On Tue, Mar 8, 2016 at 12:39 AM, Oliver Neukum <oneu...@suse.com> wrote:
> On Mon, 2016-03-07 at 22:50 +0300, Andrey Konovalov wrote:
>> Could you also add:
>> Reported-by: Andrey Konovalov <andreyk...@gmail.com>
>
> Well, the exact bug you reported is fixed
uled.
> They must be killed. This fixes an error case related to
> the double free reported in
> http://www.spinics.net/lists/netdev/msg367669.html
> and needs to go on top of Linus' fix to cdc-ncm.
>
> Signed-off-by: Oliver Neukum <oneu...@suse.com>
>
On Sat, Mar 5, 2016 at 12:26 AM, Linus Torvalds
<torva...@linux-foundation.org> wrote:
> [ Moving this to proper lists ]
>
> On Thu, Mar 3, 2016 at 4:19 PM, Andrey Konovalov <andreyk...@gmail.com> wrote:
>>
>> I found another double-free, this time in the usbnet
On Sat, Mar 5, 2016 at 1:42 AM, Oliver Neukum <oneu...@suse.de> wrote:
> On Sat, 2016-03-05 at 01:26 +0300, Andrey Konovalov wrote:
>> and when I run the vm and connect the device I get:
>>
>> [ 23.672662] cdc_ncm 1-1:1.6: bind() failure
>> [ 23.67344
On Sat, Mar 5, 2016 at 1:43 AM, Linus Torvalds
<torva...@linux-foundation.org> wrote:
> On Fri, Mar 4, 2016 at 2:26 PM, Andrey Konovalov <andreyk...@gmail.com> wrote:
>>
>> and when I run the vm and connect the device I get:
>>
>> [ 23.672662] cdc_ncm 1
On Sat, Mar 5, 2016 at 2:00 AM, Andrey Konovalov <andreyk...@gmail.com> wrote:
> On Sat, Mar 5, 2016 at 1:42 AM, Oliver Neukum <oneu...@suse.de> wrote:
>> On Sat, 2016-03-05 at 01:26 +0300, Andrey Konovalov wrote:
>>> and when I run the vm and connect the devic
On Tue, Dec 6, 2016 at 1:28 PM, Andrey Konovalov <andreyk...@google.com> wrote:
> On Mon, Dec 5, 2016 at 8:31 PM, Alan Stern <st...@rowland.harvard.edu> wrote:
>> On Mon, 5 Dec 2016, Andrey Konovalov wrote:
>>
>>> Hi!
>>>
>>> I've got the fol
Hi!
I've got the following error report while running the syzkaller fuzzer.
ep0_write() doesn't check the length, so a user can cause an
out-of-bounds with both size and data controlled.
There's a comment which says "IN DATA+STATUS caller makes len <=
wLength". While I'm not exactly sure what
On Wed, Dec 7, 2016 at 8:15 PM, Alan Stern <st...@rowland.harvard.edu> wrote:
> On Wed, 7 Dec 2016, Andrey Konovalov wrote:
>
>> > And in any case, is there any way you can post the series of system
>> > calls that syzkaller makes so we can tell what went wrong?
>
On Fri, Dec 9, 2016 at 8:20 AM, Greg Kroah-Hartman
<gre...@linuxfoundation.org> wrote:
> On Fri, Dec 09, 2016 at 12:38:23AM +0100, Andrey Konovalov wrote:
>> Hi,
>>
>> I'm working on a way to extend syzkaller [1] to support fuzzing of the
>> USB subsystem. The idea
On Fri, Dec 9, 2016 at 8:57 PM, Alan Stern <st...@rowland.harvard.edu> wrote:
> On Fri, 9 Dec 2016, Andrey Konovalov wrote:
>
>> On Wed, Dec 7, 2016 at 8:15 PM, Alan Stern <st...@rowland.harvard.edu> wrote:
>> > On Wed, 7 Dec 2016, Andrey Konovalov wrote:
>>
On Tue, Dec 6, 2016 at 9:30 PM, Alan Stern <st...@rowland.harvard.edu> wrote:
> [CC: list drastically trimmed]
>
> On Tue, 6 Dec 2016, Andrey Konovalov wrote:
>
>> On Tue, Dec 6, 2016 at 1:28 PM, Andrey Konovalov <andreyk...@google.com>
>> wrote:
>> >
On Fri, Dec 16, 2016 at 7:01 PM, Alan Stern <st...@rowland.harvard.edu> wrote:
> On Mon, 12 Dec 2016, Andrey Konovalov wrote:
>
>> Hi!
