syzbot


UBSAN: array-index-out-of-bounds in usbhid_parse

Status: upstream: reported C repro on 2023/10/16 17:01
Subsystems: usb
[Documentation on labels]
Reported-by: syzbot+c52569baf0c843f35495@syzkaller.appspotmail.com
First crash: 285d, last: 6d18h
Cause bisection: failed (error log, bisect log)
  
Discussions (4)
Title Replies (including bot) Last reply
[PATCH] HID: usbhid: fix recurrent out-of-bounds bug in usbhid_parse() 7 (7) 2024/06/04 17:45
[syzbot] [usb?] UBSAN: array-index-out-of-bounds in usbhid_parse 1 (4) 2024/05/24 01:56
Re: [syzbot] [PATCH] usbhid: fix array-index-out-of-bounds in usbhid_parse UBSAN warning 3 (4) 2024/03/05 18:55
Re: [syzbot] [PATCH] Tried to correct 1 (2) 2023/11/22 08:08
Last patch testing requests (19)
Created Duration User Patch Repo Result
2024/07/17 16:48 23m retest repro upstream report log
2024/07/17 16:48 18m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2024/07/03 10:21 18m retest repro https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing report log
2024/06/16 15:38 20m retest repro upstream report log
2024/06/16 15:38 18m retest repro upstream report log
2024/06/16 15:38 15m retest repro linux-next error
2024/06/02 06:16 7m retest repro https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing report log
2024/06/02 06:01 15m retest repro upstream report log
2024/05/23 14:17 11h04m n.zhandarovich@fintech.ru patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master OK log
2024/05/03 17:24 16m retest repro upstream report log
2024/04/19 10:05 18m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2023/12/23 19:59 14m tintinm2017@gmail.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master report log
2023/11/21 19:19 52m tintinm2017@gmail.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master report log
2023/11/17 14:23 15m tintinm2017@gmail.com https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master report log
2023/10/17 10:46 22m hdanton@sina.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master OK log
2023/10/17 09:55 22m eadavis@sina.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ad7f1baed071 OK log
2023/10/17 09:28 22m eadavis@sina.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ad7f1baed071 OK log
2023/10/17 08:41 22m eadavis@sina.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ad7f1baed071 OK log
2023/10/17 04:09 1h18m eadavis@sina.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ad7f1baed071 OK log

Sample crash report:
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in drivers/hid/usbhid/hid-core.c:1024:7
index 1 is out of range for type 'struct hid_class_descriptor[1]'
CPU: 0 PID: 8 Comm: kworker/0:1 Not tainted 6.9.0-rc6-syzkaller-00290-gb9158815de52 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 ubsan_epilogue lib/ubsan.c:231 [inline]
 __ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429
 usbhid_parse+0x5a7/0xc80 drivers/hid/usbhid/hid-core.c:1024
 hid_add_device+0x132/0x520 drivers/hid/hid-core.c:2790
 usbhid_probe+0xb38/0xea0 drivers/hid/usbhid/hid-core.c:1429
 usb_probe_interface+0x645/0xbb0 drivers/usb/core/driver.c:399
 really_probe+0x2b8/0xad0 drivers/base/dd.c:656
 __driver_probe_device+0x1a2/0x390 drivers/base/dd.c:798
 driver_probe_device+0x50/0x430 drivers/base/dd.c:828
 __device_attach_driver+0x2d6/0x530 drivers/base/dd.c:956
 bus_for_each_drv+0x24e/0x2e0 drivers/base/bus.c:457
 __device_attach+0x333/0x520 drivers/base/dd.c:1028
 bus_probe_device+0x189/0x260 drivers/base/bus.c:532
 device_add+0x8ff/0xca0 drivers/base/core.c:3720
 usb_set_configuration+0x1976/0x1fb0 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0x88/0x140 drivers/usb/core/generic.c:254
 usb_probe_device+0x1b8/0x380 drivers/usb/core/driver.c:294

