From: Johan Hovold <johan@kernel.org>
To: Alan Stern <stern@rowland.harvard.edu>
Cc: syzbot <syzbot+53f029db71c19a47325a@syzkaller.appspotmail.com>,
andreyknvl@google.com, linux-kernel@vger.kernel.org,
linux-media@vger.kernel.org, linux-usb@vger.kernel.org,
mchehab@kernel.org, syzkaller-bugs@googlegroups.com,
wen.yang99@zte.com.cn
Subject: Re: general protection fault in smsusb_init_device
Date: Tue, 7 May 2019 10:34:30 +0200 [thread overview]
Message-ID: <20190507083430.GD4333@localhost> (raw)
In-Reply-To: <Pine.LNX.4.44L0.1905061638380.1585-100000@iolanthe.rowland.org>
On Mon, May 06, 2019 at 04:41:41PM -0400, Alan Stern wrote:
> On Thu, 18 Apr 2019, syzbot wrote:
>
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit: d34f9519 usb-fuzzer: main usb gadget fuzzer driver
> > git tree: https://github.com/google/kasan/tree/usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=128ec3fd200000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=c73d1bb5aeaeae20
> > dashboard link: https://syzkaller.appspot.com/bug?extid=53f029db71c19a47325a
> > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16138e67200000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=128dddbf200000
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+53f029db71c19a47325a@syzkaller.appspotmail.com
> >
> > usb 1-1: config 0 descriptor??
> > usb 1-1: string descriptor 0 read error: -71
> > smsusb:smsusb_probe: board id=18, interface number 0
> > kasan: CONFIG_KASAN_INLINE enabled
> > kasan: GPF could be caused by NULL-ptr deref or user memory access
> > general protection fault: 0000 [#1] SMP KASAN PTI
> > CPU: 1 PID: 22 Comm: kworker/1:1 Not tainted 5.1.0-rc5-319617-gd34f951 #4
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > Workqueue: usb_hub_wq hub_event
> > RIP: 0010:smsusb_init_device+0x366/0x937
> > drivers/media/usb/siano/smsusb.c:429
>
> The driver assumes endpoint 1in exists, and doesn't check the existence
> of the endpoints it uses.
>
> Alan Stern
>
>
> #syz test: https://github.com/google/kasan.git usb-fuzzer
>
> drivers/media/usb/siano/smsusb.c | 32 +++++++++++++++++++-------------
> 1 file changed, 19 insertions(+), 13 deletions(-)
>
> Index: usb-devel/drivers/media/usb/siano/smsusb.c
> ===================================================================
> --- usb-devel.orig/drivers/media/usb/siano/smsusb.c
> +++ usb-devel/drivers/media/usb/siano/smsusb.c
> @@ -400,6 +400,7 @@ static int smsusb_init_device(struct usb
> struct smsusb_device_t *dev;
> void *mdev;
> int i, rc;
> + int in_maxp;
>
> /* create device object */
> dev = kzalloc(sizeof(struct smsusb_device_t), GFP_KERNEL);
> @@ -411,6 +412,23 @@ static int smsusb_init_device(struct usb
> dev->udev = interface_to_usbdev(intf);
> dev->state = SMSUSB_DISCONNECTED;
>
> + for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) {
> + struct usb_endpoint_descriptor *desc =
> + &intf->cur_altsetting->endpoint[i].desc;
> +
> + if (desc->bEndpointAddress & USB_DIR_IN) {
> + dev->in_ep = desc->bEndpointAddress;
> + in_maxp = usb_endpoint_maxp(desc);
> + } else {
> + dev->out_ep = desc->bEndpointAddress;
> + }
> + }
> +
> + pr_debug("in_ep = %02x, out_ep = %02x\n",
> + dev->in_ep, dev->out_ep);
> + if (!dev->in_ep || !dev->out_ep) /* Missing endpoints? */
> + return -EINVAL;
Looks like you're now leaking dev here, and so is the current code in
the later error paths.
Since this return value will be returned from probe, you may want to use
-ENXIO or -ENODEV instead of -EINVAL.
Looks good otherwise.
Johan
next prev parent reply other threads:[~2019-05-07 8:34 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-18 12:06 general protection fault in smsusb_init_device syzbot
2019-04-19 20:29 ` Alan Stern
2019-05-06 20:41 ` Alan Stern
2019-05-06 21:21 ` syzbot
2019-05-07 16:39 ` [PATCH] media: usb: siano: Fix general protection fault in smsusb Alan Stern
2019-05-08 6:01 ` Johan Hovold
2019-05-24 13:35 ` Mauro Carvalho Chehab
2019-05-24 13:54 ` Alan Stern
2019-05-07 8:34 ` Johan Hovold [this message]
2019-05-07 14:42 ` general protection fault in smsusb_init_device Alan Stern
2019-05-07 15:07 ` Johan Hovold
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190507083430.GD4333@localhost \
--to=johan@kernel.org \
--cc=andreyknvl@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=mchehab@kernel.org \
--cc=stern@rowland.harvard.edu \
--cc=syzbot+53f029db71c19a47325a@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=wen.yang99@zte.com.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).