Syzbot reports a slab-out-of-bounds read of a snd_card object. When snd_usb_audio_create calls snd_card_new, it passes sizeof(*chip) as the extra_size argument, which is not enough in this case.
Relevant logs below:
BUG: KASAN: slab-out-of-bounds in imon_probe+0x2983/0x3910
Read of size 1 at addr ffff8880436a2c71 by task kworker/1:2/777
(...)
The buggy address belongs to the object at ffff8880436a2000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 1 bytes to the right of
 allocated 3184-byte region [ffff8880436a2000, ffff8880436a2c70)
Reported-by: syzbot+59875ffef5cb9c9b29e9@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/000000000000a838aa0603cc74d6@google.com/
Signed-off-by: Ricardo B. Marliere ricardo@marliere.net
---
 sound/usb/card.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/usb/card.c b/sound/usb/card.c index 1b2edc0fd2e9..6578326d33e8 100644 --- a/sound/usb/card.c +++ b/sound/usb/card.c @@ -619,7 +619,7 @@ static int snd_usb_audio_create(struct usb_interface *intf, }
err = snd_card_new(&intf->dev, index[idx], id[idx], THIS_MODULE, - sizeof(*chip), &card); + sizeof(*chip) + 2, &card); if (err < 0) { dev_err(&dev->dev, "cannot create card instance %d\n", idx); return err;
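Review bot: The `+ 2` in `sizeof(*chip) + 2, &card);` is an unexplained magic constant that sizes the allocation around a symptom rather than a cause. The KASAN report names imon_probe, not any code in sound/usb/card.c, as the reader of the byte one past the end of the 3184-byte region, so the question this hunk leaves open is why a different driver dereferences the private data that snd_card_new allocates for snd_usb_audio; until that is answered, padding the region by two bytes only moves the over-read out of KASAN's sight and may leave the reader operating on data it does not own. If the extra bytes turn out to be genuinely required, the hunk should size them with the sizeof of the structure that is actually expected there and carry a comment stating which consumer relies on it, instead of a bare literal.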