syzbot

 sign-in | mailing list | source | docs
🐞 Open [988] Subsystems 🐞 Fixed [5236] 🐞 Invalid [12506] Missing Backports [83] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

UBSAN: shift-out-of-bounds in vhci_hub_control (2)

Status: fixed on 2021/11/10 00:50
Subsystems: usb
[Documentation on labels]
Reported-by: syzbot+3dea30b047f41084de66@syzkaller.appspotmail.com
Fix commit: 1cc5ed25bdad usbip: vhci_hcd fix shift out-of-bounds in vhci_hub_control()
First crash: 1131d, last: 1119d
Cause bisection: introduced by (bisect log) [release commit]:
commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Sun Sep 15 21:19:32 2019 +0000

  Linux 5.3

Crash: UBSAN: undefined-behaviour in vhci_hub_control (log)
Repro: C syz .config
  
Discussions (7)
Title Replies (including bot) Last reply
[PATCH 4.19 00/56] 4.19.185-rc1 review 62 (62) 2021/04/07 08:23
[PATCH 5.10 000/126] 5.10.28-rc1 review 153 (153) 2021/04/07 08:20
[PATCH 4.14 00/52] 4.14.229-rc1 review 56 (56) 2021/04/07 00:58
[PATCH 5.4 00/74] 5.4.110-rc1 review 84 (84) 2021/04/06 07:12
[PATCH 5.11 000/152] 5.11.12-rc1 review 156 (156) 2021/04/06 00:09
[PATCH] usbip: vhci_hcd fix shift out-of-bounds in vhci_hub_control() 1 (1) 2021/03/24 23:06
[syzbot] UBSAN: shift-out-of-bounds in vhci_hub_control (2) 2 (4) 2021/03/24 21:05
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream UBSAN: shift-out-of-bounds in vhci_hub_control usb C unreliable 4 1183d 1219d 19/26 fixed on 2021/03/10 01:48
Last patch testing requests (1)
Created Duration User Patch Repo Result
2021/03/24 20:05 16m musamaanjum@gmail.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 84196390 OK

Sample crash report:
================================================================================
UBSAN: shift-out-of-bounds in drivers/usb/usbip/vhci_hcd.c:605:42
shift exponent 768 is too large for 32-bit type 'int'
CPU: 0 PID: 8421 Comm: syz-executor852 Not tainted 5.12.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x141/0x1d7 lib/dump_stack.c:120
 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327
 vhci_hub_control.cold+0x20b/0x5f0 drivers/usb/usbip/vhci_hcd.c:605
 rh_call_control drivers/usb/core/hcd.c:683 [inline]
 rh_urb_enqueue drivers/usb/core/hcd.c:841 [inline]
 usb_hcd_submit_urb+0xcaf/0x22d0 drivers/usb/core/hcd.c:1544
 usb_submit_urb+0x6e4/0x1540 drivers/usb/core/urb.c:585
 usb_start_wait_urb+0x101/0x4c0 drivers/usb/core/message.c:58
 usb_internal_control_msg drivers/usb/core/message.c:102 [inline]
 usb_control_msg+0x31c/0x4a0 drivers/usb/core/message.c:153
 do_proc_control+0x4af/0x980 drivers/usb/core/devio.c:1165
 proc_control drivers/usb/core/devio.c:1191 [inline]
 usbdev_do_ioctl drivers/usb/core/devio.c:2535 [inline]
 usbdev_ioctl+0x10e2/0x36c0 drivers/usb/core/devio.c:2708
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x443499
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd96535f58 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004004a0 RCX: 0000000000443499
RDX: 0000000020000000 RSI: 00000000c0185500 RDI: 0000000000000003
RBP: 0000000000403040 R08: 0000000000000000 R09: 00000000004004a0
R10: 000000000000000f R11: 0000000000000246 R12: 00000000004030d0
R13: 0000000000000000 R14: 00000000004b1018 R15: 00000000004004a0
================================================================================

Crashes (5):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2021/03/23 03:57 upstream 84196390620a 8092f30d .config console log report syz C ci-upstream-kasan-gce UBSAN: shift-out-of-bounds in vhci_hub_control
2021/04/02 07:46 upstream ffd9fb546d49 6a81331a .config console log report info ci-upstream-kasan-gce UBSAN: shift-out-of-bounds in vhci_hub_control
2021/03/28 14:33 upstream 0f4498cef9f5 a8529b82 .config console log report info ci-upstream-kasan-gce UBSAN: shift-out-of-bounds in vhci_hub_control
2021/03/23 03:43 upstream 84196390620a 8092f30d .config console log report info ci-upstream-kasan-gce UBSAN: shift-out-of-bounds in vhci_hub_control
2021/03/20 17:33 upstream 1c273e10bc0c 17810eae .config console log report info ci-upstream-kasan-gce UBSAN: shift-out-of-bounds in vhci_hub_control
* Struck through repros no longer work on HEAD.