syzbot


UBSAN: array-index-out-of-bounds in usbhid_parse

Status: upstream: reported C repro on 2023/10/16 17:01
Subsystems: usb
[Documentation on labels]
Reported-by: syzbot+c52569baf0c843f35495@syzkaller.appspotmail.com
First crash: 133d, last: 6d06h
Cause bisection: failed (error log, bisect log)
  
Discussions (3)
Title Replies (including bot) Last reply
Re: [syzbot] [PATCH] usbhid: fix array-index-out-of-bounds in usbhid_parse UBSAN warning 2 (3) 2024/01/03 14:29
Re: [syzbot] [PATCH] Tried to correct 1 (2) 2023/11/22 08:08
[syzbot] [usb?] UBSAN: array-index-out-of-bounds in usbhid_parse 0 (2) 2023/11/17 14:23
Last patch testing requests (16)
Created Duration User Patch Repo Result
2024/02/10 18:58 14m retest repro upstream report log
2024/01/06 09:19 38m retest repro https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing report log
2024/01/06 09:09 17m retest repro upstream report log
2023/12/23 19:59 14m tintinm2017@gmail.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master report log
2023/12/09 00:59 51m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2023/12/09 00:56 40m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2023/11/25 00:27 14m retest repro upstream report log
2023/11/21 19:19 52m tintinm2017@gmail.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master report log
2023/11/17 14:23 15m tintinm2017@gmail.com https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master report log
2023/10/28 08:47 16m retest repro upstream report log
2023/10/28 08:52 8m retest repro https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing report log
2023/10/17 10:46 22m hdanton@sina.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master OK log
2023/10/17 09:55 22m eadavis@sina.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ad7f1baed071 OK log
2023/10/17 09:28 22m eadavis@sina.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ad7f1baed071 OK log
2023/10/17 08:41 22m eadavis@sina.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ad7f1baed071 OK log
2023/10/17 04:09 1h18m eadavis@sina.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ad7f1baed071 OK log

Sample crash report:
usb 1-1: string descriptor 0 read error: -22
usb 1-1: New USB device found, idVendor=080e, idProduct=4eb9, bcdDevice=d7.f6
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in drivers/hid/usbhid/hid-core.c:1024:18
index 1 is out of range for type 'hid_class_descriptor [1]'
CPU: 0 PID: 8 Comm: kworker/0:0 Not tainted 6.7.0-syzkaller-06264-g70d201a40823 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x125/0x1b0 lib/dump_stack.c:106
 ubsan_epilogue lib/ubsan.c:217 [inline]
 __ubsan_handle_out_of_bounds+0x111/0x150 lib/ubsan.c:347
 usbhid_parse+0x94a/0xa20 drivers/hid/usbhid/hid-core.c:1024
 hid_add_device+0x189/0xa60 drivers/hid/hid-core.c:2790
 usbhid_probe+0xd0a/0x1360 drivers/hid/usbhid/hid-core.c:1429
 usb_probe_interface+0x307/0x930 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:579 [inline]
 really_probe+0x234/0xc90 drivers/base/dd.c:658
 __driver_probe_device+0x1de/0x4b0 drivers/base/dd.c:800
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:830
 __device_attach_driver+0x1d4/0x300 drivers/base/dd.c:958
 bus_for_each_drv+0x157/0x1d0 drivers/base/bus.c:457
 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
 bus_probe_device+0x17c/0x1c0 drivers/base/bus.c:532
 device_add+0x117e/0x1aa0 drivers/base/core.c:3625
 usb_set_configuration+0x10cb/0x1c40 drivers/usb/core/message.c:2207
 usb_generic_driver_probe+0xca/0x130 drivers/usb/core/generic.c:238
 usb_probe_device+0xda/0x2c0 drivers/usb/core/driver.c:293
 call_driver_probe drivers/base/dd.c:579 [inline]
 really_probe+0x234/0xc90 drivers/base/dd.c:658
 __driver_probe_device+0x1de/0x4b0 drivers/base/dd.c:800
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:830
 __device_attach_driver+0x1d4/0x300 drivers/base/dd.c:958
 bus_for_each_drv+0x157/0x1d0 drivers/base/bus.c:457
 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
 bus_probe_device+0x17c/0x1c0 drivers/base/bus.c:532
 device_add+0x117e/0x1aa0 drivers/base/core.c:3625
 usb_new_device+0xd80/0x19f0 drivers/usb/core/hub.c:2576
 hub_port_connect drivers/usb/core/hub.c:5440 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5580 [inline]
 port_event drivers/usb/core/hub.c:5740 [inline]
 hub_event+0x2dac/0x4e10 drivers/usb/core/hub.c:5822
 process_one_work+0x886/0x15d0 kernel/workqueue.c:2633
 process_scheduled_works kernel/workqueue.c:2706 [inline]
 worker_thread+0x8b9/0x1290 kernel/workqueue.c:2787
 kthread+0x2c6/0x3a0 kernel/kthread.c:388
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
 </TASK>
---[ end trace ]---
Ker

