Hello,
syzbot found the following crash on:
HEAD commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=11d74573e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15fa561de00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15d74573e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: [email protected]
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:381 [inline]
BUG: KASAN: slab-out-of-bounds in skb_put_data include/linux/skbuff.h:2284 [inline]
BUG: KASAN: slab-out-of-bounds in hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
BUG: KASAN: slab-out-of-bounds in hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
BUG: KASAN: slab-out-of-bounds in hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
Read of size 19671 at addr ffff8881d226413c by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xef/0x16e lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
__kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
kasan_report+0xe/0x20 mm/kasan/common.c:641
check_memory_region_inline mm/kasan/generic.c:185 [inline]
check_memory_region+0x152/0x1c0 mm/kasan/generic.c:192
memcpy+0x20/0x50 mm/kasan/common.c:127
memcpy include/linux/string.h:381 [inline]
skb_put_data include/linux/skbuff.h:2284 [inline]
hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
__usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
__do_softirq+0x21e/0x950 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x178/0x1a0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:546 [inline]
smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
</IRQ>
RIP: 0010:default_idle+0x28/0x300 arch/x86/kernel/process.c:696
Code: cc cc 41 56 41 55 65 44 8b 2d 44 77 72 7a 41 54 55 53 0f 1f 44 00 00 e8 b6 62 b5 fb e9 07 00 00 00 0f 00 2d ea 0c 53 00 fb f4 <65> 44 8b 2d 20 77 72 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
RSP: 0018:ffffffff87007d80 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: ffffffff8702cc40 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffffff8702d48c
RBP: fffffbfff0e05988 R08: ffffffff8702cc40 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: ffffffff87e607c0 R15: 0000000000000000
cpuidle_idle_call kernel/sched/idle.c:154 [inline]
do_idle+0x3e0/0x500 kernel/sched/idle.c:269
cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:361
start_kernel+0xe16/0xe5a init/main.c:998
secondary_startup_64+0xb6/0xc0 arch/x86/kernel/head_64.S:242
The buggy address belongs to the page:
page:ffffea0007489800 refcount:32744 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
flags: 0x200000000010000(head)
raw: 0200000000010000 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00007fe8ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881d2268000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8881d2268080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881d2268100: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
^
ffff8881d2268180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8881d2268200: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
#syz test: https://github.com/google/kasan.git e17994d1
On Sat, Mar 21, 2020 at 3:28 AM syzbot
<[email protected]> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
> git tree: https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=11d74573e00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
> dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15fa561de00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15d74573e00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: [email protected]
>
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:381 [inline]
> BUG: KASAN: slab-out-of-bounds in skb_put_data include/linux/skbuff.h:2284 [inline]
> BUG: KASAN: slab-out-of-bounds in hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
> BUG: KASAN: slab-out-of-bounds in hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
> BUG: KASAN: slab-out-of-bounds in hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
> Read of size 19671 at addr ffff8881d226413c by task swapper/0/0
>
> CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc5-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
> <IRQ>
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0xef/0x16e lib/dump_stack.c:118
> print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
> __kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
> kasan_report+0xe/0x20 mm/kasan/common.c:641
> check_memory_region_inline mm/kasan/generic.c:185 [inline]
> check_memory_region+0x152/0x1c0 mm/kasan/generic.c:192
> memcpy+0x20/0x50 mm/kasan/common.c:127
> memcpy include/linux/string.h:381 [inline]
> skb_put_data include/linux/skbuff.h:2284 [inline]
> hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
> hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
> hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
> __usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
> usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
> dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
> call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
> expire_timers kernel/time/timer.c:1449 [inline]
> __run_timers kernel/time/timer.c:1773 [inline]
> __run_timers kernel/time/timer.c:1740 [inline]
> run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
> __do_softirq+0x21e/0x950 kernel/softirq.c:292
> invoke_softirq kernel/softirq.c:373 [inline]
> irq_exit+0x178/0x1a0 kernel/softirq.c:413
> exiting_irq arch/x86/include/asm/apic.h:546 [inline]
> smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
> apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
> </IRQ>
> RIP: 0010:default_idle+0x28/0x300 arch/x86/kernel/process.c:696
> Code: cc cc 41 56 41 55 65 44 8b 2d 44 77 72 7a 41 54 55 53 0f 1f 44 00 00 e8 b6 62 b5 fb e9 07 00 00 00 0f 00 2d ea 0c 53 00 fb f4 <65> 44 8b 2d 20 77 72 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
> RSP: 0018:ffffffff87007d80 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
> RAX: 0000000000000007 RBX: ffffffff8702cc40 RCX: 0000000000000000
> RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffffff8702d48c
> RBP: fffffbfff0e05988 R08: ffffffff8702cc40 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> R13: 0000000000000000 R14: ffffffff87e607c0 R15: 0000000000000000
> cpuidle_idle_call kernel/sched/idle.c:154 [inline]
> do_idle+0x3e0/0x500 kernel/sched/idle.c:269
> cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:361
> start_kernel+0xe16/0xe5a init/main.c:998
> secondary_startup_64+0xb6/0xc0 arch/x86/kernel/head_64.S:242
>
> The buggy address belongs to the page:
> page:ffffea0007489800 refcount:32744 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
> flags: 0x200000000010000(head)
> raw: 0200000000010000 dead000000000100 dead000000000122 0000000000000000
> raw: 0000000000000000 0000000000000000 00007fe8ffffffff 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
> ffff8881d2268000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff8881d2268080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> >ffff8881d2268100: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
> ^
> ffff8881d2268180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff8881d2268200: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
> ==================================================================
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at [email protected].
