Received: by 2002:a05:6a10:2785:0:0:0:0 with SMTP id ia5csp164531pxb; Tue, 12 Jan 2021 23:54:11 -0800 (PST) X-Google-Smtp-Source: ABdhPJytFi+mR/mX0J6Bh7en/M1VjzZMxBpnO5swhW8dofBuiECZq6i+16QdqbDqJoOqvHNqB9Wu X-Received: by 2002:a17:906:e250:: with SMTP id gq16mr649021ejb.382.1610524451198; Tue, 12 Jan 2021 23:54:11 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1610524451; cv=none; d=google.com; s=arc-20160816; b=tXpcNmHo869FcobaX52cde6e9GL59ThNz0aRXYAt+raNO1bTy/oT3HOmsDamTxN/zJ KklW4mpk7/+Ui50ExxWNlb9UnhOdUe02ECzJHxdPk6SIS5v77y4wrmzyjEb8QQWHpqDi UojqoCJMQUT4588JHUkQfzMwP+7GlDrfNIooosTLTWAVsdkCL1vh7e5GKtxt8Pwtyd1p RJ3P5it5bY5dvMYM5ME7Qigd9fRQPF0MlsnkvSbr+KlPczvu9kVOFRpM+m5N4k2vjSTG whl4TAn7FIntsYM16Sh8lu5B/wB6gs+UR2tcuq0LcfzStrp9jKX/k5q+VTHYR8ko9fRv Txqw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=9UC3WqOSRiYcuFTiM0QqZNqlYdxaiG6fCPw/3f8TYXQ=; b=ZNpPhss6dpE7Np/o0LB0GNKBS+Do6tuzqHt9ljObk0zQni9tQEz3XXIss1zpfHlJ60 Bi83o1DCaX4kSY10SNMuC5vl6GX8mLn8jmzESWk/+jQuO9p4+p+X7CItH+oYTocwC4Uu TTNv/vH7GU06sSckt+78O5zbTvQQnvYyWAsgOuSdOe3ETuokQbHgnaQJ8GhA7w/QrCTm twaNEG7FUSZultABtRF2/ly+UDO/Bimpd5mz+AgZUhTvwAJt8nDzMyBo7EgYd4m3O60Q DFuHKS/4ZTP+feyuFLtTEO1duS5L0hFga+2InhD+/wSKkV7uZ5TqnSLd+8V0chhDO7mA ACRQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=i7DXqJIh; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id c35si623725edf.522.2021.01.12.23.53.47; Tue, 12 Jan 2021 23:54:11 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=i7DXqJIh; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726618AbhAMHwT (ORCPT + 99 others); Wed, 13 Jan 2021 02:52:19 -0500 Received: from mail.kernel.org ([198.145.29.99]:57618 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726136AbhAMHwT (ORCPT ); Wed, 13 Jan 2021 02:52:19 -0500 Received: by mail.kernel.org (Postfix) with ESMTPSA id 6D6392311F; Wed, 13 Jan 2021 07:51:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1610524298; bh=pGMaaIllS4magcVjWolOOHb7CsgiI5Zj3CzLFu268og=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=i7DXqJIhPex9YSxi4hMko3aevLv0nD8FOwFJsk5Xv7ZLBJZHFp+BnsuJDTaJ2S3XV nt0m0rRJokcZWQQRS9uGMRayzwaUtTE86maZmJ9u8dsX481uZSnLwl8WCf3r5usfNm YOid601TMw5JKB8HIW6aSpnL8BPSEwqlIPOtOmVE= Date: Wed, 13 Jan 2021 08:51:33 +0100 From: Greg KH To: =?utf-8?B?5oWV5Yas5Lqu?= Cc: linux-kernel , linux-media@vger.kernel.org, mchehab@kernel.org, sean@mess.org, anant.thazhemadam@gmail.com, syzkaller-bugs , Dmitry Vyukov Subject: Re: "UBSAN: shift-out-of-bounds in mceusb_dev_recv" should share the same root cause with "UBSAN: shift-out-of-bounds in mceusb_dev_printdata" Message-ID: References: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jan 13, 2021 at 01:04:44PM +0800, 慕冬亮 wrote: > Hi developers, > > I found that "UBSAN: shift-out-of-bounds in mceusb_dev_recv" and > "UBSAN: shift-out-of-bounds in mceusb_dev_printdata" should share the > same root cause. > The reason is that the PoCs after minimization has a high similarity > with the other. And their stack trace only diverges at the last > function call. The following is some analysis for this bug. > > The following code in the mceusb_process_ir_data is the vulnerable > -------------------------------------------------------------------------------------------------------------------------- > for (; i < buf_len; i++) { > switch (ir->parser_state) { > case SUBCMD: > ir->rem = mceusb_cmd_datasize(ir->cmd, ir->buf_in[i]); > mceusb_dev_printdata(ir, ir->buf_in, buf_len, i - 1, > ir->rem + 2, false); > if (i + ir->rem < buf_len) > mceusb_handle_command(ir, &ir->buf_in[i - 1]); > -------------------------------------------------------------------------------------------------------------------------- > > The first report crashes at a shift operation(1<<*hi) in mceusb_handle_command. > -------------------------------------------------------------------------------------------------------------------------- > static void mceusb_handle_command(struct mceusb_dev *ir, u8 *buf_in) > { > u8 *hi = &buf_in[2]; /* read only when required */ > if (cmd == MCE_CMD_PORT_SYS) { > switch (subcmd) { > case MCE_RSP_GETPORTSTATUS: > if (buf_in[5] == 0) > ir->txports_cabled |= 1 << *hi; > -------------------------------------------------------------------------------------------------------------------------- > > The second report crashes at another shift operation (1U << data[0]) > in mceusb_dev_printdata. > -------------------------------------------------------------------------------------------------------------------------- > static void mceusb_dev_printdata(struct mceusb_dev *ir, u8 *buf, int buf_len, > int offset, int len, bool out) > { > data = &buf[offset] + 2; > > period = DIV_ROUND_CLOSEST((1U << data[0] * 2) * > (data[1] + 1), 10); > -------------------------------------------------------------------------------------------------------------------------- > > >From the analysis, we can know the data[0] and *hi access the same > memory cell - ``ir->buf_in[i+1]``. So the root cause should be that it > misses the check of ir->buf_in[i+1]. > > For the patch of this bug, there is one from anant.thazhemadam@gmail.com: > -------------------------------------------------------------------------------------------------------------------------- > diff --git a/drivers/media/rc/mceusb.c b/drivers/media/rc/mceusb.c > index f1dbd059ed08..79de721b1c4a 100644 > --- a/drivers/media/rc/mceusb.c > +++ b/drivers/media/rc/mceusb.c > @@ -1169,7 +1169,7 @@ static void mceusb_handle_command(struct > mceusb_dev *ir, u8 *buf_in) > switch (subcmd) { > /* the one and only 5-byte return value command */ > case MCE_RSP_GETPORTSTATUS: > - if (buf_in[5] == 0) > + if ((buf_in[5] == 0) && (*hi <= 32)) > ir->txports_cabled |= 1 << *hi; > break; > -------------------------------------------------------------------------------------------------------------------------- > I tried this patch in the second crash report and found it does not > work. I think we should add another filter for the value in > ``ir->buf_in[i+1]``. > > With this grouping, I think developers can take into consideration the > issue in mceusb_dev_printdata and generate a complete patch for this > bug. Why not create a patch yourself and submit it? That way you get the correct credit for solving the problem. thanks, greg k-h