syzbot


KASAN: slab-out-of-bounds Read in hiddev_ioctl_usage

Status: closed as dup on 2019/11/22 20:45
Subsystems: input usb
Reported-by: syzbot+a3f4c2f4f8cde2ff797b@syzkaller.appspotmail.com
First crash: 1643d, last: 1306d
Duplicate of:
  Title: KASAN: slab-out-of-bounds Write in hiddev_ioctl_usage
  Subsystems: input usb
  Repro: C
  Count: 279
  Last: 1307d
  Reported: 1650d
Discussions (3)
  Reminder: 45 active syzbot reports in usb subsystem
    Replies: 1 (1 including bot); last reply 2019/11/19 04:27
  Reminder: 67 active syzbot reports in usb subsystem
    Replies: 1 (1 including bot); last reply 2019/10/04 03:38
  KASAN: slab-out-of-bounds Read in hiddev_ioctl_usage
    Replies: 0 (1 including bot); last reply 2019/09/30 22:39
Similar bugs (1)
  Kernel: android-54
  Title: KASAN: slab-out-of-bounds Read in hiddev_ioctl_usage
  Repro: C
  Count: 2
  Last: 1432d
  Reported: 1449d
  Patched: 0/2
  Status: auto-obsoleted due to no activity on 2022/08/27 05:02
Last patch testing requests (1)
  Created: 2019/11/11 01:57
  Duration: 10m
  User: tranmanphong@gmail.com
  Patch: linked patch
  Repo: https://github.com/google/kasan.git 2994c077
  Result: report, log

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in hiddev_ioctl_usage.isra.0+0x12d0/0x13b0 drivers/hid/usbhid/hiddev.c:522
Read of size 4 at addr ffff8881c1448070 by task syz-executor400/361

CPU: 1 PID: 361 Comm: syz-executor400 Not tainted 5.7.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xef/0x16e lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:382
 __kasan_report.cold+0x37/0x92 mm/kasan/report.c:511
 kasan_report+0x33/0x50 mm/kasan/common.c:625
 hiddev_ioctl_usage.isra.0+0x12d0/0x13b0 drivers/hid/usbhid/hiddev.c:522
 hiddev_ioctl+0x79b/0x1550 drivers/hid/usbhid/hiddev.c:794
 vfs_ioctl fs/ioctl.c:47 [inline]
 ksys_ioctl+0x11a/0x180 fs/ioctl.c:763
 __do_sys_ioctl fs/ioctl.c:772 [inline]
 __se_sys_ioctl fs/ioctl.c:770 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:770
 do_syscall_64+0xb6/0x5a0 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x444bf9
Code: e8 bc af 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 1b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fff20029b08 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000444bf9
RDX: 0000000020000040 RSI: 00000000c018480b RDI: 0000000000000004
RBP: 00000000006cf018 R08: 8fce4d9635172f21 R09: 00000000004002e0
R10: 000000000000000f R11: 0000000000000246 R12: 00000000004028a0
R13: 0000000000402930 R14: 0000000000000000 R15: 0000000000000000

The buggy address belongs to the page:
page:ffffea0007050000 refcount:1 mapcount:0 mapping:000000003efc95f9 index:0x0 head:ffffea0007050000 order:7 compound_mapcount:0 compound_pincount:0
flags: 0x200000000010000(head)
raw: 0200000000010000 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881c1447f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881c1447f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881c1448000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe
                                                             ^
 ffff8881c1448080: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
 ffff8881c1448100: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
==================================================================
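Two values in the report above are worth decoding before opening the source: the request number in RSI (0xc018480b) on the syscall-entry register line, and the shadow byte KASAN flagged at ffff8881c1448070 in the Memory state dump. The C program below is an added example, not syzbot's or the kernel's code. It splits the request number with the x86-64 ioctl encoding (nr in bits 0-7, type in 8-15, size in 16-29, direction in 30-31), rebuilds _IOWR('H', 0x0b, sizeof(struct hiddev_usage_ref)) to confirm the faulting call was HIDIOCGUSAGE, and maps the faulting address onto the 16-byte shadow row marked with > to recover the shadow value 0xfe, which generic KASAN uses for the redzone after a page-level (kmalloc_large) allocation; that matches the report describing the address as belonging to an order-7 compound page rather than a slab object. The 24-byte struct size is from <linux/hiddev.h> and the shadow-value names from mm/kasan/kasan.h of the 5.x kernels; both are stated as assumptions to check against the tree you are debugging. The sample values are copied from the report above, not constructed.

```c
/* Added example (not syzbot's or the kernel's code): decode the RSI
 * request number and the KASAN shadow row from the sample crash report.
 *
 * Assumptions: x86-64 ioctl field layout (nr 0-7, type 8-15, size 16-29,
 * dir 30-31), struct hiddev_usage_ref == 24 bytes (six 32-bit fields,
 * <linux/hiddev.h>), and the generic-KASAN shadow values of 5.x
 * mm/kasan/kasan.h. Verify all three against your own tree.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct ioctl_parts {
    unsigned dir;   /* 0 = none, 1 = _IOC_WRITE, 2 = _IOC_READ, 3 = both */
    unsigned size;  /* size of the argument struct, 14 bits */
    unsigned type;  /* magic byte; 'H' for hiddev */
    unsigned nr;    /* command number within the type */
};

/* Split a request number exactly as _IOC_DIR/_IOC_SIZE/_IOC_TYPE/_IOC_NR do. */
static struct ioctl_parts decode_ioctl(uint32_t req)
{
    struct ioctl_parts p;
    p.nr   = req & 0xffu;
    p.type = (req >> 8) & 0xffu;
    p.size = (req >> 16) & 0x3fffu;
    p.dir  = (req >> 30) & 0x3u;
    return p;
}

/* Build _IOWR(type, nr, size) the way <asm-generic/ioctl.h> does. */
static uint32_t make_iowr(unsigned type, unsigned nr, unsigned size)
{
    return (3u << 30) | ((size & 0x3fffu) << 16) | ((type & 0xffu) << 8) | (nr & 0xffu);
}

#define HIDDEV_USAGE_REF_SIZE 24u /* assumed sizeof(struct hiddev_usage_ref) */

/* HIDIOCGUSAGE is _IOWR('H', 0x0B, struct hiddev_usage_ref). */
static int is_hidiocgusage(uint32_t req)
{
    return req == make_iowr('H', 0x0b, HIDDEV_USAGE_REF_SIZE);
}

/* One "Memory state" row holds 16 shadow bytes, each covering 8 bytes of
 * memory from row_base. Return the shadow byte covering addr, or -1 if
 * addr is not inside this row. */
static int shadow_byte_for(uint64_t row_base, const uint8_t row[16], uint64_t addr)
{
    if (addr < row_base || addr >= row_base + 16u * 8u)
        return -1;
    return row[(addr - row_base) >> 3];
}

/* Names for the shadow values that appear in slab/page reports (assumed
 * from 5.x mm/kasan/kasan.h; values 1..7 mean only that many leading
 * bytes of the 8-byte granule are addressable). */
static const char *kasan_shadow_name(int s)
{
    switch (s) {
    case 0x00: return "accessible";
    case 0xff: return "KASAN_FREE_PAGE";
    case 0xfe: return "KASAN_PAGE_REDZONE";    /* after a kmalloc_large/page allocation */
    case 0xfc: return "KASAN_KMALLOC_REDZONE"; /* redzone inside a slab object */
    case 0xfb: return "KASAN_KMALLOC_FREE";    /* freed slab object */
    default:
        if (s > 0 && s < 8) return "partially accessible";
        return "other";
    }
}

/* Values copied from the sample crash report (the row marked with '>'). */
static const uint64_t REPORT_ROW_BASE = 0xffff8881c1448000ull;
static const uint8_t  REPORT_ROW[16] = {
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfe, 0xfe,
};
static const uint64_t REPORT_ADDR = 0xffff8881c1448070ull;
static const uint32_t REPORT_RSI  = 0xc018480bu;

int main(void)
{
    struct ioctl_parts p = decode_ioctl(REPORT_RSI);
    printf("ioctl 0x%08x: dir=%u size=%u type='%c' nr=0x%02x -> %s\n",
           REPORT_RSI, p.dir, p.size, p.type, p.nr,
           is_hidiocgusage(REPORT_RSI) ? "HIDIOCGUSAGE" : "not HIDIOCGUSAGE");

    int s = shadow_byte_for(REPORT_ROW_BASE, REPORT_ROW, REPORT_ADDR);
    printf("shadow for %#llx = 0x%02x (%s)\n",
           (unsigned long long)REPORT_ADDR, s, kasan_shadow_name(s));
    return 0;
}
```

The read of size 4 lands on the first 0xfe granule immediately after the last accessible one, so the access is exactly at the end of the page-backed allocation; the granule at ffff8881c1448068, eight bytes earlier, is still 0x00. Running the same decode on the RSI value of the duplicate Write report is the quickest way to confirm both reports come from sibling ioctl paths in hiddev_ioctl_usage rather than from two unrelated callers.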

Crashes (142):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2020/04/26 00:11 https://github.com/google/kasan.git usb-fuzzer 059e7e0ff26c b8bb8e5f .config console log report syz C ci2-upstream-usb
2020/04/08 15:06 https://github.com/google/kasan.git usb-fuzzer 0fa84af850a4 db9bcd4b .config console log report syz C ci2-upstream-usb
2019/11/19 11:41 https://github.com/google/kasan.git usb-fuzzer 46178223c0ca 432c7650 .config console log report syz C ci2-upstream-usb
2019/09/28 08:27 https://github.com/google/kasan.git usb-fuzzer 2994c07743fe d8074e0b .config console log report syz C ci2-upstream-usb
2020/08/29 19:15 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 3ed8e1c2ac99 d5a3ae1f .config console log report ci2-upstream-usb
2020/08/29 18:14 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 3ed8e1c2ac99 d5a3ae1f .config console log report ci2-upstream-usb
2020/08/29 03:47 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 3ed8e1c2ac99 d5a3ae1f .config console log report ci2-upstream-usb
2020/08/27 00:17 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing cb06b385d536 318430cb .config console log report ci2-upstream-usb
2020/08/25 02:46 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 28157b8c7d9a 344da168 .config console log report ci2-upstream-usb
2020/08/23 17:40 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 28157b8c7d9a a6d5f3ad .config console log report ci2-upstream-usb
2020/08/23 03:36 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 28157b8c7d9a 1da71ab0 .config console log report ci2-upstream-usb
2020/08/21 21:14 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 28157b8c7d9a 6436ce4b .config console log report ci2-upstream-usb
2020/08/21 04:52 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 28157b8c7d9a 70160577 .config console log report ci2-upstream-usb
2020/08/19 15:19 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 28157b8c7d9a db787902 .config console log report ci2-upstream-usb
2020/08/19 13:06 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 28157b8c7d9a db787902 .config console log report ci2-upstream-usb
2020/08/16 14:24 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 449dc8c97089 5ce13532 .config console log report ci2-upstream-usb
2020/08/14 02:17 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 449dc8c97089 54ce1ed6 .config console log report ci2-upstream-usb
2020/08/09 20:16 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 449dc8c97089 70301872 .config console log report ci2-upstream-usb
2020/08/05 10:15 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing e3ee0e740c38 b7129355 .config console log report ci2-upstream-usb
2020/05/01 15:16 https://github.com/google/kasan.git usb-fuzzer 059e7e0ff26c 143a10e9 .config console log report ci2-upstream-usb
2020/05/01 07:16 https://github.com/google/kasan.git usb-fuzzer 059e7e0ff26c 3698959a .config console log report ci2-upstream-usb
2020/03/22 00:03 https://github.com/google/kasan.git usb-fuzzer e17994d1e7b1 78267cec .config console log report ci2-upstream-usb
2020/03/04 03:49 https://github.com/google/kasan.git usb-fuzzer d6ff8147a51c 1f73b64b .config console log report ci2-upstream-usb
2020/02/27 20:10 https://github.com/google/kasan.git usb-fuzzer d6ff8147a51c 40bcfdd5 .config console log report ci2-upstream-usb
2020/02/26 18:30 https://github.com/google/kasan.git usb-fuzzer d6ff8147a51c 251aabb7 .config console log report ci2-upstream-usb
2020/02/25 06:24 https://github.com/google/kasan.git usb-fuzzer d6ff8147a51c 59b57593 .config console log report ci2-upstream-usb
2020/02/23 15:52 https://github.com/google/kasan.git usb-fuzzer 307a2623c9d7 2c36e7a7 .config console log report ci2-upstream-usb
2020/02/23 05:29 https://github.com/google/kasan.git usb-fuzzer 307a2623c9d7 2c36e7a7 .config console log report ci2-upstream-usb
2020/02/23 01:43 https://github.com/google/kasan.git usb-fuzzer 307a2623c9d7 2c36e7a7 .config console log report ci2-upstream-usb
2020/02/22 18:42 https://github.com/google/kasan.git usb-fuzzer 307a2623c9d7 2c36e7a7 .config console log report ci2-upstream-usb
2020/02/21 21:06 https://github.com/google/kasan.git usb-fuzzer 307a2623c9d7 2ffa6679 .config console log report ci2-upstream-usb
2020/02/21 14:23 https://github.com/google/kasan.git usb-fuzzer 7f0cd6c7c423 bd2a74a3 .config console log report ci2-upstream-usb
2020/02/21 10:30 https://github.com/google/kasan.git usb-fuzzer 7f0cd6c7c423 bd2a74a3 .config console log report ci2-upstream-usb
2020/02/21 07:43 https://github.com/google/kasan.git usb-fuzzer 7f0cd6c7c423 bd2a74a3 .config console log report ci2-upstream-usb
2020/02/20 17:37 https://github.com/google/kasan.git usb-fuzzer 7f0cd6c7c423 81230308 .config console log report ci2-upstream-usb
2020/02/20 16:05 https://github.com/google/kasan.git usb-fuzzer 7f0cd6c7c423 81230308 .config console log report ci2-upstream-usb
2020/02/20 11:12 https://github.com/google/kasan.git usb-fuzzer 7f0cd6c7c423 b690a6e3 .config console log report ci2-upstream-usb
2020/02/20 02:38 https://github.com/google/kasan.git usb-fuzzer 7f0cd6c7c423 b690a6e3 .config console log report ci2-upstream-usb
2020/02/19 14:36 https://github.com/google/kasan.git usb-fuzzer 7f0cd6c7c423 47fae6e9 .config console log report ci2-upstream-usb
2020/02/18 18:11 https://github.com/google/kasan.git usb-fuzzer 7f0cd6c7c423 012fbc32 .config console log report ci2-upstream-usb
2020/02/18 08:12 https://github.com/google/kasan.git usb-fuzzer 7f0cd6c7c423 1ce142dc .config console log report ci2-upstream-usb
2020/02/16 19:30 https://github.com/google/kasan.git usb-fuzzer 7f0cd6c7c423 cf914200 .config console log report ci2-upstream-usb
2020/02/16 14:47 https://github.com/google/kasan.git usb-fuzzer 7f0cd6c7c423 cf914200 .config console log report ci2-upstream-usb
2020/02/15 16:00 https://github.com/google/kasan.git usb-fuzzer 7f0cd6c7c423 5d7b90f1 .config console log report ci2-upstream-usb
2020/02/15 10:07 https://github.com/google/kasan.git usb-fuzzer 7f0cd6c7c423 5d7b90f1 .config console log report ci2-upstream-usb
2020/02/14 22:23 https://github.com/google/kasan.git usb-fuzzer 7f0cd6c7c423 5d7b90f1 .config console log report ci2-upstream-usb
* Struck through repros no longer work on HEAD.