Re: Possible double-free in the usbnet driver

2016-03-08 Thread Andrey Konovalov
On Tue, Mar 8, 2016 at 12:39 AM, Oliver Neukum <oneu...@suse.com> wrote: > On Mon, 2016-03-07 at 22:50 +0300, Andrey Konovalov wrote: >> Could you also add: >> Reported-by: Andrey Konovalov <andreyk...@gmail.com> > > Well, the exact bug you reported is fixed

Re: Possible double-free in the usbnet driver

2016-03-07 Thread Andrey Konovalov
uled. > They must be killed. This fixes an error case related to > the double free reported in > http://www.spinics.net/lists/netdev/msg367669.html > and needs to go on top of Linus' fix to cdc-ncm. > > Signed-off-by: Oliver Neukum <oneu...@suse.com> >

Re: Possible double-free in the usbnet driver

2016-03-04 Thread Andrey Konovalov
On Sat, Mar 5, 2016 at 12:26 AM, Linus Torvalds <torva...@linux-foundation.org> wrote: > [ Moving this to proper lists ] > > On Thu, Mar 3, 2016 at 4:19 PM, Andrey Konovalov <andreyk...@gmail.com> wrote: >> >> I found another double-free, this time in the usbnet

Re: Possible double-free in the usbnet driver

2016-03-04 Thread Andrey Konovalov
On Sat, Mar 5, 2016 at 1:42 AM, Oliver Neukum <oneu...@suse.de> wrote: > On Sat, 2016-03-05 at 01:26 +0300, Andrey Konovalov wrote: >> and when I run the vm and connect the device I get: >> >> [ 23.672662] cdc_ncm 1-1:1.6: bind() failure >> [ 23.67344

Re: Possible double-free in the usbnet driver

2016-03-04 Thread Andrey Konovalov
On Sat, Mar 5, 2016 at 1:43 AM, Linus Torvalds <torva...@linux-foundation.org> wrote: > On Fri, Mar 4, 2016 at 2:26 PM, Andrey Konovalov <andreyk...@gmail.com> wrote: >> >> and when I run the vm and connect the device I get: >> >> [ 23.672662] cdc_ncm 1

Re: Possible double-free in the usbnet driver

2016-03-04 Thread Andrey Konovalov
On Sat, Mar 5, 2016 at 2:00 AM, Andrey Konovalov <andreyk...@gmail.com> wrote: > On Sat, Mar 5, 2016 at 1:42 AM, Oliver Neukum <oneu...@suse.de> wrote: >> On Sat, 2016-03-05 at 01:26 +0300, Andrey Konovalov wrote: >>> and when I run the vm and connect the devic

Re: usb/gadget: use-after-free in gadgetfs_setup

2016-12-06 Thread Andrey Konovalov
On Tue, Dec 6, 2016 at 1:28 PM, Andrey Konovalov <andreyk...@google.com> wrote: > On Mon, Dec 5, 2016 at 8:31 PM, Alan Stern <st...@rowland.harvard.edu> wrote: >> On Mon, 5 Dec 2016, Andrey Konovalov wrote: >> >>> Hi! >>> >>> I've got the fol

net/gadget: slab-out-of-bounds write in dev_config

2016-12-06 Thread Andrey Konovalov
Hi! I've got the following error report while running the syzkaller fuzzer. ep0_write() doesn't check the length, so a user can cause an out-of-bounds with both size and data controlled. There's a comment which says "IN DATA+STATUS caller makes len <= wLength". While I'm not exactly sure what

Re: usb/gadget: use-after-free in gadgetfs_setup

2016-12-08 Thread Andrey Konovalov
On Wed, Dec 7, 2016 at 8:15 PM, Alan Stern <st...@rowland.harvard.edu> wrote: > On Wed, 7 Dec 2016, Andrey Konovalov wrote: > >> > And in any case, is there any way you can post the series of system >> > calls that syzkaller makes so we can tell what went wrong? &g

Re: Emulating USB devices from userspace

2016-12-09 Thread Andrey Konovalov
On Fri, Dec 9, 2016 at 8:20 AM, Greg Kroah-Hartman <gre...@linuxfoundation.org> wrote: > On Fri, Dec 09, 2016 at 12:38:23AM +0100, Andrey Konovalov wrote: >> Hi, >> >> I'm working on a way to extend syzkaller [1] to support fuzzing of the >> USB subsystem. The idea

Re: usb/gadget: use-after-free in gadgetfs_setup

2016-12-12 Thread Andrey Konovalov
On Fri, Dec 9, 2016 at 8:57 PM, Alan Stern <st...@rowland.harvard.edu> wrote: > On Fri, 9 Dec 2016, Andrey Konovalov wrote: > >> On Wed, Dec 7, 2016 at 8:15 PM, Alan Stern <st...@rowland.harvard.edu> wrote: >> > On Wed, 7 Dec 2016, Andrey Konovalov wrote: >>

Re: usb/gadget: use-after-free in gadgetfs_setup

2016-12-07 Thread Andrey Konovalov
On Tue, Dec 6, 2016 at 9:30 PM, Alan Stern <st...@rowland.harvard.edu> wrote: > [CC: list drastically trimmed] > > On Tue, 6 Dec 2016, Andrey Konovalov wrote: > >> On Tue, Dec 6, 2016 at 1:28 PM, Andrey Konovalov <andreyk...@google.com> >> wrote: >> &g

