syzbot


UBSAN: shift-out-of-bounds in parse_audio_unit

Status: upstream: reported C repro on 2024/08/11 11:03
Reported-by: syzbot+4ae7d2c90e5ed50b8598@syzkaller.appspotmail.com
First crash: 102d, last: 43d
Fix bisection: fixed by the following commit:
commit cf8715aecc5bc0ae7ad0fcc0cd9887d3bf0f81a6
Author: Takashi Iwai <tiwai@suse.de>
Date: Mon Jul 15 12:35:54 2024 +0000

  ALSA: usb: Fix UBSAN warning in parse_audio_unit()

  
Bug presence (2)
Date        Name              Commit        Repro  Result
2024/11/04  lts (merge base)  aa4cd140bba5  C      Didn't crash
2024/11/04  upstream (ToT)    557329bcecc2  C      Didn't crash
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream UBSAN: shift-out-of-bounds in parse_audio_unit sound C error 3 131d 129d 27/28 fixed on 2024/08/14 03:44
android-5-15 UBSAN: shift-out-of-bounds in parse_audio_unit origin:lts C 18 10d 122d 0/2 upstream: reported C repro on 2024/07/22 02:50
linux-5.15 UBSAN: shift-out-of-bounds in parse_audio_unit origin:lts-only C done 8 4d03h 59d 0/3 upstream: reported C repro on 2024/09/22 18:15
Last patch testing requests (3)
Created           Duration  User          Patch  Repo           Result
2024/11/04 04:02  20m       retest repro  -      android14-6.1  OK
2024/08/25 11:31  13m       retest repro  -      android14-6.1  report
2024/08/25 11:31  14m       retest repro  -      android14-6.1  report
Fix bisection attempts (2)
Created           Duration  User        Patch  Repo           Result
2024/11/11 09:27  7h30m     bisect fix  -      android14-6.1  OK (1)
2024/10/08 16:27  2h39m     bisect fix  -      android14-6.1  OK (0)

Sample crash report:
usb 1-1: 0:2 : does not exist
================================================================================
UBSAN: shift-out-of-bounds in sound/usb/mixer.c:2059:20
shift exponent 41 is too large for 32-bit type 'int'
CPU: 0 PID: 19 Comm: kworker/0:1 Not tainted 6.1.90-syzkaller-00004-g79436849ef1d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
 dump_stack+0x15/0x1a lib/dump_stack.c:113
 ubsan_epilogue lib/ubsan.c:151 [inline]
 __ubsan_handle_shift_out_of_bounds+0x3e1/0x440 lib/ubsan.c:321
 parse_audio_feature_unit sound/usb/mixer.c:2059 [inline]
 parse_audio_unit+0x25f0/0x3c40 sound/usb/mixer.c:2909
 snd_usb_mixer_controls sound/usb/mixer.c:3254 [inline]
 snd_usb_create_mixer+0x1289/0x2e20 sound/usb/mixer.c:3601
 usb_audio_probe+0x15fe/0x2100 sound/usb/card.c:937
 usb_probe_interface+0x5b6/0xa90 drivers/usb/core/driver.c:397
 really_probe+0x2b8/0x920 drivers/base/dd.c:639
 __driver_probe_device+0x1a0/0x310 drivers/base/dd.c:808
 driver_probe_device+0x54/0x3d0 drivers/base/dd.c:838
 __device_attach_driver+0x2e3/0x490 drivers/base/dd.c:966
 bus_for_each_drv+0x183/0x200 drivers/base/bus.c:427
 __device_attach+0x312/0x510 drivers/base/dd.c:1038
 device_initial_probe+0x1a/0x20 drivers/base/dd.c:1087
 bus_probe_device+0xbe/0x1e0 drivers/base/bus.c:487
 device_add+0xb60/0xf10 drivers/base/core.c:3686
 usb_set_configuration+0x190f/0x1e80 drivers/usb/core/message.c:2165
 usb_generic_driver_probe+0x8b/0x150 drivers/usb/core/generic.c:238
 usb_probe_device+0x144/0x260 drivers/usb/core/driver.c:294
 really_probe+0x2b8/0x920 drivers/base/dd.c:639
 __driver_probe_device+0x1a0/0x310 drivers/base/dd.c:808
 driver_probe_device+0x54/0x3d0 drivers/base/dd.c:838
 __device_attach_driver+0x2e3/0x490 drivers/base/dd.c:966
 bus_for_each_drv+0x183/0x200 drivers/base/bus.c:427
 __device_attach+0x312/0x510 drivers/base/dd.c:1038
 device_initial_probe+0x1a/0x20 drivers/base/dd.c:1087
 bus_probe_device+0xbe/0x1e0 drivers/base/bus.c:487
 device_add+0xb60/0xf10 drivers/base/core.c:3686
 usb_new_device+0xf2f/0x1820 drivers/usb/core/hub.c:2645
 hub_port_connect drivers/usb/core/hub.c:5553 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5693 [inline]
 port_event drivers/usb/core/hub.c:5853 [inline]
 hub_event+0x2db1/0x4830 drivers/usb/core/hub.c:5935
 process_one_work+0x73d/0xcb0 kernel/workqueue.c:2299
 worker_thread+0xa60/0x1260 kernel/workqueue.c:2446
 kthread+0x26d/0x300 kernel/kthread.c:386
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
 </TASK>
================================================================================
usb 1-1: 5:0: cannot get min/max values for control 2 (id 5)
usb 1-1: USB disconnect, device number 2
usb 1-1: new high-speed USB device number 3 using dummy_hcd
usb 1-1: config 1 has an invalid descriptor of length 0, skipping remainder of the config
usb 1-1: config 1 has 1 interface, different from the descriptor's value: 3
usb 1-1: New USB device found, idVendor=08b7, idProduct=0000, bcdDevice= 0.00
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=3
usb 1-1: SerialNumber: syz
usb 1-1: 0:2 : does not exist
usb 1-1: 5:0: cannot get min/max values for control 2 (id 5)
usb 1-1: USB disconnect, device number 3
usb 1-1: new high-speed USB device number 4 using dummy_hcd
usb 1-1: config 1 has an invalid descriptor of length 0, skipping remainder of the config
usb 1-1: config 1 has 1 interface, different from the descriptor's value: 3
usb 1-1: New USB device found, idVendor=08b7, idProduct=0000, bcdDevice= 0.00
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=3
usb 1-1: SerialNumber: syz
usb 1-1: 0:2 : does not exist
usb 1-1: 5:0: cannot get min/max values for control 2 (id 5)
usb 1-1: USB disconnect, device number 4
usb 1-1: new high-speed USB device number 5 using dummy_hcd
usb 1-1: config 1 has an invalid descriptor of length 0, skipping remainder of the config
usb 1-1: config 1 has 1 interface, different from the descriptor's value: 3
usb 1-1: New USB device found, idVendor=08b7, idProduct=0000, bcdDevice= 0.00
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=3
usb 1-1: SerialNumber: syz
usb 1-1: 0:2 : does not exist
usb 1-1: 5:0: cannot get min/max values for control 2 (id 5)
usb 1-1: USB disconnect, device number 5
usb 1-1: new high-speed USB device number 6 using dummy_hcd
usb 1-1: config 1 has an invalid descriptor of length 0, skipping remainder of the config
usb 1-1: config 1 has 1 interface, different from the descriptor's value: 3
usb 1-1: New USB device found, idVendor=08b7, idProduct=0000, bcdDevice= 0.00
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=3
usb 1-1: SerialNumber: syz
usb 1-1: 0:2 : does not exist
usb 1-1: 5:0: cannot get min/max values for control 2 (id 5)
usb 1-1: USB disconnect, device number 6
usb 1-1: new high-speed USB device number 7 using dummy_hcd
usb 1-1: config 1 has an invalid descriptor of length 0, skipping remainder of the config
usb 1-1: config 1 has 1 interface, different from the descriptor's value: 3
usb 1-1: New USB device found, idVendor=08b7, idProduct=0000, bcdDevice= 0.00
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=3
usb 1-1: SerialNumber: syz
usb 1-1: 0:2 : does not exist
usb 1-1: 5:0: cannot get min/max values for control 2 (id 5)
usb 1-1: USB disconnect, device number 7
usb 1-1: new high-speed USB device number 8 using dummy_hcd
usb 1-1: config 1 has an invalid descriptor of length 0, skipping remainder of the config
usb 1-1: config 1 has 1 interface, different from the descriptor's value: 3
usb 1-1: New USB device found, idVendor=08b7, idProduct=0000, bcdDevice= 0.00
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=3
usb 1-1: SerialNumber: syz
usb 1-1: 0:2 : does not exist
usb 1-1: 5:0: cannot get min/max values for control 2 (id 5)
usb 1-1: USB disconnect, device number 8
usb 1-1: new high-speed USB device number 9 using dummy_hcd
usb 1-1: config 1 has an invalid descriptor of length 0, skipping remainder of the config
usb 1-1: config 1 has 1 interface, different from the descriptor's value: 3
usb 1-1: New USB device found, idVendor=08b7, idProduct=0000, bcdDevice= 0.00
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=3
usb 1-1: SerialNumber: syz
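What the report above is saying: parse_audio_feature_unit() derives the channel count of a UAC1 Feature Unit descriptor from its length, (bLength - 7) / bControlSize - 1, and then builds a 32-bit per-channel bitmap with a shift of 1 by the channel index. A descriptor supplied by the (emulated) device can claim far more channels than 32, and with 42 channels the loop reaches the shift exponent 41 that UBSAN flags. Nothing on the device side is trusted here: the descriptor arrives over USB, so a hostile gadget controls the channel count. The block below is an added example written for this page, not code from the kernel or from the fix commit listed above. It models the descriptor arithmetic on a constructed descriptor, reports the largest shift exponent an unchecked loop would reach, and shows a hardened parser that rejects channel counts above 32 before shifting; that cap is this example's choice, not a claim about how the upstream commit fixes it. Field offsets follow the USB Audio Class 1.0 Feature Unit layout; the unit/source IDs and control bits in the constructed descriptor are arbitrary.

```c
/*
 * Added example (not kernel code): UAC1 Feature Unit descriptor parsing,
 * unchecked vs. hardened, to illustrate the UBSAN shift-out-of-bounds above.
 *
 * UAC1 Feature Unit descriptor layout (USB Audio Class 1.0, 4.3.2.5):
 *   bLength, bDescriptorType, bDescriptorSubtype, bUnitID, bSourceID,
 *   bControlSize, bmaControls[(channels + 1) * bControlSize], iFeature
 * so channels = (bLength - 7) / bControlSize - 1.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define UAC_DT_CS_INTERFACE 0x24   /* CS_INTERFACE descriptor type */
#define UAC_FEATURE_UNIT    0x06   /* FEATURE_UNIT subtype */
#define UAC_FU_VOLUME_BIT   0x02   /* bit 1 of bmaControls: Volume control */

/* Channel count implied by a UAC1 feature-unit descriptor, or -EINVAL when
 * the descriptor is truncated, mistyped, or has a bogus control size. */
static int feature_unit_channels(const uint8_t *desc, size_t avail)
{
    if (avail < 7 || desc[0] < 7 || (size_t)desc[0] > avail)
        return -EINVAL;
    if (desc[1] != UAC_DT_CS_INTERFACE || desc[2] != UAC_FEATURE_UNIT)
        return -EINVAL;
    int csize = desc[5];
    if (csize == 0)
        return -EINVAL;
    int channels = (desc[0] - 7) / csize - 1;   /* -1 if even master is missing */
    return channels < 0 ? -EINVAL : channels;
}

/* The largest exponent an unchecked `ch_bits |= 1 << j` loop over
 * j = 0..channels-1 would use.  Anything above 31 is undefined behaviour
 * on a 32-bit int; the report above shows 41, i.e. a 42-channel unit. */
static int max_shift_exponent(int channels)
{
    return channels - 1;
}

/* Hardened variant: refuse channel counts that cannot be represented in a
 * 32-bit channel bitmap before any shift happens.  Capping at 32 is this
 * example's choice, not a statement about the upstream fix. */
static int parse_feature_unit_hardened(const uint8_t *desc, size_t avail,
                                       uint32_t *ch_bits_out)
{
    int channels = feature_unit_channels(desc, avail);
    if (channels < 0)
        return channels;
    if (channels > 32)
        return -EINVAL;                 /* rejected before shifting */

    unsigned csize = desc[5];
    const uint8_t *bma = desc + 6;      /* bma[0..csize-1] is the master channel */
    uint32_t ch_bits = 0;
    for (int j = 0; j < channels; j++) {
        uint32_t mask = 0;
        /* little-endian bitmap for logical channel j+1; never shift >= 32 */
        for (unsigned b = 0; b < csize && b < 4; b++)
            mask |= (uint32_t)bma[csize * (j + 1) + b] << (8 * b);
        if (mask & UAC_FU_VOLUME_BIT)
            ch_bits |= 1u << j;         /* j <= 31 here, well defined */
    }
    *ch_bits_out = ch_bits;
    return 0;
}

/* Constructed descriptor with `channels` logical channels, bControlSize 1,
 * and Volume advertised on every channel.  Returns its length, 0 on error. */
static size_t build_feature_unit(uint8_t *buf, size_t cap, int channels)
{
    size_t len = 7 + (size_t)channels + 1;
    if (channels < 0 || len > 255 || len > cap)
        return 0;
    memset(buf, 0, len);
    buf[0] = (uint8_t)len;
    buf[1] = UAC_DT_CS_INTERFACE;
    buf[2] = UAC_FEATURE_UNIT;
    buf[3] = 5;                         /* bUnitID (arbitrary) */
    buf[4] = 4;                         /* bSourceID (arbitrary) */
    buf[5] = 1;                         /* bControlSize */
    for (int j = 1; j <= channels; j++)
        buf[6 + j] = UAC_FU_VOLUME_BIT; /* per-channel controls; master stays 0 */
    return len;                         /* iFeature at buf[len-1] is already 0 */
}

int main(void)
{
    uint8_t buf[256];
    uint32_t bits = 0;
    size_t len = build_feature_unit(buf, sizeof buf, 42);
    int ch = feature_unit_channels(buf, len);
    printf("42-channel unit: channels=%d, unchecked loop would shift by up to %d\n",
           ch, max_shift_exponent(ch));
    printf("hardened parse: %d (expect -EINVAL=%d)\n",
           parse_feature_unit_hardened(buf, len, &bits), -EINVAL);
    len = build_feature_unit(buf, sizeof buf, 2);
    int rc = parse_feature_unit_hardened(buf, len, &bits);
    printf("stereo unit: rc=%d ch_bits=0x%x\n", rc, bits);
    return 0;
}
```

The point for reviewers of descriptor parsers generally: any count derived from a device-supplied length must be bounded against the width of whatever bitmap or array it indexes before the first shift or store, not after. Here the 42-channel descriptor is rejected up front, while a normal stereo unit yields a channel bitmap of 0x3.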

Crashes (3):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/08/11 11:30 android14-6.1 79436849ef1d 6f4edef4 .config strace log report syz / log C [disk image] [vmlinux] [kernel image] ci2-android-6-1 UBSAN: shift-out-of-bounds in parse_audio_unit
2024/08/11 11:00 android14-6.1 79436849ef1d 6f4edef4 .config strace log report syz / log C [disk image] [vmlinux] [kernel image] ci2-android-6-1 UBSAN: shift-out-of-bounds in parse_audio_unit
2024/08/11 10:32 android14-6.1 79436849ef1d 6f4edef4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-6-1 UBSAN: shift-out-of-bounds in parse_audio_unit
* Struck through repros no longer work on HEAD.