Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp2165555yba; Fri, 19 Apr 2019 13:31:53 -0700 (PDT) X-Google-Smtp-Source: APXvYqyK0qZPDjFjUnhAqfdFPw3r1kLsepB9p4xHl29n1a3Q4TJFawBK1qOqGjRWzCC/4576XCOz X-Received: by 2002:aa7:8b08:: with SMTP id f8mr6248629pfd.146.1555705913675; Fri, 19 Apr 2019 13:31:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1555705913; cv=none; d=google.com; s=arc-20160816; b=Z/IwU1NzDti04PAkyVmWF1SHdZ5IMGk2CUMk466VjGGibxdhl1H7/8hNk3kyXjI4Q2 i8qnEFOCTvLXIhhxby/PZtmwlmOr3iP3+veWcTxtWBVVUWyhEiVNNJWWXWi5c/Vgi3qE 0FtLXuH1z6q7PhYuekOP1TTD6vTJ/kJio7WSQqAIs0cE1mbKt1ORsK4BTr6y0KKGGnBR 8SJTie9i6ZGVOEYSZr/33q5JKZLT8m1/rhVEnVH7T2duyoQLO54enEP8k8NSchnmX5cj TEkShBFev09Vpn83VrFQSYlDnEDh87Z3k832uHkiR29LOAqkc8oYR7j5s7wvOg/BMXTf vDfw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:message-id:in-reply-to :subject:cc:to:from:date; bh=snxzVt8DenBhSbKBei9iHYspSIO4p7p1IZYZEP2B05A=; b=aH/dVpUgaXAR5m3dqdcTXGpJpFRiLg5dKzMjcR2aTGs0WZEx7uvjFcdWGHk/aCnXqk 6VxnAiAH74slU03D3klfM7q+dCagP2gcCG6fFitpTfDhGP+9IxLCEnTFEomMPzhKhxbp byxiTY9eOgO3Or0grMde9nbBZl5ITRPD10rrusHxsvvD0czSXNF/3bay5CmiENnqRK3I /jFLjsLInU3Uc3JALdOjix66q8/MoyiiFB4tDuoyltSUDJkuW8toIEba7gbC+sl2ubKa QG9NzZGjWN3nwv3mgYV+Ck6wyaBMRozArx+clNaWNNe/aaTZFDwr58rxNXA8TDJuQd+P Etfg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 33si5831697pgm.385.2019.04.19.13.31.37; Fri, 19 Apr 2019 13:31:53 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725897AbfDSU3d (ORCPT + 99 others); Fri, 19 Apr 2019 16:29:33 -0400 Received: from iolanthe.rowland.org ([192.131.102.54]:32972 "HELO iolanthe.rowland.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with SMTP id S1725878AbfDSU3d (ORCPT ); Fri, 19 Apr 2019 16:29:33 -0400 Received: (qmail 8731 invoked by uid 2102); 19 Apr 2019 16:29:32 -0400 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 19 Apr 2019 16:29:32 -0400 Date: Fri, 19 Apr 2019 16:29:32 -0400 (EDT) From: Alan Stern X-X-Sender: stern@iolanthe.rowland.org To: syzbot , Mauro Carvalho Chehab cc: andreyknvl@google.com, Kernel development list , , USB list , , Subject: Re: general protection fault in smsusb_init_device In-Reply-To: <0000000000008d89900586ccd37b@google.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 18 Apr 2019, syzbot wrote: > Hello, > > syzbot found the following crash on: > > HEAD commit: d34f9519 usb-fuzzer: main usb gadget fuzzer driver > git tree: https://github.com/google/kasan/tree/usb-fuzzer > console output: https://syzkaller.appspot.com/x/log.txt?x=128ec3fd200000 > kernel config: https://syzkaller.appspot.com/x/.config?x=c73d1bb5aeaeae20 > dashboard link: https://syzkaller.appspot.com/bug?extid=53f029db71c19a47325a > compiler: gcc (GCC) 9.0.0 20181231 (experimental) > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16138e67200000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=128dddbf200000 > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > Reported-by: syzbot+53f029db71c19a47325a@syzkaller.appspotmail.com > > usb 1-1: config 0 descriptor?? > usb 1-1: string descriptor 0 read error: -71 > smsusb:smsusb_probe: board id=18, interface number 0 > kasan: CONFIG_KASAN_INLINE enabled > kasan: GPF could be caused by NULL-ptr deref or user memory access > general protection fault: 0000 [#1] SMP KASAN PTI > CPU: 1 PID: 22 Comm: kworker/1:1 Not tainted 5.1.0-rc5-319617-gd34f951 #4 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS > Google 01/01/2011 > Workqueue: usb_hub_wq hub_event > RIP: 0010:smsusb_init_device+0x366/0x937 > drivers/media/usb/siano/smsusb.c:429 > Code: 48 c1 ea 03 80 3c 02 00 74 05 e8 24 1e 66 f7 4d 8b b6 f0 04 00 00 b8 > ff ff 37 00 48 c1 e0 2a 49 8d 7e 04 48 89 fa 48 c1 ea 03 <8a> 14 02 48 89 > f8 83 e0 07 ff c0 38 d0 7c 09 84 d2 74 05 e8 b1 1d > RSP: 0018:ffff8880a86570d0 EFLAGS: 00010247 > RAX: dffffc0000000000 RBX: ffff88809a81b300 RCX: ffffffff8a42b5b3 > RDX: 0000000000000000 RSI: ffffffff8a42b6a3 RDI: 0000000000000004 > RBP: ffff88808ca70000 R08: ffff8880a8503100 R09: ffff8880a8657130 > R10: ffffed10150cae34 R11: ffff8880a86571a7 R12: ffff88809a81be54 > R13: ffff88809a81be5c R14: 0000000000000000 R15: ffff88808ca70000 > FS: 0000000000000000(0000) GS:ffff8880ad100000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 00007f1ad259d000 CR3: 000000009a3aa000 CR4: 00000000001406e0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > Call Trace: > smsusb_probe+0xd64/0xe08 drivers/media/usb/siano/smsusb.c:570 The reason for this bug is clear. The code in smsusb_probe() at line 429 does this: dev->response_alignment = le16_to_cpu(dev->udev->ep_in[1]->desc.wMaxPacketSize) - sizeof(struct sms_msg_hdr); which assumes there really is an ep1-IN endpoint. If there isn't, the code crashes. Testing that the endpoint exists is easy enough, but I'm not sure how this test should be integrated with the rest of the function. Someone who knows the code better ought to be able to do it with no trouble. Alan Stern