syzbot


KASAN: slab-out-of-bounds Read in garmin_read_process

Status: fixed on 2020/07/17 17:58
Subsystems: usb
Reported-by: syzbot+d29e9263e13ce0b9f4fd@syzkaller.appspotmail.com
Fix commit: e9b3c610a05c USB: serial: garmin_gps: add sanity checking for data length
First crash: 1494d, last: 1494d
Discussions (8)
Title                                                    Replies (including bot)  Last reply
[PATCH 4.4 00/86] 4.4.224-rc1 review                     95 (95)                  2020/05/21 07:47
[PATCH 4.14 000/114] 4.14.181-rc1 review                 119 (119)                2020/05/19 16:28
[PATCH 4.9 00/90] 4.9.224-rc1 review                     95 (95)                  2020/05/19 16:27
[PATCH 5.6 000/118] 5.6.13-rc1 review                    127 (127)                2020/05/15 08:52
[PATCH 4.19 00/48] 4.19.123-rc1 review                   61 (61)                  2020/05/14 20:28
[PATCH 5.4 00/90] 5.4.41-rc1 review                      95 (95)                  2020/05/13 23:01
[PATCH] garmin_gps: add sanity checking for data length  2 (2)                    2020/04/22 07:14
KASAN: slab-out-of-bounds Read in garmin_read_process    1 (3)                    2020/03/24 14:28
Last patch testing requests (1)
Created           Duration  User             Patch  Repo                                          Result
2020/03/24 13:43  18m       oneukum@suse.de  patch  https://github.com/google/kasan.git e17994d1  OK

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in __le32_to_cpup include/uapi/linux/byteorder/little_endian.h:58 [inline]
BUG: KASAN: slab-out-of-bounds in getLayerId drivers/usb/serial/garmin_gps.c:208 [inline]
BUG: KASAN: slab-out-of-bounds in garmin_read_process+0x1b0/0x2e0 drivers/usb/serial/garmin_gps.c:1142
Read of size 4 at addr ffff8881ca74abe8 by task swapper/1/0

CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xef/0x16e lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:374
 __kasan_report.cold+0x37/0x77 mm/kasan/report.c:506
 kasan_report+0xe/0x20 mm/kasan/common.c:641
 __le32_to_cpup include/uapi/linux/byteorder/little_endian.h:58 [inline]
 getLayerId drivers/usb/serial/garmin_gps.c:208 [inline]
 garmin_read_process+0x1b0/0x2e0 drivers/usb/serial/garmin_gps.c:1142
 garmin_read_int_callback+0x19f/0x746 drivers/usb/serial/garmin_gps.c:1279
 __usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
 usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
 dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966

Crashes (1):
Time              Kernel                                          Commit        Syzkaller  Config   Log          Report  Syz repro  C repro  Manager
2020/03/21 12:33  https://github.com/google/kasan.git usb-fuzzer  e17994d1e7b1  aa6c6a55   .config  console log  report  syz        C        ci2-upstream-usb