syzbot


KASAN: use-after-free Read in vhci_hub_control

Status: fixed on 2019/11/20 22:01
Subsystems: usb
[Documentation on labels]
Reported-by: syzbot+600b03e0cf1b73bb23c4@syzkaller.appspotmail.com
Fix commit: 81f7567c51ad usb: usbip: Fix BUG: KASAN: slab-out-of-bounds in vhci_hub_control()
First crash: 2122d, last: 2073d
Fix bisection: fixed by (bisect log) :
commit 81f7567c51ad97668d1c3a48e8ecc482e64d4161
Author: Shuah Khan (Samsung OSG) <shuah@kernel.org>
Date: Fri Oct 5 22:17:44 2018 +0000

  usb: usbip: Fix BUG: KASAN: slab-out-of-bounds in vhci_hub_control()

  
Discussions (7)
Title Replies (including bot) Last reply
KASAN: use-after-free Read in vhci_hub_control 1 (3) 2019/11/07 16:54
Reminder: 99 open syzbot bugs in net subsystem 14 (14) 2019/07/31 15:13
Reminder: 67 open syzbot bugs in usb subsystem 1 (1) 2019/07/24 01:35
Reminder: 47 open syzbot bugs in usb subsystem 1 (1) 2019/07/09 19:01
Reminder: 94 open syzbot bugs in net subsystem 1 (1) 2019/06/25 05:48
Reminder: 42 open syzbot bugs in usb subsystem 1 (1) 2019/06/25 03:44
[PATCH] usbip: vhci_hcd: check port number before using 4 (4) 2018/10/08 20:06

Sample crash report:
random: sshd: uninitialized urandom read (32 bytes read)
urandom_read: 1 callbacks suppressed
random: sshd: uninitialized urandom read (32 bytes read)
vhci_hcd: invalid port number 132
==================================================================
BUG: KASAN: use-after-free in vhci_hub_control+0x1b88/0x1bf0 drivers/usb/usbip/vhci_hcd.c:441
Read of size 4 at addr ffff8801ce635ebc by task syz-executor268/4643

CPU: 1 PID: 4643 Comm: syz-executor268 Not tainted 4.19.0-rc1+ #217
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x30d mm/kasan/report.c:412
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
 vhci_hub_control+0x1b88/0x1bf0 drivers/usb/usbip/vhci_hcd.c:441
 rh_call_control drivers/usb/core/hcd.c:679 [inline]
 rh_urb_enqueue drivers/usb/core/hcd.c:838 [inline]
 usb_hcd_submit_urb+0x184a/0x2160 drivers/usb/core/hcd.c:1651
 usb_submit_urb+0x895/0x14d0 drivers/usb/core/urb.c:570
 usb_start_wait_urb+0x140/0x360 drivers/usb/core/message.c:57
 usb_internal_control_msg drivers/usb/core/message.c:101 [inline]
 usb_control_msg+0x332/0x4e0 drivers/usb/core/message.c:152
 proc_control+0x99b/0xef0 drivers/usb/core/devio.c:1106
 usbdev_do_ioctl+0x1eb4/0x3b30 drivers/usb/core/devio.c:2394
 usbdev_ioctl+0x25/0x30 drivers/usb/core/devio.c:2551
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:501 [inline]
 do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:685
 ksys_ioctl+0xa9/0xd0 fs/ioctl.c:702
 __do_sys_ioctl fs/ioctl.c:709 [inline]
 __se_sys_ioctl fs/ioctl.c:707 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:707
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x443d89
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffe827be308 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000443d89
RDX: 0000000020000100 RSI: 00000000c0185500 RDI: 0000000000000003
RBP: 00000000006ce018 R08: 0000000000000000 R09: 00000000004002e0
R10: 000000000000000f R11: 0000000000000213 R12: 0000000000401a90
R13: 0000000000401b20 R14: 0000000000000000 R15: 0000000000000000

