syzbot
KASAN: slab-out-of-bounds Write in hiddev_ioctl_usage

Status: fixed on 2020/09/25 01:17
Subsystems: input usb
Reported-by: syzbot+34ee1b45d88571c2fa8b@syzkaller.appspotmail.com
Fix commit: 25a097f52046 HID: hiddev: Fix slab-out-of-bounds write in hiddev_ioctl_usage()
First crash: 1679d, last: 1335d
Duplicate bugs (1):
Title: KASAN: slab-out-of-bounds Read in hiddev_ioctl_usage (subsystems: input usb)
Repro: C
Count: 142
Last: 1334d
Reported: 1668d
Patched: 0/26
Status: closed as dup on 2019/11/22 20:45
Discussions (16)
Title Replies (including bot) Last reply
[PATCH 4.19 000/125] 4.19.143-rc1 review 147 (147) 2020/10/26 00:54
[PATCH 4.4 00/62] 4.4.235-rc1 review 70 (70) 2020/09/30 09:01
[PATCH AUTOSEL 5.8 01/42] hwmon: (pmbus/isl68137) remove READ_TEMPERATURE_1 telemetry for RAA228228 48 (48) 2020/09/05 12:04
[PATCH 5.8 000/255] 5.8.6-rc1 review 263 (263) 2020/09/03 09:29
[PATCH 4.14 00/91] 4.14.196-rc1 review 95 (95) 2020/09/02 16:46
[PATCH 4.9 00/78] 4.9.235-rc1 review 82 (82) 2020/09/02 16:46
[PATCH 5.4 000/214] 5.4.62-rc1 review 219 (219) 2020/09/02 07:24
[PATCH AUTOSEL 4.4 1/5] HID: hiddev: Fix slab-out-of-bounds write in hiddev_ioctl_usage() 5 (5) 2020/08/31 15:32
[PATCH AUTOSEL 4.9 1/6] HID: hiddev: Fix slab-out-of-bounds write in hiddev_ioctl_usage() 6 (6) 2020/08/31 15:31
[PATCH AUTOSEL 4.14 1/9] HID: hiddev: Fix slab-out-of-bounds write in hiddev_ioctl_usage() 9 (9) 2020/08/31 15:31
[PATCH AUTOSEL 4.19 01/11] HID: hiddev: Fix slab-out-of-bounds write in hiddev_ioctl_usage() 11 (11) 2020/08/31 15:31
[PATCH AUTOSEL 5.4 01/23] HID: quirks: Always poll three more Lenovo PixArt mice 23 (23) 2020/08/31 15:30
[Linux-kernel-mentees] [PATCH v1] usbhid: Fix slab-out-of-bounds write in hiddev_ioctl_usage() 15 (15) 2020/08/18 10:00
Reminder: 45 active syzbot reports in usb subsystem 1 (1) 2019/11/19 04:27
Reminder: 67 active syzbot reports in usb subsystem 1 (1) 2019/10/04 03:38
KASAN: slab-out-of-bounds Write in hiddev_ioctl_usage 1 (2) 2019/09/20 13:51
Similar bugs (1):
Kernel: android-54
Title: KASAN: slab-out-of-bounds Write in hiddev_ioctl_usage
Repro: C
Count: 4
Last: 1459d
Reported: 1478d
Patched: 1/2
Status: fixed on 2021/10/13 19:27

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in hiddev_ioctl_usage.isra.0+0x1251/0x13b0 drivers/hid/usbhid/hiddev.c:528
Write of size 4 at addr ffff8881cd03ca58 by task syz-executor227/353

CPU: 1 PID: 353 Comm: syz-executor227 Not tainted 5.7.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xef/0x16e lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd3/0x314 mm/kasan/report.c:382
 __kasan_report.cold+0x37/0x92 mm/kasan/report.c:511
 kasan_report+0x33/0x50 mm/kasan/common.c:625
 hiddev_ioctl_usage.isra.0+0x1251/0x13b0 drivers/hid/usbhid/hiddev.c:528
 hiddev_ioctl+0x79b/0x1550 drivers/hid/usbhid/hiddev.c:794
 vfs_ioctl fs/ioctl.c:47 [inline]
 ksys_ioctl+0x11a/0x180 fs/ioctl.c:763
 __do_sys_ioctl fs/ioctl.c:772 [inline]
 __se_sys_ioctl fs/ioctl.c:770 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:770
 do_syscall_64+0xb6/0x5a0 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x444d19
Code: e8 bc af 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 1b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fff559d6318 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000444d19
RDX: 0000000020000000 RSI: 000000004018480c RDI: 0000000000000004
RBP: 00000000006cf018 R08: 9188084ba2bfac07 R09: 00000000004002e0
R10: 000000000000000f R11: 0000000000000246 R12: 00000000004029c0
R13: 0000000000402a50 R14: 0000000000000000 R15: 0000000000000000