Re: usb/core: warning in usb_create_ep_devs/sysfs_create_dir_ns

2016-12-17 Thread Andrey Konovalov
On Fri, Dec 16, 2016 at 7:01 PM, Alan Stern <st...@rowland.harvard.edu> wrote: > On Mon, 12 Dec 2016, Andrey Konovalov wrote: > >> Hi! >> >> While running the syzkaller fuzzer I've got the following error report. >> >> On commit 3c49de52d5647cda8b42c4255c

Re: usb/gadget: use-after-free in gadgetfs_setup

2016-12-12 Thread Andrey Konovalov
On Mon, Dec 12, 2016 at 7:44 PM, Alan Stern wrote: > > I'm still puzzled. Can you try running the test with the diagnostic > patch below? The resulting kernel log ought to help pin down where the > problem comes from. Sure, here's the log: usb 1-1: string descriptor

Re: usb/gadget: warning in ep_write_iter/__alloc_pages_nodemask

2016-12-12 Thread Andrey Konovalov
On Mon, Dec 12, 2016 at 9:31 PM, Andrey Konovalov <andreyk...@google.com> wrote: > Hi! > > While running the syzkaller fuzzer I've got the following error report. > > The issue is that the len argument is not checked for being too big. > > WARNING: CPU: 1 PID: 9

usb/core: warning in usb_create_ep_devs/sysfs_create_dir_ns

2016-12-12 Thread Andrey Konovalov
Hi! While running the syzkaller fuzzer I've got the following error report. On commit 3c49de52d5647cda8b42c4255cf8a29d1e22eff5 (Dec 2). WARNING: CPU: 2 PID: 865 at fs/sysfs/dir.c:31 sysfs_warn_dup+0x8a/0xa0 gadgetfs: disconnected sysfs: cannot create duplicate filename

Re: usb/gadget: use-after-free in gadgetfs_setup

2016-12-12 Thread Andrey Konovalov
On Mon, Dec 12, 2016 at 9:09 PM, Alan Stern <st...@rowland.harvard.edu> wrote: > On Mon, 12 Dec 2016, Andrey Konovalov wrote: > >> On Mon, Dec 12, 2016 at 7:44 PM, Alan Stern <st...@rowland.harvard.edu> >> wrote: >> > >> > I'm still puzzled.

usb/gadget: warning in ep_write_iter/__alloc_pages_nodemask

2016-12-12 Thread Andrey Konovalov
Hi! While running the syzkaller fuzzer I've got the following error report. The issue is that the len argument is not checked for being too big. WARNING: CPU: 1 PID: 9935 at mm/page_alloc.c:3511 __alloc_pages_nodemask+0x159c/0x1e20 Kernel panic - not syncing: panic_on_warn set ... CPU: 1 PID:

Emulating USB devices from userspace

2016-12-08 Thread Andrey Konovalov
Hi, I'm working on a way to extend syzkaller [1] to support fuzzing of the USB subsystem. The idea is to be able to emulate various USB devices and fuzz communication between the emulated device and the kernel. I'm looking for a way to emulate devices from userspace. Similar to how tuntap allows

usb/gadget: GPF in usb_gadget_unregister_driver

2016-12-03 Thread Andrey Konovalov
Hi! I've got the following error report while running the syzkaller fuzzer. On commit 3c49de52d5647cda8b42c4255cf8a29d1e22eff5 (Dec 2). general protection fault: [#1] SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 0 PID: 10564 Comm: syz-executor0 Not

usb/gadget: use-after-free in gadgetfs_setup

2016-12-05 Thread Andrey Konovalov
Hi! I've got the following error report while running the syzkaller fuzzer. On commit 3c49de52d5647cda8b42c4255cf8a29d1e22eff5 (Dec 2). BUG: KASAN: use-after-free in gadgetfs_setup+0x208a/0x20e0 at addr 88003dfe5bf2 Read of size 2 by task syz-executor0/22994 CPU: 3 PID: 22994 Comm:

Re: usb/gadget: GPF in usb_gadget_unregister_driver

2016-12-05 Thread Andrey Konovalov
On Sat, Dec 3, 2016 at 6:31 PM, Felix Hädicke wrote: > Hi, >> Hi! >> >> I've got the following error report while running the syzkaller fuzzer. >> >> On commit 3c49de52d5647cda8b42c4255cf8a29d1e22eff5 (Dec 2). >> >> general protection fault: [#1] SMP KASAN >> Dumping

Re: usb/gadget: GPF in usb_gadget_unregister_driver

2016-12-05 Thread Andrey Konovalov
On Sat, Dec 3, 2016 at 6:13 PM, Greg Kroah-Hartman <gre...@linuxfoundation.org> wrote: > On Sat, Dec 03, 2016 at 05:36:35PM +0100, Andrey Konovalov wrote: >> Hi! >> >> I've got the following error report while running the syzkaller fuzzer. >> >> On commit 3