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
Hello,
syzbot has tested the proposed patch but the reproducer still triggered crash:
KASAN: use-after-free Read in hfa384x_usbin_callback
==================================================================
BUG: KASAN: use-after-free in memcpy include/linux/string.h:381 [inline]
BUG: KASAN: use-after-free in skb_put_data include/linux/skbuff.h:2284 [inline]
BUG: KASAN: use-after-free in hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
BUG: KASAN: use-after-free in hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
BUG: KASAN: use-after-free in hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
Read of size 19671 at addr ffff8881cda7b33c by task kworker/1:2/95
CPU: 1 PID: 95 Comm: kworker/1:2 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xef/0x16e lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
__kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
kasan_report+0xe/0x20 mm/kasan/common.c:641
check_memory_region_inline mm/kasan/generic.c:185 [inline]
check_memory_region+0x152/0x1c0 mm/kasan/generic.c:192
memcpy+0x20/0x50 mm/kasan/common.c:127
memcpy include/linux/string.h:381 [inline]
skb_put_data include/linux/skbuff.h:2284 [inline]
hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
__usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
__do_softirq+0x21e/0x950 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x178/0x1a0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:546 [inline]
smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
</IRQ>
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:85 [inline]
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x3b/0x40 kernel/locking/spinlock.c:191
Code: e8 2a e8 96 fb 48 89 ef e8 f2 c9 97 fb f6 c7 02 75 11 53 9d e8 16 50 b5 fb 65 ff 0d f7 bd 72 7a 5b 5d c3 e8 07 4e b5 fb 53 9d <eb> ed 0f 1f 00 55 48 89 fd 65 ff 05 dd bd 72 7a 45 31 c9 41 b8 01
RSP: 0018:ffff8881d56b6f40 EFLAGS: 00000293 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: 0000000000000293 RCX: 0000000000000006
RDX: 0000000000000000 RSI: ffff8881d56a88f0 RDI: ffff8881d56a884c
RBP: ffff8881c0c64b80 R08: ffff8881d56a8000 R09: fffffbfff1266e8f
R10: fffffbfff1266e8e R11: ffffffff89337477 R12: 0000000000000000
R13: ffff8881c0c64bb8 R14: ffff8881c0c64b80 R15: ffff8881c0c64bb8
hfa384x_usbctlx_submit+0x1cb/0x260 drivers/staging/wlan-ng/hfa384x_usb.c:3834
hfa384x_docmd drivers/staging/wlan-ng/hfa384x_usb.c:1233 [inline]
hfa384x_cmd_initialize+0x290/0x4f0 drivers/staging/wlan-ng/hfa384x_usb.c:846
hfa384x_drvr_start+0x1f1/0x480 drivers/staging/wlan-ng/hfa384x_usb.c:2380
prism2sta_ifstate+0x24e/0x510 drivers/staging/wlan-ng/prism2sta.c:471
prism2sta_probe_usb.cold+0x1c8/0x49e drivers/staging/wlan-ng/prism2usb.c:112
usb_probe_interface+0x310/0x800 drivers/usb/core/driver.c:374
really_probe+0x290/0xac0 drivers/base/dd.c:551
driver_probe_device+0x223/0x350 drivers/base/dd.c:724
__device_attach_driver+0x1d1/0x290 drivers/base/dd.c:831
bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:431
__device_attach+0x217/0x390 drivers/base/dd.c:897
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
device_add+0x1459/0x1bf0 drivers/base/core.c:2500
usb_set_configuration+0xe47/0x17d0 drivers/usb/core/message.c:2023
usb_generic_driver_probe+0x9d/0xe0 drivers/usb/core/generic.c:241
usb_probe_device+0xd9/0x230 drivers/usb/core/driver.c:272
really_probe+0x290/0xac0 drivers/base/dd.c:551
driver_probe_device+0x223/0x350 drivers/base/dd.c:724
__device_attach_driver+0x1d1/0x290 drivers/base/dd.c:831
bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:431
__device_attach+0x217/0x390 drivers/base/dd.c:897
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
device_add+0x1459/0x1bf0 drivers/base/core.c:2500
usb_new_device.cold+0x540/0xcd0 drivers/usb/core/hub.c:2548
hub_port_connect drivers/usb/core/hub.c:5195 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5335 [inline]
port_event drivers/usb/core/hub.c:5481 [inline]
hub_event+0x21cb/0x4300 drivers/usb/core/hub.c:5563
process_one_work+0x94b/0x1620 kernel/workqueue.c:2264
worker_thread+0x96/0xe20 kernel/workqueue.c:2410
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
The buggy address belongs to the page:
page:ffffea0007369e00 refcount:32737 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
flags: 0x200000000010000(head)
raw: 0200000000010000 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00007fe1ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881cda7ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8881cda7ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881cda80000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881cda80080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881cda80100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
git tree: https://github.com/google/kasan.git
console output: https://syzkaller.appspot.com/x/log.txt?x=139ea05be00000
kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=16d52b19e00000
On Wed, Mar 25, 2020 at 2:13 PM Hillf Danton <[email protected]> wrote:
>
>
> On Wed, 25 Mar 2020 01:58:03 -0700
> > syzbot has tested the proposed patch but the reproducer still triggered crash:
> > KASAN: use-after-free Read in hfa384x_usbin_callback
> >
> > ==================================================================
> > BUG: KASAN: use-after-free in memcpy include/linux/string.h:381 [inline]
> > BUG: KASAN: use-after-free in skb_put_data include/linux/skbuff.h:2284 [inline]
> > BUG: KASAN: use-after-free in hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
> > BUG: KASAN: use-after-free in hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
> > BUG: KASAN: use-after-free in hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
> > Read of size 19671 at addr ffff8881cda7b33c by task kworker/1:2/95
> >
