Received: by 2002:a25:8b12:0:0:0:0:0 with SMTP id i18csp53556ybl;
        Fri, 9 Aug 2019 02:21:14 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxPOK+le1MiRYWJCvGyisiaEBqzNO4O4xLTHba5DwoibUDiHN85R6xpMdu5GEPqqONIdcS8
X-Received: by 2002:a17:902:6b0c:: with SMTP id o12mr17541768plk.113.1565342473963;
        Fri, 09 Aug 2019 02:21:13 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1565342473; cv=none;
        d=google.com; s=arc-20160816;
        b=rINb0fAgS3kNmmG8V3llEHV6RkOvtvEB1Q0E0caucmE/A/76sq4GUhya/sNYtU9vg5
         y+/NArkUpddkg3XToKrztSO0OQsRsWo5jk1wcT49ywgIFYzfnQcFqxGd8khBrGhuYtuF
         9WaX5WShfsIWFHZmGYQbL4491saP1VpsPGTO9+GRTAHvg9S2aL9Sgjjhg+2OGw+TRMv8
         JjSBt9OcM4uDVPmuKJgNfmBoqM4/Wj23vXyERoXCaEvlUrXop2Xv6B40nuEZFVB8RdS/
         nytWTQ/sSYcI35UiADB80LqXkNG2+p0QGTeyl15QUsUqOsTDfsyfUkufvwTioKRtxDv/
         WA8Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature;
        bh=+QGcWpSN/BRAudpaX/T2TeWXiisetAXH4pLxoBWqAjY=;
        b=QosIw2vuZVh4LNenAfxIKo0S9JHiAEBazcIQ2UXzqnL65yQv/C/bd+acz1skaszRSA
         TpamBGnLA7yFhWcJ9/2sWpOBZxg3GP5Ukp2MjLeLZk/cPwr+KR4BNk3Y12+1eJmno2/J
         Gy5I011VZPo5wlP5XiC81LVbRCYoe9wrb/7PWWyKO62Sh9uVB05c0/G2lixDYUJGURAR
         yBYmJEhx5m2hXbgPiS5T8o2FrJ/i/GG5yHf0WU+Di4uI5K2wPzMklbJgqIMNEd4tnbPX
         TTBnvW5skv+ZLO6w45fHQLQB4cRIYXKRCv//ybk5kWNFkviwjzYfklpnzroce/CdmCqD
         K8bg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=guBuS1Zb;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v33si39089825pgk.152.2019.08.09.02.20.58;
        Fri, 09 Aug 2019 02:21:13 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=guBuS1Zb;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2406176AbfHIJSW (ORCPT <rfc822;learnos2017@gmail.com>
        + 99 others); Fri, 9 Aug 2019 05:18:22 -0400
Received: from mail.kernel.org ([198.145.29.99]:45376 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S2406167AbfHIJSV (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 9 Aug 2019 05:18:21 -0400
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 53BA421783;
        Fri,  9 Aug 2019 09:18:20 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1565342300;
        bh=vDFk0iDv4uhF/mh6uYPLsEe3xs+segrrcnOWuXxQKms=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=guBuS1ZbRdjlgZXkIRMxo5T/SU/GeSbZSxdnKSL6erjXVJ68Ixg5GfFw48ZcAQDUJ
         vTZF38S2BSeNjyyySFS+ew1qhyVgLU9/0UnNyatr/Z0JcgoD0Fmx/FRLRvGYhvhSGK
         go/RU2KVvB6UqqPtB9Y439Cv67wUAgDcPXYyT1DU=
Date:   Fri, 9 Aug 2019 10:55:45 +0200
From:   Greg KH <gregkh@linuxfoundation.org>
To:     Kees Cook <keescook@chromium.org>
Cc:     syzbot <syzbot+45b2f40f0778cfa7634e@syzkaller.appspotmail.com>,
        Michael Hund <mhund@ld-didactic.de>, akpm@linux-foundation.org,
        andreyknvl@google.com, cai@lca.pw, linux-kernel@vger.kernel.org,
        linux-mm@kvack.org, linux-usb@vger.kernel.org,
        syzkaller-bugs@googlegroups.com, tglx@linutronix.de
Subject: Re: BUG: bad usercopy in ld_usb_read
Message-ID: <20190809085545.GB21320@kroah.com>
References: <0000000000005c056c058f9a5437@google.com>
 <20190808124654.GB32144@kroah.com>
 <201908081604.D1203D408@keescook>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <201908081604.D1203D408@keescook>
User-Agent: Mutt/1.12.1 (2019-06-15)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Aug 08, 2019 at 04:06:32PM -0700, Kees Cook wrote:
> On Thu, Aug 08, 2019 at 02:46:54PM +0200, Greg KH wrote:
> > On Thu, Aug 08, 2019 at 05:38:06AM -0700, syzbot wrote:
> > > Hello,
> > > 
> > > syzbot found the following crash on:
> > > 
> > > HEAD commit:    e96407b4 usb-fuzzer: main usb gadget fuzzer driver
> > > git tree:       https://github.com/google/kasan.git usb-fuzzer
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=13aeaece600000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=cfa2c18fb6a8068e
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=45b2f40f0778cfa7634e
> > > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > > 
> > > Unfortunately, I don't have any reproducer for this crash yet.
> > > 
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: syzbot+45b2f40f0778cfa7634e@syzkaller.appspotmail.com
> > > 
> > > ldusb 6-1:0.124: Read buffer overflow, -131383996186150 bytes dropped
> > 
> > That's a funny number :)
> > 
> > Nice overflow found, I see you are now starting to fuzz the char device
> > nodes of usb drivers...
> > 
> > Michael, care to fix this up?
> 
> This looks like the length in the read-from-device buffer is unchecked:
> 
>         /* actual_buffer contains actual_length + interrupt_in_buffer */
>         actual_buffer = (size_t *)(dev->ring_buffer + dev->ring_tail * (sizeof(size_t)+dev->interrupt_in_endpoint_size));
>         bytes_to_read = min(count, *actual_buffer);
>         if (bytes_to_read < *actual_buffer)
>                 dev_warn(&dev->intf->dev, "Read buffer overflow, %zd bytes dropped\n",
>                          *actual_buffer-bytes_to_read);
> 
>         /* copy one interrupt_in_buffer from ring_buffer into userspace */
>         if (copy_to_user(buffer, actual_buffer+1, bytes_to_read)) {
>                 retval = -EFAULT;
>                 goto unlock_exit;
>         }
> 
> I assume what's stored at actual_buffer is bogus and needs validation
> somewhere before it's actually used. (If not here, maybe where ever the
> write into the buffer originally happens?)

I think it should be verified here, as that's when it is parsed.  The
data is written to the buffer in ld_usb_interrupt_in_callback() but it
does not "know" how to parse it at that location.

thanks,

greg k-h