Re: usb/gadget: GPF in usb_gadget_unregister_driver

2016-12-05 Thread Andrey Konovalov
On Sat, Dec 3, 2016 at 6:13 PM, Greg Kroah-Hartman <gre...@linuxfoundation.org> wrote: > On Sat, Dec 03, 2016 at 05:36:35PM +0100, Andrey Konovalov wrote: >> Hi! >> >> I've got the following error report while running the syzkaller fuzzer. >> >> On commit 3

usb/gadget: warning in dummy_free_request

2016-12-05 Thread Andrey Konovalov
Hi! I've got the following error report while running the syzkaller fuzzer. On commit 3c49de52d5647cda8b42c4255cf8a29d1e22eff5 (Dec 2). WARNING: CPU: 0 PID: 5257 at drivers/usb/gadget/udc/dummy_hcd.c:672 dummy_free_request+0x153/0x170 Kernel panic - not syncing: panic_on_warn set ... usb 2-1:

usb/gadget: warning in dev_config/memdup_user

2016-12-02 Thread Andrey Konovalov
Hi! I've got the following error report while running the syzkaller fuzzer. The length passed to memdup_user() directly without limitations. On commit 2caceb3294a78c389b462e7e236a4e744a53a474 (Dec 1). WARNING: CPU: 3 PID: 14477 at mm/page_alloc.c:3511 __alloc_pages_nodemask+0x159c/0x1e20

usb: warning in vhci_hcd_probe/lockdep_init_map

2016-12-02 Thread Andrey Konovalov
Hi! I've got the following error report while booting the kernel with various usb configs enabled. On commit 2caceb3294a78c389b462e7e236a4e744a53a474 (Dec 1). gadgetfs: USB Gadget filesystem, version 24 Aug 2004 usbip_core: USB/IP Core v1.0.0 vhci_hcd vhci_hcd: USB/IP Virtual Host Controller

Re: usb: warning in vhci_hcd_probe/lockdep_init_map

2016-12-02 Thread Andrey Konovalov
On Fri, Dec 2, 2016 at 4:58 PM, Greg Kroah-Hartman <gre...@linuxfoundation.org> wrote: > On Fri, Dec 02, 2016 at 03:35:44PM +0100, Andrey Konovalov wrote: >> Hi! >> >> I've got the following error report while booting the kernel with >> various usb configs

Re: usb/gadget: use-after-free in gadgetfs_setup

2016-12-06 Thread Andrey Konovalov
On Mon, Dec 5, 2016 at 8:31 PM, Alan Stern <st...@rowland.harvard.edu> wrote: > On Mon, 5 Dec 2016, Andrey Konovalov wrote: > >> Hi! >> >> I've got the following error report while running the syzkaller fuzzer. >> >> On commit 3c49de52d5647cda8b42c4255cf8a

Re: [PATCH] usbip: fix warning in vhci_hcd_probe/lockdep_init_map

2016-12-06 Thread Andrey Konovalov
oup.c:134 >> [] sysfs_create_group+0x1f/0x30 fs/sysfs/group.c:156 >> [] vhci_start+0x5b4/0x7a0 drivers/usb/usbip/vhci_hcd.c:978 >> [] usb_add_hcd+0x8da/0x1c60 drivers/usb/core/hcd.c:2867 >> [] vhci_hcd_probe+0x97/0x130 >> drivers/usb/usbip/vhci_hcd.c:1103 >> --- >>

Re: usb/gadget: warning in dummy_free_request

2017-01-09 Thread Andrey Konovalov
On Tue, Dec 27, 2016 at 12:40 PM, Felipe Balbi <ba...@kernel.org> wrote: > > Hi, > > Andrey Konovalov <andreyk...@google.com> writes: >> Hi! >> >> I've got the following error report while running the syzkaller fuzzer. >> >> On commit 3c49de52d

Re: net/gadget: slab-out-of-bounds write in dev_config

2016-12-06 Thread Andrey Konovalov
On Tue, Dec 6, 2016 at 4:30 PM, Alan Stern <st...@rowland.harvard.edu> wrote: > On Tue, 6 Dec 2016, Andrey Konovalov wrote: > >> Hi! >> >> I've got the following error report while running the syzkaller fuzzer. >> >> ep0_write() doesn't check the lengt

Re: usb/gadget: potential deadlock in gadgetfs_suspend

2017-06-12 Thread Andrey Konovalov
On Fri, Jun 9, 2017 at 9:14 PM, Alan Stern <st...@rowland.harvard.edu> wrote: > On Fri, 9 Jun 2017, Andrey Konovalov wrote: > >> On Fri, Jun 9, 2017 at 2:41 PM, Andrey Konovalov <andreyk...@google.com> >> wrote: >> > Hi, >> > >> > I'm g

Re: usb/gadget: potential deadlock in gadgetfs_suspend

2017-06-12 Thread Andrey Konovalov
On Mon, Jun 12, 2017 at 6:11 PM, Andrey Konovalov <andreyk...@google.com> wrote: > On Fri, Jun 9, 2017 at 9:14 PM, Alan Stern <st...@rowland.harvard.edu> wrote: >> On Fri, 9 Jun 2017, Andrey Konovalov wrote: >> >>> On Fri, Jun 9, 2017 at 2:41 PM, Andrey Konovalo

Re: usb/gadget: another GPF in usb_gadget_unregister_driver

2017-06-07 Thread Andrey Konovalov
On Wed, Jun 7, 2017 at 4:43 PM, Alan Stern <st...@rowland.harvard.edu> wrote: > On Wed, 7 Jun 2017, Andrey Konovalov wrote: > >> Hi, >> >> I've got the following error report while fuzzing the kernel with syzkaller. >> >> On commit b29794ec

Re: usb/gadget: another GPF in usb_gadget_unregister_driver

2017-06-08 Thread Andrey Konovalov
On Wed, Jun 7, 2017 at 11:20 PM, Alan Stern <st...@rowland.harvard.edu> wrote: > On Wed, 7 Jun 2017, Andrey Konovalov wrote: > >> On Wed, Jun 7, 2017 at 4:43 PM, Alan Stern <st...@rowland.harvard.edu> wrote: >> > On Wed, 7 Jun 2017, Andrey Konovalov wrote: &g

