syzbot


UBSAN: shift-out-of-bounds in parse_audio_unit

Status: upstream: reported C repro on 2024/09/22 18:15
Bug presence: origin:lts-only
Reported-by: syzbot+dbad4fcfae2c7bfc2af8@syzkaller.appspotmail.com
First crash: 13d, last: 13d
Fix commit to backport (bisect log):
tree: upstream
commit 2f38cf730caedaeacdefb7ff35b0a3c1168117f9
Author: Takashi Iwai <tiwai@suse.de>
Date: Mon Jul 15 12:35:54 2024 +0000

  ALSA: usb: Fix UBSAN warning in parse_audio_unit()

Bug presence (2)
Date Name Commit Repro Result
2024/09/22 linux-5.15.y (ToT) 3a5928702e71 C [report] UBSAN: shift-out-of-bounds in parse_audio_unit
2024/09/22 upstream (ToT) de5cb0dcb74c C Didn't crash
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream UBSAN: shift-out-of-bounds in parse_audio_unit sound C error 3 85d 83d 27/28 fixed on 2024/08/14 03:44
android-5-15 UBSAN: shift-out-of-bounds in parse_audio_unit origin:lts C 10 14d 76d 0/2 upstream: reported C repro on 2024/07/22 02:50
android-6-1 UBSAN: shift-out-of-bounds in parse_audio_unit origin:lts C 3 41d 55d 0/2 upstream: reported C repro on 2024/08/11 11:03
Fix bisection attempts (1)
Created Duration User Patch Repo Result
2024/09/27 20:16 7h15m fix candidate upstream OK (1) job log

Sample crash report:
usb 1-1: config 1 has 1 interface, different from the descriptor's value: 3
usb 1-1: New USB device found, idVendor=08b7, idProduct=0000, bcdDevice= 0.00
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=3
usb 1-1: SerialNumber: syz
usb 1-1: 0:2 : does not exist
================================================================================
UBSAN: shift-out-of-bounds in sound/usb/mixer.c:2035:20
shift exponent 41 is too large for 32-bit type 'int'
CPU: 0 PID: 1075 Comm: kworker/0:2 Not tainted 5.15.167-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2d0 lib/dump_stack.c:106
 ubsan_epilogue lib/ubsan.c:151 [inline]
 __ubsan_handle_shift_out_of_bounds+0x3bf/0x420 lib/ubsan.c:321
 parse_audio_feature_unit sound/usb/mixer.c:2035 [inline]
 parse_audio_unit+0x265a/0x3df0 sound/usb/mixer.c:2885
 snd_usb_mixer_controls sound/usb/mixer.c:3230 [inline]
 snd_usb_create_mixer+0x1235/0x2e70 sound/usb/mixer.c:3577
 usb_audio_probe+0x1622/0x2090 sound/usb/card.c:883
 usb_probe_interface+0x5c0/0xaf0 drivers/usb/core/driver.c:396
 really_probe+0x24e/0xb60 drivers/base/dd.c:595
 __driver_probe_device+0x1a2/0x3d0 drivers/base/dd.c:755
 driver_probe_device+0x50/0x420 drivers/base/dd.c:785
 __device_attach_driver+0x2b9/0x500 drivers/base/dd.c:907
 bus_for_each_drv+0x183/0x200 drivers/base/bus.c:427
 __device_attach+0x359/0x570 drivers/base/dd.c:979
 bus_probe_device+0xba/0x1e0 drivers/base/bus.c:487
 device_add+0xb48/0xfd0 drivers/base/core.c:3415
 usb_set_configuration+0x19dd/0x2020 drivers/usb/core/message.c:2165
 usb_generic_driver_probe+0x84/0x140 drivers/usb/core/generic.c:238
 usb_probe_device+0x130/0x260 drivers/usb/core/driver.c:293
 really_probe+0x24e/0xb60 drivers/base/dd.c:595
 __driver_probe_device+0x1a2/0x3d0 drivers/base/dd.c:755
 driver_probe_device+0x50/0x420 drivers/base/dd.c:785
 __device_attach_driver+0x2b9/0x500 drivers/base/dd.c:907
 bus_for_each_drv+0x183/0x200 drivers/base/bus.c:427
 __device_attach+0x359/0x570 drivers/base/dd.c:979
 bus_probe_device+0xba/0x1e0 drivers/base/bus.c:487
 device_add+0xb48/0xfd0 drivers/base/core.c:3415
 usb_new_device+0xc17/0x18e0 drivers/usb/core/hub.c:2593
 hub_port_connect drivers/usb/core/hub.c:5455 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5595 [inline]
 port_event drivers/usb/core/hub.c:5741 [inline]
 hub_event+0x2cdf/0x54c0 drivers/usb/core/hub.c:5823
 process_one_work+0x8a1/0x10c0 kernel/workqueue.c:2310
 worker_thread+0xaca/0x1280 kernel/workqueue.c:2457
 kthread+0x3f6/0x4f0 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287
 </TASK>
================================================================================

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2024/09/22 20:13 linux-5.15.y 3a5928702e71 6f888b75 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan UBSAN: shift-out-of-bounds in parse_audio_unit
2024/09/22 19:33 linux-5.15.y 3a5928702e71 6f888b75 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan UBSAN: shift-out-of-bounds in parse_audio_unit
2024/09/22 18:54 linux-5.15.y 3a5928702e71 6f888b75 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan UBSAN: shift-out-of-bounds in parse_audio_unit
2024/09/22 18:14 linux-5.15.y 3a5928702e71 6f888b75 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan UBSAN: shift-out-of-bounds in parse_audio_unit