vfree+0x1fd/0xb50 mm/vmalloc.c:3426 delayed_vfree_work+0x56/0x70 mm/vmalloc.c:3345 process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3238 process_scheduled_works kernel/workqueue.c:3321 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3402 kthread+0x3c5/0x780 kernel/kthread.c:464 ret_from_fork+0x5d4/0x6f0 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Memory state around the buggy address: ffff88802a9b1f80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff88802a9b2000: 00 fc fc fc 00 fc fc fc 00 fc fc fc 00 fc fc fc >ffff88802a9b2080: 00 fc fc fc 07 fc fc fc 06 fc fc fc 00 fc fc fc ^ ffff88802a9b2100: fa fc fc fc 00 fc fc fc 06 fc fc fc 06 fc fc fc ffff88802a9b2180: 06 fc fc fc 00 fc fc fc 00 fc fc fc 00 fc fc fc ================================================================== Tested on: commit: d7b8f8e2 Linux 6.16-rc5 git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ console output: https://syzkaller.appspot.com/x/log.txt?x=10bd1a8c580000 kernel config: https://syzkaller.appspot.com/x/.config?x=f51185bd4f40ad44 dashboard link: https://syzkaller.appspot.com/bug?extid=8258d5439c49d4c35f43 compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 patch: https://syzkaller.appspot.com/x/patch.diff?x=135800f0580000 ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2025-07-09 18:29 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <5de04492-01d3-4b2c-b3f4-8c2237dfed6a@rowland.harvard.edu>
[not found] ` <686c14c0.a00a0220.6237c.0000.GAE@google.com>
[not found] ` <72fea4f2-40d7-4f9f-a08d-b1ada781256e@rowland.harvard.edu>
2025-07-09 15:28 ` [syzbot] [usb?] KASAN: slab-out-of-bounds Read in mon_copy_to_buff Alan Stern
2025-07-09 15:56 ` syzbot
2025-07-09 17:52 ` Alan Stern
2025-07-09 18:29 ` syzbot
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).