Re: usb/gadget: another GPF in usb_gadget_unregister_driver

2017-06-08 Thread Andrey Konovalov
On Thu, Jun 8, 2017 at 5:55 PM, Alan Stern <st...@rowland.harvard.edu> wrote: > On Thu, 8 Jun 2017, Andrey Konovalov wrote: > >> On Wed, Jun 7, 2017 at 11:20 PM, Alan Stern <st...@rowland.harvard.edu> >> wrote: >> > On Wed, 7 Jun 2017, Andrey Konovalov wro

usb/gadget: another GPF in usb_gadget_unregister_driver

2017-06-07 Thread Andrey Konovalov
Hi, I've got the following error report while fuzzing the kernel with syzkaller. On commit b29794ec95c6856b316c2295904208bf11ffddd9 (4.12-rc4+). This looks quite similar to https://groups.google.com/forum/#!topic/syzkaller/HDawLBeeORI I'm able to reproduce this, so I can collect some debug

Re: usb/gadget: potential deadlock in gadgetfs_suspend

2017-06-09 Thread Andrey Konovalov
On Fri, Jun 9, 2017 at 2:41 PM, Andrey Konovalov <andreyk...@google.com> wrote: > Hi, > > I'm getting some hangs while fuzzing the kernel with syzkaller. > > Possibly it happens during the execution of the following syzkaller program: > > mmap(&(0x7f00/0xb90

Re: usb/gadget: potential deadlock in gadgetfs_suspend

2017-06-13 Thread Andrey Konovalov
On Mon, Jun 12, 2017 at 10:25 PM, Alan Stern wrote: > > As you surmised, this was caused by a race. The race was between > dummy_udc_stop() and set_link_state(), both in dummy_hcd.c. A symptom > of this race is that the first routine clears dum->driver while the >

gadgetfs: how to wait for USB device initialization?

2017-06-13 Thread Andrey Konovalov
Hi! I'm trying to use gadgetfs to fuzz USB device drivers by simply connecting random devices for now. What I want to achieve right now is the following: 1. mount gadgetfs 2. emulate connection of a new USB device 3. wait for the device to finish initializing 4. unmount gadgetfs 5. goto 1 The

usb/gadget: potential deadlock in gadgetfs_suspend

2017-06-09 Thread Andrey Konovalov
Hi, I'm getting some hangs while fuzzing the kernel with syzkaller. Possibly it happens during the execution of the following syzkaller program: mmap(&(0x7f00/0xb9)=nil, (0xb9), 0x3, 0x32, 0x, 0x0) r0 =

Re: usb/gadget: potential deadlock in gadgetfs_suspend

2017-06-09 Thread Andrey Konovalov
On Fri, Jun 9, 2017 at 2:41 PM, Andrey Konovalov <andreyk...@google.com> wrote: > Hi, > > I'm getting some hangs while fuzzing the kernel with syzkaller. > > Possibly it happens during the execution of the following syzkaller program: > > mmap(&(0x7f00/0xb90

Re: usb/gadget: potential deadlock in gadgetfs_suspend

2017-06-13 Thread Andrey Konovalov
On Tue, Jun 13, 2017 at 7:44 PM, Alan Stern <st...@rowland.harvard.edu> wrote: > On Tue, 13 Jun 2017, Andrey Konovalov wrote: > >> Hi Alan, >> >> Thanks for the patch! >> >> I've been testing with your patch applied and the "bad spinlock magic&quo

Re: gadgetfs: how to wait for USB device initialization?

2017-06-13 Thread Andrey Konovalov
On Tue, Jun 13, 2017 at 6:22 PM, Tal Shorer <tal.sho...@gmail.com> wrote: > On Tue, Jun 13, 2017 at 7:02 PM, Tal Shorer <tal.sho...@gmail.com> wrote: >> On Tue, Jun 13, 2017 at 3:21 PM, Andrey Konovalov <andreyk...@google.com> >> wrote: >>> Hi! >

[PATCH v2] uwb: properly check kthread_run return value

2017-09-13 Thread Andrey Konovalov
uwbd_start() calls kthread_run() and checks that the return value is not NULL. But the return value is not NULL in case kthread_run() fails, it takes the form of ERR_PTR(-EINTR). Use IS_ERR() instead. Also add a check to uwbd_stop(). Signed-off-by: Andrey Konovalov <andreyk...@google.

[PATCH] uwb: properly check kthread_run return value

2017-09-13 Thread Andrey Konovalov
uwbd_start() calls kthread_run() and checks that the return value is not NULL. But the return value is not NULL in case kthread_run() fails, it takes the form of ERR_PTR(-EINTR). Use IS_ERR() instead. Signed-off-by: Andrey Konovalov <andreyk...@google.com> --- drivers/uwb/uwbd.c | 2 +-

Re: [PATCH] uwb: properly check kthread_run return value

2017-09-13 Thread Andrey Konovalov
On Wed, Sep 13, 2017 at 5:06 PM, Andrey Konovalov <andreyk...@google.com> wrote: > uwbd_start() calls kthread_run() and checks that the return value is > not NULL. But the return value is not NULL in case kthread_run() fails, > it takes the form of ERR_PTR(-EINTR). > >

Re: usb/uwb: GPF in uwbd_start

2017-09-13 Thread Andrey Konovalov
On Tue, Sep 12, 2017 at 9:55 PM, Greg Kroah-Hartman <gre...@linuxfoundation.org> wrote: > On Tue, Sep 12, 2017 at 07:10:07PM +0200, Andrey Konovalov wrote: >> Hi! >> >> I've got the following crashes while fuzzing the kernel with syzkaller. >> >> On commit 8

[PATCH v3] uwb: properly check kthread_run return value

2017-09-14 Thread Andrey Konovalov
uwbd_start() calls kthread_run() and checks that the return value is not NULL. But the return value is not NULL in case kthread_run() fails, it takes the form of ERR_PTR(-EINTR). Use IS_ERR() instead. Also add a check to uwbd_stop(). Signed-off-by: Andrey Konovalov <andreyk...@google.

