syzbot

 sign-in | mailing list | source | docs
🐞 Open [1217]
Subsystems
🐞 Fixed [5619]
🐞 Invalid [13498]
Missing Backports [100]
Kernel Health Bugs/Month Bug Lifetimes Fuzzing Crashes
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

UBSAN: shift-out-of-bounds in parse_audio_unit

Status: fixed on 2024/08/14 03:44
Subsystems: sound
[Documentation on labels]
Reported-by: syzbot+78d5b129a762182225aa@syzkaller.appspotmail.com
Fix commit: 2f38cf730cae ALSA: usb: Fix UBSAN warning in parse_audio_unit()
First crash: 59d, last: 56d
Cause bisection: failed (error log, bisect log)
  
Discussions (8)
Title Replies (including bot) Last reply
[PATCH AUTOSEL 4.19 4/4] ALSA: usb: Fix UBSAN warning in parse_audio_unit() 1 (1) 2024/07/28 16:10
[PATCH AUTOSEL 5.4 7/7] ALSA: usb: Fix UBSAN warning in parse_audio_unit() 1 (1) 2024/07/28 16:10
[PATCH AUTOSEL 5.10 11/11] ALSA: usb: Fix UBSAN warning in parse_audio_unit() 1 (1) 2024/07/28 16:09
[PATCH AUTOSEL 5.15 13/13] ALSA: usb: Fix UBSAN warning in parse_audio_unit() 1 (1) 2024/07/28 16:08
[PATCH AUTOSEL 6.1 15/15] ALSA: usb: Fix UBSAN warning in parse_audio_unit() 1 (1) 2024/07/28 16:07
[PATCH AUTOSEL 6.6 17/17] ALSA: usb: Fix UBSAN warning in parse_audio_unit() 1 (1) 2024/07/28 16:06
[PATCH AUTOSEL 6.10 23/23] ALSA: usb: Fix UBSAN warning in parse_audio_unit() 1 (1) 2024/07/28 16:05
[syzbot] [sound?] [usb?] UBSAN: shift-out-of-bounds in parse_audio_unit 3 (7) 2024/07/16 11:25
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-5-15 UBSAN: shift-out-of-bounds in parse_audio_unit origin:lts C 8 11d 47d 0/2 upstream: reported C repro on 2024/07/22 02:50
android-6-1 UBSAN: shift-out-of-bounds in parse_audio_unit origin:lts C 3 13d 27d 0/2 upstream: reported C repro on 2024/08/11 11:03
Last patch testing requests (3)
Created Duration User Patch Repo Result
2024/07/16 10:24 27m eadavis@qq.com patch git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git a19ea421490d OK log
2024/07/16 10:20 16m eadavis@qq.com patch git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git a19ea421490d report log
2024/07/16 07:05 17m eadavis@qq.com patch git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git a19ea421490d report log

Sample crash report:
usb 1-1: 0:2 : does not exist
------------[ cut here ]------------
UBSAN: shift-out-of-bounds in sound/usb/mixer.c:2057:20
shift exponent 42 is too large for 32-bit type 'int'
CPU: 1 PID: 45 Comm: kworker/1:1 Not tainted 6.10.0-rc7-syzkaller-00025-ga19ea421490d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 ubsan_epilogue lib/ubsan.c:231 [inline]
 __ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468
 parse_audio_feature_unit sound/usb/mixer.c:2057 [inline]
 parse_audio_unit+0x277d/0x3f10 sound/usb/mixer.c:2907
 snd_usb_mixer_controls sound/usb/mixer.c:3252 [inline]
 snd_usb_create_mixer+0x1365/0x2fa0 sound/usb/mixer.c:3599
 usb_audio_probe+0x1688/0x2100 sound/usb/card.c:888
 usb_probe_interface+0x645/0xbb0 drivers/usb/core/driver.c:399
 really_probe+0x2b8/0xad0 drivers/base/dd.c:656
 __driver_probe_device+0x1a2/0x390 drivers/base/dd.c:798
 driver_probe_device+0x50/0x430 drivers/base/dd.c:828
 __device_attach_driver+0x2d6/0x530 drivers/base/dd.c:956
 bus_for_each_drv+0x24e/0x2e0 drivers/base/bus.c:457
 __device_attach+0x333/0x520 drivers/base/dd.c:1028
 bus_probe_device+0x189/0x260 drivers/base/bus.c:532
 device_add+0x856/0xbf0 drivers/base/core.c:3679
 usb_set_configuration+0x1976/0x1fb0 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0x88/0x140 drivers/usb/core/generic.c:254
 usb_probe_device+0x1b8/0x380 drivers/usb/core/driver.c:294
 really_probe+0x2b8/0xad0 drivers/base/dd.c:656
 __driver_probe_device+0x1a2/0x390 drivers/base/dd.c:798
 driver_probe_device+0x50/0x430 drivers/base/dd.c:828
 __device_attach_driver+0x2d6/0x530 drivers/base/dd.c:956
 bus_for_each_drv+0x24e/0x2e0 drivers/base/bus.c:457
 __device_attach+0x333/0x520 drivers/base/dd.c:1028
 bus_probe_device+0x189/0x260 drivers/base/bus.c:532
 device_add+0x856/0xbf0 drivers/base/core.c:3679
 usb_new_device+0x104a/0x19a0 drivers/usb/core/hub.c:2651
 hub_port_connect drivers/usb/core/hub.c:5521 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
 port_event drivers/usb/core/hub.c:5821 [inline]
 hub_event+0x2d6a/0x5150 drivers/usb/core/hub.c:5903
 process_one_work kernel/workqueue.c:3248 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3329
 worker_thread+0x86d/0xd50 kernel/workqueue.c:3409
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
---[ end trace ]---

Crashes (3):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/07/11 10:40 upstream a19ea421490d c699c2eb .config strace log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce UBSAN: shift-out-of-bounds in parse_audio_unit
2024/07/13 04:22 upstream e091caf99f3a eaeb5c15 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce UBSAN: shift-out-of-bounds in parse_audio_unit
2024/07/10 22:08 upstream a19ea421490d e7213be3 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce UBSAN: shift-out-of-bounds in parse_audio_unit
* Struck through repros no longer work on HEAD.