Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
MIME-Version: 1.0
From:   Kyungtae Kim <kt0755@gmail.com>
Date:   Thu, 30 Apr 2020 23:03:54 -0400
Message-ID: <CAEAjamvq+puThrxfo80TOy=xgbQEQNT6xvxy4w6hP2O1By66uw@mail.gmail.com>
Subject: KASAN: slab-out-of-bounds Read in gadget_dev_desc_UDC_store
To:     balbi@kernel.org, Greg KH <gregkh@linuxfoundation.org>
Cc:     syzkaller <syzkaller@googlegroups.com>,
        USB list <linux-usb@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        Dave Tian <dave.jing.tian@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk

We report a bug (in linux-5.6.8) found by FuzzUSB (a modified version
of syzkaller).

This happened when the size of "name" buffer is smaller than that of
"page" buffer
(after function kstrdup executed at line 263).
I guess it comes from the "page" buffer containing 0 value in the middle.
So accessing the "name" buffer with "len" variable, which is used to
indicate the size of "page" buffer,
triggered memory access violation.
To fix, it may need to check the size of name buffer, and try to use
right index variable.

kernel config: https://kt0755.github.io/etc/config_v5.6.8

==================================================================
BUG: KASAN: slab-out-of-bounds in
gadget_dev_desc_UDC_store+0x1ba/0x200
drivers/usb/gadget/configfs.c:266
Read of size 1 at addr ffff88806a55dd7e by task syz-executor.0/17208

CPU: 2 PID: 17208 Comm: syz-executor.0 Not tainted 5.6.8 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xce/0x128 lib/dump_stack.c:118
 print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374
 __kasan_report+0x131/0x1b0 mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:641
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/generic_report.c:132
 gadget_dev_desc_UDC_store+0x1ba/0x200 drivers/usb/gadget/configfs.c:266
 flush_write_buffer fs/configfs/file.c:251 [inline]
 configfs_write_file+0x2f1/0x4c0 fs/configfs/file.c:283
 __vfs_write+0x85/0x110 fs/read_write.c:494
 vfs_write+0x1cd/0x510 fs/read_write.c:558
 ksys_write+0x18a/0x220 fs/read_write.c:611
 __do_sys_write fs/read_write.c:623 [inline]
 __se_sys_write fs/read_write.c:620 [inline]
 __x64_sys_write+0x73/0xb0 fs/read_write.c:620
 do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x452149
Code: 2d 61 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 0f 83 fb 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f3bd907cc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000000000073c0f8 RCX: 0000000000452149
RDX: 00000000fffffed8 RSI: 00000000200003c0 RDI: 0000000000000003
RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004bf782
R13: 00000000004d7710 R14: 00007f3bd907d6d4 R15: 00000000ffffffff

