* [syzbot] [usb?] UBSAN: array-index-out-of-bounds in usbhid_parse
@ 2023-10-16 17:01 syzbot
From: syzbot @ 2023-10-16 17:01 UTC (permalink / raw)
To: benjamin.tissoires, jikos, linux-input, linux-kernel, linux-usb, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: ad7f1baed071 Merge tag 'acpi-6.6-rc6' of git://git.kernel...
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1056d5c5680000
kernel config: https://syzkaller.appspot.com/x/.config?x=32d0b9b42ceb8b10
dashboard link: https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1081f1e5680000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16c7bc4d680000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/e3074ad3ff92/disk-ad7f1bae.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/94b298a1e285/vmlinux-ad7f1bae.xz
kernel image: https://storage.googleapis.com/syzbot-assets/1ad5cd9c2a48/bzImage-ad7f1bae.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c52569baf0c843f35495@syzkaller.appspotmail.com
usb 1-1: string descriptor 0 read error: -22
usb 1-1: New USB device found, idVendor=080e, idProduct=4eb9, bcdDevice=d7.f6
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
================================================================================
UBSAN: array-index-out-of-bounds in drivers/hid/usbhid/hid-core.c:1024:18
index 1 is out of range for type 'hid_class_descriptor [1]'
CPU: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.6.0-rc5-syzkaller-00227-gad7f1baed071 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x125/0x1b0 lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:217 [inline]
__ubsan_handle_out_of_bounds+0x111/0x150 lib/ubsan.c:348
usbhid_parse+0x94a/0xa20 drivers/hid/usbhid/hid-core.c:1024
hid_add_device+0x189/0xa60 drivers/hid/hid-core.c:2783
usbhid_probe+0xd0a/0x1360 drivers/hid/usbhid/hid-core.c:1429
usb_probe_interface+0x307/0x930 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x234/0xc90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x4b0 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:830
__device_attach_driver+0x1d4/0x300 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1d0 drivers/base/bus.c:457
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17c/0x1c0 drivers/base/bus.c:532
device_add+0x117e/0x1aa0 drivers/base/core.c:3624
usb_set_configuration+0x10cb/0x1c40 drivers/usb/core/message.c:2207
usb_generic_driver_probe+0xca/0x130 drivers/usb/core/generic.c:238
usb_probe_device+0xda/0x2c0 drivers/usb/core/driver.c:293
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x234/0xc90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x4b0 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:830
__device_attach_driver+0x1d4/0x300 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1d0 drivers/base/bus.c:457
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17c/0x1c0 drivers/base/bus.c:532
device_add+0x117e/0x1aa0 drivers/base/core.c:3624
usb_new_device+0xd80/0x1960 drivers/usb/core/hub.c:2589
hub_port_connect drivers/usb/core/hub.c:5440 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5580 [inline]
port_event drivers/usb/core/hub.c:5740 [inline]
hub_event+0x2daf/0x4e00 drivers/usb/core/hub.c:5822
process_one_work+0x884/0x15c0 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x8b9/0x1290 kernel/workqueue.c:2784
kthread+0x33c/0x440 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
</TASK>
================================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* Re: [syzbot] Test
From: syzbot @ 2023-11-17 14:23 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: Test
Author: tintinm2017@gmail.com
#syz test:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
* Re: [syzbot] [PATCH] Tried to correct
From: syzbot @ 2023-11-21 19:19 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: [PATCH] Tried to correct
Author: tintinm2017@gmail.com
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Signed-off-by: attreyee-muk <tintinm2017@gmail.com>
---
drivers/hid/usbhid/hid-core.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
index a90ed2ceae84..582ddbef448f 100644
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -1021,6 +1021,8 @@ static int usbhid_parse(struct hid_device *hid)
(hdesc->bLength - offset) / sizeof(struct hid_class_descriptor));
for (n = 0; n < num_descriptors; n++)
+ if (n >= ARRAY_SIZE(hdesc->desc))
+ break;
if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT)
rsize = le16_to_cpu(hdesc->desc[n].wDescriptorLength);
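Review bot: the two added lines make `if (n >= ARRAY_SIZE(hdesc->desc)) break;` the entire body of the unbraced `for` at line 1023, so the following `if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT)` is no longer inside the loop and runs once after it with whatever `n` ended at. Whenever `num_descriptors >= 2` the loop breaks at `n == 1`, so `desc[1]` is still dereferenced after the loop and the UBSAN report is not removed; brace the loop body so both `if` statements stay inside it. Separately, capping the walk at `ARRAY_SIZE(hdesc->desc)` (1, per the UBSAN message `hid_class_descriptor [1]`) silently drops every class descriptor after the first, so a device that lists its report descriptor second would fail with "weird size of report descriptor". `num_descriptors` is already clamped by `bLength`, so the reads stay inside the descriptor the device sent; the warning is about the one-element declared type of `desc`, which is better addressed by declaring it as a flexible array member than by truncating the loop.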
--
2.34.1
* Re: [PATCH] Tried to correct
From: kernel test robot @ 2023-11-22 8:08 UTC (permalink / raw)
To: syzbot, linux-kernel; +Cc: llvm, oe-kbuild-all
Hi syzbot,
kernel test robot noticed the following build warnings:
[auto build test WARNING on hid/for-next]
[also build test WARNING on linus/master v6.7-rc2 next-20231122]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/syzbot/Tried-to-correct/20231122-032130
base: https://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git for-next
patch link: https://lore.kernel.org/r/000000000000c0be0d060aae7c5b%40google.com
patch subject: [PATCH] Tried to correct
config: x86_64-rhel-8.3-rust (https://download.01.org/0day-ci/archive/20231122/202311221446.bQ7tsWmE-lkp@intel.com/config)
compiler: clang version 16.0.4 (https://github.com/llvm/llvm-project.git ae42196bc493ffe877a7e3dff8be32035dea4d07)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20231122/202311221446.bQ7tsWmE-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202311221446.bQ7tsWmE-lkp@intel.com/
All warnings (new ones prefixed by >>):
>> drivers/hid/usbhid/hid-core.c:1026:3: warning: misleading indentation; statement is not part of the previous 'for' [-Wmisleading-indentation]
if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT)
^
drivers/hid/usbhid/hid-core.c:1023:2: note: previous statement is here
for (n = 0; n < num_descriptors; n++)
^
1 warning generated.
vim +/for +1026 drivers/hid/usbhid/hid-core.c
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 978
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 979 static int usbhid_parse(struct hid_device *hid)
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 980 {
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 981 struct usb_interface *intf = to_usb_interface(hid->dev.parent);
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 982 struct usb_host_interface *interface = intf->cur_altsetting;
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 983 struct usb_device *dev = interface_to_usbdev (intf);
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 984 struct hid_descriptor *hdesc;
2eb5dc30eb87aa drivers/hid/usbhid/hid-core.c Paul Walmsley 2007-04-19 985 u32 quirks = 0;
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 986 unsigned int rsize = 0;
c5b7c7c395a34f drivers/usb/input/hid-core.c Dmitry Torokhov 2005-09-15 987 char *rdesc;
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 988 int ret, n;
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 989 int num_descriptors;
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 990 size_t offset = offsetof(struct hid_descriptor, desc);
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 991
d5d3e202753cc0 drivers/hid/usbhid/hid-core.c Benjamin Tissoires 2017-11-20 992 quirks = hid_lookup_quirk(hid);
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 993
6f4303fb2ec680 drivers/hid/usbhid/hid-core.c Jiri Kosina 2009-01-29 994 if (quirks & HID_QUIRK_IGNORE)
6f4303fb2ec680 drivers/hid/usbhid/hid-core.c Jiri Kosina 2009-01-29 995 return -ENODEV;
6f4303fb2ec680 drivers/hid/usbhid/hid-core.c Jiri Kosina 2009-01-29 996
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 997 /* Many keyboards and mice don't like to be polled for reports,
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 998 * so we will always set the HID_QUIRK_NOGET flag for them. */
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 999 if (interface->desc.bInterfaceSubClass == USB_INTERFACE_SUBCLASS_BOOT) {
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 1000 if (interface->desc.bInterfaceProtocol == USB_INTERFACE_PROTOCOL_KEYBOARD ||
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 1001 interface->desc.bInterfaceProtocol == USB_INTERFACE_PROTOCOL_MOUSE)
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 1002 quirks |= HID_QUIRK_NOGET;
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 1003 }
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 1004
c5b7c7c395a34f drivers/usb/input/hid-core.c Dmitry Torokhov 2005-09-15 1005 if (usb_get_extra_descriptor(interface, HID_DT_HID, &hdesc) &&
c5b7c7c395a34f drivers/usb/input/hid-core.c Dmitry Torokhov 2005-09-15 1006 (!interface->desc.bNumEndpoints ||
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1007 usb_get_extra_descriptor(&interface->endpoint[0], HID_DT_HID, &hdesc))) {
58037eb961f859 drivers/hid/usbhid/hid-core.c Jiri Kosina 2007-05-30 1008 dbg_hid("class descriptor not present\n");
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1009 return -ENODEV;
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1010 }
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1011
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1012 if (hdesc->bLength < sizeof(struct hid_descriptor)) {
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1013 dbg_hid("hid descriptor is too short\n");
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1014 return -EINVAL;
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1015 }
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1016
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1017 hid->version = le16_to_cpu(hdesc->bcdHID);
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1018 hid->country = hdesc->bCountryCode;
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1019
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1020 num_descriptors = min_t(int, hdesc->bNumDescriptors,
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1021 (hdesc->bLength - offset) / sizeof(struct hid_class_descriptor));
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1022
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1023 for (n = 0; n < num_descriptors; n++)
6d33ae790f1855 drivers/hid/usbhid/hid-core.c syzbot 2023-11-21 1024 if (n >= ARRAY_SIZE(hdesc->desc))
6d33ae790f1855 drivers/hid/usbhid/hid-core.c syzbot 2023-11-21 1025 break;
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 @1026 if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT)
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1027 rsize = le16_to_cpu(hdesc->desc[n].wDescriptorLength);
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1028
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1029 if (!rsize || rsize > HID_MAX_DESCRIPTOR_SIZE) {
58037eb961f859 drivers/hid/usbhid/hid-core.c Jiri Kosina 2007-05-30 1030 dbg_hid("weird size of report descriptor (%u)\n", rsize);
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1031 return -EINVAL;
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1032 }
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1033
52150c78270db5 drivers/hid/usbhid/hid-core.c Joe Perches 2017-03-01 1034 rdesc = kmalloc(rsize, GFP_KERNEL);
52150c78270db5 drivers/hid/usbhid/hid-core.c Joe Perches 2017-03-01 1035 if (!rdesc)
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1036 return -ENOMEM;
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1037
854561b019285a drivers/usb/input/hid-core.c Vojtech Pavlik 2005-05-29 1038 hid_set_idle(dev, interface->desc.bInterfaceNumber, 0, 0);
854561b019285a drivers/usb/input/hid-core.c Vojtech Pavlik 2005-05-29 1039
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1040 ret = hid_get_class_descriptor(dev, interface->desc.bInterfaceNumber,
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1041 HID_DT_REPORT, rdesc, rsize);
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1042 if (ret < 0) {
58037eb961f859 drivers/hid/usbhid/hid-core.c Jiri Kosina 2007-05-30 1043 dbg_hid("reading report descriptor failed\n");
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1044 kfree(rdesc);
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1045 goto err;
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1046 }
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1047
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1048 ret = hid_parse_report(hid, rdesc, rsize);
85cdaf524b7dda drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1049 kfree(rdesc);
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1050 if (ret) {
58037eb961f859 drivers/hid/usbhid/hid-core.c Jiri Kosina 2007-05-30 1051 dbg_hid("parsing report descriptor failed\n");
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1052 goto err;
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1053 }
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1054
f5208997087e6e drivers/hid/usbhid/hid-core.c Zoltan Karcagi 2009-05-06 1055 hid->quirks |= quirks;
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1056
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1057 return 0;
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1058 err:
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1059 return ret;
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1060 }
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1061
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
* Re: [syzbot] [PATCH] usbhid: fix array-index-out-of-bounds in usbhid_parse UBSAN warning
From: syzbot @ 2023-12-23 19:59 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] usbhid: fix array-index-out-of-bounds in usbhid_parse UBSAN warning
Author: tintinm2017@gmail.com
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Look at the bug https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495 reported by syzbot. Tested a patch through syzbot, which gives an error.
Requesting help from the maintainers to understand what is really going wrong in the code.
Based on my understanding, I believe the value of the number of descriptors is calculated incorrectly before the for loop.
Signed-off-by: Attreyee Mukherjee <tintinm2017@gmail.com>
---
drivers/hid/usbhid/hid-core.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
index a90ed2ceae84..582ddbef448f 100644
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -1021,6 +1021,8 @@ static int usbhid_parse(struct hid_device *hid)
(hdesc->bLength - offset) / sizeof(struct hid_class_descriptor));
for (n = 0; n < num_descriptors; n++)
+ if (n >= ARRAY_SIZE(hdesc->desc))
+ break;
if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT)
rsize = le16_to_cpu(hdesc->desc[n].wDescriptorLength);
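Review bot: this is the same diff as the earlier "Tried to correct" submission and still has the defect the build bots flagged: without braces only the `break` check is the loop body, and `if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT)` runs once after the loop, where `n` is 1 whenever `num_descriptors >= 2`, so index 1 is still dereferenced and the UBSAN report persists. On the cover letter's suspicion about the count: `num_descriptors` is `min_t(int, hdesc->bNumDescriptors, (hdesc->bLength - offset) / sizeof(struct hid_class_descriptor))`, i.e. the number of 3-byte entries that actually fit in `bLength`, so the value is not wrong; the mismatch is between that count and the one-element declaration of `desc`. Fixing the declaration (a flexible array member) keeps devices with several class descriptors working, whereas breaking at `ARRAY_SIZE(hdesc->desc)` would reject any device whose report descriptor is not listed first.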
--
2.34.1
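An added userspace model of the descriptor-count logic the thread is about, run over a constructed HID descriptor; this is example code written for this page, not code from the thread or from the kernel tree. It assumes the wire layout of the kernel's struct hid_descriptor (6-byte header, 3-byte class-descriptor entries, `desc` declared with one element), and the helper names hid_num_descriptors / hid_report_desc_size are mine.

```c
/* Added example (not from the thread or the kernel tree): a userspace model of
 * how usbhid_parse() derives num_descriptors and walks the class-descriptor
 * table, showing why the device-supplied count is already bounded by bLength
 * and what capping the walk at ARRAY_SIZE(desc) == 1 would do to a device
 * that lists its report descriptor second. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HID_DT_HID              0x21
#define HID_DT_REPORT           0x22
#define HID_DT_PHYSICAL         0x23
#define HID_MAX_DESCRIPTOR_SIZE 4096
#define EINVAL_NEG              (-22)   /* -EINVAL, as usbhid_parse() returns */
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

struct hid_class_descriptor {
    uint8_t  bDescriptorType;
    uint16_t wDescriptorLength;     /* little-endian on the wire */
} __attribute__((packed));

/* Same shape the kernel had when syzbot reported: a one-element array even
 * though bNumDescriptors may legitimately be larger than 1. UBSAN's
 * "index 1 is out of range for type 'hid_class_descriptor [1]'" complains
 * about this declared bound, not about a read beyond bLength. */
struct hid_descriptor {
    uint8_t  bLength;
    uint8_t  bDescriptorType;
    uint16_t bcdHID;
    uint8_t  bCountryCode;
    uint8_t  bNumDescriptors;
    struct hid_class_descriptor desc[1];
} __attribute__((packed));

static uint16_t le16_at(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Mirrors the num_descriptors computation in usbhid_parse(): the count the
 * device claims is clamped to the entries that fit in bLength, so every
 * desc[n] the loop touches lies inside the descriptor the device sent.
 * Returns -EINVAL for a descriptor shorter than the fixed struct. */
int hid_num_descriptors(const uint8_t *buf, size_t len)
{
    size_t offset = offsetof(struct hid_descriptor, desc);   /* 6 */
    uint8_t bLength;
    int claimed, fit;

    if (len < sizeof(struct hid_descriptor))
        return EINVAL_NEG;
    bLength = buf[0];
    if (bLength < sizeof(struct hid_descriptor) || bLength > len)
        return EINVAL_NEG;                /* "hid descriptor is too short" */

    claimed = buf[5];                     /* bNumDescriptors */
    fit = (int)((bLength - offset) / sizeof(struct hid_class_descriptor));
    return claimed < fit ? claimed : fit;
}

/* Walks the class-descriptor table for the report descriptor length, as the
 * for loop in usbhid_parse() does. max_entries models the array bound the
 * walk is allowed to index: 1 reproduces the "break at ARRAY_SIZE(desc)"
 * proposal, SIZE_MAX walks every entry that fits in bLength. */
int hid_report_desc_size(const uint8_t *buf, size_t len, size_t max_entries)
{
    int num = hid_num_descriptors(buf, len);
    size_t offset = offsetof(struct hid_descriptor, desc);
    unsigned int rsize = 0;

    if (num < 0)
        return num;
    for (size_t n = 0; n < (size_t)num && n < max_entries; n++) {
        const uint8_t *d = buf + offset + n * sizeof(struct hid_class_descriptor);
        if (d[0] == HID_DT_REPORT)
            rsize = le16_at(d + 1);
    }
    if (!rsize || rsize > HID_MAX_DESCRIPTOR_SIZE)
        return EINVAL_NEG;                /* "weird size of report descriptor" */
    return (int)rsize;
}

/* Constructed descriptor: bLength 12, bNumDescriptors claims 5 but only two
 * 3-byte entries fit; the report descriptor (63 bytes) is the second entry. */
const uint8_t sample_hid_desc[12] = {
    0x0c, HID_DT_HID, 0x11, 0x01, 0x00, 0x05,
    HID_DT_PHYSICAL, 0x10, 0x00,
    HID_DT_REPORT,   0x3f, 0x00,
};

int main(void)
{
    size_t declared = ARRAY_SIZE(((struct hid_descriptor *)0)->desc);

    printf("num_descriptors = %d\n",
           hid_num_descriptors(sample_hid_desc, sizeof sample_hid_desc));
    printf("walk all entries: rsize = %d\n",
           hid_report_desc_size(sample_hid_desc, sizeof sample_hid_desc, SIZE_MAX));
    printf("capped at ARRAY_SIZE(desc) = %zu: rsize = %d\n", declared,
           hid_report_desc_size(sample_hid_desc, sizeof sample_hid_desc, declared));
    return 0;
}
```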
* Re: [PATCH] usbhid: fix array-index-out-of-bounds in usbhid_parse UBSAN warning
From: Dan Carpenter @ 2024-01-03 14:12 UTC (permalink / raw)
To: oe-kbuild, syzbot, linux-kernel, syzkaller-bugs; +Cc: lkp, oe-kbuild-all
Hi syzbot,
kernel test robot noticed the following build warnings:
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/syzbot/usbhid-fix-array-index-out-of-bounds-in-usbhid_parse-UBSAN-warning/20231225-153341
base: https://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git for-next
patch link: https://lore.kernel.org/r/0000000000009ae37b060d32c643%40google.com
patch subject: [PATCH] usbhid: fix array-index-out-of-bounds in usbhid_parse UBSAN warning
config: x86_64-randconfig-161-20231225 (https://download.01.org/0day-ci/archive/20231226/202312260900.gRDPofL9-lkp@intel.com/config)
compiler: clang version 16.0.4 (https://github.com/llvm/llvm-project.git ae42196bc493ffe877a7e3dff8be32035dea4d07)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
| Closes: https://lore.kernel.org/r/202312260900.gRDPofL9-lkp@intel.com/
smatch warnings:
drivers/hid/usbhid/hid-core.c:1026 usbhid_parse() warn: curly braces intended?
drivers/hid/usbhid/hid-core.c:1029 usbhid_parse() warn: inconsistent indenting
vim +1026 drivers/hid/usbhid/hid-core.c
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 979 static int usbhid_parse(struct hid_device *hid)
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 980 {
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 981 struct usb_interface *intf = to_usb_interface(hid->dev.parent);
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 982 struct usb_host_interface *interface = intf->cur_altsetting;
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 983 struct usb_device *dev = interface_to_usbdev (intf);
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 984 struct hid_descriptor *hdesc;
2eb5dc30eb87aa drivers/hid/usbhid/hid-core.c Paul Walmsley 2007-04-19 985 u32 quirks = 0;
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 986 unsigned int rsize = 0;
c5b7c7c395a34f drivers/usb/input/hid-core.c Dmitry Torokhov 2005-09-15 987 char *rdesc;
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 988 int ret, n;
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 989 int num_descriptors;
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 990 size_t offset = offsetof(struct hid_descriptor, desc);
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 991
d5d3e202753cc0 drivers/hid/usbhid/hid-core.c Benjamin Tissoires 2017-11-20 992 quirks = hid_lookup_quirk(hid);
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 993
6f4303fb2ec680 drivers/hid/usbhid/hid-core.c Jiri Kosina 2009-01-29 994 if (quirks & HID_QUIRK_IGNORE)
6f4303fb2ec680 drivers/hid/usbhid/hid-core.c Jiri Kosina 2009-01-29 995 return -ENODEV;
6f4303fb2ec680 drivers/hid/usbhid/hid-core.c Jiri Kosina 2009-01-29 996
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 997 /* Many keyboards and mice don't like to be polled for reports,
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 998 * so we will always set the HID_QUIRK_NOGET flag for them. */
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 999 if (interface->desc.bInterfaceSubClass == USB_INTERFACE_SUBCLASS_BOOT) {
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 1000 if (interface->desc.bInterfaceProtocol == USB_INTERFACE_PROTOCOL_KEYBOARD ||
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 1001 interface->desc.bInterfaceProtocol == USB_INTERFACE_PROTOCOL_MOUSE)
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 1002 quirks |= HID_QUIRK_NOGET;
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 1003 }
0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 1004
c5b7c7c395a34f drivers/usb/input/hid-core.c Dmitry Torokhov 2005-09-15 1005 if (usb_get_extra_descriptor(interface, HID_DT_HID, &hdesc) &&
c5b7c7c395a34f drivers/usb/input/hid-core.c Dmitry Torokhov 2005-09-15 1006 (!interface->desc.bNumEndpoints ||
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1007 usb_get_extra_descriptor(&interface->endpoint[0], HID_DT_HID, &hdesc))) {
58037eb961f859 drivers/hid/usbhid/hid-core.c Jiri Kosina 2007-05-30 1008 dbg_hid("class descriptor not present\n");
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1009 return -ENODEV;
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1010 }
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1011
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1012 if (hdesc->bLength < sizeof(struct hid_descriptor)) {
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1013 dbg_hid("hid descriptor is too short\n");
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1014 return -EINVAL;
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1015 }
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1016
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1017 hid->version = le16_to_cpu(hdesc->bcdHID);
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1018 hid->country = hdesc->bCountryCode;
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1019
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1020 num_descriptors = min_t(int, hdesc->bNumDescriptors,
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1021 (hdesc->bLength - offset) / sizeof(struct hid_class_descriptor));
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1022
f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1023 for (n = 0; n < num_descriptors; n++)
This for loop needs curly braces now.
d3e0d5b253c73b drivers/hid/usbhid/hid-core.c syzbot 2023-12-23 1024 if (n >= ARRAY_SIZE(hdesc->desc))
d3e0d5b253c73b drivers/hid/usbhid/hid-core.c syzbot 2023-12-23 1025 break;
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 @1026 if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT)
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1027 rsize = le16_to_cpu(hdesc->desc[n].wDescriptorLength);
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1028
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 @1029 if (!rsize || rsize > HID_MAX_DESCRIPTOR_SIZE) {
58037eb961f859 drivers/hid/usbhid/hid-core.c Jiri Kosina 2007-05-30 1030 dbg_hid("weird size of report descriptor (%u)\n", rsize);
c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1031 return -EINVAL;
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1032 }
^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1033
52150c78270db5 drivers/hid/usbhid/hid-core.c Joe Perches 2017-03-01 1034 rdesc = kmalloc(rsize, GFP_KERNEL);
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
* Re: [PATCH] usbhid: fix array-index-out-of-bounds in usbhid_parse UBSAN warning
From: Aleksandr Nogikh @ 2024-01-03 14:29 UTC (permalink / raw)
To: Dan Carpenter
Cc: oe-kbuild, syzbot, linux-kernel, syzkaller-bugs, lkp, oe-kbuild-all
Hi Dan,
In this particular case syzbot just forwarded a user's patch testing
request to the LKML. I think there's not much value in kernel test
robot analyzing such emails.
--
Aleksandr
On Wed, Jan 3, 2024 at 3:12 PM Dan Carpenter <dan.carpenter@linaro.org> wrote:
>
> Hi syzbot,
>
> kernel test robot noticed the following build warnings:
>
> https://git-scm.com/docs/git-format-patch#_base_tree_information]
>
> url: https://github.com/intel-lab-lkp/linux/commits/syzbot/usbhid-fix-array-index-out-of-bounds-in-usbhid_parse-UBSAN-warning/20231225-153341
> base: https://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git for-next
> patch link: https://lore.kernel.org/r/0000000000009ae37b060d32c643%40google.com
> patch subject: [PATCH] usbhid: fix array-index-out-of-bounds in usbhid_parse UBSAN warning
> config: x86_64-randconfig-161-20231225 (https://download.01.org/0day-ci/archive/20231226/202312260900.gRDPofL9-lkp@intel.com/config)
> compiler: clang version 16.0.4 (https://github.com/llvm/llvm-project.git ae42196bc493ffe877a7e3dff8be32035dea4d07)
>
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <lkp@intel.com>
> | Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
> | Closes: https://lore.kernel.org/r/202312260900.gRDPofL9-lkp@intel.com/
>
> smatch warnings:
> drivers/hid/usbhid/hid-core.c:1026 usbhid_parse() warn: curly braces intended?
> drivers/hid/usbhid/hid-core.c:1029 usbhid_parse() warn: inconsistent indenting
>
> vim +1026 drivers/hid/usbhid/hid-core.c
>
> c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 979 static int usbhid_parse(struct hid_device *hid)
> c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 980 {
> c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 981 struct usb_interface *intf = to_usb_interface(hid->dev.parent);
> ^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 982 struct usb_host_interface *interface = intf->cur_altsetting;
> ^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 983 struct usb_device *dev = interface_to_usbdev (intf);
> ^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 984 struct hid_descriptor *hdesc;
> 2eb5dc30eb87aa drivers/hid/usbhid/hid-core.c Paul Walmsley 2007-04-19 985 u32 quirks = 0;
> c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 986 unsigned int rsize = 0;
> c5b7c7c395a34f drivers/usb/input/hid-core.c Dmitry Torokhov 2005-09-15 987 char *rdesc;
> c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 988 int ret, n;
> f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 989 int num_descriptors;
> f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 990 size_t offset = offsetof(struct hid_descriptor, desc);
> ^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 991
> d5d3e202753cc0 drivers/hid/usbhid/hid-core.c Benjamin Tissoires 2017-11-20 992 quirks = hid_lookup_quirk(hid);
> ^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 993
> 6f4303fb2ec680 drivers/hid/usbhid/hid-core.c Jiri Kosina 2009-01-29 994 if (quirks & HID_QUIRK_IGNORE)
> 6f4303fb2ec680 drivers/hid/usbhid/hid-core.c Jiri Kosina 2009-01-29 995 return -ENODEV;
> 6f4303fb2ec680 drivers/hid/usbhid/hid-core.c Jiri Kosina 2009-01-29 996
> 0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 997 /* Many keyboards and mice don't like to be polled for reports,
> 0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 998 * so we will always set the HID_QUIRK_NOGET flag for them. */
> 0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 999 if (interface->desc.bInterfaceSubClass == USB_INTERFACE_SUBCLASS_BOOT) {
> 0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 1000 if (interface->desc.bInterfaceProtocol == USB_INTERFACE_PROTOCOL_KEYBOARD ||
> 0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 1001 interface->desc.bInterfaceProtocol == USB_INTERFACE_PROTOCOL_MOUSE)
> 0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 1002 quirks |= HID_QUIRK_NOGET;
> 0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 1003 }
> 0f28b55db54300 drivers/usb/input/hid-core.c Alan Stern 2006-05-15 1004
> c5b7c7c395a34f drivers/usb/input/hid-core.c Dmitry Torokhov 2005-09-15 1005 if (usb_get_extra_descriptor(interface, HID_DT_HID, &hdesc) &&
> c5b7c7c395a34f drivers/usb/input/hid-core.c Dmitry Torokhov 2005-09-15 1006 (!interface->desc.bNumEndpoints ||
> ^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1007 usb_get_extra_descriptor(&interface->endpoint[0], HID_DT_HID, &hdesc))) {
> 58037eb961f859 drivers/hid/usbhid/hid-core.c Jiri Kosina 2007-05-30 1008 dbg_hid("class descriptor not present\n");
> c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1009 return -ENODEV;
> ^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1010 }
> ^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1011
> f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1012 if (hdesc->bLength < sizeof(struct hid_descriptor)) {
> f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1013 dbg_hid("hid descriptor is too short\n");
> f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1014 return -EINVAL;
> f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1015 }
> f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1016
> c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1017 hid->version = le16_to_cpu(hdesc->bcdHID);
> c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1018 hid->country = hdesc->bCountryCode;
> c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1019
> f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1020 num_descriptors = min_t(int, hdesc->bNumDescriptors,
> f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1021 (hdesc->bLength - offset) / sizeof(struct hid_class_descriptor));
> f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1022
> f043bfc98c193c drivers/hid/usbhid/hid-core.c Jaejoong Kim 2017-09-28 1023 for (n = 0; n < num_descriptors; n++)
>
> This for loop needs curly braces now.
>
> d3e0d5b253c73b drivers/hid/usbhid/hid-core.c syzbot 2023-12-23 1024 if (n >= ARRAY_SIZE(hdesc->desc))
> d3e0d5b253c73b drivers/hid/usbhid/hid-core.c syzbot 2023-12-23 1025 break;
> ^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 @1026 if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT)
> ^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1027 rsize = le16_to_cpu(hdesc->desc[n].wDescriptorLength);
> ^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1028
> ^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 @1029 if (!rsize || rsize > HID_MAX_DESCRIPTOR_SIZE) {
> 58037eb961f859 drivers/hid/usbhid/hid-core.c Jiri Kosina 2007-05-30 1030 dbg_hid("weird size of report descriptor (%u)\n", rsize);
> c500c9714011ed drivers/hid/usbhid/hid-core.c Jiri Slaby 2008-05-16 1031 return -EINVAL;
> ^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1032 }
> ^1da177e4c3f41 drivers/usb/input/hid-core.c Linus Torvalds 2005-04-16 1033
> 52150c78270db5 drivers/hid/usbhid/hid-core.c Joe Perches 2017-03-01 1034 rdesc = kmalloc(rsize, GFP_KERNEL);
>
> --
> 0-DAY CI Kernel Test Service
> https://github.com/intel/lkp-tests/wiki
>
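As an added example (not code from this thread or from the kernel), a userspace model of the hid_descriptor walk quoted above, using the flexible-array layout proposed later in the thread: hid_report_size_lenient() reproduces the bLength-capped bound from line 1020 (on the kernel's desc[1] declaration, the n == 1 access it admits is the one UBSAN reported), and hid_report_size() applies a struct_size()-style consistency check instead. The struct definitions, helper names and sample descriptors are constructed for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HID_DT_HID              0x21
#define HID_DT_REPORT           0x22
#define HID_DT_PHYSICAL         0x23
#define HID_MAX_DESCRIPTOR_SIZE 4096

/* One class-descriptor entry: a type byte and a little-endian 16-bit length. */
struct hid_class_descriptor {
	uint8_t  bDescriptorType;
	uint16_t wDescriptorLength;
} __attribute__((packed));

/* HID descriptor header with the flexible array proposed in this thread in
 * place of the one-element desc[1] UBSAN flagged; sizeof() is the header only. */
struct hid_descriptor {
	uint8_t  bLength;
	uint8_t  bDescriptorType;
	uint16_t bcdHID;
	uint8_t  bCountryCode;
	uint8_t  bNumDescriptors;
	struct hid_class_descriptor desc[];
} __attribute__((packed));

/* Wire-order 16-bit field read byte by byte (the kernel uses le16_to_cpu()). */
static unsigned int le16_field(const void *field)
{
	uint8_t b[2];
	memcpy(b, field, sizeof(b));
	return b[0] | ((unsigned int)b[1] << 8);
}

/* The fixed header must be fully present and must be a HID descriptor. */
static int hid_header_ok(const struct hid_descriptor *hdesc, size_t avail)
{
	return avail >= sizeof(*hdesc) && hdesc->bLength >= sizeof(*hdesc) &&
	       hdesc->bLength <= avail && hdesc->bDescriptorType == HID_DT_HID;
}

/* Scan entries [0, count); return the report descriptor's length or -EINVAL. */
static int pick_report_size(const struct hid_descriptor *hdesc, unsigned int count)
{
	unsigned int n, rsize = 0;
	for (n = 0; n < count; n++) {
		if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT)
			rsize = le16_field(&hdesc->desc[n].wDescriptorLength);
	}
	if (!rsize || rsize > HID_MAX_DESCRIPTOR_SIZE)
		return -EINVAL;	/* "weird size of report descriptor" */
	return (int)rsize;
}

/* Pre-patch bound from usbhid_parse(): bNumDescriptors is quietly capped to
 * the entries bLength carries. On the kernel's desc[1] declaration, every
 * n >= 1 this bound admits is the access UBSAN reported at hid-core.c:1024. */
int hid_report_size_lenient(const uint8_t *buf, size_t avail)
{
	const struct hid_descriptor *hdesc = (const struct hid_descriptor *)buf;
	unsigned int count;
	if (!hid_header_ok(hdesc, avail))
		return -EINVAL;
	count = (hdesc->bLength - sizeof(*hdesc)) / sizeof(struct hid_class_descriptor);
	if (count > hdesc->bNumDescriptors)
		count = hdesc->bNumDescriptors;
	return pick_report_size(hdesc, count);
}

/* Hardened bound modelling the struct_size() check from the thread: a count
 * that claims more entries than bLength carries is rejected, not truncated. */
int hid_report_size(const uint8_t *buf, size_t avail)
{
	const struct hid_descriptor *hdesc = (const struct hid_descriptor *)buf;
	if (!hid_header_ok(hdesc, avail))
		return -EINVAL;
	if (hdesc->bLength < sizeof(*hdesc) +
			     hdesc->bNumDescriptors * sizeof(struct hid_class_descriptor))
		return -EINVAL;	/* count and length disagree */
	return pick_report_size(hdesc, hdesc->bNumDescriptors);
}

/* Constructed descriptors in wire order (not taken from the syzbot reproducer). */
static const uint8_t desc_two_entries[] = {	/* report (65 bytes), then physical */
	0x0c, HID_DT_HID, 0x11, 0x01, 0x00, 0x02,
	HID_DT_REPORT, 0x41, 0x00, HID_DT_PHYSICAL, 0x14, 0x00,
};
static const uint8_t desc_overcount[] = {	/* claims 2 entries, carries only 1 */
	0x09, HID_DT_HID, 0x11, 0x01, 0x00, 0x02, HID_DT_REPORT, 0x41, 0x00,
};

int main(void)
{
	printf("%d %d %d\n",	/* 65 65 -22 */
	       hid_report_size(desc_two_entries, sizeof(desc_two_entries)),
	       hid_report_size_lenient(desc_overcount, sizeof(desc_overcount)),
	       hid_report_size(desc_overcount, sizeof(desc_overcount)));
	return 0;
}
```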
* Re: [syzbot] [PATCH] usbhid: fix array-index-out-of-bounds in usbhid_parse UBSAN warning
2023-12-23 19:59 ` [syzbot] [PATCH] usbhid: fix array-index-out-of-bounds in usbhid_parse UBSAN warning syzbot
2024-01-03 14:12 ` Dan Carpenter
@ 2024-03-05 18:55 ` Kees Cook
1 sibling, 0 replies; 14+ messages in thread
From: Kees Cook @ 2024-03-05 18:55 UTC (permalink / raw)
To: Jiri Kosina, Benjamin Tissoires, Attreyee Mukherjee
Cc: linux-kernel, syzkaller-bugs, syzbot, linux-usb, linux-hardening
Hi,
What's happened to getting a new version of this patch? This flaw is
still reachable in -next from what I can see?
Thanks,
-Kees
On Sat, Dec 23, 2023 at 11:59:51AM -0800, syzbot wrote:
> For archival purposes, forwarding an incoming command email to
> linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
>
> ***
>
> Subject: [PATCH] usbhid: fix array-index-out-of-bounds in usbhid_parse UBSAN warning
> Author: tintinm2017@gmail.com
>
> #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
>
> Look at the bug https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495 reported by syzbot. Tested a patch through syzbot, which gives an error.
> Requesting help from the maintainers to understand what is really going wrong in the code.
>
> Based on my understanding, I believe the value of the number of descriptors is calculated incorrectly before the for loop.
>
> Signed-off-by: Attreyee Mukherjee <tintinm2017@gmail.com>
> ---
> drivers/hid/usbhid/hid-core.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
> index a90ed2ceae84..582ddbef448f 100644
> --- a/drivers/hid/usbhid/hid-core.c
> +++ b/drivers/hid/usbhid/hid-core.c
> @@ -1021,6 +1021,8 @@ static int usbhid_parse(struct hid_device *hid)
> (hdesc->bLength - offset) / sizeof(struct hid_class_descriptor));
>
> for (n = 0; n < num_descriptors; n++)
> + if (n >= ARRAY_SIZE(hdesc->desc))
> + break;
> if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT)
> rsize = le16_to_cpu(hdesc->desc[n].wDescriptorLength);
>
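Review bot: the `for` at line 1023 has no braces, so the added `if (n >= ARRAY_SIZE(hdesc->desc)) break;` becomes its entire body and the existing `if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT)` now runs once after the loop, with n equal to num_descriptors (or 1 after the break). desc[0] is never examined, and for any device with two or more entries the post-loop access is still desc[1], the index UBSAN reported; wrap both statements in braces so the bound guards the access it is meant to guard.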
> --
> 2.34.1
>
--
Kees Cook
* Re: [syzbot] [usb?] UBSAN: array-index-out-of-bounds in usbhid_parse
2023-10-16 17:01 [syzbot] [usb?] UBSAN: array-index-out-of-bounds in usbhid_parse syzbot
` (2 preceding siblings ...)
2023-12-23 19:59 ` [syzbot] [PATCH] usbhid: fix array-index-out-of-bounds in usbhid_parse UBSAN warning syzbot
@ 2024-05-23 14:17 ` Nikita Zhandarovich
2024-05-24 1:56 ` syzbot
2025-01-30 10:20 ` Nikita Zhandarovich
2025-01-31 7:13 ` Nikita Zhandarovich
5 siblings, 1 reply; 14+ messages in thread
From: Nikita Zhandarovich @ 2024-05-23 14:17 UTC (permalink / raw)
To: syzbot+c52569baf0c843f35495
Cc: Nikita Zhandarovich, syzkaller-bugs, linux-kernel
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
---
drivers/hid/usbhid/hid-core.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
index a90ed2ceae84..f38a4bd3a20e 100644
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -1020,6 +1020,9 @@ static int usbhid_parse(struct hid_device *hid)
num_descriptors = min_t(int, hdesc->bNumDescriptors,
(hdesc->bLength - offset) / sizeof(struct hid_class_descriptor));
+ if (num_descriptors > ARRAY_SIZE(hdesc->desc))
+ num_descriptors = ARRAY_SIZE(hdesc->desc);
+
for (n = 0; n < num_descriptors; n++)
if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT)
rsize = le16_to_cpu(hdesc->desc[n].wDescriptorLength);
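Review bot: the clamp silences the report but changes behaviour instead of fixing the declaration: the min_t() at line 1020 already bounds the loop by the bytes bLength carries, so desc[1] and later entries were being read as real descriptor data (desc[1] in struct hid_descriptor is a one-element array standing in for an open-ended one), and a device whose HID_DT_REPORT entry is not at index 0 will now fail with "weird size of report descriptor" instead of being parsed. If that is acceptable because the report descriptor must come first, say so in the changelog; otherwise make desc[] a flexible array and keep the loop bound. Minor: num_descriptors is int and ARRAY_SIZE() is size_t, so `num_descriptors = min_t(int, num_descriptors, ARRAY_SIZE(hdesc->desc));` reads better than the signed/unsigned comparison.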
* Re: [syzbot] [usb?] UBSAN: array-index-out-of-bounds in usbhid_parse
2024-05-23 14:17 ` [syzbot] [usb?] UBSAN: array-index-out-of-bounds in usbhid_parse Nikita Zhandarovich
@ 2024-05-24 1:56 ` syzbot
0 siblings, 0 replies; 14+ messages in thread
From: syzbot @ 2024-05-24 1:56 UTC (permalink / raw)
To: linux-kernel, n.zhandarovich, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+c52569baf0c843f35495@syzkaller.appspotmail.com
Tested on:
commit: b4d88a60 Merge tag 'block-6.10-20240523' of git://git...
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=117100d8980000
kernel config: https://syzkaller.appspot.com/x/.config?x=34e05c35ec964e75
dashboard link: https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1293b80c980000
Note: testing is done by a robot and is best-effort only.
* Re: [syzbot] [usb?] UBSAN: array-index-out-of-bounds in usbhid_parse
2023-10-16 17:01 [syzbot] [usb?] UBSAN: array-index-out-of-bounds in usbhid_parse syzbot
` (3 preceding siblings ...)
2024-05-23 14:17 ` [syzbot] [usb?] UBSAN: array-index-out-of-bounds in usbhid_parse Nikita Zhandarovich
@ 2025-01-30 10:20 ` Nikita Zhandarovich
2025-01-30 14:14 ` syzbot
2025-01-31 7:13 ` Nikita Zhandarovich
5 siblings, 1 reply; 14+ messages in thread
From: Nikita Zhandarovich @ 2025-01-30 10:20 UTC (permalink / raw)
To: syzbot; +Cc: Nikita Zhandarovich, syzkaller-bugs, linux-kernel
Test to see that changes made to hid_descriptor are fine.
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
---
drivers/hid/usbhid/hid-core.c | 2 +-
drivers/usb/gadget/function/f_fs.c | 3 ++-
drivers/usb/gadget/function/f_hid.c | 22 ++++++++++++++--------
include/linux/hid.h | 2 +-
4 files changed, 18 insertions(+), 11 deletions(-)
diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
index a6eb6fe6130d..eb4807785d6d 100644
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -1010,7 +1010,7 @@ static int usbhid_parse(struct hid_device *hid)
return -ENODEV;
}
- if (hdesc->bLength < sizeof(struct hid_descriptor)) {
+ if (hdesc->bLength < struct_size(hdesc, desc, hdesc->bNumDescriptors)) {
dbg_hid("hid descriptor is too short\n");
return -EINVAL;
}
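Review bot: with desc[] flexible, sizeof(struct hid_descriptor) is the six-byte header only, so the rejected case changes from "shorter than header plus one entry" to "shorter than header plus bNumDescriptors entries"; a descriptor with bNumDescriptors == 0 now passes here and is only caught by the later `!rsize` check, which is fine but deserves a sentence in the changelog. struct_size() also reads hdesc->bNumDescriptors before any length test in this function; add a comment that usb_get_extra_descriptor() at line 1005 has already guaranteed at least sizeof(struct hid_descriptor) bytes, since that is what makes the read safe. With this check in place the min_t() at line 1020 can no longer reduce the count and could become `num_descriptors = hdesc->bNumDescriptors;` in a follow-up.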
diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index 2dea9e42a0f8..a4b6d7cbf56d 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -2550,7 +2550,8 @@ static int __must_check ffs_do_single_desc(char *data, unsigned len,
case USB_TYPE_CLASS | 0x01:
if (*current_class == USB_INTERFACE_CLASS_HID) {
pr_vdebug("hid descriptor\n");
- if (length != sizeof(struct hid_descriptor))
+ if (length < sizeof(struct hid_descriptor) +
+ sizeof(struct hid_class_descriptor))
goto inv_length;
break;
} else if (*current_class == USB_INTERFACE_CLASS_CCID) {
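Review bot: going from `!=` to `<` admits any descriptor longer than header plus one entry, including one whose bNumDescriptors byte disagrees with length. The descriptor bytes are in `data`, so tie the two together: cast to struct hid_descriptor and require `length == struct_size(...)` for its bNumDescriptors (after checking that length covers the header), so a gadget cannot advertise a count that the usbhid_parse() check introduced in this series will reject. Requiring at least one entry as the minimum is right, since usbhid_parse() needs an HID_DT_REPORT entry to accept the device.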
diff --git a/drivers/usb/gadget/function/f_hid.c b/drivers/usb/gadget/function/f_hid.c
index 740311c4fa24..ec8c2e2d6812 100644
--- a/drivers/usb/gadget/function/f_hid.c
+++ b/drivers/usb/gadget/function/f_hid.c
@@ -139,13 +139,17 @@ static struct usb_interface_descriptor hidg_interface_desc = {
};
static struct hid_descriptor hidg_desc = {
- .bLength = sizeof hidg_desc,
+ .bLength = struct_size(&hidg_desc, desc, 1),
.bDescriptorType = HID_DT_HID,
.bcdHID = cpu_to_le16(0x0101),
.bCountryCode = 0x00,
.bNumDescriptors = 0x1,
- /*.desc[0].bDescriptorType = DYNAMIC */
- /*.desc[0].wDescriptorLenght = DYNAMIC */
+ .desc = {
+ {
+ .bDescriptorType = 0, /* DYNAMIC */
+ .wDescriptorLength = 0, /* DYNAMIC */
+ }
+ }
};
/* Super-Speed Support */
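Review bot: `.desc = { { ... } }` initialises a flexible array member inside a statically defined object; GCC accepts that as an extension but clang warns (-Wgnu-flexible-array-initializer), and sizeof(hidg_desc) stays at the header size while .bLength claims struct_size(&hidg_desc, desc, 1), which only works because hidg_setup() rebuilds the descriptor through DEFINE_FLEX before copying it out. A plainer option is a small wrapper struct (the header followed by one struct hid_class_descriptor) for hidg_desc, initialised in standard C with .bLength = sizeof of the wrapper.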
@@ -936,16 +940,18 @@ static int hidg_setup(struct usb_function *f,
switch (value >> 8) {
case HID_DT_HID:
{
- struct hid_descriptor hidg_desc_copy = hidg_desc;
+ DEFINE_FLEX(struct hid_descriptor, hidg_desc_copy,
+ desc, bNumDescriptors, 1);
+ *hidg_desc_copy = hidg_desc;
VDBG(cdev, "USB_REQ_GET_DESCRIPTOR: HID\n");
- hidg_desc_copy.desc[0].bDescriptorType = HID_DT_REPORT;
- hidg_desc_copy.desc[0].wDescriptorLength =
+ hidg_desc_copy->desc[0].bDescriptorType = HID_DT_REPORT;
+ hidg_desc_copy->desc[0].wDescriptorLength =
cpu_to_le16(hidg->report_desc_length);
length = min_t(unsigned short, length,
- hidg_desc_copy.bLength);
- memcpy(req->buf, &hidg_desc_copy, length);
+ hidg_desc_copy->bLength);
+ memcpy(req->buf, hidg_desc_copy, length);
goto respond;
break;
}
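Review bot: `*hidg_desc_copy = hidg_desc;` copies only the six-byte header now that desc[] is flexible, so desc[0] of the copy starts as the zeroes DEFINE_FLEX supplied and is filled in entirely by the two assignments that follow; that is correct, but a one-line comment saying the struct assignment deliberately excludes desc[] would keep a later reader from assuming hidg_desc.desc[0] was carried over. The `break;` after `goto respond;` is unreachable and predates this patch; drop it while touching the block.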
diff --git a/include/linux/hid.h b/include/linux/hid.h
index cdc0dc13c87f..85a58ae2c4a0 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -739,7 +739,7 @@ struct hid_descriptor {
__u8 bCountryCode;
__u8 bNumDescriptors;
- struct hid_class_descriptor desc[1];
+ struct hid_class_descriptor desc[] __counted_by(bNumDescriptors);
} __attribute__ ((packed));
#define HID_DEVICE(b, g, ven, prod) \
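Review bot: replacing desc[1] with desc[] __counted_by(bNumDescriptors) addresses the UBSAN report at its source, but it changes sizeof(struct hid_descriptor) for every user of the type, and the diffstat covers only usbhid, f_fs and f_hid. Please check the remaining users of struct hid_descriptor (and any static definitions of it) before merging, and state in the commit message that __counted_by turns any desc[n] access with n >= bNumDescriptors into a bounds-check failure under CONFIG_UBSAN_BOUNDS, which is why usbhid_parse() must verify bLength against bNumDescriptors before the loop.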
* Re: [syzbot] [usb?] UBSAN: array-index-out-of-bounds in usbhid_parse
2025-01-30 10:20 ` Nikita Zhandarovich
@ 2025-01-30 14:14 ` syzbot
0 siblings, 0 replies; 14+ messages in thread
From: syzbot @ 2025-01-30 14:14 UTC (permalink / raw)
To: linux-kernel, n.zhandarovich, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
61.124748][ T29] audit: type=1400 audit(1738246367.103:107): avc: denied { mounton } for pid=5824 comm="syz-executor" path="/root/syzkaller.PSkP8X/syz-tmp" dev="sda1" ino=1933 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1
[ 61.149125][ T29] audit: type=1400 audit(1738246367.103:108): avc: denied { mount } for pid=5824 comm="syz-executor" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1
[ 61.172056][ T29] audit: type=1400 audit(1738246367.103:109): avc: denied { mounton } for pid=5824 comm="syz-executor" path="/root/syzkaller.PSkP8X/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1
[ 61.199012][ T29] audit: type=1400 audit(1738246367.103:110): avc: denied { mount } for pid=5824 comm="syz-executor" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1
[ 61.220940][ T29] audit: type=1400 audit(1738246367.113:111): avc: denied { mounton } for pid=5824 comm="syz-executor" path="/root/syzkaller.PSkP8X/syz-tmp/newroot/sys/kernel/debug" dev="debugfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=1
[ 61.226696][ T5824] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality.
[ 61.248122][ T29] audit: type=1400 audit(1738246367.113:112): avc: denied { mounton } for pid=5824 comm="syz-executor" path="/root/syzkaller.PSkP8X/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=4910 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1
[ 61.407846][ T5829] ==================================================================
[ 61.415938][ T5829] BUG: KASAN: slab-use-after-free in binder_add_device+0xa4/0xb0
[ 61.423696][ T5829] Write of size 8 at addr ffff888033ad8c08 by task syz-executor/5829
[ 61.431852][ T5829]
[ 61.434171][ T5829] CPU: 1 UID: 0 PID: 5829 Comm: syz-executor Not tainted 6.13.0-syzkaller-09485-g72deda0abee6-dirty #0
[ 61.434185][ T5829] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 61.434196][ T5829] Call Trace:
[ 61.434201][ T5829] <TASK>
[ 61.434206][ T5829] dump_stack_lvl+0x116/0x1f0
[ 61.434227][ T5829] print_report+0xc3/0x620
[ 61.434239][ T5829] ? __virt_addr_valid+0x5e/0x590
[ 61.434250][ T5829] ? __phys_addr+0xc6/0x150
[ 61.434261][ T5829] kasan_report+0xd9/0x110
[ 61.434271][ T5829] ? binder_add_device+0xa4/0xb0
[ 61.434284][ T5829] ? binder_add_device+0xa4/0xb0
[ 61.434296][ T5829] binder_add_device+0xa4/0xb0
[ 61.434308][ T5829] binderfs_binder_device_create.isra.0+0x95f/0xb70
[ 61.434325][ T5829] binderfs_fill_super+0x8d6/0x1360
[ 61.434341][ T5829] ? __pfx_binderfs_fill_super+0x10/0x10
[ 61.434360][ T5829] ? shrinker_register+0x1a8/0x260
[ 61.434375][ T5829] ? sget_fc+0x808/0xc20
[ 61.434390][ T5829] ? __pfx_set_anon_super_fc+0x10/0x10
[ 61.434405][ T5829] ? __pfx_binderfs_fill_super+0x10/0x10
[ 61.434418][ T5829] get_tree_nodev+0xda/0x190
[ 61.434433][ T5829] vfs_get_tree+0x8b/0x340
[ 61.434446][ T5829] path_mount+0x14e6/0x1f10
[ 61.434458][ T5829] ? kmem_cache_free+0x2e2/0x4d0
[ 61.434468][ T5829] ? __pfx_path_mount+0x10/0x10
[ 61.434479][ T5829] ? putname+0x13c/0x180
[ 61.434491][ T5829] __x64_sys_mount+0x28f/0x310
[ 61.434502][ T5829] ? __pfx___x64_sys_mount+0x10/0x10
[ 61.434514][ T5829] do_syscall_64+0xcd/0x250
[ 61.434528][ T5829] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 61.434612][ T5829] </TASK>
[ 61.434616][ T5829]
[ 61.662253][ T5829] Allocated by task 5824:
[ 61.666566][ T5829] kasan_save_stack+0x33/0x60
[ 61.671232][ T5829] kasan_save_track+0x14/0x30
[ 61.675901][ T5829] __kasan_kmalloc+0xaa/0xb0
[ 61.680489][ T5829] binderfs_binder_device_create.isra.0+0x17a/0xb70
[ 61.687072][ T5829] binderfs_fill_super+0x8d6/0x1360
[ 61.692351][ T5829] get_tree_nodev+0xda/0x190
[ 61.697019][ T5829] vfs_get_tree+0x8b/0x340
[ 61.701427][ T5829] path_mount+0x14e6/0x1f10
[ 61.705952][ T5829] __x64_sys_mount+0x28f/0x310
[ 61.710702][ T5829] do_syscall_64+0xcd/0x250
[ 61.715192][ T5829] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 61.721074][ T5829]
[ 61.723377][ T5829] Freed by task 5824:
[ 61.727338][ T5829] kasan_save_stack+0x33/0x60
[ 61.732087][ T5829] kasan_save_track+0x14/0x30
[ 61.736952][ T5829] kasan_save_free_info+0x3b/0x60
[ 61.741970][ T5829] __kasan_slab_free+0x51/0x70
[ 61.746718][ T5829] kfree+0x2c4/0x4d0
[ 61.750815][ T5829] binderfs_evict_inode+0x1e0/0x250
[ 61.756001][ T5829] evict+0x409/0x960
[ 61.759886][ T5829] iput+0x52a/0x890
[ 61.763678][ T5829] dentry_unlink_inode+0x29c/0x480
[ 61.768789][ T5829] __dentry_kill+0x1d0/0x600
[ 61.773365][ T5829] shrink_dentry_list+0x140/0x5d0
[ 61.778385][ T5829] shrink_dcache_parent+0xe2/0x530
[ 61.783483][ T5829] shrink_dcache_for_umount+0xa1/0x3e0
[ 61.788936][ T5829] generic_shutdown_super+0x6c/0x390
[ 61.794210][ T5829] kill_litter_super+0x70/0xa0
[ 61.798990][ T5829] binderfs_kill_super+0x3b/0xa0
[ 61.804029][ T5829] deactivate_locked_super+0xbe/0x1a0
[ 61.809396][ T5829] deactivate_super+0xde/0x100
[ 61.814448][ T5829] cleanup_mnt+0x222/0x450
[ 61.818866][ T5829] task_work_run+0x14e/0x250
[ 61.823450][ T5829] do_exit+0xad8/0x2d70
[ 61.827590][ T5829] do_group_exit+0xd3/0x2a0
[ 61.832085][ T5829] get_signal+0x24ed/0x26c0
[ 61.836576][ T5829] arch_do_signal_or_restart+0x90/0x7e0
[ 61.842192][ T5829] syscall_exit_to_user_mode+0x150/0x2a0
[ 61.847808][ T5829] do_syscall_64+0xda/0x250
[ 61.852298][ T5829] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 61.858209][ T5829]
[ 61.860544][ T5829] The buggy address belongs to the object at ffff888033ad8c00
[ 61.860544][ T5829] which belongs to the cache kmalloc-512 of size 512
[ 61.874601][ T5829] The buggy address is located 8 bytes inside of
[ 61.874601][ T5829] freed 512-byte region [ffff888033ad8c00, ffff888033ad8e00)
[ 61.888229][ T5829]
[ 61.890535][ T5829] The buggy address belongs to the physical page:
[ 61.896943][ T5829] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x33ad8
[ 61.905689][ T5829] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 61.914167][ T5829] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[ 61.921715][ T5829] page_type: f5(slab)
[ 61.925679][ T5829] raw: 00fff00000000040 ffff88801b041c80 dead000000000100 dead000000000122
[ 61.934259][ T5829] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 61.942830][ T5829] head: 00fff00000000040 ffff88801b041c80 dead000000000100 dead000000000122
[ 61.951499][ T5829] head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 61.960156][ T5829] head: 00fff00000000002 ffffea0000ceb601 ffffffffffffffff 0000000000000000
[ 61.968812][ T5829] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 61.977484][ T5829] page dumped because: kasan: bad access detected
[ 61.983891][ T5829] page_owner tracks the page as allocated
[ 61.989672][ T5829] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5204, tgid 5204 (udevd), ts 20443550863, free_ts 19532985486
[ 62.010416][ T5829] post_alloc_hook+0x181/0x1b0
[ 62.015177][ T5829] get_page_from_freelist+0xfce/0x2f80
[ 62.020624][ T5829] __alloc_frozen_pages_noprof+0x221/0x2470
[ 62.026501][ T5829] alloc_pages_mpol+0x1fc/0x540
[ 62.031336][ T5829] new_slab+0x23d/0x330
[ 62.035480][ T5829] ___slab_alloc+0xc5d/0x1720
[ 62.040177][ T5829] __slab_alloc.constprop.0+0x56/0xb0
[ 62.045542][ T5829] __kmalloc_cache_noprof+0xfa/0x410
[ 62.050830][ T5829] kernfs_fop_open+0x28b/0xdb0
[ 62.055588][ T5829] do_dentry_open+0x735/0x1c40
[ 62.060366][ T5829] vfs_open+0x82/0x3f0
[ 62.064419][ T5829] path_openat+0x1e88/0x2d80
[ 62.068988][ T5829] do_filp_open+0x20c/0x470
[ 62.073484][ T5829] do_sys_openat2+0x17a/0x1e0
[ 62.078160][ T5829] __x64_sys_openat+0x175/0x210
[ 62.082997][ T5829] do_syscall_64+0xcd/0x250
[ 62.087498][ T5829] page last free pid 5205 tgid 5205 stack trace:
[ 62.093813][ T5829] free_frozen_pages+0x6db/0xfb0
[ 62.098734][ T5829] rcu_core+0x79d/0x14d0
[ 62.102960][ T5829] handle_softirqs+0x213/0x8f0
[ 62.107713][ T5829] __irq_exit_rcu+0x109/0x170
[ 62.112387][ T5829] irq_exit_rcu+0x9/0x30
[ 62.116624][ T5829] sysvec_apic_timer_interrupt+0xa4/0xc0
[ 62.122243][ T5829] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 62.128212][ T5829]
[ 62.130521][ T5829] Memory state around the buggy address:
[ 62.180658][ T5829] ==================================================================
[ 62.199606][ T5829] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 62.206872][ T5829] CPU: 1 UID: 0 PID: 5829 Comm: syz-executor Not tainted 6.13.0-syzkaller-09485-g72deda0abee6-dirty #0
[ 62.217884][ T5829] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 62.227922][ T5829] Call Trace:
[ 62.231187][ T5829] <TASK>
[ 62.234103][ T5829] dump_stack_lvl+0x3d/0x1f0
[ 62.238731][ T5829] panic+0x71d/0x800
[ 62.242615][ T5829] ? __pfx_panic+0x10/0x10
[ 62.247018][ T5829] ? irqentry_exit+0x3b/0x90
[ 62.251593][ T5829] ? lockdep_hardirqs_on+0x7c/0x110
[ 62.256789][ T5829] ? preempt_schedule_thunk+0x1a/0x30
[ 62.262169][ T5829] ? preempt_schedule_common+0x44/0xc0
[ 62.267619][ T5829] ? check_panic_on_warn+0x1f/0xb0
[ 62.272717][ T5829] check_panic_on_warn+0xab/0xb0
[ 62.277728][ T5829] end_report+0x117/0x180
[ 62.282070][ T5829] kasan_report+0xe9/0x110
[ 62.286521][ T5829] ? binder_add_device+0xa4/0xb0
[ 62.291449][ T5829] ? binder_add_device+0xa4/0xb0
[ 62.296389][ T5829] binder_add_device+0xa4/0xb0
[ 62.301141][ T5829] binderfs_binder_device_create.isra.0+0x95f/0xb70
[ 62.307722][ T5829] binderfs_fill_super+0x8d6/0x1360
[ 62.313001][ T5829] ? __pfx_binderfs_fill_super+0x10/0x10
[ 62.318631][ T5829] ? shrinker_register+0x1a8/0x260
[ 62.323733][ T5829] ? sget_fc+0x808/0xc20
[ 62.327964][ T5829] ? __pfx_set_anon_super_fc+0x10/0x10
[ 62.333409][ T5829] ? __pfx_binderfs_fill_super+0x10/0x10
[ 62.339029][ T5829] get_tree_nodev+0xda/0x190
[ 62.343610][ T5829] vfs_get_tree+0x8b/0x340
[ 62.348123][ T5829] path_mount+0x14e6/0x1f10
[ 62.352612][ T5829] ? kmem_cache_free+0x2e2/0x4d0
[ 62.357536][ T5829] ? __pfx_path_mount+0x10/0x10
[ 62.362372][ T5829] ? putname+0x13c/0x180
[ 62.366603][ T5829] __x64_sys_mount+0x28f/0x310
[ 62.371360][ T5829] ? __pfx___x64_sys_mount+0x10/0x10
[ 62.376630][ T5829] do_syscall_64+0xcd/0x250
[ 62.381121][ T5829] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 62.459483][ T5829] </TASK>
[ 62.462725][ T5829] Kernel Offset: disabled
[ 62.467031][ T5829] Rebooting in 86400 seconds..
syzkaller build log:
git status (err=<nil>)
HEAD detached at b50eb251af
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
go fmt ./sys/... >/dev/null
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=b50eb251af3b122fb1b2c574dde0c3d16f6a8cfd -X 'github.com/google/syzkaller/prog.gitRevisionDate=20241203-163055'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"b50eb251af3b122fb1b2c574dde0c3d16f6a8cfd\"
/usr/bin/ld: /tmp/ccVS4jTw.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=10b9a324580000
Tested on:
commit: 72deda0a Merge tag 'soundwire-6.14-rc1' of git://git.k..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=d1d4677fc8e45064
dashboard link: https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=10fa0b64580000
* Re: [syzbot] [usb?] UBSAN: array-index-out-of-bounds in usbhid_parse
2023-10-16 17:01 [syzbot] [usb?] UBSAN: array-index-out-of-bounds in usbhid_parse syzbot
` (4 preceding siblings ...)
2025-01-30 10:20 ` Nikita Zhandarovich
@ 2025-01-31 7:13 ` Nikita Zhandarovich
2025-01-31 7:39 ` syzbot
5 siblings, 1 reply; 14+ messages in thread
From: Nikita Zhandarovich @ 2025-01-31 7:13 UTC (permalink / raw)
To: syzbot; +Cc: Nikita Zhandarovich, syzkaller-bugs, linux-kernel
Test if upstream is broken.
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
* Re: [syzbot] [usb?] UBSAN: array-index-out-of-bounds in usbhid_parse
2025-01-31 7:13 ` Nikita Zhandarovich
@ 2025-01-31 7:39 ` syzbot
0 siblings, 0 replies; 14+ messages in thread
From: syzbot @ 2025-01-31 7:39 UTC (permalink / raw)
To: linux-kernel, n.zhandarovich, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=1
[ 63.252248][ T29] audit: type=1400 audit(1738309108.737:112): avc: denied { mounton } for pid=5825 comm="syz-executor" path="/root/syzkaller.4uglaD/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=4883 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1
[ 63.279716][ T29] audit: type=1400 audit(1738309108.737:113): avc: denied { unmount } for pid=5825 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1
[ 63.299322][ T29] audit: type=1400 audit(1738309108.757:114): avc: denied { mounton } for pid=5825 comm="syz-executor" path="/dev/binderfs" dev="devtmpfs" ino=2723 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:device_t tclass=dir permissive=1
[ 63.322245][ T29] audit: type=1400 audit(1738309108.757:115): avc: denied { mount } for pid=5825 comm="syz-executor" name="/" dev="binder" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem permissive=1
[ 63.345302][ T29] audit: type=1400 audit(1738309108.757:116): avc: denied { mounton } for pid=5825 comm="syz-executor" path="/sys/fs/fuse/connections" dev="fusectl" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=dir permissive=1
[ 63.349349][ T5825] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality.
[ 63.601832][ T5830] ==================================================================
[ 63.609917][ T5830] BUG: KASAN: slab-use-after-free in binder_add_device+0xa4/0xb0
[ 63.617631][ T5830] Write of size 8 at addr ffff888033fc6c08 by task syz-executor/5830
[ 63.625684][ T5830]
[ 63.628098][ T5830] CPU: 0 UID: 0 PID: 5830 Comm: syz-executor Not tainted 6.13.0-syzkaller-09760-g69e858e0b8b2 #0
[ 63.628112][ T5830] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 63.628121][ T5830] Call Trace:
[ 63.628126][ T5830] <TASK>
[ 63.628134][ T5830] dump_stack_lvl+0x116/0x1f0
[ 63.628154][ T5830] print_report+0xc3/0x620
[ 63.628166][ T5830] ? __virt_addr_valid+0x5e/0x590
[ 63.628178][ T5830] ? __phys_addr+0xc6/0x150
[ 63.628188][ T5830] kasan_report+0xd9/0x110
[ 63.628198][ T5830] ? binder_add_device+0xa4/0xb0
[ 63.628212][ T5830] ? binder_add_device+0xa4/0xb0
[ 63.628226][ T5830] binder_add_device+0xa4/0xb0
[ 63.628238][ T5830] binderfs_binder_device_create.isra.0+0x95f/0xb70
[ 63.628255][ T5830] binderfs_fill_super+0x8d6/0x1360
[ 63.628271][ T5830] ? __pfx_binderfs_fill_super+0x10/0x10
[ 63.628290][ T5830] ? shrinker_register+0x1a8/0x260
[ 63.628305][ T5830] ? sget_fc+0x808/0xc20
[ 63.628320][ T5830] ? __pfx_set_anon_super_fc+0x10/0x10
[ 63.628335][ T5830] ? __pfx_binderfs_fill_super+0x10/0x10
[ 63.628349][ T5830] get_tree_nodev+0xda/0x190
[ 63.628364][ T5830] vfs_get_tree+0x8b/0x340
[ 63.628377][ T5830] path_mount+0x14e6/0x1f10
[ 63.628389][ T5830] ? kmem_cache_free+0x2e2/0x4d0
[ 63.628399][ T5830] ? __pfx_path_mount+0x10/0x10
[ 63.628410][ T5830] ? putname+0x13c/0x180
[ 63.628423][ T5830] __x64_sys_mount+0x28f/0x310
[ 63.628434][ T5830] ? __pfx___x64_sys_mount+0x10/0x10
[ 63.628446][ T5830] do_syscall_64+0xcd/0x250
[ 63.628461][ T5830] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 63.628476][ T5830] RIP: 0033:0x7f5c0fd816ba
[ 63.628486][ T5830] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 63.628499][ T5830] RSP: 002b:00007ffc2db5bbc8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 63.628510][ T5830] RAX: ffffffffffffffda RBX: 00007f5c0fdf3d49 RCX: 00007f5c0fd816ba
[ 63.628517][ T5830] RDX: 00007f5c0fdff2fa RSI: 00007f5c0fdf3d49 RDI: 00007f5c0fdff2fa
[ 63.628524][ T5830] RBP: 00007f5c0fdf3f58 R08: 0000000000000000 R09: 00000000000001ff
[ 63.628531][ T5830] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5c0fdde068
[ 63.628537][ T5830] R13: 00007f5c0fdde048 R14: 0000000000000009 R15: 0000000000000000
[ 63.628546][ T5830] </TASK>
[ 63.628550][ T5830]
[ 63.855639][ T5830] Allocated by task 5825:
[ 63.859939][ T5830] kasan_save_stack+0x33/0x60
[ 63.864593][ T5830] kasan_save_track+0x14/0x30
[ 63.869241][ T5830] __kasan_kmalloc+0xaa/0xb0
[ 63.873802][ T5830] binderfs_binder_device_create.isra.0+0x17a/0xb70
[ 63.880372][ T5830] binderfs_fill_super+0x8d6/0x1360
[ 63.885551][ T5830] get_tree_nodev+0xda/0x190
[ 63.890132][ T5830] vfs_get_tree+0x8b/0x340
[ 63.894529][ T5830] path_mount+0x14e6/0x1f10
[ 63.899013][ T5830] __x64_sys_mount+0x28f/0x310
[ 63.903753][ T5830] do_syscall_64+0xcd/0x250
[ 63.908236][ T5830] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 63.914106][ T5830]
[ 63.916406][ T5830] Freed by task 5825:
[ 63.920358][ T5830] kasan_save_stack+0x33/0x60
[ 63.925013][ T5830] kasan_save_track+0x14/0x30
[ 63.929663][ T5830] kasan_save_free_info+0x3b/0x60
[ 63.934667][ T5830] __kasan_slab_free+0x51/0x70
[ 63.939409][ T5830] kfree+0x2c4/0x4d0
[ 63.943291][ T5830] binderfs_evict_inode+0x1e0/0x250
[ 63.948494][ T5830] evict+0x409/0x960
[ 63.952454][ T5830] iput+0x52a/0x890
[ 63.956240][ T5830] dentry_unlink_inode+0x29c/0x480
[ 63.961341][ T5830] __dentry_kill+0x1d0/0x600
[ 63.965923][ T5830] shrink_dentry_list+0x140/0x5d0
[ 63.970955][ T5830] shrink_dcache_parent+0xe2/0x530
[ 63.976049][ T5830] shrink_dcache_for_umount+0xa1/0x3e0
[ 63.981488][ T5830] generic_shutdown_super+0x6c/0x390
[ 63.986757][ T5830] kill_litter_super+0x70/0xa0
[ 63.991514][ T5830] binderfs_kill_super+0x3b/0xa0
[ 63.996437][ T5830] deactivate_locked_super+0xbe/0x1a0
[ 64.001818][ T5830] deactivate_super+0xde/0x100
[ 64.006607][ T5830] cleanup_mnt+0x222/0x450
[ 64.011006][ T5830] task_work_run+0x14e/0x250
[ 64.015574][ T5830] do_exit+0xad8/0x2d70
[ 64.019705][ T5830] do_group_exit+0xd3/0x2a0
[ 64.024189][ T5830] get_signal+0x24ed/0x26c0
[ 64.028671][ T5830] arch_do_signal_or_restart+0x90/0x7e0
[ 64.034189][ T5830] syscall_exit_to_user_mode+0x150/0x2a0
[ 64.039798][ T5830] do_syscall_64+0xda/0x250
[ 64.044368][ T5830] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 64.050240][ T5830]
[ 64.052537][ T5830] The buggy address belongs to the object at ffff888033fc6c00
[ 64.052537][ T5830] which belongs to the cache kmalloc-512 of size 512
[ 64.066582][ T5830] The buggy address is located 8 bytes inside of
[ 64.066582][ T5830] freed 512-byte region [ffff888033fc6c00, ffff888033fc6e00)
[ 64.080181][ T5830]
[ 64.082483][ T5830] The buggy address belongs to the physical page:
[ 64.088873][ T5830] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x33fc4
[ 64.097612][ T5830] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 64.106608][ T5830] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[ 64.114131][ T5830] page_type: f5(slab)
[ 64.118088][ T5830] raw: 00fff00000000040 ffff88801b041c80 ffffea0000d64600 dead000000000002
[ 64.126660][ T5830] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 64.135218][ T5830] head: 00fff00000000040 ffff88801b041c80 ffffea0000d64600 dead000000000002
[ 64.143878][ T5830] head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 64.152610][ T5830] head: 00fff00000000002 ffffea0000cff101 ffffffffffffffff 0000000000000000
[ 64.161253][ T5830] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 64.169911][ T5830] page dumped because: kasan: bad access detected
[ 64.176303][ T5830] page_owner tracks the page as allocated
[ 64.182001][ T5830] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5204, tgid 5204 (udevd), ts 19812150758, free_ts 19804332293
[ 64.202759][ T5830] post_alloc_hook+0x181/0x1b0
[ 64.207510][ T5830] get_page_from_freelist+0xfce/0x2f80
[ 64.212945][ T5830] __alloc_frozen_pages_noprof+0x221/0x2470
[ 64.218837][ T5830] alloc_pages_mpol+0x1fc/0x540
[ 64.223678][ T5830] new_slab+0x23d/0x330
[ 64.227813][ T5830] ___slab_alloc+0xc5d/0x1720
[ 64.232469][ T5830] __slab_alloc.constprop.0+0x56/0xb0
[ 64.237817][ T5830] __kmalloc_cache_noprof+0xfa/0x410
[ 64.243092][ T5830] kernfs_fop_open+0x28b/0xdb0
[ 64.247841][ T5830] do_dentry_open+0x735/0x1c40
[ 64.252589][ T5830] vfs_open+0x82/0x3f0
[ 64.256632][ T5830] path_openat+0x1e88/0x2d80
[ 64.261192][ T5830] do_filp_open+0x20c/0x470
[ 64.265666][ T5830] do_sys_openat2+0x17a/0x1e0
[ 64.270318][ T5830] __x64_sys_openat+0x175/0x210
[ 64.275142][ T5830] do_syscall_64+0xcd/0x250
[ 64.279635][ T5830] page last free pid 5198 tgid 5198 stack trace:
[ 64.285933][ T5830] free_frozen_pages+0x6db/0xfb0
[ 64.290843][ T5830] qlist_free_all+0x4e/0x120
[ 64.295415][ T5830] kasan_quarantine_reduce+0x195/0x1e0
[ 64.300872][ T5830] __kasan_slab_alloc+0x69/0x90
[ 64.305697][ T5830] __kmalloc_node_noprof+0x1d0/0x510
[ 64.310962][ T5830] __kvmalloc_node_noprof+0xad/0x1a0
[ 64.316225][ T5830] seq_read_iter+0x82a/0x12b0
[ 64.320886][ T5830] kernfs_fop_read_iter+0x414/0x580
[ 64.326074][ T5830] vfs_read+0x886/0xbf0
[ 64.330216][ T5830] ksys_read+0x12b/0x250
[ 64.334453][ T5830] do_syscall_64+0xcd/0x250
[ 64.338943][ T5830] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 64.344831][ T5830]
[ 64.347142][ T5830] Memory state around the buggy address:
[ 64.352755][ T5830] ffff888033fc6b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 64.360791][ T5830] ffff888033fc6b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 64.368826][ T5830] >ffff888033fc6c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.376859][ T5830] ^
[ 64.381176][ T5830] ffff888033fc6c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.389211][ T5830] ffff888033fc6d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.397245][ T5830] ==================================================================
[ 64.407234][ T5830] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 64.414448][ T5830] CPU: 0 UID: 0 PID: 5830 Comm: syz-executor Not tainted 6.13.0-syzkaller-09760-g69e858e0b8b2 #0
[ 64.424947][ T5830] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 64.434979][ T5830] Call Trace:
[ 64.438234][ T5830] <TASK>
[ 64.441141][ T5830] dump_stack_lvl+0x3d/0x1f0
[ 64.445803][ T5830] panic+0x71d/0x800
[ 64.449679][ T5830] ? __pfx_panic+0x10/0x10
[ 64.454073][ T5830] ? irqentry_exit+0x3b/0x90
[ 64.458641][ T5830] ? lockdep_hardirqs_on+0x7c/0x110
[ 64.463817][ T5830] ? preempt_schedule_thunk+0x1a/0x30
[ 64.469166][ T5830] ? preempt_schedule_common+0x44/0xc0
[ 64.474602][ T5830] ? check_panic_on_warn+0x1f/0xb0
[ 64.479709][ T5830] check_panic_on_warn+0xab/0xb0
[ 64.484639][ T5830] end_report+0x117/0x180
[ 64.488943][ T5830] kasan_report+0xe9/0x110
[ 64.493336][ T5830] ? binder_add_device+0xa4/0xb0
[ 64.498264][ T5830] ? binder_add_device+0xa4/0xb0
[ 64.503177][ T5830] binder_add_device+0xa4/0xb0
[ 64.507917][ T5830] binderfs_binder_device_create.isra.0+0x95f/0xb70
[ 64.514492][ T5830] binderfs_fill_super+0x8d6/0x1360
[ 64.519674][ T5830] ? __pfx_binderfs_fill_super+0x10/0x10
[ 64.525314][ T5830] ? shrinker_register+0x1a8/0x260
[ 64.530418][ T5830] ? sget_fc+0x808/0xc20
[ 64.534643][ T5830] ? __pfx_set_anon_super_fc+0x10/0x10
[ 64.540095][ T5830] ? __pfx_binderfs_fill_super+0x10/0x10
[ 64.545718][ T5830] get_tree_nodev+0xda/0x190
[ 64.550288][ T5830] vfs_get_tree+0x8b/0x340
[ 64.554683][ T5830] path_mount+0x14e6/0x1f10
[ 64.559166][ T5830] ? kmem_cache_free+0x2e2/0x4d0
[ 64.564081][ T5830] ? __pfx_path_mount+0x10/0x10
[ 64.568905][ T5830] ? putname+0x13c/0x180
[ 64.573125][ T5830] __x64_sys_mount+0x28f/0x310
[ 64.577872][ T5830] ? __pfx___x64_sys_mount+0x10/0x10
[ 64.583142][ T5830] do_syscall_64+0xcd/0x250
[ 64.587624][ T5830] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 64.593497][ T5830] RIP: 0033:0x7f5c0fd816ba
[ 64.597888][ T5830] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 64.617482][ T5830] RSP: 002b:00007ffc2db5bbc8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 64.625976][ T5830] RAX: ffffffffffffffda RBX: 00007f5c0fdf3d49 RCX: 00007f5c0fd816ba
[ 64.633954][ T5830] RDX: 00007f5c0fdff2fa RSI: 00007f5c0fdf3d49 RDI: 00007f5c0fdff2fa
[ 64.641918][ T5830] RBP: 00007f5c0fdf3f58 R08: 0000000000000000 R09: 00000000000001ff
[ 64.649864][ T5830] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5c0fdde068
[ 64.657812][ T5830] R13: 00007f5c0fdde048 R14: 0000000000000009 R15: 0000000000000000
[ 64.665767][ T5830] </TASK>
[ 64.668899][ T5830] Kernel Offset: disabled
[ 64.673206][ T5830] Rebooting in 86400 seconds..
syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.22.7'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build2275386146=/tmp/go-build -gno-record-gcc-switches'
git status (err=<nil>)
HEAD detached at b50eb251af
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
go fmt ./sys/... >/dev/null
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=b50eb251af3b122fb1b2c574dde0c3d16f6a8cfd -X 'github.com/google/syzkaller/prog.gitRevisionDate=20241203-163055'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"b50eb251af3b122fb1b2c574dde0c3d16f6a8cfd\"
/usr/bin/ld: /tmp/ccVVKqYN.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=14b5e5f8580000
Tested on:
commit: 69e858e0 Merge tag 'uml-for-linus-6.14-rc1' of git://g..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=d1d4677fc8e45064
dashboard link: https://syzkaller.appspot.com/bug?extid=c52569baf0c843f35495
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.