Date: Fri, 22 Sep 2023 11:49:13 +0200
Message-ID: <877coiedwm.wl-tiwai@suse.de>
From: Takashi Iwai
To: "Ricardo B. Marliere"
Cc: Jaroslav Kysela, Takashi Iwai, Ruslan Bilovol, Sean Young, Mauro Carvalho Chehab, linux-media@vger.kernel.org, alsa-devel@alsa-project.org, linux-kernel@vger.kernel.org, linux-kernel-mentees@lists.linuxfoundation.org, syzbot+59875ffef5cb9c9b29e9@syzkaller.appspotmail.com
Subject: Re: [PATCH] sound: usb: increase snd_card alloc size
In-Reply-To: <87h6nmegt9.wl-tiwai@suse.de>
References: <20230922005152.163640-1-ricardo@marliere.net> <87h6nmegt9.wl-tiwai@suse.de>

On Fri, 22 Sep 2023 10:46:26 +0200,
Takashi Iwai wrote:
>
> On Fri, 22 Sep 2023 02:51:53 +0200,
> Ricardo B. Marliere wrote:
> >
> > Syzbot reports a slab-out-of-bounds read of a snd_card object. When
> > snd_usb_audio_create calls snd_card_new, it passes sizeof(*chip) as the
> > extra_size argument, which is not enough in this case.
> >
> > Relevant logs below:
> >
> > BUG: KASAN: slab-out-of-bounds in imon_probe+0x2983/0x3910
> > Read of size 1 at addr ffff8880436a2c71 by task kworker/1:2/777
> > (...)
> > The buggy address belongs to the object at ffff8880436a2000
> > which belongs to the cache kmalloc-4k of size 4096
> > The buggy address is located 1 bytes to the right of
> > allocated 3184-byte region [ffff8880436a2000, ffff8880436a2c70)
> >
> > Reported-by: syzbot+59875ffef5cb9c9b29e9@syzkaller.appspotmail.com
> > Closes: https://lore.kernel.org/all/000000000000a838aa0603cc74d6@google.co/m
> > Signed-off-by: Ricardo B. Marliere
> > ---
> >  sound/usb/card.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/sound/usb/card.c b/sound/usb/card.c
> > index 1b2edc0fd2e9..6578326d33e8 100644
> > --- a/sound/usb/card.c
> > +++ b/sound/usb/card.c
> > @@ -619,7 +619,7 @@ static int snd_usb_audio_create(struct usb_interface *intf,
> >  	}
> >
> >  	err = snd_card_new(&intf->dev, index[idx], id[idx], THIS_MODULE,
> > -			   sizeof(*chip), &card);
> > +			   sizeof(*chip) + 2, &card);
>
> Sorry, it's a no-no.  We have to fix the cause of the OOB access instead
> of papering over it with a random increase.
>
> Unfortunately, the most important piece of information is trimmed in the
> changelog, so I can't judge what's going on.  The only useful info
> there is that it's something to do with the imon driver, but it's
> completely independent from USB-audio.  How does it access the
> external memory allocated by the snd-usb-audio driver at all?
>
> Before jumping to the solution, we must understand the problem.

Now I took a look at the syzbot URL and got more info.  From a quick
glance, my wild guess is that two different drivers are bound to two
interfaces of the device, the first one to usb-audio and the second one
to imon.  And the imon driver blindly assumes that the first interface
is bound to imon, too, and that can be the cause.

A patch like below (totally untested!) might fix the problem.

Can you reproduce the problem on your side?  Or did you pick this up
randomly without testing?

Anyway, let's put the media people on Cc.


thanks,

Takashi
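Review bot: on the quoted sound/usb/card.c hunk above, `sizeof(*chip) + 2` hardcodes an arbitrary slack that does not follow from any data structure; the KASAN report in the same message places the 1-byte read in imon_probe, one byte past a 3184-byte region owned by snd-usb-audio, so the allocation size here is not the defect and a larger extra_size would only hide the faulty read until the next layout change. The fix belongs in whichever code reinterprets that memory. Also, the Closes: URL ends in `google.co/m`, which looks like a transposed `google.com/`.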
--- a/drivers/media/rc/imon.c
+++ b/drivers/media/rc/imon.c
@@ -2427,6 +2427,12 @@ static int imon_probe(struct usb_interface *interface,
 		goto fail;
 	}
 
+	if (first_if->dev.driver != interface->dev.driver) {
+		dev_err(&interface->dev, "inconsistent driver matching\n");
+		ret = -EINVAL;
+		goto fail;
+	}
+
 	if (ifnum == 0) {
 		ictx = imon_init_intf0(interface, id);
 		if (!ictx) {
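Review bot: the new check dereferences first_if to compare first_if->dev.driver with interface->dev.driver, but the hunk's context does not show where first_if is looked up; if it comes from usb_ifnum_to_if(), which returns NULL when the interface number is absent, that NULL case must already be handled above, or the guard itself can fault. Consider also whether -EINVAL is the right result: when probe merely declines an interface whose sibling is bound to another driver, -ENODEV is the conventional return and lets the USB core move on, and dev_err may be too loud for a legitimate configuration where interface 0 belongs to usb-audio (dev_dbg or dev_info would do).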