> > CPU: 1 PID: 95 Comm: kworker/1:2 Not tainted 5.6.0-rc5-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > Workqueue: usb_hub_wq hub_event
> > Call Trace:
> > <IRQ>
> > __dump_stack lib/dump_stack.c:77 [inline]
> > dump_stack+0xef/0x16e lib/dump_stack.c:118
> > print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
> > __kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
> > kasan_report+0xe/0x20 mm/kasan/common.c:641
> > check_memory_region_inline mm/kasan/generic.c:185 [inline]
> > check_memory_region+0x152/0x1c0 mm/kasan/generic.c:192
> > memcpy+0x20/0x50 mm/kasan/common.c:127
> > memcpy include/linux/string.h:381 [inline]
> > skb_put_data include/linux/skbuff.h:2284 [inline]
> > hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
> > hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
> > hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
> > __usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
> > usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
> > dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
> > call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
> > expire_timers kernel/time/timer.c:1449 [inline]
> > __run_timers kernel/time/timer.c:1773 [inline]
> > __run_timers kernel/time/timer.c:1740 [inline]
> > run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
> > __do_softirq+0x21e/0x950 kernel/softirq.c:292
> > invoke_softirq kernel/softirq.c:373 [inline]
> > irq_exit+0x178/0x1a0 kernel/softirq.c:413
> > exiting_irq arch/x86/include/asm/apic.h:546 [inline]
> > smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
> > apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
> > </IRQ>
> > RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:85 [inline]
> > RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
> > RIP: 0010:_raw_spin_unlock_irqrestore+0x3b/0x40 kernel/locking/spinlock.c:191
> > Code: e8 2a e8 96 fb 48 89 ef e8 f2 c9 97 fb f6 c7 02 75 11 53 9d e8 16 50 b5 fb 65 ff 0d f7 bd 72 7a 5b 5d c3 e8 07 4e b5 fb 53 9d <eb> ed 0f 1f 00 55 48 89 fd 65 ff 05 dd bd 72 7a 45 31 c9 41 b8 01
> > RSP: 0018:ffff8881d56b6f40 EFLAGS: 00000293 ORIG_RAX: ffffffffffffff13
> > RAX: 0000000000000007 RBX: 0000000000000293 RCX: 0000000000000006
> > RDX: 0000000000000000 RSI: ffff8881d56a88f0 RDI: ffff8881d56a884c
> > RBP: ffff8881c0c64b80 R08: ffff8881d56a8000 R09: fffffbfff1266e8f
> > R10: fffffbfff1266e8e R11: ffffffff89337477 R12: 0000000000000000
> > R13: ffff8881c0c64bb8 R14: ffff8881c0c64b80 R15: ffff8881c0c64bb8
> > hfa384x_usbctlx_submit+0x1cb/0x260 drivers/staging/wlan-ng/hfa384x_usb.c:3834
> > hfa384x_docmd drivers/staging/wlan-ng/hfa384x_usb.c:1233 [inline]
> > hfa384x_cmd_initialize+0x290/0x4f0 drivers/staging/wlan-ng/hfa384x_usb.c:846
> > hfa384x_drvr_start+0x1f1/0x480 drivers/staging/wlan-ng/hfa384x_usb.c:2380
> > prism2sta_ifstate+0x24e/0x510 drivers/staging/wlan-ng/prism2sta.c:471
> > prism2sta_probe_usb.cold+0x1c8/0x49e drivers/staging/wlan-ng/prism2usb.c:112
> > usb_probe_interface+0x310/0x800 drivers/usb/core/driver.c:374
> > really_probe+0x290/0xac0 drivers/base/dd.c:551
> > driver_probe_device+0x223/0x350 drivers/base/dd.c:724
> > __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:831
> > bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:431
> > __device_attach+0x217/0x390 drivers/base/dd.c:897
> > bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
> > device_add+0x1459/0x1bf0 drivers/base/core.c:2500
> > usb_set_configuration+0xe47/0x17d0 drivers/usb/core/message.c:2023
> > usb_generic_driver_probe+0x9d/0xe0 drivers/usb/core/generic.c:241
> > usb_probe_device+0xd9/0x230 drivers/usb/core/driver.c:272
> > really_probe+0x290/0xac0 drivers/base/dd.c:551
> > driver_probe_device+0x223/0x350 drivers/base/dd.c:724
> > __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:831
> > bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:431
> > __device_attach+0x217/0x390 drivers/base/dd.c:897
> > bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
> > device_add+0x1459/0x1bf0 drivers/base/core.c:2500
> > usb_new_device.cold+0x540/0xcd0 drivers/usb/core/hub.c:2548
> > hub_port_connect drivers/usb/core/hub.c:5195 [inline]
> > hub_port_connect_change drivers/usb/core/hub.c:5335 [inline]
> > port_event drivers/usb/core/hub.c:5481 [inline]
> > hub_event+0x21cb/0x4300 drivers/usb/core/hub.c:5563
> > process_one_work+0x94b/0x1620 kernel/workqueue.c:2264
> > worker_thread+0x96/0xe20 kernel/workqueue.c:2410
> > kthread+0x318/0x420 kernel/kthread.c:255
> > ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
> >
> > The buggy address belongs to the page:
> > page:ffffea0007369e00 refcount:32737 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
> > flags: 0x200000000010000(head)
> > raw: 0200000000010000 dead000000000100 dead000000000122 0000000000000000
> > raw: 0000000000000000 0000000000000000 00007fe1ffffffff 0000000000000000
> > page dumped because: kasan: bad access detected
> >
> > Memory state around the buggy address:
> > ffff8881cda7ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > ffff8881cda7ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > >ffff8881cda80000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > ^
> > ffff8881cda80080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > ffff8881cda80100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > ==================================================================
> >
> >
> > Tested on:
> >
> > commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
> > git tree: https://github.com/google/kasan.git
> > console output: https://syzkaller.appspot.com/x/log.txt?x=139ea05be00000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
> > dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
> > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > patch: https://syzkaller.appspot.com/x/patch.diff?x=16d52b19e00000
>
> Add a line of debug info.