The buggy address belongs to the page:
page:ffffea0007340c00 refcount:1 mapcount:0 mapping:000000009882e140 index:0x0 head:ffffea0007340c00 order:4 compound_mapcount:0 compound_pincount:0
flags: 0x200000000010000(head)
raw: 0200000000010000 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881cd03c900: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
 ffff8881cd03c980: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>ffff8881cd03ca00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
                                                    ^
 ffff8881cd03ca80: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
 ffff8881cd03cb00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
==================================================================

Crashes (279):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2020/04/26 20:35 https://github.com/google/kasan.git usb-fuzzer 059e7e0ff26c 0ce7569e .config console log report syz C ci2-upstream-usb
2020/04/08 00:26 https://github.com/google/kasan.git usb-fuzzer 0fa84af850a4 db9bcd4b .config console log report syz C ci2-upstream-usb
2019/09/20 10:26 https://github.com/google/kasan.git usb-fuzzer e0bd8d794fc9 d96e88f3 .config console log report syz C ci2-upstream-usb
2020/08/28 16:53 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 3ed8e1c2ac99 d5a3ae1f .config console log report ci2-upstream-usb
2020/08/25 00:41 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 28157b8c7d9a 344da168 .config console log report ci2-upstream-usb
2020/08/23 22:39 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 28157b8c7d9a cef5ae68 .config console log report ci2-upstream-usb
2020/08/21 19:10 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 28157b8c7d9a 6436ce4b .config console log report ci2-upstream-usb
2020/04/30 04:18 https://github.com/google/kasan.git usb-fuzzer 059e7e0ff26c 2dd552a5 .config console log report ci2-upstream-usb
2020/04/30 01:34 https://github.com/google/kasan.git usb-fuzzer 059e7e0ff26c 2dd552a5 .config console log report ci2-upstream-usb
2020/04/29 11:34 https://github.com/google/kasan.git usb-fuzzer 059e7e0ff26c ba2806db .config console log report ci2-upstream-usb
2020/04/28 15:42 https://github.com/google/kasan.git usb-fuzzer 059e7e0ff26c e3ecea2e .config console log report ci2-upstream-usb
2020/03/11 23:54 https://github.com/google/kasan.git usb-fuzzer d6ff8147a51c d850e9d0 .config console log report ci2-upstream-usb
2020/03/07 16:28 https://github.com/google/kasan.git usb-fuzzer d6ff8147a51c 2e9971bb .config console log report ci2-upstream-usb
2020/03/07 02:36 https://github.com/google/kasan.git usb-fuzzer d6ff8147a51c fd2a5f28 .config console log report ci2-upstream-usb
2020/03/06 02:20 https://github.com/google/kasan.git usb-fuzzer d6ff8147a51c b655d91b .config console log report ci2-upstream-usb
2020/03/03 21:42 https://github.com/google/kasan.git usb-fuzzer d6ff8147a51c 1f73b64b .config console log report ci2-upstream-usb
2020/02/25 09:44 https://github.com/google/kasan.git usb-fuzzer d6ff8147a51c 59b57593 .config console log report ci2-upstream-usb
2020/02/24 18:55 https://github.com/google/kasan.git usb-fuzzer d6ff8147a51c 1253d6f0 .config console log report ci2-upstream-usb
2020/02/22 22:33 https://github.com/google/kasan.git usb-fuzzer 307a2623c9d7 2c36e7a7 .config console log report ci2-upstream-usb
2020/02/21 06:41 https://github.com/google/kasan.git usb-fuzzer 7f0cd6c7c423 bd2a74a3 .config console log report ci2-upstream-usb
2020/02/21 02:36 https://github.com/google/kasan.git usb-fuzzer 7f0cd6c7c423 81230308 .config console log report ci2-upstream-usb
2020/02/20 15:29 https://github.com/google/kasan.git usb-fuzzer 7f0cd6c7c423 81230308 .config console log report ci2-upstream-usb
