syzbot


UBSAN: shift-out-of-bounds in hid_report_raw_event (2)

Status: upstream: reported C repro on 2022/11/15 17:41
Reported-by: syzbot+8b1641d2f14732407e23@syzkaller.appspotmail.com
Fix commit: ec61b4191858 HID: core: fix shift-out-of-bounds in hid_report_raw_event
Patched on: [ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-arm64 ci-upstream-gce-leak ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce ci-upstream-kmsan-gce-386 ci-upstream-linux-next-kasan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-fs ci2-upstream-kcsan-gce ci2-upstream-usb], missing on: [ci-qemu2-riscv64]
First crash: 79d, last: 79d

Cause bisection: failed (bisect log)
similar bugs (1):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream UBSAN: shift-out-of-bounds in hid_report_raw_event C 4 716d 712d 0/24 closed as dup on 2021/02/16 22:41

Sample crash report:
microsoft 0003:045E:07DA.0001: hid_field_extract() called with n (128) > 32! (swapper/0)
================================================================================
UBSAN: shift-out-of-bounds in drivers/hid/hid-core.c:1323:20
shift exponent 127 is too large for 32-bit type 'int'
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.1.0-rc4-syzkaller-00159-g4bbf3422df78 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 ubsan_epilogue lib/ubsan.c:151 [inline]
 __ubsan_handle_shift_out_of_bounds+0x3a6/0x420 lib/ubsan.c:322
 snto32 drivers/hid/hid-core.c:1323 [inline]
 hid_input_fetch_field drivers/hid/hid-core.c:1572 [inline]
 hid_process_report drivers/hid/hid-core.c:1665 [inline]
 hid_report_raw_event+0xd56/0x18b0 drivers/hid/hid-core.c:1998
 hid_input_report+0x408/0x4f0 drivers/hid/hid-core.c:2066
 hid_irq_in+0x459/0x690 drivers/hid/usbhid/hid-core.c:284
 __usb_hcd_giveback_urb+0x369/0x530 drivers/usb/core/hcd.c:1671
 dummy_timer+0x86b/0x3110 drivers/usb/gadget/udc/dummy_hcd.c:1988
 call_timer_fn+0xf5/0x210 kernel/time/timer.c:1474
 expire_timers kernel/time/timer.c:1519 [inline]
 __run_timers+0x76a/0x980 kernel/time/timer.c:1790
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1803
 __do_softirq+0x277/0x75b kernel/softirq.c:571
 __irq_exit_rcu+0xec/0x170 kernel/softirq.c:650
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
 sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1107
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0010:native_save_fl arch/x86/include/asm/irqflags.h:22 [inline]
RIP: 0010:arch_local_save_flags arch/x86/include/asm/irqflags.h:70 [inline]
RIP: 0010:arch_irqs_disabled arch/x86/include/asm/irqflags.h:130 [inline]
RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:113 [inline]
RIP: 0010:acpi_idle_do_entry drivers/acpi/processor_idle.c:572 [inline]
RIP: 0010:acpi_idle_enter+0x43d/0x800 drivers/acpi/processor_idle.c:709
Code: ff e8 a7 8d 38 f7 48 83 e3 08 44 8b 7c 24 04 0f 85 00 01 00 00 e8 33 4d 3f f7 66 90 e8 cc 88 38 f7 0f 00 2d f5 af c4 00 fb f4 <4c> 89 e3 48 c1 eb 03 42 80 3c 2b 00 74 08 4c 89 e7 e8 7d 64 8d f7
RSP: 0018:ffffffff8ca07b80 EFLAGS: 000002d3
RAX: ffffffff8a512d84 RBX: 0000000000000000 RCX: ffffffff8cabb7c0
RDX: 0000000000000000 RSI: ffffffff8aad68a0 RDI: ffffffff8b0ac540
RBP: ffffffff8ca07c30 R08: ffffffff8a512d69 R09: fffffbfff19576f9
R10: fffffbfff19576f9 R11: 1ffffffff19576f8 R12: ffffffff8ca07bc0
R13: dffffc0000000000 R14: ffff8880121c6800 R15: 0000000000000001
 cpuidle_enter_state+0x50b/0xf50 drivers/cpuidle/cpuidle.c:239
 cpuidle_enter+0x59/0x90 drivers/cpuidle/cpuidle.c:356
 call_cpuidle kernel/sched/idle.c:155 [inline]
 cpuidle_idle_call kernel/sched/idle.c:236 [inline]
 do_idle+0x3da/0x680 kernel/sched/idle.c:303
 cpu_startup_entry+0x15/0x20 kernel/sched/idle.c:400
 rest_init+0x24f/0x270 init/main.c:729
 arch_call_rest_init+0xa/0xa init/main.c:890
 start_kernel+0x4b6/0x565 init/main.c:1145
 secondary_startup_64_no_verify+0xcf/0xdb
 </TASK>
================================================================================
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:	e8 a7 8d 38 f7       	callq  0xf7388dac
   5:	48 83 e3 08          	and    $0x8,%rbx
   9:	44 8b 7c 24 04       	mov    0x4(%rsp),%r15d
   e:	0f 85 00 01 00 00    	jne    0x114
  14:	e8 33 4d 3f f7       	callq  0xf73f4d4c
  19:	66 90                	xchg   %ax,%ax
  1b:	e8 cc 88 38 f7       	callq  0xf73888ec
  20:	0f 00 2d f5 af c4 00 	verw   0xc4aff5(%rip)        # 0xc4b01c
  27:	fb                   	sti
  28:	f4                   	hlt
* 29:	4c 89 e3             	mov    %r12,%rbx <-- trapping instruction
  2c:	48 c1 eb 03          	shr    $0x3,%rbx
  30:	42 80 3c 2b 00       	cmpb   $0x0,(%rbx,%r13,1)
  35:	74 08                	je     0x3f
  37:	4c 89 e7             	mov    %r12,%rdi
  3a:	e8 7d 64 8d f7       	callq  0xf78d64bc

Crashes (1):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci-upstream-kasan-gce-smack-root 2022/11/11 17:34 upstream 4bbf3422df78 3ead01ad .config strace log report syz C [disk image] [vmlinux] [kernel image] UBSAN: shift-out-of-bounds in hid_report_raw_event
* Struck through repros no longer work on HEAD.