Re: usb/uwb: WARNING in hwarc_neep_init/usb_submit_urb

2017-09-14 Thread Andrey Konovalov
On Wed, Sep 13, 2017 at 4:59 PM, Alan Stern <st...@rowland.harvard.edu> wrote: > On Wed, 13 Sep 2017, Dmitry Vyukov wrote: > >> On Tue, Sep 12, 2017 at 9:57 PM, Greg Kroah-Hartman >> <gre...@linuxfoundation.org> wrote: >> > On Tue, Sep 12, 2017 at 08:53:11PM

Re: [PATCH v2] uwb: properly check kthread_run return value

2017-09-14 Thread Andrey Konovalov
On Wed, Sep 13, 2017 at 6:53 PM, Dmitry Vyukov <dvyu...@google.com> wrote: > On Wed, Sep 13, 2017 at 6:06 PM, Andrey Konovalov <andreyk...@google.com> > wrote: >> uwbd_start() calls kthread_run() and checks that the return value is >> not NULL. But the return value i

[PATCH] uwb: ensure that endpoint is interrupt

2017-09-14 Thread Andrey Konovalov
48 c7 c7 a0 e5 55 86 e8 20 08 8f fd <0f> ff e9 9b f7 ff ff e8 4a 04 d6 fd e9 80 f7 ff ff e8 60 11 a6 ---[ end trace 55d741234124cfc3 ]--- Check that endpoint is interrupt. Found by syzkaller. Signed-off-by: Andrey Konovalov <andreyk...@google.com> --- drivers/uwb/hwa-rc.c | 2 ++ 1

Re: usb/gadget: stalls in dummy_timer

2017-09-14 Thread Andrey Konovalov
On Tue, Sep 12, 2017 at 7:44 PM, Andrey Konovalov <andreyk...@google.com> wrote: > On Tue, Sep 12, 2017 at 7:06 PM, Dmitry Torokhov > <dmitry.torok...@gmail.com> wrote: >> On Tue, Sep 12, 2017 at 05:48:51PM +0200, Andrey Konovalov wrote: >>> On Mon, Sep 11,

usb/hid: slab-out-of-bounds read in usbhid_parse

2017-09-18 Thread Andrey Konovalov
Hi! I've got the following crash while fuzzing the kernel with syzkaller. On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18). It seems that there's no proper check on the hdesc->bNumDescriptors value in usbhid_parse(). It iterates over hdesc->desc and accesses hdesc->desc[n] fields,

usb/core: slab-out-of-bounds in usb_set_configuration

2017-09-18 Thread Andrey Konovalov
Hi! I've got the following crash while fuzzing the kernel with syzkaller. On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18). It seems there's no proper size check of a USB_DT_INTERFACE_ASSOCIATION descriptor. It's only checked that the size is >= 2 in usb_parse_configuration(), so

Re: usb/core: slab-out-of-bounds in usb_set_configuration

2017-09-19 Thread Andrey Konovalov
On Mon, Sep 18, 2017 at 8:50 PM, Greg Kroah-Hartman <gre...@linuxfoundation.org> wrote: > On Mon, Sep 18, 2017 at 07:22:24PM +0200, Andrey Konovalov wrote: >> Hi! >> >> I've got the following crash while fuzzing the kernel with syzkaller. >> >> On commit e

Re: usb/hid: slab-out-of-bounds read in usbhid_parse

2017-09-19 Thread Andrey Konovalov
On Tue, Sep 19, 2017 at 1:47 PM, Kim Jaejoong <climbbb@gmail.com> wrote: > Hi, Andrey Konovalov > > Thanks for the report. > > 2017-09-19 2:33 GMT+09:00 Andrey Konovalov <andreyk...@google.com>: >> Hi! >> >> I've got the following crash while fuzzi

Re: usb/gadget: stalls in dummy_timer

2017-09-19 Thread Andrey Konovalov
On Fri, Sep 15, 2017 at 8:57 PM, Alan Stern <st...@rowland.harvard.edu> wrote: > On Thu, 14 Sep 2017, Andrey Konovalov wrote: > >> On Thu, Sep 14, 2017 at 7:49 PM, Alan Stern <st...@rowland.harvard.edu> >> wrote: >> > On Thu, 14 Sep 2017, Andrey Konovalov wr

Re: usb/core: slab-out-of-bounds read in cdc_parse_cdc_header

2017-09-21 Thread Andrey Konovalov
On Thu, Sep 21, 2017 at 4:07 PM, Greg Kroah-Hartman <gre...@linuxfoundation.org> wrote: > On Thu, Sep 21, 2017 at 03:51:44PM +0200, Andrey Konovalov wrote: >> On Thu, Sep 21, 2017 at 10:04 AM, Greg Kroah-Hartman >> <gre...@linuxfoundation.org> wrote: >> > On T

