Date: Wed, 26 Jul 2023 06:00:39 +0200
From: Greg KH
To: Khazhy Kumykov
Cc: Alan Stern, syzbot, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [usb?] KASAN: slab-out-of-bounds Read in read_descriptors (3)
Message-ID: <2023072648-exclaim-crisply-9d8a@gregkh>
References: <0000000000007fc04d06011e274f@google.com> <248d9759-aef7-45ce-b0a4-6c1cafee76c9@rowland.harvard.edu>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jul 25, 2023 at 02:46:37PM -0700, Khazhy Kumykov wrote:
> On Tue, Jul 25, 2023 at 2:30 PM Alan Stern wrote:
> >
> > On Tue, Jul 25, 2023 at 01:42:01PM -0700, Khazhy Kumykov wrote:
> > > On Tue, Jul 25, 2023 at 12:26 PM Alan Stern wrote:
> >
> > > > @@ -2671,12 +2671,17 @@ int usb_authorize_device(struct usb_devi
> > > >  	}
> > > >
> > > >  	if (usb_dev->wusb) {
> > > > -		result = usb_get_device_descriptor(usb_dev, sizeof(usb_dev->descriptor));
> > > > -		if (result < 0) {
> > > > +		struct usb_device_descriptor *descr;
> > > > +
> > > > +		descr = usb_get_device_descriptor(usb_dev);
> > > > +		if (IS_ERR(descr)) {
> > > > +			result = PTR_ERR(descr);
> > > >  			dev_err(&usb_dev->dev, "can't re-read device descriptor for "
> > > >  				"authorization: %d\n", result);
> > > >  			goto error_device_descriptor;
> > > >  		}
> > > > +		usb_dev->descriptor = *descr;
> > > Hmm, in your first patch you rejected diffs to the descriptor here,
> > > which might be necessary - since we don't re-initialize the device so
> > > can get a similar issue if the bad usb device decides to change
> > > bNumConfigurations to cause a buffer overrun. (This also stuck out to
> > > me as an exception to the "descriptors should be immutable" comment
> > > later in the patch.)
> >
> > I removed that part of the previous patch because there's no point to
> > it.  None of this code ever gets executed; the usb_dev->wusb test can
> > never succeed because the kernel doesn't support wireless USB any more.
> > (I asked Greg KH about that in a separate email thread:
> > .)
> >
> > A later patch will remove all of the wireless USB stuff.  The only real
> > reason for leaving this much of the code there now is to prevent
> > compilation errors and keep the form looking right.
> Ah ok, cool.
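Review bot: `+ usb_dev->descriptor = *descr;` copies whatever the device returned on re-read over the cached descriptor without comparing it to the one used at enumeration, so if this branch were reachable a device that grew bNumConfigurations between enumeration and authorization would leave usb_dev->descriptor inconsistent with the configuration arrays already sized from the old value, which is exactly the concern raised in the thread. Since Alan states the wusb branch is dead and slated for removal, either a one-line comment on `if (usb_dev->wusb) {` saying so, or the same descriptors_changed comparison the reset path uses, would stop this block from contradicting the "descriptors should be immutable" rule elsewhere in the patch. Separately, the visible lines show no kfree(descr) after the copy; given the IS_ERR/PTR_ERR handling and the "malloc'd copy" mentioned later in the thread, confirm the buffer is released on both the success path and the error_device_descriptor path outside this hunk.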
> >
> > > > @@ -6018,7 +6064,7 @@ static int usb_reset_and_verify_device(s
> > > >  	/* ep0 maxpacket size may change; let the HCD know about it.
> > > >  	 * Other endpoints will be handled by re-enumeration. */
> > > >  	usb_ep0_reinit(udev);
> > > > -	ret = hub_port_init(parent_hub, udev, port1, i);
> > > > +	ret = hub_port_init(parent_hub, udev, port1, i, &descriptor);
> > > Looks like this is the only caller that passes &descriptor, and it
> > > just checks that it didn't change. Would it make sense to put the
> > > entire descriptors_changed stanza in hub_port_init, for the re-init
> > > case?
> >
> > The descriptors_changed check has to be _somewhere_, either here or
> > there.  I don't see what difference it makes whether the check is done
> > in this routine or in hub_port_init.  Since it doesn't matter, why
> > change the existing code?
> No strong feelings, but it lets us remove the variable in
> usb_reset_and_verify_device() and directly check on the malloc'd copy,
> instead of copying back up to here.
>
> Overall, looks good to my naive eyes.
>
> CVE-2023-37453 was filed for this syzbot report, I'm not sure how that
> system gets tracked, but might be good to mention for folks looking
> for a fix.

Who filed CVEs for random syzbot reports?  That's crazy, and no, we
aren't going to track it as CVEs mean nothing for the kernel as I've
said many times.

thanks,

greg k-h
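Review bot: the new fifth argument in `+ ret = hub_port_init(parent_hub, udev, port1, i, &descriptor);` has no documented contract in the hunk, and per the discussion this is the only caller that passes a non-NULL pointer. A kernel-doc line on hub_port_init() should state that, when the pointer is non-NULL, the descriptor read during port initialisation is copied out for the caller, that NULL is accepted by every other caller, and that the caller (not hub_port_init) performs the descriptors_changed comparison against udev->descriptor rather than copying the new one in. A short comment at this call site saying that `descriptor` is compared, never written into udev, would also make the immutability intent visible where the question in the thread arose.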
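The failure mode discussed above, as an added example that is not code from the thread or from the kernel: a minimal model of the descriptor-immutability check. A device's configuration storage is sized once from the descriptor read at enumeration; a later re-read that reports a different descriptor (for instance a larger bNumConfigurations) is rejected instead of being copied over the cached one, and the reader only ever iterates the allocated count. The struct layout, function names and sample values are assumptions for the example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Subset of the USB device descriptor fields (layout assumed for this example). */
struct dev_desc {
    uint16_t idVendor, idProduct, bcdDevice;
    uint8_t  bNumConfigurations;
};

struct dev {
    struct dev_desc descriptor;  /* cached copy taken at enumeration */
    size_t   nconfigs;           /* entries actually allocated in config_len[] */
    uint8_t *config_len;         /* per-configuration data, constructed sample */
};

/* Enumeration: storage is sized once, from the descriptor read at that time.
 * The +1 only avoids calloc(0) for a device reporting zero configurations. */
static int dev_enumerate(struct dev *d, const struct dev_desc *desc) {
    d->descriptor = *desc;
    d->nconfigs = desc->bNumConfigurations;
    d->config_len = calloc(d->nconfigs + 1, sizeof *d->config_len);
    return d->config_len ? 0 : -1;
}

/* descriptors_changed-style check for the re-read paths (authorize,
 * reset-and-verify): the cached descriptor is kept only if the device still
 * reports the same one. Returns 0 if unchanged, -1 if it changed; a driver
 * would fail the re-init here rather than overwrite the cached copy. */
static int dev_accept_reread(const struct dev *d, const struct dev_desc *reread) {
    const struct dev_desc *c = &d->descriptor;
    if (c->idVendor != reread->idVendor || c->idProduct != reread->idProduct ||
        c->bcdDevice != reread->bcdDevice ||
        c->bNumConfigurations != reread->bNumConfigurations)
        return -1;
    return 0;
}

/* Sysfs-style reader: bounds the loop by the allocated count, never by a
 * count the device can change later, so a grown bNumConfigurations cannot
 * index past config_len[]. Returns the byte total of the configs it read. */
static size_t dev_read_descriptors(const struct dev *d, uint8_t claimed_configs) {
    size_t n = claimed_configs, total = 0, i;
    if (n > d->nconfigs)
        n = d->nconfigs;
    for (i = 0; i < n; i++)
        total += d->config_len[i];
    return total;
}
```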