From: Andrey Konovalov
Date: Mon, 24 Jun 2019 17:29:27 +0200
Subject: Re: KASAN: global-out-of-bounds Read in qmi_wwan_probe
To: Bjørn Mork
Cc: Kristian Evensen, syzbot, "David S. Miller", LKML, USB list, netdev, syzkaller-bugs
References: <0000000000008f19f7058c10a633@google.com> <871rzj6sww.fsf@miraculix.mork.no>
In-Reply-To: <871rzj6sww.fsf@miraculix.mork.no>
List-ID: linux-kernel@vger.kernel.org

On Mon, Jun 24, 2019 at 2:59 PM Bjørn Mork wrote:
>
> syzbot writes:
>
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:    9939f56e usb-fuzzer: main usb gadget fuzzer driver
> > git tree:       https://github.com/google/kasan.git usb-fuzzer
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1615a669a00000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=df134eda130bb43a
> > dashboard link: https://syzkaller.appspot.com/bug?extid=b68605d7fadd21510de1
> > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10630af6a00000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1127da69a00000
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+b68605d7fadd21510de1@syzkaller.appspotmail.com
> >
> > usb 1-1: new high-speed USB device number 2 using dummy_hcd
> > usb 1-1: Using ep0 maxpacket: 8
> > usb 1-1: New USB device found, idVendor=12d1, idProduct=14f1, bcdDevice=d4.d9
> > usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
> > usb 1-1: config 0 descriptor??
> > ==================================================================
> > BUG: KASAN: global-out-of-bounds in qmi_wwan_probe+0x342/0x360 drivers/net/usb/qmi_wwan.c:1417
> > Read of size 8 at addr ffffffff8618c140 by task kworker/1:1/22
> >
> > CPU: 1 PID: 22 Comm: kworker/1:1 Not tainted 5.2.0-rc5+ #11
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > Workqueue: usb_hub_wq hub_event
> > Call Trace:
> >  __dump_stack lib/dump_stack.c:77 [inline]
> >  dump_stack+0xca/0x13e lib/dump_stack.c:113
> >  print_address_description+0x67/0x231 mm/kasan/report.c:188
> >  __kasan_report.cold+0x1a/0x32 mm/kasan/report.c:317
> >  kasan_report+0xe/0x20 mm/kasan/common.c:614
> >  qmi_wwan_probe+0x342/0x360 drivers/net/usb/qmi_wwan.c:1417
> >  usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
> >  really_probe+0x281/0x660 drivers/base/dd.c:509
> >  driver_probe_device+0x104/0x210 drivers/base/dd.c:670
> >  __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:777
> >  bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
>
>
> Hello Kristian!
>
> I need some help understanding this... IIUC syzbot is claiming an
> out-of-bounds access at line 1417 in v5.2-rc5. Or whatever - I'm having
> a hard time deciphering what kernel version the bot is actually
> testing. The claimed HEAD is not a kernel commit. At least not in my
> kernel...

The bot currently tests this tree:
https://github.com/google/kasan/tree/usb-fuzzer, which is essentially
5.2-rc5.

> But if this is correct, then it points to the info->data access you
> recently added:
>
> 822e44b45eb99 (Kristian Evensen 2019-03-02 13:32:26 +0100 1409)         /* Several Quectel modems supports dynamic interface configuration, so
> 7c5cca3588545 (Kristian Evensen 2018-09-08 13:50:48 +0200 1410)          * we need to match on class/subclass/protocol. These values are
> 7c5cca3588545 (Kristian Evensen 2018-09-08 13:50:48 +0200 1411)          * identical for the diagnostic- and QMI-interface, but bNumEndpoints is
> 7c5cca3588545 (Kristian Evensen 2018-09-08 13:50:48 +0200 1412)          * different. Ignore the current interface if the number of endpoints
> e4bf63482c309 (Kristian Evensen 2019-04-07 15:39:09 +0200 1413)          * equals the number for the diag interface (two).
> 7c5cca3588545 (Kristian Evensen 2018-09-08 13:50:48 +0200 1414)          */
> e4bf63482c309 (Kristian Evensen 2019-04-07 15:39:09 +0200 1415)         info = (void *)&id->driver_info;
> e4bf63482c309 (Kristian Evensen 2019-04-07 15:39:09 +0200 1416)
> e4bf63482c309 (Kristian Evensen 2019-04-07 15:39:09 +0200 1417)         if (info->data & QMI_WWAN_QUIRK_QUECTEL_DYNCFG) {
> e4bf63482c309 (Kristian Evensen 2019-04-07 15:39:09 +0200 1418)                 if (desc->bNumEndpoints == 2)
> e4bf63482c309 (Kristian Evensen 2019-04-07 15:39:09 +0200 1419)                         return -ENODEV;
> e4bf63482c309 (Kristian Evensen 2019-04-07 15:39:09 +0200 1420)         }
>
>
> I must be blind. I cannot see how this could end up failing.
> id->driver_info is always set to one of qmi_wwan_info,
> qmi_wwan_info_quirk_dtr or qmi_wwan_info_quirk_quectel_dyncfg at this
> point. How does that end up out-of-bounds?

I've run the reproducer locally and checked the addresses.
The structures that you mentioned are at:

gef> p &qmi_wwan_info
$1 = (const struct driver_info *) 0xffffffff85d32e80
gef> p &qmi_wwan_info_quirk_dtr
$2 = (const struct driver_info *) 0xffffffff85d32dc0
gef> p &qmi_wwan_info_quirk_quectel_dyncfg
$3 = (const struct driver_info *) 0xffffffff85d32d00

And the bad access for me happens on address 0xffffffff85d32ce0, so it
seems that driver_info somehow ended up lying below
qmi_wwan_info_quirk_quectel_dyncfg.

gef> x/6gx 0xffffffff85d32ce0
0xffffffff85d32ce0:     0x0000000000000000      0x0000000000000000
0xffffffff85d32cf0:     0x0000000000000000      0x0000000000000000
0xffffffff85d32d00 <qmi_wwan_info_quirk_quectel_dyncfg>:        0xffffffff85d32cc0      0x0000000000000600

>
> Bjørn
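As an added illustration, not part of this thread or of the kernel's code: a stand-alone C model of the two pointer expressions a reviewer would compare in the blamed line 1415, `id->driver_info` (the pointer value the match-table entry stores) versus `&id->driver_info` (the address of that field inside the table), and of where an `info->data` read lands in each case. The structure layouts, the quirk bit value and the vendor/product ids are constructed assumptions; `ops[14]` stands in for the real driver_info's callback fields.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed models of the two structures the blamed lines use; the field
 * names follow the kernel's, the layouts are assumptions, not its headers. */
struct driver_info {
    const char *description;
    int flags;
    void (*ops[14])(void);     /* stand-in for bind/unbind/status/... callbacks */
    unsigned long data;        /* quirk bits, e.g. QMI_WWAN_QUIRK_QUECTEL_DYNCFG */
};
struct usb_device_id {
    uint16_t match_flags, idVendor, idProduct;
    unsigned long driver_info; /* stores (unsigned long)&<some driver_info> */
};
#define QMI_WWAN_QUIRK_QUECTEL_DYNCFG 0x1UL   /* constructed bit value */
static const struct driver_info qmi_wwan_info_quirk_quectel_dyncfg = {
    .description = "WWAN/QMI device",
    .data = QMI_WWAN_QUIRK_QUECTEL_DYNCFG,
};
/* Constructed match table: one entry (made-up ids) plus the {} terminator. */
static const struct usb_device_id products[] = {
    { 0x0003, 0x1234, 0x5678, (unsigned long)&qmi_wwan_info_quirk_quectel_dyncfg },
    { 0 },
};
/* The field's value is the pointer: this is the intended dereference. */
static unsigned long quirks_via_value(const struct usb_device_id *id)
{
    const struct driver_info *info = (const struct driver_info *)id->driver_info;
    return info->data;
}
/* Address of the field reinterpreted as a driver_info: where would
 * info->data be read from? Returns that read's byte offset from the end of
 * the table; >= 0 means the read lies outside the table object, which is
 * what KASAN reports as global-out-of-bounds. Nothing is dereferenced. */
static long misread_offset_past_table(const struct usb_device_id *id)
{
    uintptr_t info = (uintptr_t)&id->driver_info;   /* the pattern under review */
    uintptr_t read_at = info + offsetof(struct driver_info, data);
    uintptr_t table_end = (uintptr_t)products + sizeof(products);
    return (long)(read_at - table_end);
}
/* The decision from lines 1417-1419, made with the intended dereference. */
static int probe_decision(const struct usb_device_id *id, int bNumEndpoints)
{
    if ((quirks_via_value(id) & QMI_WWAN_QUIRK_QUECTEL_DYNCFG) && bNumEndpoints == 2)
        return -ENODEV;   /* two endpoints: the diag interface, not QMI */
    return 0;
}
```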