Re: usb/gadget: null-ptr-deref in dev_ioctl

2017-09-20 Thread Andrey Konovalov
On Wed, Sep 20, 2017 at 7:59 PM, Alan Stern <st...@rowland.harvard.edu> wrote: > On Mon, 11 Sep 2017, Andrey Konovalov wrote: > >> Hi! >> >> It seems that gadget->ops can be NULL so it probably needs to be >> checked as well as gadget->ops->ioctl i

usb/core: slab-out-of-bounds read in cdc_parse_cdc_header

2017-09-20 Thread Andrey Konovalov
Hi! I've got the following crash while fuzzing the kernel with syzkaller. On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18). It looks like cdc_parse_cdc_header() doesn't validate buflen before accessing buffer[1], buffer[2] and so on. The only check present is while (buflen > 0).

usb/net/hso: warning in hso_free_net_device

2017-09-21 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18). Looks like hso_create_net_device() can do goto exit before registering network device. hso 1-1:4.0: Can't find BULK IN endpoint [ cut here

usb/net/hso: global-out-of-bounds in hso_probe

2017-09-21 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18). It seems there's no check on the if_num value when it's used in ((u32 *)(id->driver_info))[if_num].

usb/storage/uas: slab-out-of-bounds in uas_probe

2017-09-21 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18). The issue occurs when we iterate over interface altsettings, but I don't see the driver doing anything wrong. I might be missing something, or this might be an

Re: usb/core: slab-out-of-bounds read in cdc_parse_cdc_header

2017-09-21 Thread Andrey Konovalov
On Thu, Sep 21, 2017 at 10:04 AM, Greg Kroah-Hartman <gre...@linuxfoundation.org> wrote: > On Thu, Sep 21, 2017 at 09:31:54AM +0200, Greg Kroah-Hartman wrote: >> On Wed, Sep 20, 2017 at 04:45:08PM +0200, Andrey Konovalov wrote: >> > Hi! >> > >> >

usb/gadget: copy_to_user called with spinlock held

2017-09-21 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18). Line numbers might be a little off, due to some local changes to gadgetfs code but the issue is AFAIU with calling copy_to_user() with spinlock held in

Re: usb/gadget: stalls in dummy_timer

2017-09-14 Thread Andrey Konovalov
On Thu, Sep 14, 2017 at 7:49 PM, Alan Stern <st...@rowland.harvard.edu> wrote: > On Thu, 14 Sep 2017, Andrey Konovalov wrote: > >> Looked at this a little more. >> >> dummy_timer() stucks in an infinite loop. It calls >> usb_hcd_giveback_urb(), which in turn

usb/media/zr364xx: GPF in zr364xx_vidioc_querycap/strlcpy

2017-09-22 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18). usb 1-1: new full-speed USB device number 2 using dummy_hcd gadgetfs: connected gadgetfs: disconnected gadgetfs: connected usb 1-1: config 225 has an invalid

Re: usb/storage/uas: slab-out-of-bounds in uas_probe

2017-09-22 Thread Andrey Konovalov
On Thu, Sep 21, 2017 at 9:04 PM, Alan Stern <st...@rowland.harvard.edu> wrote: > On Thu, 21 Sep 2017, Andrey Konovalov wrote: > >> On Thu, Sep 21, 2017 at 6:10 PM, Greg Kroah-Hartman >> <gre...@linuxfoundation.org> wrote: >> > On Thu, Sep 21, 2017 at 0

Re: usb/gadget: copy_to_user called with spinlock held

2017-09-21 Thread Andrey Konovalov
On Thu, Sep 21, 2017 at 7:35 PM, Alan Stern <st...@rowland.harvard.edu> wrote: > On Thu, 21 Sep 2017, Andrey Konovalov wrote: > >> Hi! >> >> I've got the following report while fuzzing the kernel with syzkaller. >> >> On commit ebb2c2437d8008d46796902ff39

Re: usb/storage/uas: slab-out-of-bounds in uas_probe

2017-09-21 Thread Andrey Konovalov
On Thu, Sep 21, 2017 at 6:50 PM, Alan Stern <st...@rowland.harvard.edu> wrote: > On Thu, 21 Sep 2017, Andrey Konovalov wrote: > >> Hi! >> >> I've got the following report while fuzzing the kernel with syzkaller. >> >> On commit ebb2c2437d8008d46796902f

Re: usb/gadget: stalls in dummy_timer

2017-09-19 Thread Andrey Konovalov
On Tue, Sep 19, 2017 at 7:17 PM, Alan Stern <st...@rowland.harvard.edu> wrote: > On Tue, 19 Sep 2017, Andrey Konovalov wrote: > >> On Fri, Sep 15, 2017 at 8:57 PM, Alan Stern <st...@rowland.harvard.edu> >> wrote: >> > On Thu, 14 Sep 2017, Andrey Konovalov

Re: usb/hid: slab-out-of-bounds read in usbhid_parse

2017-09-20 Thread Andrey Konovalov
On Wed, Sep 20, 2017 at 6:57 AM, Kim Jaejoong <climbbb@gmail.com> wrote: > Hi Andrey > > 2017-09-19 21:38 GMT+09:00 Andrey Konovalov <andreyk...@google.com>: >> Hi Kim, >> >> I'm not sure. Is there a check on the bLength field of a >> hid_descrip

Re: [PATCH v2] HID: usbhid: fix out-of-bounds bug

2017-10-10 Thread Andrey Konovalov
On Tue, Oct 10, 2017 at 9:25 AM, Jaejoong Kim <climbbb@gmail.com> wrote: > Hi, > > To. Jiri, Alan, > > Could you please review this patch? > > To. Andey, > > Could you please test with this patch for KASAN OOB error? Hi! Yes, your patch fixes the issue. Tha