>>
>> While running the syzkaller fuzzer I've got the following error report.
>>
>> On commit 3c49de52d5647cda8b42c4255c
On Mon, Dec 12, 2016 at 7:44 PM, Alan Stern wrote:
>
> I'm still puzzled. Can you try running the test with the diagnostic
> patch below? The resulting kernel log ought to help pin down where the
> problem comes from.
Sure, here's the log:
usb 1-1: string descriptor
On Mon, Dec 12, 2016 at 9:31 PM, Andrey Konovalov <andreyk...@google.com> wrote:
> Hi!
>
> While running the syzkaller fuzzer I've got the following error report.
>
> The issue is that the len argument is not checked for being too big.
>
> WARNING: CPU: 1 PID: 9
Hi!
While running the syzkaller fuzzer I've got the following error report.
On commit 3c49de52d5647cda8b42c4255cf8a29d1e22eff5 (Dec 2).
WARNING: CPU: 2 PID: 865 at fs/sysfs/dir.c:31 sysfs_warn_dup+0x8a/0xa0
gadgetfs: disconnected
sysfs: cannot create duplicate filename
On Mon, Dec 12, 2016 at 9:09 PM, Alan Stern <st...@rowland.harvard.edu> wrote:
> On Mon, 12 Dec 2016, Andrey Konovalov wrote:
>
>> On Mon, Dec 12, 2016 at 7:44 PM, Alan Stern <st...@rowland.harvard.edu>
>> wrote:
>> >
>> > I'm still puzzled.
Hi!
While running the syzkaller fuzzer I've got the following error report.
The issue is that the len argument is not checked for being too big.
WARNING: CPU: 1 PID: 9935 at mm/page_alloc.c:3511
__alloc_pages_nodemask+0x159c/0x1e20
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID:
Hi,
I'm working on a way to extend syzkaller [1] to support fuzzing of the
USB subsystem. The idea is to be able to emulate various USB devices
and fuzz communication between the emulated device and the kernel. I'm
looking for a way to emulate devices from userspace. Similar to how
tuntap allows
Hi!
I've got the following error report while running the syzkaller fuzzer.
On commit 3c49de52d5647cda8b42c4255cf8a29d1e22eff5 (Dec 2).
general protection fault: [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 10564 Comm: syz-executor0 Not
Hi!
I've got the following error report while running the syzkaller fuzzer.
On commit 3c49de52d5647cda8b42c4255cf8a29d1e22eff5 (Dec 2).
BUG: KASAN: use-after-free in gadgetfs_setup+0x208a/0x20e0 at addr
88003dfe5bf2
Read of size 2 by task syz-executor0/22994
CPU: 3 PID: 22994 Comm:
On Sat, Dec 3, 2016 at 6:31 PM, Felix Hädicke wrote:
> Hi,
>> Hi!
>>
>> I've got the following error report while running the syzkaller fuzzer.
>>
>> On commit 3c49de52d5647cda8b42c4255cf8a29d1e22eff5 (Dec 2).
>>
>> general protection fault: [#1] SMP KASAN
>> Dumping
On Sat, Dec 3, 2016 at 6:13 PM, Greg Kroah-Hartman
<gre...@linuxfoundation.org> wrote:
> On Sat, Dec 03, 2016 at 05:36:35PM +0100, Andrey Konovalov wrote:
>> Hi!
>>
>> I've got the following error report while running the syzkaller fuzzer.
>>
>> On commit 3
Hi!
I've got the following error report while running the syzkaller fuzzer.
On commit 3c49de52d5647cda8b42c4255cf8a29d1e22eff5 (Dec 2).
