Date: Wed, 4 Sep 2019 11:23:24 -0400 (EDT)
From: Alan Stern
To: Andrey Konovalov
Cc: syzbot, Greg Kroah-Hartman, Kai Heng Feng, LKML, USB list, syzkaller-bugs
Subject: Re: KASAN: slab-out-of-bounds Read in usb_reset_and_verify_device
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 4 Sep 2019, Andrey Konovalov wrote:

> On Wed, Sep 4, 2019 at 4:41 PM Alan Stern wrote:
> >
> > On Tue, 3 Sep 2019, syzbot wrote:
> >
> > > Hello,
> > >
> > > syzbot has tested the proposed patch but the reproducer still triggered
> > > crash:
> > > KASAN: slab-out-of-bounds Read in usb_reset_and_verify_device
> > >
> > > usb 6-1: Using ep0 maxpacket: 16
> > > usb 6-1: BOS total length 54, descriptor 168
> > > usb 6-1: Old BOS ffff8881cd814f60 Len 0xa8
> > > usb 6-1: New BOS ffff8881cd257ae0 Len 0xa8
> > > ==================================================================
> > > BUG: KASAN: slab-out-of-bounds in memcmp+0xa6/0xb0 lib/string.c:904
> > > Read of size 1 at addr ffff8881cd257c36 by task kworker/1:0/17
> >
> > Very sneaky! A BOS descriptor whose wTotalLength field varies
> > depending on how many bytes you read.
> >
> > This should fix it. It's the same approach we use for the Config
> > descriptor.
>
> Nice, core USB bug :)
>
> Can this potentially lead to something worse than an out-of-bounds memcmp?

I tend to doubt it. It would require some code that does its own parsing
of the BOS descriptors. If there is any code like that in the kernel,
I'm not aware of it. Still, you never know...

Alan Stern
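The header-read-then-full-read pattern behind the bug Alan describes, as an added C illustration (constructed here; not kernel code and not from this thread): a stand-in device reports one wTotalLength when only the 5-byte header is requested and a larger one on the full read, mirroring the 54 vs. 168 in the log above. The fetch routine either trusts the re-read field (the failure mode) or rejects the mismatch and keeps the allocated size as the only length later consumers use; the device callback, struct layout and helper names are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BOS_HDR_LEN 5     /* bLength, bDescriptorType, wTotalLength (LE16), bNumDeviceCaps */
#define USB_DT_BOS  0x0f

/* Host-side view of a fetched BOS descriptor: the bytes and how many we own. */
struct bos { uint8_t *buf; size_t len; };

/* Assumed stand-in for a control transfer: fills up to `len` bytes, returns count. */
typedef size_t (*read_bos_fn)(uint8_t *buf, size_t len);

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Constructed hostile device: claims 54 bytes when asked for the header only,
 * 168 bytes once the host asks for the full descriptor (values from the log). */
static size_t hostile_device(uint8_t *buf, size_t len)
{
    uint16_t claimed = (len <= BOS_HDR_LEN) ? 54 : 168;
    memset(buf, 0, len);
    buf[0] = BOS_HDR_LEN; buf[1] = USB_DT_BOS;
    buf[2] = claimed & 0xff; buf[3] = claimed >> 8; buf[4] = 1;
    return len;
}

/* Read the header, allocate wTotalLength bytes, read again into that buffer.
 * check=0 trusts whatever the second read says (the reported bug);
 * check=1 rejects a descriptor whose length changed between reads.
 * Returns 0 on success (caller owns out->buf), -1 on error. */
static int get_bos(read_bos_fn dev, int check, struct bos *out)
{
    uint8_t hdr[BOS_HDR_LEN];
    if (dev(hdr, sizeof hdr) != sizeof hdr || hdr[1] != USB_DT_BOS) return -1;
    size_t total = le16(hdr + 2);
    if (total < BOS_HDR_LEN) return -1;
    uint8_t *buf = malloc(total);
    if (!buf || dev(buf, total) != total) { free(buf); return -1; }
    if (check && le16(buf + 2) != total) { free(buf); return -1; }
    out->buf = buf; out->len = total;
    return 0;
}

/* Length a later consumer (e.g. a reset-time compare) would walk over. */
static size_t bos_len_from_field(const struct bos *b) { return le16(b->buf + 2); } /* past allocation */
static size_t bos_len_owned(const struct bos *b) { return b->len; }                /* bounded */

static void put_bos(struct bos *b) { free(b->buf); b->buf = NULL; b->len = 0; }
```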