Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp378657ybz; Fri, 1 May 2020 00:11:01 -0700 (PDT) X-Google-Smtp-Source: APiQypIvfu8cCGQBjS5DC1Lp8NOvFecA8KC1YFHj5gzRlYdHmEnvkoO7oAaGFc4wTvARxcWnYPDb X-Received: by 2002:a17:906:1603:: with SMTP id m3mr1946930ejd.205.1588317061614; Fri, 01 May 2020 00:11:01 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1588317061; cv=none; d=google.com; s=arc-20160816; b=KZstt3U1ein8UQTDnhwt3Jxpq87SEgzcuTNCYbTdjnEHqo8gOwa5vF4WsP8XxGnXdZ oukSO7cek7UN82UeQy6CfOiKEoGPUtdOlwKq/xhe98ES6rKZ4KFsgUcwvnXM+mGuzhnX ILIR0zzGTL7NfzQTw0pWVOzDsyNDECaCw7JqttzjN63eXZK7qILQE8QCaJ/smV4ZEg/V 2t8fthX32BaX522rPh+KOuFi/y3JfO8DvXSuRCst/duPhbCD8P4wvxB1aP4igd8vWybh ySJ6cX4nY+3+/EelW15F6q0P19Xcyg9vfooY4wNc3jZccT794vwxRupSyjRqtVIkx05E N7Hg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=E4HhDTpk+sr3abcV8Zjb7b93aOTnLiMVES6eJ0lo8SU=; b=wksZdcwlCmTu83h2LNy/VQR919UPw0wwocs/VE0xW+RrasoTqSowmCIqv/IWdhExVR ATG9VLogpctisGaN8IyKPPW69SPXTf2jrDfDcPXHAw3g1UwqAqyob9Eo9WmxWo3peiNc QgJbqJhv4pVMx/ZYuy8+qIs8hYPyIUDQPZWrSzZwYOgC5qNR4iUCXlbK7yXMR7jmsRWv 6sTWRXDxNt5+ya5GFQ3s0mnX1HoWO42WHJUpvDjHjCr0r7hxurrg7mD410CRTRrBVJRh 4C1R/BnwUEbJXvwtAiUSwZ/Lq3100TbpKFytU26sgZlrPy4gdzI9vNjX1SHH6IVpbBkg 2+mg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Qj19+Zqq; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id r18si1291644ejj.211.2020.05.01.00.10.37; Fri, 01 May 2020 00:11:01 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Qj19+Zqq; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728325AbgEAHFl (ORCPT + 99 others); Fri, 1 May 2020 03:05:41 -0400 Received: from mail.kernel.org ([198.145.29.99]:60460 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726452AbgEAHFl (ORCPT ); Fri, 1 May 2020 03:05:41 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 432AD20787; Fri, 1 May 2020 07:05:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1588316740; bh=jYNhlYnFtixV0yMkmtZtTWGf5j9cLn7aPBRr6wi5fJk=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=Qj19+ZqqfEzypqnR6XVc2An/vln/tzKyCpEEiGSpr6D4oqqo3lGgitV104SmxOrvs odRbzMqcNBlNp28qtXx5QRxVRYMiZHIkE2C1lMw+vLyD3KLh8e3C6rTCLI9jrsnqNg VbQyE1KTSjO/XKmpUBTUsAOrAlw9qHuECHuobW0A= Date: Fri, 1 May 2020 09:05:38 +0200 From: Greg KH To: Kyungtae Kim Cc: balbi@kernel.org, syzkaller , USB list , LKML , Dave Tian Subject: Re: KASAN: slab-out-of-bounds Read in gadget_dev_desc_UDC_store Message-ID: <20200501070538.GB887524@kroah.com> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Apr 30, 2020 at 11:03:54PM -0400, Kyungtae Kim wrote: > We report a bug (in linux-5.6.8) found by FuzzUSB (a modified version > of syzkaller). > > This happened when the size of "name" buffer is smaller than that of > "page" buffer > (after function kstrdup executed at line 263). > I guess it comes from the "page" buffer containing 0 value in the middle. > So accessing the "name" buffer with "len" variable, which is used to > indicate the size of "page" buffer, > triggered memory access violation. > To fix, it may need to check the size of name buffer, and try to use > right index variable. Can you submit a patch for this as you have a reproducer to test the issue? thanks, greg k-h