Hi Hillf,
You need to issue a syz test command if you want your patch to be
tested. See how Qiujun did it just above.
Thanks!
>
> --- a/drivers/staging/wlan-ng/hfa384x_usb.c
> +++ b/drivers/staging/wlan-ng/hfa384x_usb.c
> @@ -3374,6 +3374,11 @@ static void hfa384x_int_rxmonitor(struct
> skblen - sizeof(struct p80211_caphdr));
> }
>
> + if (datalen > WLAN_DATA_MAXLEN) {
> + pr_debug("%s datalen %u > WLAN_DATA_MAXLEN %u\n", __func__,
> + datalen, WLAN_DATA_MAXLEN);
> + return;
> + }
> skb = dev_alloc_skb(skblen);
> if (!skb)
> return;
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/20200325131309.12792-1-hdanton%40sina.com.
On Wed, Mar 25, 2020 at 9:13 PM Hillf Danton <[email protected]> wrote:
>
>
> On Wed, 25 Mar 2020 01:58:03 -0700
> > syzbot has tested the proposed patch but the reproducer still triggered crash:
> > KASAN: use-after-free Read in hfa384x_usbin_callback
> >
> > ==================================================================
> > BUG: KASAN: use-after-free in memcpy include/linux/string.h:381 [inline]
> > BUG: KASAN: use-after-free in skb_put_data include/linux/skbuff.h:2284 [inline]
> > BUG: KASAN: use-after-free in hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
> > BUG: KASAN: use-after-free in hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
> > BUG: KASAN: use-after-free in hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
> > Read of size 19671 at addr ffff8881cda7b33c by task kworker/1:2/95
> >
> > CPU: 1 PID: 95 Comm: kworker/1:2 Not tainted 5.6.0-rc5-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > Workqueue: usb_hub_wq hub_event
> > Call Trace:
> > <IRQ>
> > __dump_stack lib/dump_stack.c:77 [inline]
> > dump_stack+0xef/0x16e lib/dump_stack.c:118
> > print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
> > __kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
> > kasan_report+0xe/0x20 mm/kasan/common.c:641
> > check_memory_region_inline mm/kasan/generic.c:185 [inline]
> > check_memory_region+0x152/0x1c0 mm/kasan/generic.c:192
> > memcpy+0x20/0x50 mm/kasan/common.c:127
> > memcpy include/linux/string.h:381 [inline]
> > skb_put_data include/linux/skbuff.h:2284 [inline]
> > hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
> > hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
> > hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
> > __usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
> > usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
> > dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
> > call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
> > expire_timers kernel/time/timer.c:1449 [inline]
> > __run_timers kernel/time/timer.c:1773 [inline]
> > __run_timers kernel/time/timer.c:1740 [inline]
> > run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
> > __do_softirq+0x21e/0x950 kernel/softirq.c:292
> > invoke_softirq kernel/softirq.c:373 [inline]
> > irq_exit+0x178/0x1a0 kernel/softirq.c:413
> > exiting_irq arch/x86/include/asm/apic.h:546 [inline]
> > smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
> > apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
> > </IRQ>
> > RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:85 [inline]
> > RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
> > RIP: 0010:_raw_spin_unlock_irqrestore+0x3b/0x40 kernel/locking/spinlock.c:191
> > Code: e8 2a e8 96 fb 48 89 ef e8 f2 c9 97 fb f6 c7 02 75 11 53 9d e8 16 50 b5 fb 65 ff 0d f7 bd 72 7a 5b 5d c3 e8 07 4e b5 fb 53 9d <eb> ed 0f 1f 00 55 48 89 fd 65 ff 05 dd bd 72 7a 45 31 c9 41 b8 01
> > RSP: 0018:ffff8881d56b6f40 EFLAGS: 00000293 ORIG_RAX: ffffffffffffff13
> > RAX: 0000000000000007 RBX: 0000000000000293 RCX: 0000000000000006
> > RDX: 0000000000000000 RSI: ffff8881d56a88f0 RDI: ffff8881d56a884c
> > RBP: ffff8881c0c64b80 R08: ffff8881d56a8000 R09: fffffbfff1266e8f
> > R10: fffffbfff1266e8e R11: ffffffff89337477 R12: 0000000000000000
