Received: by 2002:a05:6358:c692:b0:131:369:b2a3 with SMTP id fe18csp223351rwb; Tue, 25 Jul 2023 14:53:19 -0700 (PDT) X-Google-Smtp-Source: APBJJlFlSa2wpik1mkT+tJevPJLK3pN0SdgNFbwW3l0ctV0RREr8gI225jFzP4uCGJDk71nebmwB X-Received: by 2002:a17:907:7783:b0:991:e7c3:5712 with SMTP id ky3-20020a170907778300b00991e7c35712mr96960ejc.30.1690321999045; Tue, 25 Jul 2023 14:53:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1690321999; cv=none; d=google.com; s=arc-20160816; b=m1Ztabz4yJ5yB4ITwg7OrxcbudgGncnZKhO+JbNObfKmaIhUYgS70CpAbrbq1UFD57 FRRbhQH3BHoiW7NBxFttk44pZ5oEJq5/JfCXFhK8HaCnx+yXsfyzuM+e6ck7woWZOQZQ i5QUOmjY0K0ZmvohSO+yvE+FNihLUvfejCiAYCInSPHgTBcE0yDMqhVIME5ylpScAn/g 4OR/d080o/QaxJYoJcDa1z+tM8+IkVDxf34xBD29VLr367AhBfcSeipcIYn8Tjpc0Qw9 +R0ogeaNfRvM94DENVQ9oDolQtAAlxOi/eLzcps9R9ciGi30vpAg5oMoRtV+lkYIvTHx BYQQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=q07ZfbutiRvstQH8mmaYvg9UxNddg/Oi7Sdo7G46hNk=; fh=M7tGW7u9cDsYa6rMNx19XgKq05/EYyisepsI2nKy5Gw=; b=Tfy2hz36EncpTbQO3XvqADuqRJonHWhmGfy8ad8OsS3m+5Pf0S69zbuz957sWEBgJe p4XdFQPhCjPNSjOFfGSGwaUROa/wKK1TLfgpcoL2pEUICbUmx7xrvqcFn+BfEvgQg7oG mQDuzeeR0JkeXhvilgxQVdE55FE1KZ9UJgxpti0GT5emti60M5p7zfhAJ10qaUFY0jXN wa1pm0U0aBhLLdA4dkO0s2IhXZdRK4jGvoIipCXdq6ms8lHH/b1kMB9oAx3wwRHLDguO Ko/gWaXqRCUGmO71Em17y4zGquJVSxjY7TzTg6n3xWjlcTXADJ6elTumKaGfZ6hmS/Ml BSRA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id ga12-20020a170906b84c00b00991dcfb1b07si8464417ejb.962.2023.07.25.14.52.54; Tue, 25 Jul 2023 14:53:19 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230291AbjGYVaz (ORCPT + 99 others); Tue, 25 Jul 2023 17:30:55 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60416 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229850AbjGYVat (ORCPT ); Tue, 25 Jul 2023 17:30:49 -0400 Received: from netrider.rowland.org (netrider.rowland.org [192.131.102.5]) by lindbergh.monkeyblade.net (Postfix) with SMTP id 2248B1FEF for ; Tue, 25 Jul 2023 14:30:26 -0700 (PDT) Received: (qmail 1901038 invoked by uid 1000); 25 Jul 2023 17:30:26 -0400 Date: Tue, 25 Jul 2023 17:30:26 -0400 From: Alan Stern To: Khazhy Kumykov Cc: syzbot , gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, syzkaller-bugs@googlegroups.com Subject: Re: [syzbot] [usb?] KASAN: slab-out-of-bounds Read in read_descriptors (3) Message-ID: <248d9759-aef7-45ce-b0a4-6c1cafee76c9@rowland.harvard.edu> References: <0000000000007fc04d06011e274f@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,SPF_HELO_PASS,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jul 25, 2023 at 01:42:01PM -0700, Khazhy Kumykov wrote: > On Tue, Jul 25, 2023 at 12:26 PM Alan Stern wrote: > > @@ -2671,12 +2671,17 @@ int usb_authorize_device(struct usb_devi > > } > > > > if (usb_dev->wusb) { > > - result = usb_get_device_descriptor(usb_dev, sizeof(usb_dev->descriptor)); > > - if (result < 0) { > > + struct usb_device_descriptor *descr; > > + > > + descr = usb_get_device_descriptor(usb_dev); > > + if (IS_ERR(descr)) { > > + result = PTR_ERR(descr); > > dev_err(&usb_dev->dev, "can't re-read device descriptor for " > > "authorization: %d\n", result); > > goto error_device_descriptor; > > } > > + usb_dev->descriptor = *descr; > Hmm, in your first patch you rejected diffs to the descriptor here, > which might be necessary - since we don't re-initialize the device so > can get a similar issue if the bad usb device decides to change > bNumConfigurations to cause a buffer overrun. (This also stuck out to > me as an exception to the "descriptors should be immutable" comment > later in the patch. I removed that part of the previous patch because there's no point to it. None of this code ever gets executed; the usb_dev->wusb test can never succeed because the kernel doesn't support wireless USB any more. (I asked Greg KH about that in a separate email thread: .) A later patch will remove all of the wireless USB stuff. The only real reason for leaving this much of the code there now is to prevent compilation errors and keep the form looking right. > > @@ -6018,7 +6064,7 @@ static int usb_reset_and_verify_device(s > > /* ep0 maxpacket size may change; let the HCD know about it. > > * Other endpoints will be handled by re-enumeration. */ > > usb_ep0_reinit(udev); > > - ret = hub_port_init(parent_hub, udev, port1, i); > > + ret = hub_port_init(parent_hub, udev, port1, i, &descriptor); > Looks like this is the only caller that passes &descriptor, and it > just checks that it didn't change. Would it make sense to put the > enitre descriptors_changed stanza in hub_port_init, for the re-init > case? The descriptors_changed check has to be _somewhere_, either here or there. I don't see what difference it makes whether the check is done in this routine or in hub_port_init. Since it doesn't matter, why change the existing code? Alan Stern