Received: by 2002:a25:c593:0:0:0:0:0 with SMTP id v141csp783240ybe; Wed, 4 Sep 2019 07:42:30 -0700 (PDT) X-Google-Smtp-Source: APXvYqynQQOezyJvS/uWmACdlaCny0rxP7kKUZQNikPlFLDkcV2o1DxVoYpkaS6IhsthszopbHU6 X-Received: by 2002:a17:90a:cf0d:: with SMTP id h13mr5388132pju.122.1567608150183; Wed, 04 Sep 2019 07:42:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1567608150; cv=none; d=google.com; s=arc-20160816; b=0WpDGxG+WxRvneoWPdEWD+SJ+IIH0kIajeoNqZ5vUAAeufEJwvFe9eyhtLpnMJNXHJ yUmR9tc7ZeK52v1E6E9cQMjVXh4m7Rt0k6DIzoOKV5zy6r+4pT7uFL9vXrKdBeV63Mkm SvO48AXHXo3f9bJFqdjTcgNDL91ZwtS2EUqUNS3dEjNRP275WcQEIjzxn9rw14d3dM4M acH0hv7s/3HJaTeErsa3AH0GtE6KM/RU9fXuCCgGt10ldTQur8MG+acrqryGqfrmEfhS R4EU2VAfMEFWwJVUeB12N2aotciSLs9TU7X0OSaS/J7KXrdH/aiAuebJKlSsk/tc3eIp dWSA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:message-id:in-reply-to :subject:cc:to:from:date; bh=u0roWi+/Ej96lN/ltGYebPkMvXsPEB26SaFYKtchzto=; b=euBe9JyfwzRLnSBGKVqOTkJFZNrh5rgGHa9z4BEhqbTOODFVqd2auEA0ksprP0zi5H UuBENdsYe7HUNNzvJOdAxhwmAJBkz359a0mVDEFppnDqg7zOFwd+VlY+oexWJ8Yvd1mX wK+0w6Vf9xZe9RbqcOlYQGnHsyxY1ne0mH6OEZvZfkvxCee+gkTdBYLzdrllGgjUYFpN kACnywZl97E3TiWhs9rsVpoSXR0c6YjWq7jt1kM9Vy0EnGjS0o/lComZE3w7kKGJwFQ1 yHOAQPOnA2vcl4kytJ/Go5Z9WtNaVCzy3pnbT16qdCezsMMIZa0mPETIyjo7wzIPNMKC hX4A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h5si2426817pjs.91.2019.09.04.07.42.13; Wed, 04 Sep 2019 07:42:30 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731060AbfIDOlI (ORCPT + 99 others); Wed, 4 Sep 2019 10:41:08 -0400 Received: from iolanthe.rowland.org ([192.131.102.54]:46816 "HELO iolanthe.rowland.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with SMTP id S1730067AbfIDOlH (ORCPT ); Wed, 4 Sep 2019 10:41:07 -0400 Received: (qmail 3843 invoked by uid 2102); 4 Sep 2019 10:41:06 -0400 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 4 Sep 2019 10:41:06 -0400 Date: Wed, 4 Sep 2019 10:41:06 -0400 (EDT) From: Alan Stern X-X-Sender: stern@iolanthe.rowland.org To: syzbot cc: Thinh.Nguyen@synopsys.com, , , , , , , , , , , Subject: Re: KASAN: slab-out-of-bounds Read in usb_reset_and_verify_device In-Reply-To: <000000000000b580440591ac8df5@google.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 3 Sep 2019, syzbot wrote: > Hello, > > syzbot has tested the proposed patch but the reproducer still triggered > crash: > KASAN: slab-out-of-bounds Read in usb_reset_and_verify_device > > usb 6-1: Using ep0 maxpacket: 16 > usb 6-1: BOS total length 54, descriptor 168 > usb 6-1: Old BOS ffff8881cd814f60 Len 0xa8 > usb 6-1: New BOS ffff8881cd257ae0 Len 0xa8 > ================================================================== > BUG: KASAN: slab-out-of-bounds in memcmp+0xa6/0xb0 lib/string.c:904 > Read of size 1 at addr ffff8881cd257c36 by task kworker/1:0/17 Very sneaky! A BOS descriptor whose wTotalLength field varies depending on how many bytes you read. This should fix it. It's the same approach we use for the Config descriptor. Alan Stern #syz test: https://github.com/google/kasan.git eea39f24 drivers/usb/core/config.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) Index: usb-devel/drivers/usb/core/config.c =================================================================== --- usb-devel.orig/drivers/usb/core/config.c +++ usb-devel/drivers/usb/core/config.c @@ -921,7 +921,7 @@ int usb_get_bos_descriptor(struct usb_de struct usb_bos_descriptor *bos; struct usb_dev_cap_header *cap; struct usb_ssp_cap_descriptor *ssp_cap; - unsigned char *buffer; + unsigned char *buffer, *buffer0; int length, total_len, num, i, ssac; __u8 cap_type; int ret; @@ -966,10 +966,12 @@ int usb_get_bos_descriptor(struct usb_de ret = -ENOMSG; goto err; } + + buffer0 = buffer; total_len -= length; + buffer += length; for (i = 0; i < num; i++) { - buffer += length; cap = (struct usb_dev_cap_header *)buffer; if (total_len < sizeof(*cap) || total_len < cap->bLength) { @@ -983,8 +985,6 @@ int usb_get_bos_descriptor(struct usb_de break; } - total_len -= length; - if (cap->bDescriptorType != USB_DT_DEVICE_CAPABILITY) { dev_warn(ddev, "descriptor type invalid, skip\n"); continue; @@ -1019,7 +1019,11 @@ int usb_get_bos_descriptor(struct usb_de default: break; } + + total_len -= length; + buffer += length; } + dev->bos->desc->wTotalLength = cpu_to_le16(buffer - buffer0); return 0;