WARNING: CPU: 0 PID: 5257 at drivers/usb/gadget/udc/dummy_hcd.c:672
dummy_free_request+0x153/0x170
Kernel panic - not syncing: panic_on_warn set ...
usb 2-1:
Hi!
I've got the following error report while running the syzkaller fuzzer.
The length is passed to memdup_user() directly without limitations.
On commit 2caceb3294a78c389b462e7e236a4e744a53a474 (Dec 1).
WARNING: CPU: 3 PID: 14477 at mm/page_alloc.c:3511
__alloc_pages_nodemask+0x159c/0x1e20
Hi!
I've got the following error report while booting the kernel with
various usb configs enabled.
On commit 2caceb3294a78c389b462e7e236a4e744a53a474 (Dec 1).
gadgetfs: USB Gadget filesystem, version 24 Aug 2004
usbip_core: USB/IP Core v1.0.0
vhci_hcd vhci_hcd: USB/IP Virtual Host Controller
On Fri, Dec 2, 2016 at 4:58 PM, Greg Kroah-Hartman
<gre...@linuxfoundation.org> wrote:
> On Fri, Dec 02, 2016 at 03:35:44PM +0100, Andrey Konovalov wrote:
>> Hi!
>>
>> I've got the following error report while booting the kernel with
>> various usb configs
On Mon, Dec 5, 2016 at 8:31 PM, Alan Stern <st...@rowland.harvard.edu> wrote:
> On Mon, 5 Dec 2016, Andrey Konovalov wrote:
>
>> Hi!
>>
>> I've got the following error report while running the syzkaller fuzzer.
>>
>> On commit 3c49de52d5647cda8b42c4255cf8a
oup.c:134
>> [] sysfs_create_group+0x1f/0x30 fs/sysfs/group.c:156
>> [] vhci_start+0x5b4/0x7a0 drivers/usb/usbip/vhci_hcd.c:978
>> [] usb_add_hcd+0x8da/0x1c60 drivers/usb/core/hcd.c:2867
>> [] vhci_hcd_probe+0x97/0x130
>> drivers/usb/usbip/vhci_hcd.c:1103
>> ---
>>
On Tue, Dec 27, 2016 at 12:40 PM, Felipe Balbi <ba...@kernel.org> wrote:
>
> Hi,
>
> Andrey Konovalov <andreyk...@google.com> writes:
>> Hi!
>>
>> I've got the following error report while running the syzkaller fuzzer.
>>
>> On commit 3c49de52d
On Tue, Dec 6, 2016 at 4:30 PM, Alan Stern <st...@rowland.harvard.edu> wrote:
> On Tue, 6 Dec 2016, Andrey Konovalov wrote:
>
>> Hi!
>>
>> I've got the following error report while running the syzkaller fuzzer.
>>
>> ep0_write() doesn't check the lengt
On Fri, Jun 9, 2017 at 9:14 PM, Alan Stern <st...@rowland.harvard.edu> wrote:
> On Fri, 9 Jun 2017, Andrey Konovalov wrote:
>
>> On Fri, Jun 9, 2017 at 2:41 PM, Andrey Konovalov <andreyk...@google.com>
>> wrote:
>> > Hi,
>> >
>> > I'm g
On Mon, Jun 12, 2017 at 6:11 PM, Andrey Konovalov <andreyk...@google.com> wrote:
> On Fri, Jun 9, 2017 at 9:14 PM, Alan Stern <st...@rowland.harvard.edu> wrote:
>> On Fri, 9 Jun 2017, Andrey Konovalov wrote:
>>
>>> On Fri, Jun 9, 2017 at 2:41 PM, Andrey Konovalo
On Wed, Jun 7, 2017 at 4:43 PM, Alan Stern <st...@rowland.harvard.edu> wrote:
> On Wed, 7 Jun 2017, Andrey Konovalov wrote:
>
>> Hi,
>>
>> I've got the following error report while fuzzing the kernel with syzkaller.