2020/02/20 00:03 https://github.com/google/kasan.git usb-fuzzer 7f0cd6c7c423 47fae6e9 .config console log report ci2-upstream-usb
2020/02/18 02:54 https://github.com/google/kasan.git usb-fuzzer 7f0cd6c7c423 1ce142dc .config console log report ci2-upstream-usb
2020/02/15 11:02 https://github.com/google/kasan.git usb-fuzzer 7f0cd6c7c423 5d7b90f1 .config console log report ci2-upstream-usb
2020/02/15 08:23 https://github.com/google/kasan.git usb-fuzzer 7f0cd6c7c423 5d7b90f1 .config console log report ci2-upstream-usb
2020/02/14 23:42 https://github.com/google/kasan.git usb-fuzzer 7f0cd6c7c423 5d7b90f1 .config console log report ci2-upstream-usb
2020/02/14 06:33 https://github.com/google/kasan.git usb-fuzzer 7f0cd6c7c423 5d7b90f1 .config console log report ci2-upstream-usb
2020/02/14 04:16 https://github.com/google/kasan.git usb-fuzzer 7f0cd6c7c423 5d7b90f1 .config console log report ci2-upstream-usb
2020/02/13 09:26 https://github.com/google/kasan.git usb-fuzzer 7f0cd6c7c423 84f4fc8a .config console log report ci2-upstream-usb
2020/02/12 22:37 https://github.com/google/kasan.git usb-fuzzer 7f0cd6c7c423 84f4fc8a .config console log report ci2-upstream-usb
2020/02/12 08:55 https://github.com/google/kasan.git usb-fuzzer 7f0cd6c7c423 a75b198c .config console log report ci2-upstream-usb
2020/02/11 18:06 https://github.com/google/kasan.git usb-fuzzer 7f0cd6c7c423 4d1ab643 .config console log report ci2-upstream-usb
2020/02/11 14:44 https://github.com/google/kasan.git usb-fuzzer 7f0cd6c7c423 084454ae .config console log report ci2-upstream-usb
2020/02/09 20:17 https://github.com/google/kasan.git usb-fuzzer e5cd56e94edd 6ece2ea5 .config console log report ci2-upstream-usb
2020/02/08 14:37 https://github.com/google/kasan.git usb-fuzzer e5cd56e94edd 06150bf1 .config console log report ci2-upstream-usb
2020/02/07 03:26 https://github.com/google/kasan.git usb-fuzzer e5cd56e94edd 06150bf1 .config console log report ci2-upstream-usb
2020/02/05 23:23 https://github.com/google/kasan.git usb-fuzzer e5cd56e94edd 662cf49a .config console log report ci2-upstream-usb
2020/02/05 18:48 https://github.com/google/kasan.git usb-fuzzer e5cd56e94edd 662cf49a .config console log report ci2-upstream-usb
2020/02/05 14:22 https://github.com/google/kasan.git usb-fuzzer e5cd56e94edd 662cf49a .config console log report ci2-upstream-usb
2020/02/05 13:18 https://github.com/google/kasan.git usb-fuzzer e5cd56e94edd 93e5e335 .config console log report ci2-upstream-usb
2020/02/05 04:52 https://github.com/google/kasan.git usb-fuzzer e5cd56e94edd 93e5e335 .config console log report ci2-upstream-usb
2020/02/05 03:46 https://github.com/google/kasan.git usb-fuzzer e5cd56e94edd 93e5e335 .config console log report ci2-upstream-usb
2020/02/03 10:14 https://github.com/google/kasan.git usb-fuzzer cd234325a5f1 93e5e335 .config console log report ci2-upstream-usb
2020/02/03 03:10 https://github.com/google/kasan.git usb-fuzzer cd234325a5f1 93e5e335 .config console log report ci2-upstream-usb
2020/02/02 19:23 https://github.com/google/kasan.git usb-fuzzer cd234325a5f1 93e5e335 .config console log report ci2-upstream-usb
2020/02/02 15:09 https://github.com/google/kasan.git usb-fuzzer cd234325a5f1 93e5e335 .config console log report ci2-upstream-usb
2020/02/02 09:34 https://github.com/google/kasan.git usb-fuzzer cd234325a5f1 2274ad39 .config console log report ci2-upstream-usb
2020/02/02 01:55 https://github.com/google/kasan.git usb-fuzzer cd234325a5f1 2274ad39 .config console log report ci2-upstream-usb
2020/02/01 18:05 https://github.com/google/kasan.git usb-fuzzer cd234325a5f1 326d4c78 .config console log report ci2-upstream-usb
2020/02/01 14:46 https://github.com/google/kasan.git usb-fuzzer cd234325a5f1 326d4c78 .config console log report ci2-upstream-usb