Date: Mon, 9 Dec 2019 14:51:41 -0500 (EST)
From: Alan Stern
X-X-Sender: stern@iolanthe.rowland.org
To: syzbot
cc: andreyknvl@google.com, , , , , ,
Subject: Re: KASAN: slab-out-of-bounds Read in hid_field_extract
In-Reply-To: <0000000000008eb2c605994a2b38@google.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, 9 Dec 2019, syzbot wrote:

> Hello,
>
> syzbot has tested the proposed patch but the reproducer still triggered
> crash:
> KASAN: slab-out-of-bounds Read in hid_field_extract
>
> microsoft 0003:045E:07DA.0001: Report rsize 4096 csize 1
> microsoft 0003:045E:07DA.0001: Field offset 0 size 12 count 4899
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in __extract drivers/hid/hid-core.c:1345
> [inline]
> BUG: KASAN: slab-out-of-bounds in hid_field_extract+0x150/0x170
> drivers/hid/hid-core.c:1365
> Read of size 1 at addr ffff8881cc759000 by task swapper/1/0

Nobody bothers to check for ridiculously long reports?  This field had
report_size = 12 and report_count = 4899!

Alan Stern

#syz test: https://github.com/google/kasan.git 1f22d15c

Index: usb-devel/drivers/hid/hid-core.c =================================================================== --- usb-devel.orig/drivers/hid/hid-core.c +++ usb-devel/drivers/hid/hid-core.c @@ -267,6 +267,10 @@ static int hid_add_field(struct hid_pars offset = report->size; report->size += parser->global.report_size * parser->global.report_count; + if (report->size > HID_MAX_BUFFER_SIZE << 3) { + hid_err(parser->device, "report is too long\n"); + return -1; + } if (!parser->local.usage_index) /* Ignore padding fields */ return 0; @@ -1488,6 +1492,7 @@ static void hid_input_field(struct hid_d if (!value) return; + hid_info(hid, "Field offset %u size %u count %u\n", offset, size, count); for (n = 0; n < count; n++) { value[n] = min < 0 ? 
@@ -1712,6 +1717,7 @@ int hid_report_raw_event(struct hid_devi } if (hid->claimed != HID_CLAIMED_HIDRAW && report->maxfield) { + hid_info(hid, "Report rsize %u csize %u\n", rsize, csize); for (a = 0; a < report->maxfield; a++) hid_input_field(hid, report->field[a], cdata, interrupt); hdrv = hid->driver;
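Review bot: the bound in the new check in hid_add_field() (the `-267,6 +267,10` hunk) leaves no room for the report ID byte. hid_report_raw_event() delivers a numbered report with the field data starting one byte into the HID_MAX_BUFFER_SIZE-byte buffer, so a report whose fields total exactly HID_MAX_BUFFER_SIZE << 3 bits passes `if (report->size > HID_MAX_BUFFER_SIZE << 3)` and its last field still ends one byte past the buffer. Compare against `(HID_MAX_BUFFER_SIZE - 1) << 3` instead, and add a one-line comment saying the comparison is in bits with a byte reserved for the report index, since the bare `<< 3` is otherwise a magic constant. The `return -1` matches the other error paths of hid_add_field(), and doing the check before the "Ignore padding fields" early return is right, because padding bits are already added to report->size on the line above.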
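Review bot: the hid_info() added in hid_input_field() (the `-1488,6 +1492,7` hunk) fires once per field of every input report, which on a device delivering reports at interrupt rate floods the kernel log. As diagnostics for this #syz test run it is what produced the "Field offset 0 size 12 count 4899" line above, but it must come out, or at least drop to hid_dbg(), before the fix is submitted.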
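Review bot: the hid_info() of rsize/csize in hid_report_raw_event() (the `-1712,6 +1717,7` hunk) is likewise one log line per delivered report and changes no behaviour, so it belongs only in the test build; if it is kept for the next round, printing report->size alongside rsize and csize would show the quantity the new hid_add_field() check actually bounds, which the byte counts alone do not.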
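The shape of the bug, as an added stand-alone example that is neither Alan Stern's patch nor code from drivers/hid/hid-core.c: a report's size is the sum over its fields of report_size * report_count bits, and that sum has to be bounded at descriptor-parse time because the input path copies every report into a fixed HID_MAX_BUFFER_SIZE-byte buffer (zero-padding short ones, hence "rsize 4096 csize 1") and then extracts bits from it without a length check. The model below sums fields the way hid_add_field() does, rejects the syzbot field (12 bits x 4899 = 58788 bits), and pairs that with a bit extractor shaped like __extract() that refuses reads past the buffer. HID_MAX_BUFFER_SIZE is assumed to be 4096 bytes as in the kernel's include/linux/hid.h; every other name, the field sets and the report bytes are constructed for the example.

```c
/*
 * Added example, not part of the patch above or of drivers/hid/hid-core.c.
 * Models how a report's size is summed from its fields at descriptor-parse
 * time, with a bound that keeps every field inside the fixed input buffer,
 * plus a bit extractor shaped like __extract() that refuses reads past the
 * buffer it is given. HID_MAX_BUFFER_SIZE is 4096 bytes as in the kernel's
 * include/linux/hid.h; every other name and all sample data are constructed.
 */
#include <stdint.h>
#include <stdio.h>

#define HID_MAX_BUFFER_SIZE 4096				/* bytes */
/* Bound in bits, keeping one byte back for the report ID of a numbered report. */
#define MAX_REPORT_BITS ((HID_MAX_BUFFER_SIZE - 1) << 3)	/* 32760 */

struct field_desc {
	unsigned report_size;	/* bits per value (Report Size) */
	unsigned report_count;	/* values in the field (Report Count) */
};

/* Sum fields as hid_add_field() does; -1 as soon as the total exceeds the
 * bound ("report is too long"), else the report size in bits. */
static long add_fields(const struct field_desc *f, size_t n)
{
	unsigned long size = 0;
	size_t i;
	for (i = 0; i < n; i++) {
		size += (unsigned long)f[i].report_size * f[i].report_count;
		if (size > MAX_REPORT_BITS)
			return -1;
	}
	return (long)size;
}

/* Little-endian bit-field read with __extract()'s offset/n contract, but
 * bounded by buf_len: -1 rather than the out-of-bounds byte KASAN reported. */
static int extract_bits(const uint8_t *buf, size_t buf_len,
			unsigned offset, unsigned n, uint32_t *out)
{
	uint64_t v = 0;
	unsigned i;
	if (n == 0 || n > 32 || ((offset + n - 1) >> 3) >= buf_len)
		return -1;
	for (i = 0; i < n; i++) {
		unsigned bit = offset + i;
		v |= (uint64_t)((buf[bit >> 3] >> (bit & 7)) & 1) << i;
	}
	*out = (uint32_t)v;
	return 0;
}

/* Read every value of every field in order; returns the count or -1. */
static long read_values(const struct field_desc *f, size_t n,
			const uint8_t *buf, size_t buf_len,
			uint32_t *vals, size_t max_vals)
{
	unsigned offset = 0, j;
	size_t i, count = 0;
	for (i = 0; i < n; i++) {
		for (j = 0; j < f[i].report_count; j++) {
			if (count >= max_vals ||
			    extract_bits(buf, buf_len, offset,
					 f[i].report_size, &vals[count]) < 0)
				return -1;
			count++;
			offset += f[i].report_size;
		}
	}
	return (long)count;
}

/* Constructed inputs: the field from the syzbot log, and a sane report. */
static const struct field_desc syzbot_field[] = { { 12, 4899 } };
static const struct field_desc sane_fields[] = {
	{ 8, 3 },	/* three bytes */
	{ 1, 5 },	/* five buttons */
	{ 3, 1 },	/* one 3-bit value: 24 + 5 + 3 = 32 bits in all */
};
static const uint8_t sample_report[4] = { 0x01, 0x02, 0x03, 0xA5 };
static uint8_t zeroed_buf[HID_MAX_BUFFER_SIZE];	/* what the memset() leaves */
static uint32_t scratch[4899];

/* Runs the model; returns the number of values read from the sane report. */
static long run_demo(void)
{
	long n;
	/* 12 * 4899 = 58788 bits > 32760: rejected before any report arrives. */
	printf("syzbot field: %ld\n", add_fields(syzbot_field, 1));
	/* Had it been accepted, the bounded extractor stops at byte 4096. */
	printf("bounded read: %ld\n", read_values(syzbot_field, 1, zeroed_buf,
						 sizeof zeroed_buf, scratch, 4899));
	n = read_values(sane_fields, 3, sample_report, sizeof sample_report,
			scratch, 16);
	printf("sane report: %ld bits, %ld values, last = %u\n",
	       add_fields(sane_fields, 3), n, (unsigned)scratch[8]);
	return n;
}

int main(void)
{
	return run_demo() == 9 ? 0 : 1;
}
```

The bound is taken at (HID_MAX_BUFFER_SIZE - 1) bytes rather than HID_MAX_BUFFER_SIZE so that a numbered report, whose ID byte precedes the field data in the same buffer, still fits; the extractor's own length check is the belt to that suspenders and is what the real __extract() lacks, which is why the descriptor-time check is the fix that matters.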