> > R13: ffff8881c0c64bb8 R14: ffff8881c0c64b80 R15: ffff8881c0c64bb8
> > hfa384x_usbctlx_submit+0x1cb/0x260 drivers/staging/wlan-ng/hfa384x_usb.c:3834
> > hfa384x_docmd drivers/staging/wlan-ng/hfa384x_usb.c:1233 [inline]
> > hfa384x_cmd_initialize+0x290/0x4f0 drivers/staging/wlan-ng/hfa384x_usb.c:846
> > hfa384x_drvr_start+0x1f1/0x480 drivers/staging/wlan-ng/hfa384x_usb.c:2380
> > prism2sta_ifstate+0x24e/0x510 drivers/staging/wlan-ng/prism2sta.c:471
> > prism2sta_probe_usb.cold+0x1c8/0x49e drivers/staging/wlan-ng/prism2usb.c:112
> > usb_probe_interface+0x310/0x800 drivers/usb/core/driver.c:374
> > really_probe+0x290/0xac0 drivers/base/dd.c:551
> > driver_probe_device+0x223/0x350 drivers/base/dd.c:724
> > __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:831
> > bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:431
> > __device_attach+0x217/0x390 drivers/base/dd.c:897
> > bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
> > device_add+0x1459/0x1bf0 drivers/base/core.c:2500
> > usb_set_configuration+0xe47/0x17d0 drivers/usb/core/message.c:2023
> > usb_generic_driver_probe+0x9d/0xe0 drivers/usb/core/generic.c:241
> > usb_probe_device+0xd9/0x230 drivers/usb/core/driver.c:272
> > really_probe+0x290/0xac0 drivers/base/dd.c:551
> > driver_probe_device+0x223/0x350 drivers/base/dd.c:724
> > __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:831
> > bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:431
> > __device_attach+0x217/0x390 drivers/base/dd.c:897
> > bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
> > device_add+0x1459/0x1bf0 drivers/base/core.c:2500
> > usb_new_device.cold+0x540/0xcd0 drivers/usb/core/hub.c:2548
> > hub_port_connect drivers/usb/core/hub.c:5195 [inline]
> > hub_port_connect_change drivers/usb/core/hub.c:5335 [inline]
> > port_event drivers/usb/core/hub.c:5481 [inline]
> > hub_event+0x21cb/0x4300 drivers/usb/core/hub.c:5563
> > process_one_work+0x94b/0x1620 kernel/workqueue.c:2264
> > worker_thread+0x96/0xe20 kernel/workqueue.c:2410
> > kthread+0x318/0x420 kernel/kthread.c:255
> > ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
> >
> > The buggy address belongs to the page:
> > page:ffffea0007369e00 refcount:32737 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
> > flags: 0x200000000010000(head)
> > raw: 0200000000010000 dead000000000100 dead000000000122 0000000000000000
> > raw: 0000000000000000 0000000000000000 00007fe1ffffffff 0000000000000000
> > page dumped because: kasan: bad access detected
> >
> > Memory state around the buggy address:
> > ffff8881cda7ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > ffff8881cda7ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > >ffff8881cda80000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > ^
> > ffff8881cda80080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > ffff8881cda80100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > ==================================================================
> >
> >
> > Tested on:
> >
> > commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
> > git tree: https://github.com/google/kasan.git
> > console output: https://syzkaller.appspot.com/x/log.txt?x=139ea05be00000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
> > dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
> > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > patch: https://syzkaller.appspot.com/x/patch.diff?x=16d52b19e00000
>
> Add a line of debug info.
>
> --- a/drivers/staging/wlan-ng/hfa384x_usb.c
> +++ b/drivers/staging/wlan-ng/hfa384x_usb.c
> @@ -3374,6 +3374,11 @@ static void hfa384x_int_rxmonitor(struct
> skblen - sizeof(struct p80211_caphdr));
> }
>
> + if (datalen > WLAN_DATA_MAXLEN) {
> + pr_debug("%s datalen %u > WLAN_DATA_MAXLEN %u\n", __func__,
> + datalen, WLAN_DATA_MAXLEN);
> + return;
> + }
> skb = dev_alloc_skb(skblen);
> if (!skb)
> return;
Great!