Re: [PATCH 2/9] ALSA: bcd2000: Add a sanity check for invalid EPs

2017-10-10 Thread Andrey Konovalov
c:406 >usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361 > > > This patch adds a sanity check of validity of EPs at the device > initialization phase for avoiding the call with an invalid EP. > > Reported-by: Andrey Konovalov <andreyk...@google.com>

usb/net/asix: null-ptr-deref in asix_suspend

2017-10-10 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit 8a5776a5f49812d29fe4b2d0a2d71675c3facf3f (4.14-rc4). It seems that priv ends up being NULL. usb 1-1: New USB device found, idVendor=0557, idProduct=2009 usb 1-1: New USB device strings: Mfr=204, Product=1,

Re: [PATCH 2/9] ALSA: bcd2000: Add a sanity check for invalid EPs

2017-10-10 Thread Andrey Konovalov
On Tue, Oct 10, 2017 at 4:33 PM, Takashi Iwai <ti...@suse.de> wrote: > On Tue, 10 Oct 2017 16:00:25 +0200, > Andrey Konovalov wrote: >> >> On Tue, Oct 10, 2017 at 3:38 PM, Takashi Iwai <ti...@suse.de> wrote: >> > As syzkaller spotted, currently bcd2000 driv

usb/gadget: stalls in dummy_timer

2017-09-11 Thread Andrey Konovalov
Hi! I've been getting stall reports like this one while fuzzing the USB stack with gadgetfs. I'm wondering whether this is a bug in gadgetfs or is this report induced by the changes I've made to the USB core code. I didn't touch gadgetfs code though (except for adding a few printk's). I'm on

Re: usb/gadget: stalls in dummy_timer

2017-09-11 Thread Andrey Konovalov
On Mon, Sep 11, 2017 at 3:25 PM, Alan Stern <st...@rowland.harvard.edu> wrote: > On Mon, 11 Sep 2017, Andrey Konovalov wrote: > >> Hi! >> >> I've been getting stall reports like this one while fuzzing the USB >> stack with gadgetfs. I'm wonderi

usb/gadget: null-ptr-deref in dev_ioctl

2017-09-11 Thread Andrey Konovalov
Hi! It seems that gadget->ops can be NULL so it probably needs to be checked as well as gadget->ops->ioctl in dev_ioctl() in drivers/usb/gadget/legacy/inode.c. kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault:

usb/uwb: WARNING in hwarc_neep_init/usb_submit_urb

2017-09-12 Thread Andrey Konovalov
Hi! I've got the following crash while fuzzing the kernel with syzkaller. On commit 81a84ad3cb5711cec79f4dd53a4ce026b092c432 (Sep 3). gadgetfs: bound to dummy_udc driver usb 1-1: new full-speed USB device number 2 using dummy_hcd gadgetfs: connected gadgetfs: disconnected gadgetfs: connected

Re: usb/gadget: stalls in dummy_timer

2017-09-12 Thread Andrey Konovalov
On Mon, Sep 11, 2017 at 8:54 PM, Dmitry Torokhov <dmitry.torok...@gmail.com> wrote: > On Mon, Sep 11, 2017 at 8:15 AM, Andrey Konovalov <andreyk...@google.com> > wrote: >> On Mon, Sep 11, 2017 at 3:25 PM, Alan Stern <st...@rowland.harvard.edu> >> wrote: >&

usb/uwb: GPF in uwbd_start

2017-09-12 Thread Andrey Konovalov
Hi! I've got the following crashes while fuzzing the kernel with syzkaller. On commit 81a84ad3cb5711cec79f4dd53a4ce026b092c432 (Sep 3). uwbd_start() calls kthread_run() and checks that the return value is not NULL. But the return value is not NULL in case kthread_run() fails, it takes the form

usb/serial/visor: slab-out-of-bounds in palm_os_3_probe

2017-09-28 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit dc972a67cc54585bd83ad811c4e9b6ab3dcd427e (4.14-rc2+). There's no check on the connection_info->num_ports value when iterating over ports. usb 1-1: Handspring Visor / Palm OS: port 162, is for unknown use usb

Re: usb/misc/usbtest: null-ptr-deref in usbtest_probe/get_endpoints

2017-09-29 Thread Andrey Konovalov
On Thu, Sep 28, 2017 at 7:01 PM, Alan Stern <st...@rowland.harvard.edu> wrote: > On Thu, 28 Sep 2017, Andrey Konovalov wrote: > >> Hi! >> >> I've got the following report while fuzzing the kernel with syzkaller. >> >> On commit dc972a67cc54585bd83ad811c4

Re: usb/serial/visor: slab-out-of-bounds in palm_os_3_probe

2017-09-29 Thread Andrey Konovalov
On Fri, Sep 29, 2017 at 10:37 AM, Greg Kroah-Hartman <gre...@linuxfoundation.org> wrote: > On Thu, Sep 28, 2017 at 07:57:46PM +0200, Andrey Konovalov wrote: >> Hi! >> >> I've got the following report while fuzzing the kernel with syzkaller. >> >> On commit d

usb/misc/usbtest: null-ptr-deref in usbtest_probe/get_endpoints

2017-09-28 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit dc972a67cc54585bd83ad811c4e9b6ab3dcd427e (4.14-rc2+). It seems that out pointer ends up being NULL and kernel crashes on access to out->desc.bEndpointAddress. gadgetfs: bound to dummy_udc driver usb 1-1: new

usb/net/lan78xx: use-after-free in lan78xx_write_reg

2017-09-26 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit e19b205be43d11bff638cad4487008c48d21c103 (4.14-rc2). == BUG: KASAN: use-after-free in lan78xx_write_reg.isra.21+0x1a8/0x1b0 Read of size 8 at addr

