From: Kyungtae Kim
Date: Wed, 6 May 2020 00:08:16 -0400
Subject: Re: KASAN: slab-out-of-bounds Read in gadget_dev_desc_UDC_store
To: Greg KH
Cc: balbi@kernel.org, syzkaller, USB list, LKML, Dave Tian
In-Reply-To: <20200501070538.GB887524@kroah.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, May 01, 2020 at 09:05:38AM +0200, Greg KH wrote:
> On Thu, Apr 30, 2020 at 11:03:54PM -0400, Kyungtae Kim wrote:
> > We report a bug (in linux-5.6.8) found by FuzzUSB (a modified version
> > of syzkaller).
> >
> > This happened when the size of "name" buffer is smaller than that of
> > "page" buffer
> > (after function kstrdup executed at line 263).
> > I guess it comes from the "page" buffer containing 0 value in the middle.
> > So accessing the "name" buffer with "len" variable, which is used to
> > indicate the size of "page" buffer,
> > triggered memory access violation.
> > To fix, it may need to check the size of name buffer, and try to use
> > right index variable.
>
> Can you submit a patch for this as you have a reproducer to test the
> issue?
>
> thanks,
>
> greg k-h

I just submitted a patch after testing with the repro.

Regards,
Kyungtae
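
Added example, not part of the original message and not the kernel source: a user-space C model of the pattern the quoted report describes (a string copy that stops at the first NUL, then indexed with `len`), next to a checked variant. The function names, the sample inputs and the `-EOVERFLOW` return value are assumptions made for this illustration.

```c
/* User-space model of the reported pattern; hypothetical helper names. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Reported pattern: the copy of "page" ends at the first NUL, but the index
 * is derived from len (the size of the write). Returns 1 if name[len - 1]
 * lies inside the copy's allocation, 0 if it would be out of bounds.
 * The access itself is never performed here. */
static int len_index_in_bounds(const char *page, size_t len)
{
    size_t alloc = strlen(page) + 1;    /* bytes a kstrdup()-style copy holds */
    return len >= 1 && len - 1 < alloc;
}

/* Checked variant: reject a write whose string is shorter than len, then
 * index with the copy's own length. Returns a malloc'd name with one
 * trailing newline stripped, or NULL with *err set to a negative errno. */
static char *store_name_checked(const char *page, size_t len, int *err)
{
    size_t n = strlen(page);
    char *name;

    *err = 0;
    if (n < len) {                      /* embedded NUL: copy would be short */
        *err = -EOVERFLOW;
        return NULL;
    }
    name = malloc(n + 1);
    if (!name) {
        *err = -ENOMEM;
        return NULL;
    }
    memcpy(name, page, n + 1);
    if (n > 0 && name[n - 1] == '\n')   /* index bounded by the copy itself */
        name[n - 1] = '\0';
    return name;
}

int main(void)
{
    /* Constructed inputs: a normal write and one with an embedded NUL. */
    static const char ok[] = "dummy_udc.0\n", bad[] = "ab\0cdefgh\n";
    int err;
    char *name = store_name_checked(ok, sizeof(ok) - 1, &err);

    printf("ok:  in_bounds=%d name=%s\n",
           len_index_in_bounds(ok, sizeof(ok) - 1), name ? name : "(null)");
    free(name);
    name = store_name_checked(bad, sizeof(bad) - 1, &err);
    printf("bad: in_bounds=%d err=%d\n",
           len_index_in_bounds(bad, sizeof(bad) - 1), err);
    free(name);
    return 0;
}
```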