>>
>> On commit b29794ec
On Wed, Jun 7, 2017 at 11:20 PM, Alan Stern <st...@rowland.harvard.edu> wrote:
> On Wed, 7 Jun 2017, Andrey Konovalov wrote:
>
>> On Wed, Jun 7, 2017 at 4:43 PM, Alan Stern <st...@rowland.harvard.edu> wrote:
>> > On Wed, 7 Jun 2017, Andrey Konovalov wrote:
>
On Thu, Jun 8, 2017 at 5:55 PM, Alan Stern <st...@rowland.harvard.edu> wrote:
> On Thu, 8 Jun 2017, Andrey Konovalov wrote:
>
>> On Wed, Jun 7, 2017 at 11:20 PM, Alan Stern <st...@rowland.harvard.edu>
>> wrote:
>> > On Wed, 7 Jun 2017, Andrey Konovalov wro
Hi,
I've got the following error report while fuzzing the kernel with syzkaller.
On commit b29794ec95c6856b316c2295904208bf11ffddd9 (4.12-rc4+).
This looks quite similar to
https://groups.google.com/forum/#!topic/syzkaller/HDawLBeeORI
I'm able to reproduce this, so I can collect some debug
On Fri, Jun 9, 2017 at 2:41 PM, Andrey Konovalov <andreyk...@google.com> wrote:
> Hi,
>
> I'm getting some hangs while fuzzing the kernel with syzkaller.
>
> Possibly it happens during the execution of the following syzkaller program:
>
> mmap(&(0x7f00/0xb90
On Mon, Jun 12, 2017 at 10:25 PM, Alan Stern wrote:
>
> As you surmised, this was caused by a race. The race was between
> dummy_udc_stop() and set_link_state(), both in dummy_hcd.c. A symptom
> of this race is that the first routine clears dum->driver while the
>
Hi!
I'm trying to use gadgetfs to fuzz USB device drivers by simply
connecting random devices for now.
What I want to achieve right now is the following:
1. mount gadgetfs
2. emulate connection of a new USB device
3. wait for the device to finish initializing
4. unmount gadgetfs
5. goto 1
The
Hi,
I'm getting some hangs while fuzzing the kernel with syzkaller.
Possibly it happens during the execution of the following syzkaller program:
mmap(&(0x7f00/0xb9)=nil, (0xb9), 0x3, 0x32,
0x, 0x0)
r0 =
On Tue, Jun 13, 2017 at 7:44 PM, Alan Stern <st...@rowland.harvard.edu> wrote:
> On Tue, 13 Jun 2017, Andrey Konovalov wrote:
>
>> Hi Alan,
>>
>> Thanks for the patch!
>>
>> I've been testing with your patch applied and the "bad spinlock magic"
On Tue, Jun 13, 2017 at 6:22 PM, Tal Shorer <tal.sho...@gmail.com> wrote:
> On Tue, Jun 13, 2017 at 7:02 PM, Tal Shorer <tal.sho...@gmail.com> wrote:
>> On Tue, Jun 13, 2017 at 3:21 PM, Andrey Konovalov <andreyk...@google.com>
>> wrote:
>>> Hi!
>
uwbd_start() calls kthread_run() and checks that the return value is
not NULL. But the return value is not NULL in case kthread_run() fails,
it takes the form of ERR_PTR(-EINTR).
Use IS_ERR() instead.
Also add a check to uwbd_stop().
Signed-off-by: Andrey Konovalov <andreyk...@google.
uwbd_start() calls kthread_run() and checks that the return value is
not NULL. But the return value is not NULL in case kthread_run() fails,
it takes the form of ERR_PTR(-EINTR).
Use IS_ERR() instead.
Signed-off-by: Andrey Konovalov <andreyk...@google.com>
---
drivers/uwb/uwbd.c | 2 +-
On Wed, Sep 13, 2017 at 5:06 PM, Andrey Konovalov <andreyk...@google.com> wrote:
> uwbd_start() calls kthread_run() and checks that the return value is
> not NULL. But the return value is not NULL in case kthread_run() fails,
> it takes the form of ERR_PTR(-EINTR).