>
#syz test: https://github.com/google/kasan.git e17994d1
forgot to trigger:(
On Thu, Mar 26, 2020 at 10:22 AM Qiujun Huang <[email protected]> wrote:
>
> On Wed, Mar 25, 2020 at 9:13 PM Hillf Danton <[email protected]> wrote:
> >
> >
> > On Wed, 25 Mar 2020 01:58:03 -0700
> > > syzbot has tested the proposed patch but the reproducer still triggered crash:
> > > KASAN: use-after-free Read in hfa384x_usbin_callback
> > >
> > > ==================================================================
> > > BUG: KASAN: use-after-free in memcpy include/linux/string.h:381 [inline]
> > > BUG: KASAN: use-after-free in skb_put_data include/linux/skbuff.h:2284 [inline]
> > > BUG: KASAN: use-after-free in hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
> > > BUG: KASAN: use-after-free in hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
> > > BUG: KASAN: use-after-free in hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
> > > Read of size 19671 at addr ffff8881cda7b33c by task kworker/1:2/95
> > >
> > > CPU: 1 PID: 95 Comm: kworker/1:2 Not tainted 5.6.0-rc5-syzkaller #0
> > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > > Workqueue: usb_hub_wq hub_event
> > > Call Trace:
> > > <IRQ>
> > > __dump_stack lib/dump_stack.c:77 [inline]
> > > dump_stack+0xef/0x16e lib/dump_stack.c:118
> > > print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
> > > __kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
> > > kasan_report+0xe/0x20 mm/kasan/common.c:641
> > > check_memory_region_inline mm/kasan/generic.c:185 [inline]
> > > check_memory_region+0x152/0x1c0 mm/kasan/generic.c:192
> > > memcpy+0x20/0x50 mm/kasan/common.c:127
> > > memcpy include/linux/string.h:381 [inline]
> > > skb_put_data include/linux/skbuff.h:2284 [inline]
> > > hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
> > > hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
> > > hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
> > > __usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
> > > usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
> > > dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
> > > call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
> > > expire_timers kernel/time/timer.c:1449 [inline]
> > > __run_timers kernel/time/timer.c:1773 [inline]
> > > __run_timers kernel/time/timer.c:1740 [inline]
> > > run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
> > > __do_softirq+0x21e/0x950 kernel/softirq.c:292
> > > invoke_softirq kernel/softirq.c:373 [inline]
> > > irq_exit+0x178/0x1a0 kernel/softirq.c:413
> > > exiting_irq arch/x86/include/asm/apic.h:546 [inline]
> > > smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
> > > apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
> > > </IRQ>
> > > RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:85 [inline]
> > > RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
> > > RIP: 0010:_raw_spin_unlock_irqrestore+0x3b/0x40 kernel/locking/spinlock.c:191
> > > Code: e8 2a e8 96 fb 48 89 ef e8 f2 c9 97 fb f6 c7 02 75 11 53 9d e8 16 50 b5 fb 65 ff 0d f7 bd 72 7a 5b 5d c3 e8 07 4e b5 fb 53 9d <eb> ed 0f 1f 00 55 48 89 fd 65 ff 05 dd bd 72 7a 45 31 c9 41 b8 01
> > > RSP: 0018:ffff8881d56b6f40 EFLAGS: 00000293 ORIG_RAX: ffffffffffffff13
> > > RAX: 0000000000000007 RBX: 0000000000000293 RCX: 0000000000000006
> > > RDX: 0000000000000000 RSI: ffff8881d56a88f0 RDI: ffff8881d56a884c
> > > RBP: ffff8881c0c64b80 R08: ffff8881d56a8000 R09: fffffbfff1266e8f
> > > R10: fffffbfff1266e8e R11: ffffffff89337477 R12: 0000000000000000
> > > R13: ffff8881c0c64bb8 R14: ffff8881c0c64b80 R15: ffff8881c0c64bb8
> > > hfa384x_usbctlx_submit+0x1cb/0x260 drivers/staging/wlan-ng/hfa384x_usb.c:3834
> > > hfa384x_docmd drivers/staging/wlan-ng/hfa384x_usb.c:1233 [inline]
> > > hfa384x_cmd_initialize+0x290/0x4f0 drivers/staging/wlan-ng/hfa384x_usb.c:846
> > > hfa384x_drvr_start+0x1f1/0x480 drivers/staging/wlan-ng/hfa384x_usb.c:2380
> > > prism2sta_ifstate+0x24e/0x510 drivers/staging/wlan-ng/prism2sta.c:471
> > > prism2sta_probe_usb.cold+0x1c8/0x49e drivers/staging/wlan-ng/prism2usb.c:112
> > > usb_probe_interface+0x310/0x800 drivers/usb/core/driver.c:374
> > > really_probe+0x290/0xac0 drivers/base/dd.c:551
> > > driver_probe_device+0x223/0x350 drivers/base/dd.c:724
> > > __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:831
> > > bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:431
> > > __device_attach+0x217/0x390 drivers/base/dd.c:897
> > > bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
> > > device_add+0x1459/0x1bf0 drivers/base/core.c:2500
> > > usb_set_configuration+0xe47/0x17d0 drivers/usb/core/message.c:2023
> > > usb_generic_driver_probe+0x9d/0xe0 drivers/usb/core/generic.c:241
> > > usb_probe_device+0xd9/0x230 drivers/usb/core/driver.c:272
> > > really_probe+0x290/0xac0 drivers/base/dd.c:551
> > > driver_probe_device+0x223/0x350 drivers/base/dd.c:724
> > > __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:831
> > > bus_for_each_drv+0x162/0x1e0 drivers/base/bus.c:431
> > > __device_attach+0x217/0x390 drivers/base/dd.c:897
> > > bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
> > > device_add+0x1459/0x1bf0 drivers/base/core.c:2500
> > > usb_new_device.cold+0x540/0xcd0 drivers/usb/core/hub.c:2548
> > > hub_port_connect drivers/usb/core/hub.c:5195 [inline]
> > > hub_port_connect_change drivers/usb/core/hub.c:5335 [inline]
> > > port_event drivers/usb/core/hub.c:5481 [inline]
> > > hub_event+0x21cb/0x4300 drivers/usb/core/hub.c:5563
> > > process_one_work+0x94b/0x1620 kernel/workqueue.c:2264
> > > worker_thread+0x96/0xe20 kernel/workqueue.c:2410
> > > kthread+0x318/0x420 kernel/kthread.c:255
> > > ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
> > >
> > > The buggy address belongs to the page:
> > > page:ffffea0007369e00 refcount:32737 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
> > > flags: 0x200000000010000(head)
> > > raw: 0200000000010000 dead000000000100 dead000000000122 0000000000000000
> > > raw: 0000000000000000 0000000000000000 00007fe1ffffffff 0000000000000000
> > > page dumped because: kasan: bad access detected
> > >
> > > Memory state around the buggy address:
> > > ffff8881cda7ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > > ffff8881cda7ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > > >ffff8881cda80000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > > ^
> > > ffff8881cda80080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > > ffff8881cda80100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > > ==================================================================
> > >
> > >
> > > Tested on:
> > >
> > > commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
> > > git tree: https://github.com/google/kasan.git
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=139ea05be00000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
> > > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > > patch: https://syzkaller.appspot.com/x/patch.diff?x=16d52b19e00000
> >
> > Add a line of debug info.
