syzbot


KASAN: stack-out-of-bounds Read in hfcsusb_probe

Status: fixed on 2019/08/14 02:14
Subsystems: usb isdn4linux
Reported-by: syzbot+8750abbc3a46ef47d509@syzkaller.appspotmail.com
Fix commit: f384e62a82ba ISDN: hfcsusb: checking idx of ep configuration
First crash: 1840d, last: 1732d
Discussions (14)
Title Replies (including bot) Last reply
[PATCH 4.9 000/223] 4.9.187-stable review 231 (231) 2019/08/28 03:02
[PATCH 5.2 00/20] 5.2.6-stable review 32 (32) 2019/08/07 02:38
[PATCH 4.19 00/32] 4.19.64-stable review 43 (43) 2019/08/06 23:16
[PATCH 4.14 00/25] 4.14.136-stable review 32 (32) 2019/08/03 15:59
[PATCH 4.4 000/158] 4.4.187-stable review 166 (166) 2019/08/03 15:57
[PATCH AUTOSEL 5.2 01/85] ARM: riscpc: fix DMA 86 (86) 2019/07/26 13:46
[PATCH AUTOSEL 4.4 01/23] ARM: riscpc: fix DMA 23 (23) 2019/07/26 13:45
[PATCH AUTOSEL 4.9 01/30] ARM: riscpc: fix DMA 30 (30) 2019/07/26 13:44
[PATCH AUTOSEL 4.14 01/37] ARM: riscpc: fix DMA 37 (37) 2019/07/26 13:43
[PATCH AUTOSEL 4.19 01/47] ARM: riscpc: fix DMA 47 (47) 2019/07/26 13:42
[PATCH] ISDN: hfcsusb: checking idx of ep configuration 2 (2) 2019/07/15 18:10
Reminder: 47 open syzbot bugs in usb subsystem 1 (1) 2019/07/09 19:01
Reminder: 42 open syzbot bugs in usb subsystem 1 (1) 2019/06/25 03:44
KASAN: stack-out-of-bounds Read in hfcsusb_probe 0 (1) 2019/04/14 20:06
Last patch testing requests (2)
Created Duration User Patch Repo Result
2019/07/15 13:39 38m tranmanphong@gmail.com patch https://github.com/google/kasan.git usb-fuzzer OK
2019/07/15 00:40 35m tranmanphong@gmail.com patch https://github.com/google/kasan.git usb-fuzzer OK

Sample crash report:
usb 1-1: string descriptor 0 read error: -22
usb 1-1: New USB device found, idVendor=07b0, idProduct=0007, bcdDevice= 2.aa
usb 1-1: New USB device strings: Mfr=115, Product=64, SerialNumber=5
usb 1-1: config 0 descriptor??
==================================================================
BUG: KASAN: stack-out-of-bounds in hfcsusb_probe.cold+0x1a46/0x2682 drivers/isdn/hardware/mISDN/hfcsusb.c:1962
Read of size 4 at addr ffff8881d9e0f250 by task kworker/0:1/12

CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.2.0-rc6+ #14
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xca/0x13e lib/dump_stack.c:113
 print_address_description+0x67/0x231 mm/kasan/report.c:188
 __kasan_report.cold+0x1a/0x32 mm/kasan/report.c:317
 kasan_report+0xe/0x20 mm/kasan/common.c:614
 hfcsusb_probe.cold+0x1a46/0x2682 drivers/isdn/hardware/mISDN/hfcsusb.c:1962
 usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
 really_probe+0x281/0x660 drivers/base/dd.c:509
 driver_probe_device+0x104/0x210 drivers/base/dd.c:670
 __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:777
 bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
 __device_attach+0x217/0x360 drivers/base/dd.c:843
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
 device_add+0xae6/0x16f0 drivers/base/core.c:2111
 usb_set_configuration+0xdf6/0x1670 drivers/usb/core/message.c:2023
 generic_probe+0x9d/0xd5 drivers/usb/core/generic.c:210
 usb_probe_device+0x99/0x100 drivers/usb/core/driver.c:266
 really_probe+0x281/0x660 drivers/base/dd.c:509
 driver_probe_device+0x104/0x210 drivers/base/dd.c:670
 __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:777
 bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
 __device_attach+0x217/0x360 drivers/base/dd.c:843
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:514
 device_add+0xae6/0x16f0 drivers/base/core.c:2111
 usb_new_device.cold+0x8c1/0x1016 drivers/usb/core/hub.c:2536
 hub_port_connect drivers/usb/core/hub.c:5098 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
 port_event drivers/usb/core/hub.c:5359 [inline]
 hub_event+0x1b3d/0x35f0 drivers/usb/core/hub.c:5441
 process_one_work+0x905/0x1570 kernel/workqueue.c:2269
 worker_thread+0x96/0xe20 kernel/workqueue.c:2415
 kthread+0x30b/0x410 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the page:
page:ffffea00076783c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x200000000000000()
raw: 0200000000000000 ffffea00076783c8 ffffea00076783c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881d9e0f100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881d9e0f180: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1 01 f2
>ffff8881d9e0f200: 00 00 00 00 00 00 00 00 f3 f3 f3 f3 00 00 00 00
                                                 ^
 ffff8881d9e0f280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881d9e0f300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (634):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2019/07/11 20:36 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 186a30b9 .config console log report syz C ci2-upstream-usb
2019/07/09 21:18 https://github.com/google/kasan.git usb-fuzzer 7829a896a587 f62e1e85 .config console log report syz C ci2-upstream-usb
2019/04/14 20:20 https://github.com/google/kasan.git usb-fuzzer 9a33b36996cb 505ab413 .config console log report syz C ci2-upstream-usb
2019/04/13 12:20 https://github.com/google/kasan.git usb-fuzzer 9a33b36996cb c402d8f1 .config console log report syz C ci2-upstream-usb
2019/07/29 12:50 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/29 11:36 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/29 09:51 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/29 04:42 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/29 03:31 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/29 02:18 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/28 23:32 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/28 19:39 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/28 14:22 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/28 13:08 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/28 12:44 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/28 10:24 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/28 09:01 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/28 07:04 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/28 04:53 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/28 02:31 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/28 00:04 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/27 22:20 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/27 21:09 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/27 18:56 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/27 17:39 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/27 15:32 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/27 14:13 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/27 09:41 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/27 08:16 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/27 07:06 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/27 03:31 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 c85e1c5b .config console log report ci2-upstream-usb
2019/07/27 00:46 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 8fe30d3e .config console log report ci2-upstream-usb
2019/07/26 18:15 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 8fe30d3e .config console log report ci2-upstream-usb
2019/07/26 14:27 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 8fe30d3e .config console log report ci2-upstream-usb
2019/07/26 11:46 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 732bc5a0 .config console log report ci2-upstream-usb
2019/07/26 10:38 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 732bc5a0 .config console log report ci2-upstream-usb
2019/07/26 08:46 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 732bc5a0 .config console log report ci2-upstream-usb
2019/07/26 07:35 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 732bc5a0 .config console log report ci2-upstream-usb
2019/07/26 06:07 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 732bc5a0 .config console log report ci2-upstream-usb
2019/07/26 00:14 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 0d7a1249 .config console log report ci2-upstream-usb
2019/07/26 00:13 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 0d7a1249 .config console log report ci2-upstream-usb
2019/07/25 21:52 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 0d7a1249 .config console log report ci2-upstream-usb
2019/07/25 19:00 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 0d7a1249 .config console log report ci2-upstream-usb
2019/07/25 16:10 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 0d7a1249 .config console log report ci2-upstream-usb
2019/07/25 12:47 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 32329ceb .config console log report ci2-upstream-usb
2019/07/25 09:34 https://github.com/google/kasan.git usb-fuzzer 6a3599ceaa39 32329ceb .config console log report ci2-upstream-usb
* Struck through repros no longer work on HEAD.