>
>
On Tue, Sep 12, 2017 at 9:55 PM, Greg Kroah-Hartman
<gre...@linuxfoundation.org> wrote:
> On Tue, Sep 12, 2017 at 07:10:07PM +0200, Andrey Konovalov wrote:
>> Hi!
>>
>> I've got the following crashes while fuzzing the kernel with syzkaller.
>>
>> On commit 8
On Wed, Sep 13, 2017 at 4:59 PM, Alan Stern <st...@rowland.harvard.edu> wrote:
> On Wed, 13 Sep 2017, Dmitry Vyukov wrote:
>
>> On Tue, Sep 12, 2017 at 9:57 PM, Greg Kroah-Hartman
>> <gre...@linuxfoundation.org> wrote:
>> > On Tue, Sep 12, 2017 at 08:53:11PM
On Wed, Sep 13, 2017 at 6:53 PM, Dmitry Vyukov <dvyu...@google.com> wrote:
> On Wed, Sep 13, 2017 at 6:06 PM, Andrey Konovalov <andreyk...@google.com>
> wrote:
>> uwbd_start() calls kthread_run() and checks that the return value is
>> not NULL. But the return value i
48 c7 c7 a0 e5 55 86 e8 20 08 8f fd <0f>
ff e9 9b f7 ff ff e8 4a 04 d6 fd e9 80 f7 ff ff e8 60 11 a6
---[ end trace 55d741234124cfc3 ]---
Check that endpoint is interrupt.
Found by syzkaller.
Signed-off-by: Andrey Konovalov <andreyk...@google.com>
---
drivers/uwb/hwa-rc.c | 2 ++
1
On Tue, Sep 12, 2017 at 7:44 PM, Andrey Konovalov <andreyk...@google.com> wrote:
> On Tue, Sep 12, 2017 at 7:06 PM, Dmitry Torokhov
> <dmitry.torok...@gmail.com> wrote:
>> On Tue, Sep 12, 2017 at 05:48:51PM +0200, Andrey Konovalov wrote:
>>> On Mon, Sep 11,
Hi!
I've got the following crash while fuzzing the kernel with syzkaller.
On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
It seems that there's no proper check on the hdesc->bNumDescriptors
value in usbhid_parse(). It iterates over hdesc->desc and accesses
hdesc->desc[n] fields,
Hi!
I've got the following crash while fuzzing the kernel with syzkaller.
On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
It seems there's no proper size check of a
USB_DT_INTERFACE_ASSOCIATION descriptor. It's only checked that the
size is >= 2 in usb_parse_configuration(), so
On Mon, Sep 18, 2017 at 8:50 PM, Greg Kroah-Hartman
<gre...@linuxfoundation.org> wrote:
> On Mon, Sep 18, 2017 at 07:22:24PM +0200, Andrey Konovalov wrote:
>> Hi!
>>
>> I've got the following crash while fuzzing the kernel with syzkaller.
>>
>> On commit e
On Tue, Sep 19, 2017 at 1:47 PM, Kim Jaejoong <climbbb@gmail.com> wrote:
> Hi, Andrey Konovalov
>
> Thanks for the report.
>
> 2017-09-19 2:33 GMT+09:00 Andrey Konovalov <andreyk...@google.com>:
>> Hi!
>>
>> I've got the following crash while fuzzi
On Fri, Sep 15, 2017 at 8:57 PM, Alan Stern <st...@rowland.harvard.edu> wrote:
> On Thu, 14 Sep 2017, Andrey Konovalov wrote:
>
>> On Thu, Sep 14, 2017 at 7:49 PM, Alan Stern <st...@rowland.harvard.edu>
>> wrote:
>> > On Thu, 14 Sep 2017, Andrey Konovalov wr
On Thu, Sep 21, 2017 at 4:07 PM, Greg Kroah-Hartman
<gre...@linuxfoundation.org> wrote:
> On Thu, Sep 21, 2017 at 03:51:44PM +0200, Andrey Konovalov wrote:
>> On Thu, Sep 21, 2017 at 10:04 AM, Greg Kroah-Hartman
>> <gre...@linuxfoundation.org> wrote:
>> > On T
On Wed, Sep 20, 2017 at 7:59 PM, Alan Stern <st...@rowland.harvard.edu> wrote:
> On Mon, 11 Sep 2017, Andrey Konovalov wrote:
>
>> Hi!