> >
> > --- a/drivers/staging/wlan-ng/hfa384x_usb.c
> > +++ b/drivers/staging/wlan-ng/hfa384x_usb.c
> > @@ -3374,6 +3374,11 @@ static void hfa384x_int_rxmonitor(struct
> > skblen - sizeof(struct p80211_caphdr));
> > }
> >
> > + if (datalen > WLAN_DATA_MAXLEN) {
> > + pr_debug("%s datalen %u > WLAN_DATA_MAXLEN %u\n", __func__,
> > + datalen, WLAN_DATA_MAXLEN);
> > + return;
> > + }
> > skb = dev_alloc_skb(skblen);
> > if (!skb)
> > return;
>
> Great!
>
> >
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger crash:
Reported-and-tested-by: [email protected]
Tested on:
commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
git tree: https://github.com/google/kasan.git
kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=1406d1d3e00000
Note: testing is done by a robot and is best-effort only.
Am Freitag, den 20.03.2020, 12:28 -0700 schrieb syzbot:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
> git tree: https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=11d74573e00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
> dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15fa561de00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15d74573e00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: [email protected]
>
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:381 [inline]
> BUG: KASAN: slab-out-of-bounds in skb_put_data include/linux/skbuff.h:2284 [inline]
> BUG: KASAN: slab-out-of-bounds in hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
> BUG: KASAN: slab-out-of-bounds in hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
> BUG: KASAN: slab-out-of-bounds in hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
> Read of size 19671 at addr ffff8881d226413c by task swapper/0/0
#syz test: https://github.com/google/kasan.git e17994d1
Am Freitag, den 20.03.2020, 12:28 -0700 schrieb syzbot:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
> git tree: https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=11d74573e00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
> dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15fa561de00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15d74573e00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: [email protected]
>
Hi,
is this bug still active and can a test be run on it? I requested one
yesterday. If my analysis is correct this bug has security
implications, so it is kind of important.
Regards
Oliver
On Wed, May 6, 2020 at 10:54 AM Oliver Neukum <[email protected]> wrote:
>
> Am Freitag, den 20.03.2020, 12:28 -0700 schrieb syzbot:
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
> > git tree: https://github.com/google/kasan.git usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=11d74573e00000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
> > dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
> > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15fa561de00000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15d74573e00000
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: [email protected]
> >
>
> Hi,
>
> is this bug still active and can a test be run on it? I requested one
> yesterday. If my analysis is correct this bug has security
> implications, so it is kind of important.
I see your request in the queue and it's been registered and
completed, but for some reason syzbot didn't send an email with a
response.
Let me try this once again:
#syz test: https://github.com/google/kasan.git e17994d1
On Wed, May 6, 2020 at 1:50 PM Andrey Konovalov <[email protected]> wrote:
>
> On Wed, May 6, 2020 at 10:54 AM Oliver Neukum <[email protected]> wrote:
> >
> > Am Freitag, den 20.03.2020, 12:28 -0700 schrieb syzbot:
> > > Hello,
> > >
> > > syzbot found the following crash on:
> > >
> > > HEAD commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
> > > git tree: https://github.com/google/kasan.git usb-fuzzer
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=11d74573e00000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
> > > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15fa561de00000
> > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15d74573e00000
> > >
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: [email protected]
> > >
> >
> > Hi,
> >
> > is this bug still active and can a test be run on it? I requested one
> > yesterday. If my analysis is correct this bug has security
> > implications, so it is kind of important.
>
> I see your request in the queue and it's been registered and
> completed, but for some reason syzbot didn't send an email with a
> response.
>
> Let me try this once again:
>
> #syz test: https://github.com/google/kasan.git e17994d1
Still no response. Dmitry, any idea what could be wrong here?
On Thu, May 7, 2020 at 5:56 PM 'Andrey Konovalov' via syzkaller-bugs
<[email protected]> wrote:
>
> On Wed, May 6, 2020 at 1:50 PM Andrey Konovalov <[email protected]> wrote:
> >
> > On Wed, May 6, 2020 at 10:54 AM Oliver Neukum <[email protected]> wrote:
> > >
> > > Am Freitag, den 20.03.2020, 12:28 -0700 schrieb syzbot:
> > > > Hello,
> > > >
> > > > syzbot found the following crash on:
> > > >
> > > > HEAD commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
> > > > git tree: https://github.com/google/kasan.git usb-fuzzer
> > > > console output: https://syzkaller.appspot.com/x/log.txt?x=11d74573e00000
> > > > kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
> > > > dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
> > > > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15fa561de00000
> > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15d74573e00000
> > > >
> > > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > > Reported-by: [email protected]
> > > >
> > >
> > > Hi,
> > >
> > > is this bug still active and can a test be run on it? I requested one
> > > yesterday. If my analysis is correct this bug has security
> > > implications, so it is kind of important.
