syzbot


KASAN: slab-out-of-bounds Read in hfa384x_usbin_callback

Status: fixed on 2020/05/10 10:41
Subsystems: staging usb
[Documentation on labels]
Reported-by: syzbot+7d42d68643a35f71ac8a@syzkaller.appspotmail.com
Fix commit: 1165dd73e811 staging: wlan-ng: fix use-after-free Read in hfa384x_usbin_callback
First crash: 1528d, last: 1528d
Duplicate bugs (1)
duplicates (1):
Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
KASAN: use-after-free Read in hfa384x_usbin_callback staging usb C 3 1521d 1526d 0/26 closed as dup on 2020/03/23 13:44
Discussions (11)
Title Replies (including bot) Last reply
KASAN: slab-out-of-bounds Read in hfa384x_usbin_callback 8 (10) 2020/05/08 13:51
[PATCH 4.9 000/102] 4.9.218-rc1 review 112 (112) 2020/04/07 06:05
[PATCH 5.6 00/23] 5.6.1-rc1 review 47 (47) 2020/04/04 08:41
[PATCH 4.14 000/148] 4.14.175-rc1 review 153 (153) 2020/04/02 22:47
[PATCH 4.19 000/116] 4.19.114-rc1 review 129 (129) 2020/04/02 20:04
[PATCH 5.5 000/170] 5.5.14-rc1 review 180 (180) 2020/04/02 17:40
[PATCH 4.4 00/91] 4.4.218-rc1 review 97 (97) 2020/04/02 14:13
[PATCH 5.4 000/155] 5.4.29-rc1 review 156 (156) 2020/03/31 08:59
[PATCH] staging: wlan-ng: fix use-after-free Read in hfa384x_usbin_callback 1 (1) 2020/03/26 13:18
Re: KASAN: slab-out-of-bounds Read in hfa384x_usbin_callback 2 (3) 2020/03/26 02:43
Re: KASAN: slab-out-of-bounds Read in hfa384x_usbin_callback 1 (1) 2020/03/25 13:29
Last patch testing requests (7)
Created Duration User Patch Repo Result
2020/05/06 11:51 10m andreyknvl@google.com patch https://github.com/google/kasan.git e17994d1 report log
2020/05/05 13:45 10m oneukum@suse.com patch https://github.com/google/kasan.git e17994d1 report log
2020/05/05 11:56 10m oneukum@suse.com patch https://github.com/google/kasan.git e17994d1 report log
2020/03/26 02:24 17m anenbupt@gmail.com patch https://github.com/google/kasan.git e17994d1 OK
2020/03/26 00:38 10m anenbupt@gmail.com patch https://github.com/google/kasan.git e17994d1 report log
2020/03/25 17:16 10m anenbupt@gmail.com patch https://github.com/google/kasan.git e17994d1 report log
2020/03/25 08:46 11m anenbupt@gmail.com patch https://github.com/google/kasan.git e17994d1 report log

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:381 [inline]
BUG: KASAN: slab-out-of-bounds in skb_put_data include/linux/skbuff.h:2284 [inline]
BUG: KASAN: slab-out-of-bounds in hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
BUG: KASAN: slab-out-of-bounds in hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
BUG: KASAN: slab-out-of-bounds in hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
Read of size 19671 at addr ffff8881d226413c by task swapper/0/0

CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xef/0x16e lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
 __kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
 kasan_report+0xe/0x20 mm/kasan/common.c:641
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x152/0x1c0 mm/kasan/generic.c:192
 memcpy+0x20/0x50 mm/kasan/common.c:127
 memcpy include/linux/string.h:381 [inline]
 skb_put_data include/linux/skbuff.h:2284 [inline]
 hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline]
 hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline]
 hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026
 __usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
 usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
 dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
 call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
 expire_timers kernel/time/timer.c:1449 [inline]
 __run_timers kernel/time/timer.c:1773 [inline]
 __run_timers kernel/time/timer.c:1740 [inline]
 run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
 __do_softirq+0x21e/0x950 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x178/0x1a0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:546 [inline]
 smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
 </IRQ>
RIP: 0010:default_idle+0x28/0x300 arch/x86/kernel/process.c:696
Code: cc cc 41 56 41 55 65 44 8b 2d 44 77 72 7a 41 54 55 53 0f 1f 44 00 00 e8 b6 62 b5 fb e9 07 00 00 00 0f 00 2d ea 0c 53 00 fb f4 <65> 44 8b 2d 20 77 72 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3
RSP: 0018:ffffffff87007d80 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: ffffffff8702cc40 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffffff8702d48c
RBP: fffffbfff0e05988 R08: ffffffff8702cc40 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: ffffffff87e607c0 R15: 0000000000000000
 cpuidle_idle_call kernel/sched/idle.c:154 [inline]
 do_idle+0x3e0/0x500 kernel/sched/idle.c:269
 cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:361
 start_kernel+0xe16/0xe5a init/main.c:998
 secondary_startup_64+0xb6/0xc0 arch/x86/kernel/head_64.S:242

The buggy address belongs to the page:
page:ffffea0007489800 refcount:32744 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
flags: 0x200000000010000(head)
raw: 0200000000010000 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00007fe8ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881d2268000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881d2268080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881d2268100: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
                   ^
 ffff8881d2268180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881d2268200: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
==================================================================

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/03/20 18:27 https://github.com/google/kasan.git usb-fuzzer e17994d1e7b1 2c31c529 .config console log report syz C ci2-upstream-usb
* Struck through repros no longer work on HEAD.