Date: Tue, 7 May 2019 10:34:30 +0200
From: Johan Hovold
To: Alan Stern
Cc: syzbot, andreyknvl@google.com, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, linux-usb@vger.kernel.org, mchehab@kernel.org, syzkaller-bugs@googlegroups.com, wen.yang99@zte.com.cn
Subject: Re: general protection fault in smsusb_init_device
Message-ID: <20190507083430.GD4333@localhost>
References: <0000000000008d89900586ccd37b@google.com>

On Mon, May 06, 2019 at 04:41:41PM -0400, Alan Stern wrote:
> On Thu, 18 Apr 2019, syzbot wrote:
>
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:    d34f9519 usb-fuzzer: main usb gadget fuzzer driver
> > git tree:       https://github.com/google/kasan/tree/usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=128ec3fd200000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=c73d1bb5aeaeae20
> > dashboard link: https://syzkaller.appspot.com/bug?extid=53f029db71c19a47325a
> > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16138e67200000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=128dddbf200000
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+53f029db71c19a47325a@syzkaller.appspotmail.com
> >
> > usb 1-1: config 0 descriptor??
> > usb 1-1: string descriptor 0 read error: -71 > > smsusb:smsusb_probe: board id=18, interface number 0 > > kasan: CONFIG_KASAN_INLINE enabled > > kasan: GPF could be caused by NULL-ptr deref or user memory access > > general protection fault: 0000 [#1] SMP KASAN PTI > > CPU: 1 PID: 22 Comm: kworker/1:1 Not tainted 5.1.0-rc5-319617-gd34f951 #4 > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS > > Google 01/01/2011 > > Workqueue: usb_hub_wq hub_event > > RIP: 0010:smsusb_init_device+0x366/0x937 > > drivers/media/usb/siano/smsusb.c:429 > > The driver assumes endpoint 1in exists, and doesn't check the existence > of the endpoints it uses. > > Alan Stern > > > #syz test: https://github.com/google/kasan.git usb-fuzzer > > drivers/media/usb/siano/smsusb.c | 32 +++++++++++++++++++------------- > 1 file changed, 19 insertions(+), 13 deletions(-) > > Index: usb-devel/drivers/media/usb/siano/smsusb.c > =================================================================== > --- usb-devel.orig/drivers/media/usb/siano/smsusb.c > +++ usb-devel/drivers/media/usb/siano/smsusb.c > @@ -400,6 +400,7 @@ static int smsusb_init_device(struct usb > struct smsusb_device_t *dev; > void *mdev; > int i, rc; > + int in_maxp; > > /* create device object */ > dev = kzalloc(sizeof(struct smsusb_device_t), GFP_KERNEL); 
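Review bot: the new `int in_maxp;` in this first hunk is only ever assigned (in the endpoint loop of the following hunk) and is not read anywhere in the hunks shown, so unless a later hunk consumes it the compiler will flag a set-but-unused variable; it also remains uninitialized on the path where no IN endpoint is found, which is harmless only because that path returns before any use. Either move the declaration next to the code that actually uses the max-packet value, or drop it if nothing does.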
> @@ -411,6 +412,23 @@ static int smsusb_init_device(struct usb > dev->udev = interface_to_usbdev(intf); > dev->state = SMSUSB_DISCONNECTED; > > + for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) { > + struct usb_endpoint_descriptor *desc = > + &intf->cur_altsetting->endpoint[i].desc; > + > + if (desc->bEndpointAddress & USB_DIR_IN) { > + dev->in_ep = desc->bEndpointAddress; > + in_maxp = usb_endpoint_maxp(desc); > + } else { > + dev->out_ep = desc->bEndpointAddress; > + } > + } > + > + pr_debug("in_ep = %02x, out_ep = %02x\n", > + dev->in_ep, dev->out_ep); > + if (!dev->in_ep || !dev->out_ep) /* Missing endpoints? */ > + return -EINVAL; Looks like you're now leaking dev here, and so is the current code in the later error paths. Since this return value will be returned from probe, you may want to use -ENXIO or -ENODEV instead of -EINVAL. Looks good otherwise. Johan
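Review bot: the `return -EINVAL;` after the `/* Missing endpoints? */` check in this hunk returns with the `dev` from `kzalloc()` still allocated, so it needs a `kfree(dev)` (or a jump to a common error label that frees it) before returning; as written the fix turns a NULL dereference into a memory leak on a malformed descriptor. The loop also classifies endpoints by `desc->bEndpointAddress & USB_DIR_IN` alone, so any transfer type is accepted and, when an interface advertises several IN or OUT endpoints, the last one silently wins; if the driver submits bulk URBs on these endpoints, `usb_find_common_endpoints(intf->cur_altsetting, &bulk_in, &bulk_out, NULL, NULL)` (or `usb_endpoint_is_bulk_in()`/`usb_endpoint_is_bulk_out()` inside the loop) would validate the type as well as the direction and replace the hand-rolled scan.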