> >
> > I see your request in the queue and it's been registered and
> > completed, but for some reason syzbot didn't send an email with a
> > response.
> >
> > Let me try this once again:
> >
> > #syz test: https://github.com/google/kasan.git e17994d1
>
> Still no response. Dmitry, any idea what could be wrong here?
I suspect it has something to do with the fact that the bug is already
fixed (has a fixing commit).
...right, it was broken by:
https://github.com/google/syzkaller/commit/f8368f999a1964df6d39a225cd3f5ab3942dd755
and we lack a test for this scenario. It was supposed to only disable
mailing of bisection jobs.
On Fri, May 8, 2020 at 11:33 AM Dmitry Vyukov <[email protected]> wrote:
>
> On Thu, May 7, 2020 at 5:56 PM 'Andrey Konovalov' via syzkaller-bugs
> <[email protected]> wrote:
> >
> > On Wed, May 6, 2020 at 1:50 PM Andrey Konovalov <[email protected]> wrote:
> > >
> > > On Wed, May 6, 2020 at 10:54 AM Oliver Neukum <[email protected]> wrote:
> > > >
> > > > Am Freitag, den 20.03.2020, 12:28 -0700 schrieb syzbot:
> > > > > Hello,
> > > > >
> > > > > syzbot found the following crash on:
> > > > >
> > > > > HEAD commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
> > > > > git tree: https://github.com/google/kasan.git usb-fuzzer
> > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=11d74573e00000
> > > > > kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
> > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
> > > > > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15fa561de00000
> > > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15d74573e00000
> > > > >
> > > > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > > > Reported-by: [email protected]
> > > > >
> > > >
> > > > Hi,
> > > >
> > > > is this bug still active and can a test be run on it? I requested one
> > > > yesterday. If my analysis is correct this bug has security
> > > > implications, so it is kind of important.
> > >
> > > I see your request in the queue and it's been registered and
> > > completed, but for some reason syzbot didn't send an email with a
> > > response.
> > >
> > > Let me try this once again:
> > >
> > > #syz test: https://github.com/google/kasan.git e17994d1
> >
> > Still no response. Dmitry, any idea what could be wrong here?
>
> I suspect it has something to do with the fact that the bug is already
> fixed (has a fixing commit).
>
> ...right, it was broken by:
> https://github.com/google/syzkaller/commit/f8368f999a1964df6d39a225cd3f5ab3942dd755
> and we lack a test for this scenario. It was supposed to only disable
> mailing of bisection jobs.
Fixed in https://github.com/google/syzkaller/commit/2b98fdbcbcac6e99d12c88857406ef446bcac872
and added a test to fix this behavior for future.
Thanks for the report.
On Fri, May 8, 2020 at 12:31 PM Dmitry Vyukov <[email protected]> wrote:
> > On Thu, May 7, 2020 at 5:56 PM 'Andrey Konovalov' via syzkaller-bugs
> > <[email protected]> wrote:
> > >
> > > On Wed, May 6, 2020 at 1:50 PM Andrey Konovalov <[email protected]> wrote:
> > > >
> > > > On Wed, May 6, 2020 at 10:54 AM Oliver Neukum <[email protected]> wrote:
> > > > >
> > > > > Am Freitag, den 20.03.2020, 12:28 -0700 schrieb syzbot:
> > > > > > Hello,
> > > > > >
> > > > > > syzbot found the following crash on:
> > > > > >
> > > > > > HEAD commit: e17994d1 usb: core: kcov: collect coverage from usb comple..
> > > > > > git tree: https://github.com/google/kasan.git usb-fuzzer
> > > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=11d74573e00000
> > > > > > kernel config: https://syzkaller.appspot.com/x/.config?x=5d64370c438bc60
> > > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=7d42d68643a35f71ac8a
> > > > > > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > > > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15fa561de00000
> > > > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15d74573e00000
> > > > > >
> > > > > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > > > > Reported-by: [email protected]
> > > > > >
> > > > >
> > > > > Hi,
> > > > >
> > > > > is this bug still active and can a test be run on it? I requested one
> > > > > yesterday. If my analysis is correct this bug has security
> > > > > implications, so it is kind of important.
> > > >
> > > > I see your request in the queue and it's been registered and
> > > > completed, but for some reason syzbot didn't send an email with a
> > > > response.
> > > >
> > > > Let me try this once again:
> > > >
> > > > #syz test: https://github.com/google/kasan.git e17994d1
> > >
> > > Still no response. Dmitry, any idea what could be wrong here?
> >
> > I suspect it has something to do with the fact that the bug is already
> > fixed (has a fixing commit).
> >
> > ...right, it was broken by:
> > https://github.com/google/syzkaller/commit/f8368f999a1964df6d39a225cd3f5ab3942dd755
> > and we lack a test for this scenario. It was supposed to only disable
> > mailing of bisection jobs.
>
> Fixed in https://github.com/google/syzkaller/commit/2b98fdbcbcac6e99d12c88857406ef446bcac872
> and added a test to fix this behavior for future.
> Thanks for the report.
syzbot dashboard will now also show patch testing requests on the bug
page for better transparency, see e.g. for this bug:
https://syzkaller.appspot.com/bug?id=093ce698cf84160a66868dcac5394e105342f8c5#jobs
FTR, implemented in:
https://github.com/google/syzkaller/commit/e97b06d3cef9296e9d0e827c42bccdd36b555986