Crashes (25):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/05/06 02:59 upstream b9158815de52 610f2a54 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root UBSAN: array-index-out-of-bounds in usbhid_parse
2024/01/13 01:06 upstream 70d201a40823 dda5a988 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root UBSAN: array-index-out-of-bounds in usbhid_parse
2023/10/14 08:36 upstream ad7f1baed071 6388bc36 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce UBSAN: array-index-out-of-bounds in usbhid_parse
2023/10/12 17:56 upstream 401644852d0b 1b231e3c .config console log report syz C [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream UBSAN: array-index-out-of-bounds in usbhid_parse
2024/05/19 05:39 linux-next c75962170e49 c0f1611a .config strace log report syz C [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root UBSAN: array-index-out-of-bounds in usbhid_parse
2024/05/03 22:12 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing b3e40fc85735 dd26401e .config console log report syz C [disk image] [vmlinux] [kernel image] ci2-upstream-usb UBSAN: array-index-out-of-bounds in usbhid_parse
2023/10/12 18:31 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 1053c4a4b8fc 1b231e3c .config console log report syz C [disk image] [vmlinux] [kernel image] ci2-upstream-usb UBSAN: array-index-out-of-bounds in usbhid_parse
2023/11/10 17:35 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 8de1e7afcc1c 45e9b83e .config console log report syz C [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 UBSAN: array-index-out-of-bounds in usbhid_parse
2024/02/16 17:25 upstream 4f5e5092fdbf 578f7538 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce UBSAN: array-index-out-of-bounds in usbhid_parse
2024/02/16 17:17 upstream 4f5e5092fdbf 578f7538 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root UBSAN: array-index-out-of-bounds in usbhid_parse
2024/02/16 17:17 upstream 4f5e5092fdbf 578f7538 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root UBSAN: array-index-out-of-bounds in usbhid_parse
2024/02/16 17:17 upstream 4f5e5092fdbf 578f7538 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root UBSAN: array-index-out-of-bounds in usbhid_parse
2024/02/16 17:17 upstream 4f5e5092fdbf 578f7538 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root UBSAN: array-index-out-of-bounds in usbhid_parse
2024/01/10 17:47 upstream ab27740f7665 04815ef1 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce UBSAN: array-index-out-of-bounds in usbhid_parse
2024/02/16 17:17 upstream 4f5e5092fdbf 578f7538 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 UBSAN: array-index-out-of-bounds in usbhid_parse
2024/02/16 17:17 upstream 4f5e5092fdbf 578f7538 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream UBSAN: array-index-out-of-bounds in usbhid_parse
2023/10/12 16:57 upstream 401644852d0b 1b231e3c .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream UBSAN: array-index-out-of-bounds in usbhid_parse
2024/02/16 17:19 upstream 4f5e5092fdbf 578f7538 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 UBSAN: array-index-out-of-bounds in usbhid_parse
2024/06/19 08:07 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing b0fc24f36191 41b7e219 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-usb UBSAN: array-index-out-of-bounds in usbhid_parse
2024/05/17 18:23 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 51474ab44abf a12e99e7 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-usb UBSAN: array-index-out-of-bounds in usbhid_parse
2024/05/03 20:35 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing b3e40fc85735 dd26401e .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-usb UBSAN: array-index-out-of-bounds in usbhid_parse
2024/02/16 17:23 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 88bae831f381 578f7538 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-usb UBSAN: array-index-out-of-bounds in usbhid_parse
2024/02/16 17:17 linux-next 2c3b09aac00d 578f7538 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root UBSAN: array-index-out-of-bounds in usbhid_parse
2024/01/27 04:51 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 6613476e225e cc4a4020 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-usb UBSAN: array-index-out-of-bounds in usbhid_parse
2024/02/16 17:17 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci f735966ee23c 578f7538 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 UBSAN: array-index-out-of-bounds in usbhid_parse
* Struck through repros no longer work on HEAD.