>>
>> It seems that gadget->ops can be NULL so it probably needs to be
>> checked as well as gadget->ops->ioctl i
Hi!
I've got the following crash while fuzzing the kernel with syzkaller.
On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
It looks like cdc_parse_cdc_header() doesn't validate buflen before
accessing buffer[1], buffer[2] and so on. The only check present is
while (buflen > 0).
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
Looks like hso_create_net_device() can do goto exit before registering
network device.
hso 1-1:4.0: Can't find BULK IN endpoint
[ cut here
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
It seems there's no check on the if_num value when it's used in ((u32
*)(id->driver_info))[if_num].
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
The issue occurs when we iterate over interface altsettings, but I
don't see the driver doing anything wrong. I might be missing
something, or this might be an
On Thu, Sep 21, 2017 at 10:04 AM, Greg Kroah-Hartman
<gre...@linuxfoundation.org> wrote:
> On Thu, Sep 21, 2017 at 09:31:54AM +0200, Greg Kroah-Hartman wrote:
>> On Wed, Sep 20, 2017 at 04:45:08PM +0200, Andrey Konovalov wrote:
>> > Hi!
>> >
>> >
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
Line numbers might be a little off, due to some local changes to
gadgetfs code but the issue is AFAIU with calling copy_to_user() with
spinlock held in
On Thu, Sep 14, 2017 at 7:49 PM, Alan Stern <st...@rowland.harvard.edu> wrote:
> On Thu, 14 Sep 2017, Andrey Konovalov wrote:
>
>> Looked at this a little more.
>>
>> dummy_timer() stucks in an infinite loop. It calls
>> usb_hcd_giveback_urb(), which in turn
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
usb 1-1: new full-speed USB device number 2 using dummy_hcd
gadgetfs: connected
gadgetfs: disconnected
gadgetfs: connected
usb 1-1: config 225 has an invalid
On Thu, Sep 21, 2017 at 9:04 PM, Alan Stern <st...@rowland.harvard.edu> wrote:
> On Thu, 21 Sep 2017, Andrey Konovalov wrote:
>
>> On Thu, Sep 21, 2017 at 6:10 PM, Greg Kroah-Hartman
>> <gre...@linuxfoundation.org> wrote:
>> > On Thu, Sep 21, 2017 at 0
On Thu, Sep 21, 2017 at 7:35 PM, Alan Stern <st...@rowland.harvard.edu> wrote:
> On Thu, 21 Sep 2017, Andrey Konovalov wrote:
>
>> Hi!
>>
>> I've got the following report while fuzzing the kernel with syzkaller.
>>
>> On commit ebb2c2437d8008d46796902ff39
On Thu, Sep 21, 2017 at 6:50 PM, Alan Stern <st...@rowland.harvard.edu> wrote:
> On Thu, 21 Sep 2017, Andrey Konovalov wrote:
>
>> Hi!
>>
>> I've got the following report while fuzzing the kernel with syzkaller.
>>
>> On commit ebb2c2437d8008d46796902f
On Tue, Sep 19, 2017 at 7:17 PM, Alan Stern <st...@rowland.harvard.edu> wrote:
> On Tue, 19 Sep 2017, Andrey Konovalov wrote:
>
>> On Fri, Sep 15, 2017 at 8:57 PM, Alan Stern <st...@rowland.harvard.edu>
>> wrote:
>> > On Thu, 14 Sep 2017, Andrey Konovalov
On Wed, Sep 20, 2017 at 6:57 AM, Kim Jaejoong <climbbb@gmail.com> wrote:
> Hi Andrey
>
> 2017-09-19 21:38 GMT+09:00 Andrey Konovalov <andreyk...@google.com>:
>> Hi Kim,
>>
>> I'm not sure. Is there a check on the bLength field of a
>> hid_descrip
On Tue, Oct 10, 2017 at 9:25 AM, Jaejoong Kim <climbbb@gmail.com> wrote:
> Hi,
>
> To. Jiri, Alan,
>
> Could you please review this patch?