Crashes (19):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/01/13 01:06 upstream 70d201a40823 dda5a988 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root UBSAN: array-index-out-of-bounds in usbhid_parse
2023/10/14 08:36 upstream ad7f1baed071 6388bc36 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce UBSAN: array-index-out-of-bounds in usbhid_parse
2023/10/12 17:56 upstream 401644852d0b 1b231e3c .config console log report syz C [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream UBSAN: array-index-out-of-bounds in usbhid_parse
2023/10/12 18:31 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 1053c4a4b8fc 1b231e3c .config console log report syz C [disk image] [vmlinux] [kernel image] ci2-upstream-usb UBSAN: array-index-out-of-bounds in usbhid_parse
2023/11/10 17:35 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 8de1e7afcc1c 45e9b83e .config console log report syz C [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 UBSAN: array-index-out-of-bounds in usbhid_parse
2024/02/16 17:25 upstream 4f5e5092fdbf 578f7538 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce UBSAN: array-index-out-of-bounds in usbhid_parse
2024/02/16 17:17 upstream 4f5e5092fdbf 578f7538 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root UBSAN: array-index-out-of-bounds in usbhid_parse
2024/02/16 17:17 upstream 4f5e5092fdbf 578f7538 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root UBSAN: array-index-out-of-bounds in usbhid_parse
2024/02/16 17:17 upstream 4f5e5092fdbf 578f7538 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root UBSAN: array-index-out-of-bounds in usbhid_parse
2024/02/16 17:17 upstream 4f5e5092fdbf 578f7538 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root UBSAN: array-index-out-of-bounds in usbhid_parse
2024/01/10 17:47 upstream ab27740f7665 04815ef1 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce UBSAN: array-index-out-of-bounds in usbhid_parse
2024/02/16 17:17 upstream 4f5e5092fdbf 578f7538 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 UBSAN: array-index-out-of-bounds in usbhid_parse
2024/02/16 17:17 upstream 4f5e5092fdbf 578f7538 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream UBSAN: array-index-out-of-bounds in usbhid_parse
2023/10/12 16:57 upstream 401644852d0b 1b231e3c .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream UBSAN: array-index-out-of-bounds in usbhid_parse
2024/02/16 17:19 upstream 4f5e5092fdbf 578f7538 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 UBSAN: array-index-out-of-bounds in usbhid_parse
2024/02/16 17:23 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 88bae831f381 578f7538 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-usb UBSAN: array-index-out-of-bounds in usbhid_parse
2024/02/16 17:17 linux-next 2c3b09aac00d 578f7538 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root UBSAN: array-index-out-of-bounds in usbhid_parse
2024/01/27 04:51 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 6613476e225e cc4a4020 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-usb UBSAN: array-index-out-of-bounds in usbhid_parse
2024/02/16 17:17 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci f735966ee23c 578f7538 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 UBSAN: array-index-out-of-bounds in usbhid_parse
* Struck through repros no longer work on HEAD.