Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp378657ybz;
        Fri, 1 May 2020 00:11:01 -0700 (PDT)
X-Google-Smtp-Source: APiQypIvfu8cCGQBjS5DC1Lp8NOvFecA8KC1YFHj5gzRlYdHmEnvkoO7oAaGFc4wTvARxcWnYPDb
X-Received: by 2002:a17:906:1603:: with SMTP id m3mr1946930ejd.205.1588317061614;
        Fri, 01 May 2020 00:11:01 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1588317061; cv=none;
        d=google.com; s=arc-20160816;
        b=KZstt3U1ein8UQTDnhwt3Jxpq87SEgzcuTNCYbTdjnEHqo8gOwa5vF4WsP8XxGnXdZ
         oukSO7cek7UN82UeQy6CfOiKEoGPUtdOlwKq/xhe98ES6rKZ4KFsgUcwvnXM+mGuzhnX
         ILIR0zzGTL7NfzQTw0pWVOzDsyNDECaCw7JqttzjN63eXZK7qILQE8QCaJ/smV4ZEg/V
         2t8fthX32BaX522rPh+KOuFi/y3JfO8DvXSuRCst/duPhbCD8P4wvxB1aP4igd8vWybh
         ySJ6cX4nY+3+/EelW15F6q0P19Xcyg9vfooY4wNc3jZccT794vwxRupSyjRqtVIkx05E
         N7Hg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date
         :dkim-signature;
        bh=E4HhDTpk+sr3abcV8Zjb7b93aOTnLiMVES6eJ0lo8SU=;
        b=wksZdcwlCmTu83h2LNy/VQR919UPw0wwocs/VE0xW+RrasoTqSowmCIqv/IWdhExVR
         ATG9VLogpctisGaN8IyKPPW69SPXTf2jrDfDcPXHAw3g1UwqAqyob9Eo9WmxWo3peiNc
         QgJbqJhv4pVMx/ZYuy8+qIs8hYPyIUDQPZWrSzZwYOgC5qNR4iUCXlbK7yXMR7jmsRWv
         6sTWRXDxNt5+ya5GFQ3s0mnX1HoWO42WHJUpvDjHjCr0r7hxurrg7mD410CRTRrBVJRh
         4C1R/BnwUEbJXvwtAiUSwZ/Lq3100TbpKFytU26sgZlrPy4gdzI9vNjX1SHH6IVpbBkg
         2+mg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=Qj19+Zqq;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id r18si1291644ejj.211.2020.05.01.00.10.37;
        Fri, 01 May 2020 00:11:01 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=Qj19+Zqq;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728325AbgEAHFl (ORCPT <rfc822;jaysonjohndmello@gmail.com>
        + 99 others); Fri, 1 May 2020 03:05:41 -0400
Received: from mail.kernel.org ([198.145.29.99]:60460 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726452AbgEAHFl (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 1 May 2020 03:05:41 -0400
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 432AD20787;
        Fri,  1 May 2020 07:05:40 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1588316740;
        bh=jYNhlYnFtixV0yMkmtZtTWGf5j9cLn7aPBRr6wi5fJk=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=Qj19+ZqqfEzypqnR6XVc2An/vln/tzKyCpEEiGSpr6D4oqqo3lGgitV104SmxOrvs
         odRbzMqcNBlNp28qtXx5QRxVRYMiZHIkE2C1lMw+vLyD3KLh8e3C6rTCLI9jrsnqNg
         VbQyE1KTSjO/XKmpUBTUsAOrAlw9qHuECHuobW0A=
Date:   Fri, 1 May 2020 09:05:38 +0200
From:   Greg KH <gregkh@linuxfoundation.org>
To:     Kyungtae Kim <kt0755@gmail.com>
Cc:     balbi@kernel.org, syzkaller <syzkaller@googlegroups.com>,
        USB list <linux-usb@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        Dave Tian <dave.jing.tian@gmail.com>
Subject: Re: KASAN: slab-out-of-bounds Read in gadget_dev_desc_UDC_store
Message-ID: <20200501070538.GB887524@kroah.com>
References: <CAEAjamvq+puThrxfo80TOy=xgbQEQNT6xvxy4w6hP2O1By66uw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAEAjamvq+puThrxfo80TOy=xgbQEQNT6xvxy4w6hP2O1By66uw@mail.gmail.com>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Apr 30, 2020 at 11:03:54PM -0400, Kyungtae Kim wrote:
> We report a bug (in linux-5.6.8) found by FuzzUSB (a modified version
> of syzkaller).
> 
> This happened when the size of "name" buffer is smaller than that of
> "page" buffer
> (after function kstrdup executed at line 263).
> I guess it comes from the "page" buffer containing 0 value in the middle.
> So accessing the "name" buffer with "len" variable, which is used to
> indicate the size of "page" buffer,
> triggered memory access violation.
> To fix, it may need to check the size of name buffer, and try to use
> right index variable.

Can you submit a patch for this as you have a reproducer to test the
issue?

thanks,

greg k-h