>
> To. Andey,
>
> Could you please test with this patch for KASAN OOB error?
Hi!
Yes, your patch fixes the issue.
Tha
c:406
>usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361
>
>
> This patch adds a sanity check of validity of EPs at the device
> initialization phase for avoiding the call with an invalid EP.
>
> Reported-by: Andrey Konovalov <andreyk...@google.com>
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 8a5776a5f49812d29fe4b2d0a2d71675c3facf3f (4.14-rc4).
It seems that priv ends up being NULL.
usb 1-1: New USB device found, idVendor=0557, idProduct=2009
usb 1-1: New USB device strings: Mfr=204, Product=1,
On Tue, Oct 10, 2017 at 4:33 PM, Takashi Iwai <ti...@suse.de> wrote:
> On Tue, 10 Oct 2017 16:00:25 +0200,
> Andrey Konovalov wrote:
>>
>> On Tue, Oct 10, 2017 at 3:38 PM, Takashi Iwai <ti...@suse.de> wrote:
>> > As syzkaller spotted, currently bcd2000 driv
Hi!
I've been getting stall reports like this one while fuzzing the USB
stack with gadgetfs. I'm wondering whether this is a bug in gadgetfs
or is this report induced by the changes I've made to the USB core
code. I didn't touch gadgetfs code though (except for adding a few
printk's).
I'm on
On Mon, Sep 11, 2017 at 3:25 PM, Alan Stern <st...@rowland.harvard.edu> wrote:
> On Mon, 11 Sep 2017, Andrey Konovalov wrote:
>
>> Hi!
>>
>> I've been getting stall reports like this one while fuzzing the USB
>> stack with gadgetfs. I'm wonderi
Hi!
It seems that gadget->ops can be NULL so it probably needs to be
checked as well as gadget->ops->ioctl in dev_ioctl() in
drivers/usb/gadget/legacy/inode.c.
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault:
Hi!
I've got the following crash while fuzzing the kernel with syzkaller.
On commit 81a84ad3cb5711cec79f4dd53a4ce026b092c432 (Sep 3).
gadgetfs: bound to dummy_udc driver
usb 1-1: new full-speed USB device number 2 using dummy_hcd
gadgetfs: connected
gadgetfs: disconnected
gadgetfs: connected
On Mon, Sep 11, 2017 at 8:54 PM, Dmitry Torokhov
<dmitry.torok...@gmail.com> wrote:
> On Mon, Sep 11, 2017 at 8:15 AM, Andrey Konovalov <andreyk...@google.com>
> wrote:
>> On Mon, Sep 11, 2017 at 3:25 PM, Alan Stern <st...@rowland.harvard.edu>
>> wrote:
>>
Hi!
I've got the following crashes while fuzzing the kernel with syzkaller.
On commit 81a84ad3cb5711cec79f4dd53a4ce026b092c432 (Sep 3).
uwbd_start() calls kthread_run() and checks that the return value is
not NULL. But the return value is not NULL in case kthread_run()
fails, it takes the form
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit dc972a67cc54585bd83ad811c4e9b6ab3dcd427e (4.14-rc2+).
There's no check on the connection_info->num_ports value when
iterating over ports.
usb 1-1: Handspring Visor / Palm OS: port 162, is for unknown use
usb
On Thu, Sep 28, 2017 at 7:01 PM, Alan Stern <st...@rowland.harvard.edu> wrote:
> On Thu, 28 Sep 2017, Andrey Konovalov wrote:
>
>> Hi!
>>
>> I've got the following report while fuzzing the kernel with syzkaller.
>>
>> On commit dc972a67cc54585bd83ad811c4
On Fri, Sep 29, 2017 at 10:37 AM, Greg Kroah-Hartman
<gre...@linuxfoundation.org> wrote:
> On Thu, Sep 28, 2017 at 07:57:46PM +0200, Andrey Konovalov wrote:
>> Hi!
>>
>> I've got the following report while fuzzing the kernel with syzkaller.
