Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
---|---|---|---|---|---|---|---|---|
KASAN: use-after-free Read in hfa384x_usbin_callback staging usb | C | 3 | 1635d | 1639d | 0/28 | closed as dup on 2020/03/23 13:44 |
syzbot |
sign-in | mailing list | source | docs |
Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
---|---|---|---|---|---|---|---|---|
KASAN: use-after-free Read in hfa384x_usbin_callback staging usb | C | 3 | 1635d | 1639d | 0/28 | closed as dup on 2020/03/23 13:44 |
Title | Replies (including bot) | Last reply |
---|---|---|
KASAN: slab-out-of-bounds Read in hfa384x_usbin_callback | 8 (10) | 2020/05/08 13:51 |
[PATCH 4.9 000/102] 4.9.218-rc1 review | 112 (112) | 2020/04/07 06:05 |
[PATCH 5.6 00/23] 5.6.1-rc1 review | 47 (47) | 2020/04/04 08:41 |
[PATCH 4.14 000/148] 4.14.175-rc1 review | 153 (153) | 2020/04/02 22:47 |
[PATCH 4.19 000/116] 4.19.114-rc1 review | 129 (129) | 2020/04/02 20:04 |
[PATCH 5.5 000/170] 5.5.14-rc1 review | 180 (180) | 2020/04/02 17:40 |
[PATCH 4.4 00/91] 4.4.218-rc1 review | 97 (97) | 2020/04/02 14:13 |
[PATCH 5.4 000/155] 5.4.29-rc1 review | 156 (156) | 2020/03/31 08:59 |
[PATCH] staging: wlan-ng: fix use-after-free Read in hfa384x_usbin_callback | 1 (1) | 2020/03/26 13:18 |
Re: KASAN: slab-out-of-bounds Read in hfa384x_usbin_callback | 2 (3) | 2020/03/26 02:43 |
Re: KASAN: slab-out-of-bounds Read in hfa384x_usbin_callback | 1 (1) | 2020/03/25 13:29 |
Created | Duration | User | Patch | Repo | Result |
---|---|---|---|---|---|
2020/05/06 11:51 | 10m | andreyknvl@google.com | patch | https://github.com/google/kasan.git e17994d1 | report log |
2020/05/05 13:45 | 10m | oneukum@suse.com | patch | https://github.com/google/kasan.git e17994d1 | report log |
2020/05/05 11:56 | 10m | oneukum@suse.com | patch | https://github.com/google/kasan.git e17994d1 | report log |
2020/03/26 02:24 | 17m | anenbupt@gmail.com | patch | https://github.com/google/kasan.git e17994d1 | OK |
2020/03/26 00:38 | 10m | anenbupt@gmail.com | patch | https://github.com/google/kasan.git e17994d1 | report log |
2020/03/25 17:16 | 10m | anenbupt@gmail.com | patch | https://github.com/google/kasan.git e17994d1 | report log |
2020/03/25 08:46 | 11m | anenbupt@gmail.com | patch | https://github.com/google/kasan.git e17994d1 | report log |
================================================================== BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:381 [inline] BUG: KASAN: slab-out-of-bounds in skb_put_data include/linux/skbuff.h:2284 [inline] BUG: KASAN: slab-out-of-bounds in hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline] BUG: KASAN: slab-out-of-bounds in hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline] BUG: KASAN: slab-out-of-bounds in hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026 Read of size 19671 at addr ffff8881d226413c by task swapper/0/0 CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xef/0x16e lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374 __kasan_report.cold+0x37/0x77 mm/kasan/report.c:506 kasan_report+0xe/0x20 mm/kasan/common.c:641 check_memory_region_inline mm/kasan/generic.c:185 [inline] check_memory_region+0x152/0x1c0 mm/kasan/generic.c:192 memcpy+0x20/0x50 mm/kasan/common.c:127 memcpy include/linux/string.h:381 [inline] skb_put_data include/linux/skbuff.h:2284 [inline] hfa384x_int_rxmonitor drivers/staging/wlan-ng/hfa384x_usb.c:3412 [inline] hfa384x_usbin_rx drivers/staging/wlan-ng/hfa384x_usb.c:3312 [inline] hfa384x_usbin_callback+0x1993/0x2360 drivers/staging/wlan-ng/hfa384x_usb.c:3026 __usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650 usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716 dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966 call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404 expire_timers kernel/time/timer.c:1449 [inline] __run_timers kernel/time/timer.c:1773 [inline] __run_timers kernel/time/timer.c:1740 [inline] run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786 __do_softirq+0x21e/0x950 kernel/softirq.c:292 invoke_softirq kernel/softirq.c:373 [inline] irq_exit+0x178/0x1a0 kernel/softirq.c:413 exiting_irq arch/x86/include/asm/apic.h:546 [inline] smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829 </IRQ> RIP: 0010:default_idle+0x28/0x300 arch/x86/kernel/process.c:696 Code: cc cc 41 56 41 55 65 44 8b 2d 44 77 72 7a 41 54 55 53 0f 1f 44 00 00 e8 b6 62 b5 fb e9 07 00 00 00 0f 00 2d ea 0c 53 00 fb f4 <65> 44 8b 2d 20 77 72 7a 0f 1f 44 00 00 5b 5d 41 5c 41 5d 41 5e c3 RSP: 0018:ffffffff87007d80 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13 RAX: 0000000000000007 RBX: ffffffff8702cc40 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffffff8702d48c RBP: fffffbfff0e05988 R08: ffffffff8702cc40 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: ffffffff87e607c0 R15: 0000000000000000 cpuidle_idle_call kernel/sched/idle.c:154 [inline] do_idle+0x3e0/0x500 kernel/sched/idle.c:269 cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:361 start_kernel+0xe16/0xe5a init/main.c:998 secondary_startup_64+0xb6/0xc0 arch/x86/kernel/head_64.S:242 The buggy address belongs to the page: page:ffffea0007489800 refcount:32744 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0 flags: 0x200000000010000(head) raw: 0200000000010000 dead000000000100 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000000 00007fe8ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8881d2268000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8881d2268080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8881d2268100: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 ^ ffff8881d2268180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8881d2268200: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ==================================================================
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
---|---|---|---|---|---|---|---|---|---|---|---|---|
2020/03/20 18:27 | https://github.com/google/kasan.git usb-fuzzer | e17994d1e7b1 | 2c31c529 | .config | console log | report | syz | C | ci2-upstream-usb |