Hello,
When fuzzing the Linux kernel driver v5.18.0, the following crash was triggered.
HEAD commit: 4b0986a3613c92f4ec1bdc7f60ec66fea135991f (HEAD, tag: v5.18)
git tree: upstream
kernel config: https://pastebin.com/KecL2gaG
C reproducer: https://pastebin.com/KcSa8fCB
console output: https://pastebin.com/zcM1f6ra
Basically, in the c reproducer, we use the gadget module to emulate
the process of attaching a usb device (vendor id: 0xcf2, product id:
0x6250, with function: phonet_null and ms_null).
To reproduce this crash, we utilize a third-party library to emulate
the attaching process: https://github.com/linux-usb-gadgets/libusbgx.
Just clone this repository, make install it, and compile the c
reproducer with ``` gcc crash.c -lusbgx -o crash ``` will do the
trick.
It seems that when function usb_stor_msg_common tries to call
usb_submit_urb, the value in current_urb on struct us_data cause
usb_submit_urb return a error, which makes the kernel panic on warn
The crash report is as follow:
```
------------[ cut here ]------------
URB ffff888111cb3700 submitted while active
WARNING: CPU: 0 PID: 1204 at drivers/usb/core/urb.c:378
usb_submit_urb+0x136b/0x1820 drivers/usb/core/urb.c:378
Modules linked in:
CPU: 0 PID: 1204 Comm: kworker/0:2 Not tainted 5.18.0 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Workqueue: events_freezable usb_stor_scan_dwork
RIP: 0010:usb_submit_urb+0x136b/0x1820 drivers/usb/core/urb.c:378
Code: 89 de e8 18 94 95 fd 84 db 0f 85 21 f5 ff ff e8 eb 92 95 fd 4c
89 fe 48 c7 c7 60 9d a7 86 c6 05 c8 6c 86 05 01 e8 16 0e 10 02 <0f> 0b
e9 ff f4 ff ff 41 be ed ff ff ff e9 f4 f4 ff ff e8 be 92 95
RSP: 0018:ffffc90000527ad8 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff88810d6c3900 RDI: fffff520000a4f4d
RBP: 1ffff920000a4f6d R08: ffffffff812beb18 R09: 0000000000000000
R10: 0000000000000005 R11: ffffed1023504f09 R12: ffffc90000527b88
R13: ffff88810b970e00 R14: 00000000fffffff0 R15: ffff888111cb3700
FS: 0000000000000000(0000) GS:ffff88811a800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000558d2f1c9338 CR3: 000000010c890000 CR4: 0000000000350ef0
Call Trace:
<TASK>
usb_stor_msg_common+0x233/0x550 drivers/usb/storage/transport.c:143
usb_stor_control_msg+0x377/0x4f0 drivers/usb/storage/transport.c:205
usb_stor_Bulk_max_lun+0xfa/0x1e0 drivers/usb/storage/transport.c:1081
usb_stor_scan_dwork+0x19f/0x270 drivers/usb/storage/usb.c:906
process_one_work+0x9cc/0x1650 kernel/workqueue.c:2289
worker_thread+0x623/0x1070 kernel/workqueue.c:2436
kthread+0x2ef/0x3a0 kernel/kthread.c:346
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
```