syzbot


UBSAN: shift-out-of-bounds in option_probe

Status: fixed on 2021/03/10 01:48
Subsystems: usb
Reported-by: syzbot+8881b478dad0a7971f79@syzkaller.appspotmail.com
Fix commit: a251963f76fa USB: serial: option: add interface-number sanity check to flag handling
First crash: 1197d, last: 1194d
Cause bisection: failed (error log, bisect log)
  
Discussions (8)
Title Replies (including bot) Last reply
[PATCH 4.14 000/242] 4.14.213-rc1 review 245 (245) 2021/01/13 01:20
[PATCH 5.10 00/40] 5.10.3-rc1 review 60 (60) 2021/01/06 23:56
[PATCH 4.19 000/346] 4.19.164-rc1 review 356 (356) 2021/01/02 11:29
[PATCH 4.4 000/132] 4.4.249-rc1 review 136 (136) 2020/12/30 09:37
[PATCH 5.4 000/453] 5.4.86-rc1 review 465 (465) 2020/12/30 09:22
[PATCH 4.9 000/175] 4.9.249-rc1 review 178 (178) 2020/12/29 09:28
[PATCH] USB: serial: option: add interface-number sanity check to flag handling 3 (3) 2020/12/09 13:57
UBSAN: shift-out-of-bounds in option_probe 1 (2) 2020/12/09 09:24

Sample crash report:
usb 1-1: config 0 interface 109 has no altsetting 0
usb 1-1: New USB device found, idVendor=12d1, idProduct=02cb, bcdDevice= 1.fb
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
usb 1-1: config 0 descriptor??
================================================================================
UBSAN: shift-out-of-bounds in drivers/usb/serial/option.c:2120:21
shift exponent 109 is too large for 64-bit type 'long unsigned int'
CPU: 0 PID: 3169 Comm: kworker/0:3 Not tainted 5.10.0-rc6-next-20201207-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395
 option_probe.cold+0x1a/0x1f drivers/usb/serial/option.c:2120
 usb_serial_probe+0x32d/0xef0 drivers/usb/serial/usb-serial.c:905
 usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396
 really_probe+0x2b1/0xe40 drivers/base/dd.c:554
 driver_probe_device+0x285/0x3f0 drivers/base/dd.c:738
 __device_attach_driver+0x216/0x2d0 drivers/base/dd.c:844

Crashes (22):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2020/12/08 05:03 linux-next 15ac8fdb7440 51a9082e .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2020/12/10 06:32 linux-next a9e26cb5f261 c090b4da .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/10 06:30 linux-next a9e26cb5f261 c090b4da .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/10 05:54 linux-next a9e26cb5f261 c090b4da .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/10 05:43 linux-next a9e26cb5f261 c090b4da .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/10 04:36 linux-next a9e26cb5f261 c090b4da .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/09 23:12 linux-next a9e26cb5f261 c090b4da .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/09 22:59 linux-next a9e26cb5f261 c090b4da .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/09 22:50 linux-next a9e26cb5f261 c090b4da .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/09 22:42 linux-next a9e26cb5f261 c090b4da .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/09 21:38 linux-next a9e26cb5f261 c090b4da .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/09 10:45 linux-next a9e26cb5f261 40cc414d .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/09 10:45 linux-next a9e26cb5f261 40cc414d .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/09 02:34 linux-next a9e26cb5f261 a7f7f4a4 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/09 01:44 linux-next a9e26cb5f261 a7f7f4a4 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/08 22:32 linux-next a9e26cb5f261 a7f7f4a4 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/08 14:38 linux-next 15ac8fdb7440 51a9082e .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/08 03:24 linux-next 15ac8fdb7440 51a9082e .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/07 22:04 linux-next 15ac8fdb7440 1190297f .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/07 22:04 linux-next 15ac8fdb7440 1190297f .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/07 22:04 linux-next 15ac8fdb7440 1190297f .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/07 14:51 linux-next 15ac8fdb7440 1190297f .config console log report info ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.