Allocated by task 1:
 save_stack+0x21/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc.constprop.3+0xa7/0xd0 mm/kasan/common.c:515
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529
 __kmalloc+0x11c/0x310 mm/slub.c:3841
 kmalloc include/linux/slab.h:560 [inline]
 kzalloc include/linux/slab.h:669 [inline]
 acpi_os_allocate_zeroed+0x3e/0x42 include/acpi/platform/aclinuxex.h:57
 acpi_ns_internalize_name+0xd9/0x16a drivers/acpi/acpica/nsutils.c:331
 acpi_ns_get_node_unlocked+0x17e/0x1fe drivers/acpi/acpica/nsutils.c:666
 acpi_ns_get_node+0x44/0x62 drivers/acpi/acpica/nsutils.c:726
 acpi_ns_evaluate+0xc8/0x93e drivers/acpi/acpica/nseval.c:61
 acpi_ut_evaluate_object+0xe4/0x386 drivers/acpi/acpica/uteval.c:60
 acpi_ut_execute_power_methods+0xda/0x1b1 drivers/acpi/acpica/uteval.c:288
 acpi_get_object_info+0x487/0x994 drivers/acpi/acpica/nsxfname.c:366
 acpi_set_pnp_ids drivers/acpi/scan.c:1245 [inline]
 acpi_init_device_object+0xbfd/0x17a0 drivers/acpi/scan.c:1585
 acpi_add_single_object+0x121/0x1710 drivers/acpi/scan.c:1620
 acpi_bus_check_add+0x1c9/0x4f0 drivers/acpi/scan.c:1873
 acpi_ns_walk_namespace+0x1d3/0x320 drivers/acpi/acpica/nswalk.c:236
 acpi_walk_namespace+0xb5/0xef drivers/acpi/acpica/nsxfeval.c:606
 acpi_bus_scan+0xdf/0xf0 drivers/acpi/scan.c:2054
 acpi_scan_init+0x264/0x5e4 drivers/acpi/scan.c:2218
 acpi_init+0x592/0x612 drivers/acpi/bus.c:1249
 do_one_initcall+0xe0/0x650 init/main.c:1152
 do_initcall_level init/main.c:1225 [inline]
 do_initcalls init/main.c:1241 [inline]
 do_basic_setup init/main.c:1261 [inline]
 kernel_init_freeable+0x5e8/0x67c init/main.c:1445
 kernel_init+0x13/0x1b0 init/main.c:1352
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Freed by task 1:
 save_stack+0x21/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:337 [inline]
 __kasan_slab_free+0x135/0x190 mm/kasan/common.c:476
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:485
 slab_free_hook mm/slub.c:1444 [inline]
 slab_free_freelist_hook mm/slub.c:1477 [inline]
 slab_free mm/slub.c:3034 [inline]
 kfree+0xf7/0x410 mm/slub.c:3995
 acpi_os_free include/acpi/platform/aclinuxex.h:62 [inline]
 acpi_ns_get_node_unlocked+0x1c8/0x1fe drivers/acpi/acpica/nsutils.c:686
 acpi_ns_get_node+0x44/0x62 drivers/acpi/acpica/nsutils.c:726
 acpi_ns_evaluate+0xc8/0x93e drivers/acpi/acpica/nseval.c:61
 acpi_ut_evaluate_object+0xe4/0x386 drivers/acpi/acpica/uteval.c:60
 acpi_ut_execute_power_methods+0xda/0x1b1 drivers/acpi/acpica/uteval.c:288
 acpi_get_object_info+0x487/0x994 drivers/acpi/acpica/nsxfname.c:366
 acpi_set_pnp_ids drivers/acpi/scan.c:1245 [inline]
 acpi_init_device_object+0xbfd/0x17a0 drivers/acpi/scan.c:1585
 acpi_add_single_object+0x121/0x1710 drivers/acpi/scan.c:1620
 acpi_bus_check_add+0x1c9/0x4f0 drivers/acpi/scan.c:1873
 acpi_ns_walk_namespace+0x1d3/0x320 drivers/acpi/acpica/nswalk.c:236
 acpi_walk_namespace+0xb5/0xef drivers/acpi/acpica/nsxfeval.c:606
 acpi_bus_scan+0xdf/0xf0 drivers/acpi/scan.c:2054
 acpi_scan_init+0x264/0x5e4 drivers/acpi/scan.c:2218
 acpi_init+0x592/0x612 drivers/acpi/bus.c:1249
 do_one_initcall+0xe0/0x650 init/main.c:1152
 do_initcall_level init/main.c:1225 [inline]
 do_initcalls init/main.c:1241 [inline]
 do_basic_setup init/main.c:1261 [inline]
 kernel_init_freeable+0x5e8/0x67c init/main.c:1445
 kernel_init+0x13/0x1b0 init/main.c:1352
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff88806a55dd68
 which belongs to the cache kmalloc-8 of size 8
The buggy address is located 14 bytes to the right of
 8-byte region [ffff88806a55dd68, ffff88806a55dd70)
The buggy address belongs to the page:
page:ffffea0001a95740 refcount:1 mapcount:0 mapping:ffff88806c00f980
index:0xffff88806a55dfd8
flags: 0x100000000000200(slab)
raw: 0100000000000200 ffffea0001a95600 0000000500000005 ffff88806c00f980
raw: ffff88806a55dfd8 0000000080aa0005 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88806a55dc00: fb fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb
 ffff88806a55dc80: fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc
>ffff88806a55dd00: fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc fc
                                                                ^
 ffff88806a55dd80: fb fc fc fb fc fc 00 fc fc 00 fc fc fb fc fc fb
 ffff88806a55de00: fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc
==================================================================

Regards,
Kyungtae Kim