Message ID | 1564410374.25582.15.camel@suse.com (mailing list archive)
---|---
State | Superseded
Series | KASAN reporting: general protection fault in flexcop_usb_probe
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger crash:

Reported-and-tested-by: syzbot+d93dff37e6a89431c158@syzkaller.appspotmail.com

Tested on:

commit:         6a3599ce usb-fuzzer: main usb gadget fuzzer driver
git tree:       https://github.com/google/kasan.git usb-fuzzer-usb-testing-2019.07.11
kernel config:  https://syzkaller.appspot.com/x/.config?x=662450485a75f217
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1036e80c600000

Note: testing is done by a robot and is best-effort only.
On Mon, Jul 29, 2019 at 5:05 PM syzbot <syzbot+d93dff37e6a89431c158@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot has tested the proposed patch and the reproducer did not trigger
> crash:
>
> Reported-and-tested-by:
> syzbot+d93dff37e6a89431c158@syzkaller.appspotmail.com
>
> Tested on:
>
> commit:         6a3599ce usb-fuzzer: main usb gadget fuzzer driver
> git tree:       https://github.com/google/kasan.git
> usb-fuzzer-usb-testing-2019.07.11
> kernel config:  https://syzkaller.appspot.com/x/.config?x=662450485a75f217
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> patch:          https://syzkaller.appspot.com/x/patch.diff?x=1036e80c600000
>
> Note: testing is done by a robot and is best-effort only.

Hi Oliver,

Thanks a lot for fixing all of these USB bugs!

The usb-fuzzer branch is working again, so it should be possible to use it for testing. But, I've actually just realized, that the proper way to test fixes for USB bugs is to use the exact commit hash that is provided in each bug report (the kernel interface for emulating USB device is not stable yet, and has significantly changed at least once). I've updated syzbot documentation to reflect this.

Let's try to retest this one with the right kernel commit id:

#syz test: https://github.com/google/kasan.git 9a33b369

Thanks!

>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/000000000000488c6d058ed337b2%40google.com.

diff --git a/drivers/media/usb/b2c2/flexcop-usb.c b/drivers/media/usb/b2c2/flexcop-usb.c index 1826ff825c2e..1a801dc286f8 100644 --- a/drivers/media/usb/b2c2/flexcop-usb.c +++ b/drivers/media/usb/b2c2/flexcop-usb.c
@@ -538,6 +538,9 @@ static int flexcop_usb_probe(struct usb_interface *intf, struct flexcop_device *fc = NULL; int ret; + if (intf->cur_altsetting->desc.bNumEndpoints < 1) + return -ENODEV; + if ((fc = flexcop_device_kmalloc(sizeof(struct flexcop_usb))) == NULL) { err("out of memory\n"); return -ENOMEM;
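Review bot: the new `bNumEndpoints < 1` guard at the top of flexcop_usb_probe() only establishes that the current altsetting carries at least one endpoint descriptor; it says nothing about that endpoint's type or direction, so if the probe path later assumes a specific endpoint at a fixed index (say a bulk or isochronous IN endpoint), a device exposing a single endpoint of some other type still passes this check and the original dereference pattern is merely pushed one step further. A more robust shape for the same fix is to look up the endpoint the driver actually uses, for instance via usb_find_common_endpoints(), and return -ENODEV when it is not found. Placing the check before flexcop_device_kmalloc() is the right ordering, since the early return then leaks nothing. The hunk also carries no comment stating that the check defends against a malformed descriptor set; a one-line comment above the `if`, or a sentence in the commit message pointing at the syzbot report, would help future readers understand why a count of zero is rejected here.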
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger crash:

Reported-and-tested-by: syzbot+d93dff37e6a89431c158@syzkaller.appspotmail.com

Tested on:

commit:         9a33b369 usb-fuzzer: main usb gadget fuzzer driver
git tree:       https://github.com/google/kasan.git
kernel config:  https://syzkaller.appspot.com/x/.config?x=23e37f59d94ddd15
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
patch:          https://syzkaller.appspot.com/x/patch.diff?x=11cc12d8600000

Note: testing is done by a robot and is best-effort only.
On Monday, 29.07.2019 at 18:54 +0200, Andrey Konovalov wrote:

Hi,

> Thanks a lot for fixing all of these USB bugs!

I fear the day we get serious about MA USB.
All these issues will turn into security issues.

> The usb-fuzzer branch is working again, so it should be possible to
> use it for testing. But, I've actually just realized, that the proper
> way to test fixes for USB bugs is to use the exact commit hash that is
> provided in each bug report (the kernel interface for emulating USB
> device is not stable yet, and has significantly changed at least
> once). I've updated syzbot documentation to reflect this.

Where is that documentation?

> Let's try to retest this one with the right kernel commit id:
>
> #syz test: https://github.com/google/kasan.git 9a33b369

Retesting.

Regards
Oliver
On Tue, Jul 30, 2019 at 9:51 AM Oliver Neukum <oneukum@suse.com> wrote:
>
> On Monday, 29.07.2019 at 18:54 +0200, Andrey Konovalov wrote:
>
> Hi,
>
> > Thanks a lot for fixing all of these USB bugs!
>
> I fear the day we get serious about MA USB.
> All these issues will turn into security issues.
>
> > The usb-fuzzer branch is working again, so it should be possible to
> > use it for testing. But, I've actually just realized, that the proper
> > way to test fixes for USB bugs is to use the exact commit hash that is
> > provided in each bug report (the kernel interface for emulating USB
> > device is not stable yet, and has significantly changed at least
> > once). I've updated syzbot documentation to reflect this.
>
> Where is that documentation?

Hi Oliver,

The link is referenced in every bug report ;)

https://groups.google.com/forum/#!topic/syzkaller-bugs/C4kgnyomFyQ

> See https://goo.gl/tpsmEJ for more information about syzbot.