>>
>> On commit d
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit dc972a67cc54585bd83ad811c4e9b6ab3dcd427e (4.14-rc2+).
It seems that the out pointer ends up being NULL and the kernel crashes on
access to out->desc.bEndpointAddress.
gadgetfs: bound to dummy_udc driver
usb 1-1: new
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit e19b205be43d11bff638cad4487008c48d21c103 (4.14-rc2).
==
BUG: KASAN: use-after-free in lan78xx_write_reg.isra.21+0x1a8/0x1b0
Read of size 8 at addr
On Wed, Sep 27, 2017 at 1:18 PM, Arvind Yadav wrote:
> We are not releasing 'buf' memory on failure or disconnect a device.
>
> Adding 'u8 *buf' as part of 'lan78xx_net' structure to make proper
> handle for 'buf'.
> Now releasing 'buf' memory on failure. It's allocate
On Wed, Sep 27, 2017 at 2:06 PM, Andrey Konovalov <andreyk...@google.com> wrote:
> On Wed, Sep 27, 2017 at 1:18 PM, Arvind Yadav <arvind.yadav...@gmail.com>
> wrote:
>> We are not releasing 'buf' memory on failure or disconnect a device.
>>
>> Adding 'u8 *buf
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit e19b205be43d11bff638cad4487008c48d21c103 (4.14-rc2).
gadgetfs: bound to dummy_udc driver
usb 1-1: new full-speed USB device number 2 using dummy_hcd
gadgetfs: connected
gadgetfs: disconnected
gadgetfs:
y the
> console code when a driver accepts but does not register any ports for
> an interface which also lacks endpoint descriptors.
>
> Fixes: 0e517c93dc02 ("USB: serial: console: clean up sanity checks")
> Cc: stable <sta...@vger.kernel.org> # 4.11
> Rep
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 3e0cc09a3a2c40ec1ffb6b4e12da86e98feccb11 (4.14-rc5+).
Looks like usb_get_bos_descriptor() doesn't check that buffer has
enough space for usb_dev_cap_header, which causes out-of-bounds
accesses.
On Wed, Oct 4, 2017 at 4:40 PM, Greg Kroah-Hartman
<gre...@linuxfoundation.org> wrote:
> On Tue, Oct 03, 2017 at 11:29:40AM +0200, Johan Hovold wrote:
>> On Fri, Sep 29, 2017 at 10:37:55AM +0200, Greg Kroah-Hartman wrote:
>> > On Thu, Sep 28, 2017 at 07:57:46PM +0200
On Wed, Oct 18, 2017 at 5:25 PM, Alan Stern <st...@rowland.harvard.edu> wrote:
> On Wed, 18 Oct 2017, Andrey Konovalov wrote:
>
>> Hi!
>>
>> I've got the following report while fuzzing the kernel with syzkaller.
>>
>> On commit 3e0cc09a3a2c40ec1ffb6b4e12da
On Tue, Dec 12, 2017 at 5:12 PM, Alan Stern <st...@rowland.harvard.edu> wrote:
> On Tue, 12 Dec 2017, Andrey Konovalov wrote:
>
>> On Tue, Dec 12, 2017 at 4:41 PM, Alan Stern <st...@rowland.harvard.edu>
>> wrote:
>> > On Mon, 11 Dec 2017, Greg KH wrote:
>
6d 08 4d 85 ed 74 0b e8 26 2b 51 fd 4c
RIP: asix_suspend+0x76/0xc0 RSP: 88006bbae718
---[ end trace dfc4f5649284342c ]---
Signed-off-by: Andrey Konovalov <andreyk...@google.com>
---
Changes in v2:
- added asix_resume() fix
---
drivers/net/usb/asix_devices.c | 4 ++--
1 file change
On Mon, Nov 6, 2017 at 10:49 AM, Oliver Neukum <oneu...@suse.com> wrote:
> Am Donnerstag, den 02.11.2017, 21:26 +0100 schrieb Andrey Konovalov:
>> When asix_suspend() is called dev->driver_priv might not have been
>> assigned a value, so we need to check that it