Re: [RFT] lan78xx: FIX use-after-free in lan78xx_write_reg

2017-09-27 Thread Andrey Konovalov
On Wed, Sep 27, 2017 at 1:18 PM, Arvind Yadav wrote: > We are not releasing 'buf' memory on failure or disconnect a device. > > Adding 'u8 *buf' as part of 'lan78xx_net' structure to make proper > handle for 'buf'. > Now releasing 'buf' memory on failure. It's allocate

Re: [RFT] lan78xx: FIX use-after-free in lan78xx_write_reg

2017-09-27 Thread Andrey Konovalov
On Wed, Sep 27, 2017 at 2:06 PM, Andrey Konovalov <andreyk...@google.com> wrote: > On Wed, Sep 27, 2017 at 1:18 PM, Arvind Yadav <arvind.yadav...@gmail.com> > wrote: >> We are not releasing 'buf' memory on failure or disconnect a device. >> >> Adding 'u8 *buf

usb/misc/rio500: double-free or invalid-free in disconnect_rio

2017-09-27 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit e19b205be43d11bff638cad4487008c48d21c103 (4.14-rc2). gadgetfs: bound to dummy_udc driver usb 1-1: new full-speed USB device number 2 using dummy_hcd gadgetfs: connected gadgetfs: disconnected gadgetfs:

usb/serial: use-after-free in usb_serial_disconnect/__lock_acquire

2017-09-27 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit e19b205be43d11bff638cad4487008c48d21c103 (4.14-rc2). gadgetfs: bound to dummy_udc driver usb 1-1: new full-speed USB device number 2 using dummy_hcd gadgetfs: connected gadgetfs: disconnected gadgetfs:

Re: [PATCH 1/2] USB: serial: console: fix use-after-free on disconnect

2017-10-09 Thread Andrey Konovalov
y the > console code when a driver accepts but does not register any ports for > an interface which also lacks endpoint descriptors. > > Fixes: 0e517c93dc02 ("USB: serial: console: clean up sanity checks") > Cc: stable <sta...@vger.kernel.org> # 4.11 > Rep

usb/core: slab-out-of-bounds in usb_get_bos_descriptor

2017-10-18 Thread Andrey Konovalov
Hi! I've got the following report while fuzzing the kernel with syzkaller. On commit 3e0cc09a3a2c40ec1ffb6b4e12da86e98feccb11 (4.14-rc5+). Looks like usb_get_bos_descriptor() doesn't check that buffer has enough space for usb_dev_cap_header, which causes out-of-bounds accesses.

Re: usb/serial/visor: slab-out-of-bounds in palm_os_3_probe

2017-10-19 Thread Andrey Konovalov
On Wed, Oct 4, 2017 at 4:40 PM, Greg Kroah-Hartman <gre...@linuxfoundation.org> wrote: > On Tue, Oct 03, 2017 at 11:29:40AM +0200, Johan Hovold wrote: >> On Fri, Sep 29, 2017 at 10:37:55AM +0200, Greg Kroah-Hartman wrote: >> > On Thu, Sep 28, 2017 at 07:57:46PM +0200

Re: usb/core: slab-out-of-bounds in usb_get_bos_descriptor

2017-10-18 Thread Andrey Konovalov
On Wed, Oct 18, 2017 at 5:25 PM, Alan Stern <st...@rowland.harvard.edu> wrote: > On Wed, 18 Oct 2017, Andrey Konovalov wrote: > >> Hi! >> >> I've got the following report while fuzzing the kernel with syzkaller. >> >> On commit 3e0cc09a3a2c40ec1ffb6b4e12da

Re: [PATCH] USB: core: only clean up what we allocated

2017-12-12 Thread Andrey Konovalov
On Tue, Dec 12, 2017 at 5:12 PM, Alan Stern <st...@rowland.harvard.edu> wrote: > On Tue, 12 Dec 2017, Andrey Konovalov wrote: > >> On Tue, Dec 12, 2017 at 4:41 PM, Alan Stern <st...@rowland.harvard.edu> >> wrote: >> > On Mon, 11 Dec 2017, Greg KH wrote: >

[PATCH v2] net: usb: asix: fill null-ptr-deref in asix_suspend

2017-11-06 Thread Andrey Konovalov
6d 08 4d 85 ed 74 0b e8 26 2b 51 fd 4c RIP: asix_suspend+0x76/0xc0 RSP: 88006bbae718 ---[ end trace dfc4f5649284342c ]--- Signed-off-by: Andrey Konovalov <andreyk...@google.com> --- Changes in v2: - added asix_resume() fix --- drivers/net/usb/asix_devices.c | 4 ++-- 1 file change

Re: [PATCH] net: usb: asix: fill null-ptr-deref in asix_suspend

2017-11-06 Thread Andrey Konovalov
On Mon, Nov 6, 2017 at 10:49 AM, Oliver Neukum <oneu...@suse.com> wrote: > Am Donnerstag, den 02.11.2017, 21:26 +0100 schrieb Andrey Konovalov: >> When asix_suspend() is called dev->driver_priv might not have been >> assigned a value, so we need to check that it