The buggy address belongs to the page:
page:ffffea0007398d40 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x2fffc0000000000()
raw: 02fffc0000000000 0000000000000000 ffffffff07390101 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801ce635d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801ce635e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8801ce635e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                        ^
 ffff8801ce635f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801ce635f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (41):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2018/09/01 04:47 upstream 420f51f4ab6b a4718693 .config console log report syz C ci-upstream-kasan-gce-root
2018/08/31 22:52 upstream 420f51f4ab6b a4718693 .config console log report syz C ci-upstream-kasan-gce
2018/09/01 12:41 linux-next a880148cb2af a4718693 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2018/10/19 00:29 upstream fa520c47eaa1 9aba67b5 .config console log report ci-upstream-kasan-gce-smack-root
2018/10/17 18:07 upstream c0cff31be705 1ba7fd7e .config console log report ci-upstream-kasan-gce-selinux-root
2018/10/16 15:12 upstream f0a7d1883d9f 1ba7fd7e .config console log report ci-upstream-kasan-gce-root
2018/10/16 15:09 upstream f0a7d1883d9f 1ba7fd7e .config console log report ci-upstream-kasan-gce-smack-root
2018/10/16 07:17 upstream f0a7d1883d9f 8cd30605 .config console log report ci-upstream-kasan-gce-selinux-root
2018/10/15 02:28 upstream 3a27203102eb caf12900 .config console log report ci-upstream-kasan-gce-selinux-root
2018/10/14 16:51 upstream 3a27203102eb caf12900 .config console log report ci-upstream-kasan-gce
2018/10/13 11:33 upstream bab5c80b2110 caf12900 .config console log report ci-upstream-kasan-gce-root
2018/10/12 04:37 upstream 0778a9f2dd92 ba6ddb43 .config console log report ci-upstream-kasan-gce-root
2018/10/10 21:29 upstream 3d647e62686f 5b11ac2c .config console log report ci-upstream-kasan-gce-selinux-root
2018/10/08 14:52 upstream 0238df646e62 8b311eaf .config console log report ci-upstream-kasan-gce-smack-root
2018/10/07 02:40 upstream c1d84a1b42ef 8b311eaf .config console log report ci-upstream-kasan-gce-smack-root
2018/10/05 21:55 upstream b2e45b46d85b 8b311eaf .config console log report ci-upstream-kasan-gce-selinux-root
2018/10/04 07:04 upstream cec4de302c5f 8b311eaf .config console log report ci-upstream-kasan-gce-selinux-root
2018/10/04 04:10 upstream cec4de302c5f 8b311eaf .config console log report ci-upstream-kasan-gce-selinux-root
2018/10/03 19:21 upstream 6bebe37927f3 8b311eaf .config console log report ci-upstream-kasan-gce-smack-root
2018/10/02 05:06 upstream 385afbf8c3e8 e06f7713 .config console log report ci-upstream-kasan-gce-smack-root
2018/09/29 20:37 upstream 82ec752cce8b 41e4b329 .config console log report ci-upstream-kasan-gce
2018/09/29 10:04 upstream e704966c45e4 41e4b329 .config console log report ci-upstream-kasan-gce-selinux-root
2018/09/29 05:20 upstream e704966c45e4 41e4b329 .config console log report ci-upstream-kasan-gce
2018/09/28 19:38 upstream ad0371482b1e 137d7c66 .config console log report ci-upstream-kasan-gce-root
2018/09/26 11:13 upstream a38523185b40 455b6354 .config console log report ci-upstream-kasan-gce-root
2018/09/22 14:10 upstream 10dc890d4228 37079712 .config console log report ci-upstream-kasan-gce
2018/09/21 15:14 upstream 234b69e3e089 37079712 .config console log report ci-upstream-kasan-gce-root
2018/09/05 14:43 upstream 28619527b8a7 196410e4 .config console log report ci-upstream-kasan-gce-selinux-root
2018/09/01 21:50 upstream 360bd62dc494 a4718693 .config console log report ci-upstream-kasan-gce
2018/09/01 21:27 upstream 360bd62dc494 a4718693 .config console log report ci-upstream-kasan-gce
2018/09/01 20:15 upstream 420f51f4ab6b a4718693 .config console log report ci-upstream-kasan-gce
2018/08/31 18:43 upstream 420f51f4ab6b a4718693 .config console log report ci-upstream-kasan-gce
2018/08/31 17:44 upstream 217c3e019675 a4718693 .config console log report ci-upstream-kasan-gce-root
2018/08/31 17:40 upstream 217c3e019675 a4718693 .config console log report ci-upstream-kasan-gce
2018/10/18 01:23 upstream c343db455eb3 b2695b95 .config console log report ci-upstream-kasan-gce-386
2018/10/13 18:56 upstream 7ec21823634d caf12900 .config console log report ci-upstream-kasan-gce-386
2018/10/08 02:14 upstream 0238df646e62 8b311eaf .config console log report ci-upstream-kasan-gce-386
2018/10/07 15:26 upstream fb1c592cf4c9 8b311eaf .config console log report ci-upstream-kasan-gce-386
2018/10/03 19:21 upstream 6bebe37927f3 8b311eaf .config console log report ci-upstream-kasan-gce-386
2018/10/11 01:18 linux-next 7f3049305d22 5f818b4b .config console log report ci-upstream-linux-next-kasan-gce-root
2018/10/07 02:35 linux-next 12ffaa1197f5 8b311eaf .config console log report ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.