[PATCH] sound: usb: increase snd_card alloc size
Syzbot reports a slab-out-of-bounds read of a snd_card object. When snd_usb_audio_create calls snd_card_new, it passes sizeof(*chip) as the extra_size argument, which is not enough in this case.
Relevant logs below:
BUG: KASAN: slab-out-of-bounds in imon_probe+0x2983/0x3910
Read of size 1 at addr ffff8880436a2c71 by task kworker/1:2/777
(...)
The buggy address belongs to the object at ffff8880436a2000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 1 bytes to the right of
 allocated 3184-byte region [ffff8880436a2000, ffff8880436a2c70)

Reported-by: syzbot+59875ffef5cb9c9b29e9@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/000000000000a838aa0603cc74d6@google.com/
Signed-off-by: Ricardo B. Marliere <ricardo@marliere.net>
---
 sound/usb/card.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/usb/card.c b/sound/usb/card.c index 1b2edc0fd2e9..6578326d33e8 100644 --- a/sound/usb/card.c +++ b/sound/usb/card.c @@ -619,7 +619,7 @@ static int snd_usb_audio_create(struct usb_interface *intf, }
err = snd_card_new(&intf->dev, index[idx], id[idx], THIS_MODULE, - sizeof(*chip), &card); + sizeof(*chip) + 2, &card); if (err < 0) { dev_err(&dev->dev, "cannot create card instance %d\n", idx); return err;
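Review bot: the `+ 2` added to the extra_size argument of snd_card_new() is an unexplained magic number, and the report quoted in the changelog points away from this allocation: the out-of-bounds read happens in imon_probe(), one byte past a 3184-byte object that snd-usb-audio allocated for its own use, so the reader (imon) is at fault, not the size the allocator was asked for. Growing the region by two bytes only moves the boundary; any other field or struct layout on the imon side would read past it again. Suggest dropping this hunk and working out why imon dereferences memory owned by another driver's interface; the changelog should also keep the full KASAN call trace rather than trimming it to `(...)`, since the trace is what identifies the faulting code path.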
On Fri, 22 Sep 2023 02:51:53 +0200, Ricardo B. Marliere wrote:
Syzbot reports a slab-out-of-bounds read of a snd_card object. When snd_usb_audio_create calls snd_card_new, it passes sizeof(*chip) as the extra_size argument, which is not enough in this case.
Relevant logs below:
BUG: KASAN: slab-out-of-bounds in imon_probe+0x2983/0x3910
Read of size 1 at addr ffff8880436a2c71 by task kworker/1:2/777
(...)
The buggy address belongs to the object at ffff8880436a2000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 1 bytes to the right of
 allocated 3184-byte region [ffff8880436a2000, ffff8880436a2c70)

Reported-by: syzbot+59875ffef5cb9c9b29e9@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/000000000000a838aa0603cc74d6@google.com/
Signed-off-by: Ricardo B. Marliere <ricardo@marliere.net>
 sound/usb/card.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/usb/card.c b/sound/usb/card.c index 1b2edc0fd2e9..6578326d33e8 100644 --- a/sound/usb/card.c +++ b/sound/usb/card.c @@ -619,7 +619,7 @@ static int snd_usb_audio_create(struct usb_interface *intf, }
err = snd_card_new(&intf->dev, index[idx], id[idx], THIS_MODULE,
sizeof(*chip), &card);
sizeof(*chip) + 2, &card);
Sorry, it's a no-no. We have to fix the cause of the OOB access instead of papering over it with a random size increase.
Unfortunately, the most important piece of information is trimmed in the changelog, so I can't judge what's going on. The only useful info there is that it's something to do with the imon driver, but that's completely independent from USB-audio. How does it access the external memory allocated by the snd-usb-audio driver at all?
Before jumping to the solution, we must understand the problem.
thanks,
Takashi
On Fri, 22 Sep 2023 10:46:26 +0200, Takashi Iwai wrote:
On Fri, 22 Sep 2023 02:51:53 +0200, Ricardo B. Marliere wrote:
Syzbot reports a slab-out-of-bounds read of a snd_card object. When snd_usb_audio_create calls snd_card_new, it passes sizeof(*chip) as the extra_size argument, which is not enough in this case.
Relevant logs below:
BUG: KASAN: slab-out-of-bounds in imon_probe+0x2983/0x3910
Read of size 1 at addr ffff8880436a2c71 by task kworker/1:2/777
(...)
The buggy address belongs to the object at ffff8880436a2000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 1 bytes to the right of
 allocated 3184-byte region [ffff8880436a2000, ffff8880436a2c70)

Reported-by: syzbot+59875ffef5cb9c9b29e9@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/000000000000a838aa0603cc74d6@google.com/
Signed-off-by: Ricardo B. Marliere <ricardo@marliere.net>
 sound/usb/card.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/usb/card.c b/sound/usb/card.c index 1b2edc0fd2e9..6578326d33e8 100644 --- a/sound/usb/card.c +++ b/sound/usb/card.c @@ -619,7 +619,7 @@ static int snd_usb_audio_create(struct usb_interface *intf, }
err = snd_card_new(&intf->dev, index[idx], id[idx], THIS_MODULE,
sizeof(*chip), &card);
sizeof(*chip) + 2, &card);
Sorry, it's a no-no. We have to fix the cause of the OOB access instead of papering over it with a random size increase.
Unfortunately, the most important piece of information is trimmed in the changelog, so I can't judge what's going on. The only useful info there is that it's something to do with the imon driver, but that's completely independent from USB-audio. How does it access the external memory allocated by the snd-usb-audio driver at all?
Before jumping to the solution, we must understand the problem.
Now I took a look at the syzbot URL and got more info.
Through a quick glance, my wild guess is that two different drivers are bound to two interfaces of the device, the first one to usb-audio and the second one to imon. And the imon driver blindly assumes that the first interface is bound to imon, too, and that can be the cause. A patch like the one below (totally untested!) might fix the problem.
Can you reproduce the problem on your side? Or did you pick this up randomly without testing?
Anyway, let's put the media people on Cc.
thanks,
Takashi
--- a/drivers/media/rc/imon.c +++ b/drivers/media/rc/imon.c @@ -2427,6 +2427,12 @@ static int imon_probe(struct usb_interface *interface, goto fail; }
+ if (first_if->dev.driver != interface->dev.driver) { + dev_err(&interface->dev, "inconsistent driver matching\n"); + ret = -EINVAL; + goto fail; + } + if (ifnum == 0) { ictx = imon_init_intf0(interface, id); if (!ictx) {
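Review bot: the new `first_if->dev.driver != interface->dev.driver` comparison is the right guard for this report: imon treats interface 0's intfdata as its own struct imon_context, which is only valid when imon is the driver bound there, and in the syzbot device interface 0 went to snd-usb-audio. Two things to confirm before this goes in as a proper patch: first_if must already be resolved and NULL-checked above the hunk (the `goto fail; }` context suggests the preceding block does that), and the check also rejects the case where no driver is bound to interface 0 at all (dev.driver is NULL), which is the desired outcome since there is no imon_context to borrow either way. The `inconsistent driver matching` dev_err() plus the -EINVAL return make the rejection easy to spot in dmesg, which helps when confirming the fix against the reproducer.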
On 23/09/22 11:49AM, Takashi Iwai wrote:
On Fri, 22 Sep 2023 10:46:26 +0200, Takashi Iwai wrote:
On Fri, 22 Sep 2023 02:51:53 +0200, Ricardo B. Marliere wrote:
Syzbot reports a slab-out-of-bounds read of a snd_card object. When snd_usb_audio_create calls snd_card_new, it passes sizeof(*chip) as the extra_size argument, which is not enough in this case.
Relevant logs below:
BUG: KASAN: slab-out-of-bounds in imon_probe+0x2983/0x3910
Read of size 1 at addr ffff8880436a2c71 by task kworker/1:2/777
(...)
The buggy address belongs to the object at ffff8880436a2000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 1 bytes to the right of
 allocated 3184-byte region [ffff8880436a2000, ffff8880436a2c70)

Reported-by: syzbot+59875ffef5cb9c9b29e9@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/000000000000a838aa0603cc74d6@google.com/
Signed-off-by: Ricardo B. Marliere <ricardo@marliere.net>
 sound/usb/card.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/usb/card.c b/sound/usb/card.c index 1b2edc0fd2e9..6578326d33e8 100644 --- a/sound/usb/card.c +++ b/sound/usb/card.c @@ -619,7 +619,7 @@ static int snd_usb_audio_create(struct usb_interface *intf, }
err = snd_card_new(&intf->dev, index[idx], id[idx], THIS_MODULE,
sizeof(*chip), &card);
sizeof(*chip) + 2, &card);
Sorry, it's a no-no. We have to fix the cause of the OOB access instead of papering over it with a random size increase.
Unfortunately, the most important piece of information is trimmed in the changelog, so I can't judge what's going on. The only useful info there is that it's something to do with the imon driver, but that's completely independent from USB-audio. How does it access the external memory allocated by the snd-usb-audio driver at all?
Before jumping to the solution, we must understand the problem.
Now I took a look at the syzbot URL and got more info.
Through a quick glance, my wild guess is that two different drivers are bound to two interfaces of the device, the first one to usb-audio and the second one to imon. And the imon driver blindly assumes that the first interface is bound to imon, too, and that can be the cause. A patch like the one below (totally untested!) might fix the problem.
Can you reproduce the problem on your side? Or did you pick this up randomly without testing?
Thanks for the valuable info! I tested your proposed patch and it works. Will you send it as a proper patch or can the maintainers pick it from here?
Anyway, let's put the media people on Cc.
thanks,
Takashi
--- a/drivers/media/rc/imon.c +++ b/drivers/media/rc/imon.c @@ -2427,6 +2427,12 @@ static int imon_probe(struct usb_interface *interface, goto fail; }
- if (first_if->dev.driver != interface->dev.driver) {
dev_err(&interface->dev, "inconsistent driver matching\n");
ret = -EINVAL;
goto fail;
- }
- if (ifnum == 0) { ictx = imon_init_intf0(interface, id); if (!ictx) {
Tested-by: Ricardo B. Marliere <ricardo@marliere.net>
Linux garage 6.6.0-rc2-next-20230921-dirty #15 SMP PREEMPT_DYNAMIC Fri Sep 22 07:29:07 -03 2023 x86_64
10:31:03 root@garage ~ # ./syz-execprog repsyz
2023/09/22 10:31:08 parsed 1 programs
(...)
2023/09/22 10:31:15 executed programs: 0
(...)
[ 49.961690][ T8587] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy
[ 49.965046][ T8587] misc raw-gadget: fail, usb_gadget_register_driver returned -16
[ 50.219962][ T765] usb 2-1: new high-speed USB device number 2 using dummy_hcd
[ 50.459682][ T765] usb 2-1: Using ep0 maxpacket: 16
[ 50.579830][ T765] usb 2-1: config 1 has too many interfaces: 163, using maximum allowed: 32
[ 50.581753][ T765] usb 2-1: config 1 has an invalid descriptor of length 7, skipping remainder of the config
[ 50.583812][ T765] usb 2-1: config 1 has 3 interfaces, different from the descriptor's value: 163
[ 50.585682][ T765] usb 2-1: config 1 interface 1 altsetting 1 endpoint 0x1 has an invalid bInterval 0, changing to 7
[ 50.587870][ T765] usb 2-1: config 1 interface 1 altsetting 1 endpoint 0x1 has invalid wMaxPacketSize 0
[ 50.590104][ T765] usb 2-1: too many endpoints for config 1 interface 2 altsetting 0: 128, using maximum allowed: 30
[ 50.592292][ T765] usb 2-1: config 1 interface 2 altsetting 0 has 0 endpoint descriptors, different from the interface descriptor's value: 128
[ 50.594921][ T765] usb 2-1: config 1 interface 2 altsetting 1 endpoint 0x82 has an invalid bInterval 62, changing to 7
[ 50.597128][ T765] usb 2-1: config 1 interface 2 altsetting 1 endpoint 0x82 has invalid maxpacket 41992, setting to 1024
[ 50.749794][ T765] usb 2-1: New USB device found, idVendor=15c2, idProduct=0039, bcdDevice=80.f3
[ 50.751765][ T765] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 50.753415][ T765] usb 2-1: Product: syz
[ 50.754255][ T765] usb 2-1: Manufacturer: syz
[ 50.755247][ T765] usb 2-1: SerialNumber: syz
[ 50.805761][ T765] imon:imon_find_endpoints: no valid input (IR) endpoint found
[ 50.807506][ T765] imon 2-1:1.0: unable to initialize intf0, err -19
[ 50.808934][ T765] imon:imon_probe: failed to initialize context!
[ 50.810288][ T765] imon 2-1:1.0: unable to register, err -19
[ 51.069921][ T765] usb 2-1: 2:1 : UAC_AS_GENERAL descriptor not found
[ 51.113716][ T765] imon 2-1:1.1: inconsistent driver matching
[ 51.121438][ T765] imon 2-1:1.1: unable to register, err -22
[ 51.122866][ T765] imon: probe of 2-1:1.1 failed with error -22
[ 51.132274][ T765] usb 2-1: USB disconnect, device number 2
[ 51.270491][ T4485] Bluetooth: hci0: command 0x0409 tx timeout
10:31:17 root@garage ~ #
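The situation Takashi describes above (interface 0 bound to snd-usb-audio, interface 1 to imon, and imon treating its sibling's intfdata as its own context) as a constructed, stand-alone C model. This is added example code, not kernel code or the proposed patch; the struct layouts and sizes, and the helper names `audio_probe`, `imon_probe_intf0`, `imon_probe_intf1`, `setup_device` and `teardown_device`, are assumptions made for the demonstration. The unpatched path reports where the real driver would read out of bounds; the patched path applies the driver-identity check from the proposed patch.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model (not kernel code) of the objects involved in the report. */
struct device_driver { const char *name; };
struct usb_interface {
	int ifnum;
	const struct device_driver *driver; /* driver the core bound here, NULL if none */
	void *intfdata;                     /* that driver's private data (usb_set_intfdata) */
	size_t intfdata_size;               /* model only: lets us detect an OOB read, not do it */
};
struct usb_device { struct usb_interface intf[2]; };
static const struct device_driver audio_driver = { "snd-usb-audio" };
static const struct device_driver imon_driver  = { "imon" };

/* Constructed layouts: the field imon reads on its interface-0 context lies past the audio object. */
struct snd_usb_audio { int index; unsigned char state[3100]; };
struct imon_context  { bool dev_present_intf0; unsigned char rest[3300]; bool display_supported; };

/* Model of usb_audio_probe() claiming interface 0. */
static int audio_probe(struct usb_interface *intf)
{
	struct snd_usb_audio *chip = calloc(1, sizeof(*chip));
	if (!chip)
		return -ENOMEM;
	intf->driver = &audio_driver;
	intf->intfdata = chip;
	intf->intfdata_size = sizeof(*chip);
	return 0;
}

/* Model of imon_probe() claiming interface 0 itself, the case the driver expects. */
static int imon_probe_intf0(struct usb_interface *intf)
{
	struct imon_context *ictx = calloc(1, sizeof(*ictx));
	if (!ictx)
		return -ENOMEM;
	ictx->display_supported = true;
	intf->driver = &imon_driver;
	intf->intfdata = ictx;
	intf->intfdata_size = sizeof(*ictx);
	return 0;
}

/* Model of imon_probe() for interface 1: like the real driver it treats the sibling's
 * intfdata as an imon_context. check_sibling applies the guard from the proposed patch.
 * Rather than touch foreign memory, the model checks the wanted offset against the
 * sibling's real allocation and returns -EFAULT where KASAN would report the OOB read. */
static int imon_probe_intf1(struct usb_device *dev, bool check_sibling)
{
	struct usb_interface *first_if = &dev->intf[0];
	struct usb_interface *intf = &dev->intf[1];
	struct imon_context *ictx;
	int ret = -ENODEV;

	intf->driver = &imon_driver; /* the core has matched us before probe runs */
	if (check_sibling && first_if->driver != intf->driver) {
		fprintf(stderr, "imon intf %d: inconsistent driver matching\n", intf->ifnum);
		ret = -EINVAL;
		goto fail;
	}
	if (!first_if->intfdata)
		goto fail;
	if (offsetof(struct imon_context, display_supported) >= first_if->intfdata_size) {
		ret = -EFAULT; /* the real driver reads past the audio object here */
		goto fail;
	}
	ictx = first_if->intfdata;
	if (!ictx->display_supported)
		goto fail;
	intf->intfdata = ictx;
	intf->intfdata_size = first_if->intfdata_size;
	return 0;
fail:
	intf->driver = NULL; /* probe failed: the core unbinds the interface */
	return ret;
}

/* Two-interface device whose interface 0 is owned by audio or by imon. */
static void setup_device(struct usb_device *dev, bool audio_owns_intf0)
{
	*dev = (struct usb_device){ .intf = { { .ifnum = 0 }, { .ifnum = 1 } } };
	if (audio_owns_intf0)
		audio_probe(&dev->intf[0]);
	else
		imon_probe_intf0(&dev->intf[0]);
}

/* Interface 1 only borrows interface 0's context, so one free() suffices. */
static void teardown_device(struct usb_device *dev) { free(dev->intf[0].intfdata); }

int main(void)
{
	struct usb_device dev;
	setup_device(&dev, true);
	printf("unpatched imon, audio on intf0: %d (-EFAULT)\n", imon_probe_intf1(&dev, false));
	printf("patched imon, audio on intf0: %d (-EINVAL)\n", imon_probe_intf1(&dev, true));
	teardown_device(&dev);
	return 0;
}
```

With imon owning interface 0 (setup_device(&dev, false)) the patched probe succeeds and interface 1 shares interface 0's context, which is the case the driver was written for.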
On Fri, 22 Sep 2023 12:37:02 +0200, Ricardo B. Marliere wrote:
On 23/09/22 11:49AM, Takashi Iwai wrote:
On Fri, 22 Sep 2023 10:46:26 +0200, Takashi Iwai wrote:
On Fri, 22 Sep 2023 02:51:53 +0200, Ricardo B. Marliere wrote:
Syzbot reports a slab-out-of-bounds read of a snd_card object. When snd_usb_audio_create calls snd_card_new, it passes sizeof(*chip) as the extra_size argument, which is not enough in this case.
Relevant logs below:
BUG: KASAN: slab-out-of-bounds in imon_probe+0x2983/0x3910
Read of size 1 at addr ffff8880436a2c71 by task kworker/1:2/777
(...)
The buggy address belongs to the object at ffff8880436a2000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 1 bytes to the right of
 allocated 3184-byte region [ffff8880436a2000, ffff8880436a2c70)

Reported-by: syzbot+59875ffef5cb9c9b29e9@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/000000000000a838aa0603cc74d6@google.com/
Signed-off-by: Ricardo B. Marliere <ricardo@marliere.net>
 sound/usb/card.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/usb/card.c b/sound/usb/card.c index 1b2edc0fd2e9..6578326d33e8 100644 --- a/sound/usb/card.c +++ b/sound/usb/card.c @@ -619,7 +619,7 @@ static int snd_usb_audio_create(struct usb_interface *intf, }
err = snd_card_new(&intf->dev, index[idx], id[idx], THIS_MODULE,
sizeof(*chip), &card);
sizeof(*chip) + 2, &card);
Sorry, it's a no-no. We have to fix the cause of the OOB access instead of papering over it with a random size increase.
Unfortunately, the most important piece of information is trimmed in the changelog, so I can't judge what's going on. The only useful info there is that it's something to do with the imon driver, but that's completely independent from USB-audio. How does it access the external memory allocated by the snd-usb-audio driver at all?
Before jumping to the solution, we must understand the problem.
Now I took a look at the syzbot URL and got more info.
Through a quick glance, my wild guess is that two different drivers are bound to two interfaces of the device, the first one to usb-audio and the second one to imon. And the imon driver blindly assumes that the first interface is bound to imon, too, and that can be the cause. A patch like the one below (totally untested!) might fix the problem.
Can you reproduce the problem on your side? Or did you pick this up randomly without testing?
Thanks for the valuable info! I tested your proposed patch and it works. Will you send it as a proper patch or can the maintainers pick it from here?
Good to hear! Then I'll submit a proper patch later. Thanks for the quick testing.
Takashi
Anyway, let's put the media people on Cc.
thanks,
Takashi
--- a/drivers/media/rc/imon.c +++ b/drivers/media/rc/imon.c @@ -2427,6 +2427,12 @@ static int imon_probe(struct usb_interface *interface, goto fail; }
- if (first_if->dev.driver != interface->dev.driver) {
dev_err(&interface->dev, "inconsistent driver matching\n");
ret = -EINVAL;
goto fail;
- }
- if (ifnum == 0) { ictx = imon_init_intf0(interface, id); if (!ictx) {
Tested-by: Ricardo B. Marliere <ricardo@marliere.net>
On 23/09/22 10:46AM, Takashi Iwai wrote:
On Fri, 22 Sep 2023 02:51:53 +0200, Ricardo B. Marliere wrote:
Syzbot reports a slab-out-of-bounds read of a snd_card object. When snd_usb_audio_create calls snd_card_new, it passes sizeof(*chip) as the extra_size argument, which is not enough in this case.
Relevant logs below:
BUG: KASAN: slab-out-of-bounds in imon_probe+0x2983/0x3910
Read of size 1 at addr ffff8880436a2c71 by task kworker/1:2/777
(...)
The buggy address belongs to the object at ffff8880436a2000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 1 bytes to the right of
 allocated 3184-byte region [ffff8880436a2000, ffff8880436a2c70)

Reported-by: syzbot+59875ffef5cb9c9b29e9@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/000000000000a838aa0603cc74d6@google.com/
Signed-off-by: Ricardo B. Marliere <ricardo@marliere.net>
 sound/usb/card.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/usb/card.c b/sound/usb/card.c index 1b2edc0fd2e9..6578326d33e8 100644 --- a/sound/usb/card.c +++ b/sound/usb/card.c @@ -619,7 +619,7 @@ static int snd_usb_audio_create(struct usb_interface *intf, }
err = snd_card_new(&intf->dev, index[idx], id[idx], THIS_MODULE,
sizeof(*chip), &card);
sizeof(*chip) + 2, &card);
Sorry, it's a no-no. We have to fix the cause of the OOB access instead of papering over it with a random size increase.
Hey Takashi, you are right.
Unfortunately, the most important piece of information is trimmed in the changelog, so I can't judge what's going on. The only useful info there is that it's something to do with the imon driver, but that's completely independent from USB-audio. How does it access the external memory allocated by the snd-usb-audio driver at all?
Before jumping to the solution, we must understand the problem.
The link mentioned in the "Closes:" tag contains the logs pasted below. I will continue to investigate the root cause of this oob access, please let me know if you have any clue I should look into.
Thanks for reviewing! - Ricardo
==================================================================
BUG: KASAN: slab-out-of-bounds in imon_init_intf1 drivers/media/rc/imon.c:2323 [inline]
BUG: KASAN: slab-out-of-bounds in imon_probe+0x298f/0x38f0 drivers/media/rc/imon.c:2449
Read of size 1 at addr ffff888069cbac71 by task kworker/1:3/5066

CPU: 1 PID: 5066 Comm: kworker/1:3 Not tainted 6.5.0-rc7-next-20230821-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0xc4/0x620 mm/kasan/report.c:475
 kasan_report+0xda/0x110 mm/kasan/report.c:588
 imon_init_intf1 drivers/media/rc/imon.c:2323 [inline]
 imon_probe+0x298f/0x38f0 drivers/media/rc/imon.c:2449
 usb_probe_interface+0x307/0x930 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:579 [inline]
 really_probe+0x234/0xc90 drivers/base/dd.c:658
 __driver_probe_device+0x1de/0x4b0 drivers/base/dd.c:800
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:830
 __device_attach_driver+0x1d4/0x300 drivers/base/dd.c:958
 bus_for_each_drv+0x157/0x1d0 drivers/base/bus.c:457
 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
 bus_probe_device+0x17c/0x1c0 drivers/base/bus.c:532
 device_add+0x11f1/0x1b40 drivers/base/core.c:3623
 usb_set_configuration+0x10cb/0x1c40 drivers/usb/core/message.c:2207
 usb_generic_driver_probe+0xca/0x130 drivers/usb/core/generic.c:238
 usb_probe_device+0xda/0x2c0 drivers/usb/core/driver.c:293
 call_driver_probe drivers/base/dd.c:579 [inline]
 really_probe+0x234/0xc90 drivers/base/dd.c:658
 __driver_probe_device+0x1de/0x4b0 drivers/base/dd.c:800
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:830
 __device_attach_driver+0x1d4/0x300 drivers/base/dd.c:958
 bus_for_each_drv+0x157/0x1d0 drivers/base/bus.c:457
 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
 bus_probe_device+0x17c/0x1c0 drivers/base/bus.c:532
 device_add+0x11f1/0x1b40 drivers/base/core.c:3623
 usb_new_device+0xd80/0x1960 drivers/usb/core/hub.c:2589
 hub_port_connect drivers/usb/core/hub.c:5440 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5580 [inline]
 port_event drivers/usb/core/hub.c:5740 [inline]
 hub_event+0x2daf/0x4e00 drivers/usb/core/hub.c:5822
 process_one_work+0x887/0x15d0 kernel/workqueue.c:2630
 process_scheduled_works kernel/workqueue.c:2703 [inline]
 worker_thread+0x8bb/0x1290 kernel/workqueue.c:2784
 kthread+0x33a/0x430 kernel/kthread.c:388
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
 </TASK>

Allocated by task 5066:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383
 kasan_kmalloc include/linux/kasan.h:198 [inline]
 __do_kmalloc_node mm/slab_common.c:1004 [inline]
 __kmalloc+0x60/0x100 mm/slab_common.c:1017
 kmalloc include/linux/slab.h:604 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 snd_card_new+0x74/0x110 sound/core/init.c:184
 snd_usb_audio_create sound/usb/card.c:621 [inline]
 usb_audio_probe+0x1905/0x3c60 sound/usb/card.c:827
 usb_probe_interface+0x307/0x930 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:579 [inline]
 really_probe+0x234/0xc90 drivers/base/dd.c:658
 __driver_probe_device+0x1de/0x4b0 drivers/base/dd.c:800
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:830
 __device_attach_driver+0x1d4/0x300 drivers/base/dd.c:958
 bus_for_each_drv+0x157/0x1d0 drivers/base/bus.c:457
 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
 bus_probe_device+0x17c/0x1c0 drivers/base/bus.c:532
 device_add+0x11f1/0x1b40 drivers/base/core.c:3623
 usb_set_configuration+0x10cb/0x1c40 drivers/usb/core/message.c:2207
 usb_generic_driver_probe+0xca/0x130 drivers/usb/core/generic.c:238
 usb_probe_device+0xda/0x2c0 drivers/usb/core/driver.c:293
 call_driver_probe drivers/base/dd.c:579 [inline]
 really_probe+0x234/0xc90 drivers/base/dd.c:658
 __driver_probe_device+0x1de/0x4b0 drivers/base/dd.c:800
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:830
 __device_attach_driver+0x1d4/0x300 drivers/base/dd.c:958
 bus_for_each_drv+0x157/0x1d0 drivers/base/bus.c:457
 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
 bus_probe_device+0x17c/0x1c0 drivers/base/bus.c:532
 device_add+0x11f1/0x1b40 drivers/base/core.c:3623
 usb_new_device+0xd80/0x1960 drivers/usb/core/hub.c:2589
 hub_port_connect drivers/usb/core/hub.c:5440 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5580 [inline]
 port_event drivers/usb/core/hub.c:5740 [inline]
hub_event+0x2daf/0x4e00 drivers/usb/core/hub.c:5822 process_one_work+0x887/0x15d0 kernel/workqueue.c:2630 process_scheduled_works kernel/workqueue.c:2703 [inline] worker_thread+0x8bb/0x1290 kernel/workqueue.c:2784 kthread+0x33a/0x430 kernel/kthread.c:388 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
The buggy address belongs to the object at ffff888069cba000 which belongs to the cache kmalloc-4k of size 4096 The buggy address is located 1 bytes to the right of allocated 3184-byte region [ffff888069cba000, ffff888069cbac70)
The buggy address belongs to the physical page: page:ffffea0001a72e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x69cb8 head:ffffea0001a72e00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff) page_type: 0xffffffff() raw: 00fff00000000840 ffff888012c42140 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d2820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 27, tgid 27 (kworker/1:1), ts 97911259229, free_ts 34249861969 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x2cf/0x340 mm/page_alloc.c:1530 prep_new_page mm/page_alloc.c:1537 [inline] get_page_from_freelist+0x10d7/0x31b0 mm/page_alloc.c:3213 __alloc_pages+0x1d0/0x4a0 mm/page_alloc.c:4469 alloc_pages+0x1a9/0x270 mm/mempolicy.c:2298 alloc_slab_page mm/slub.c:1870 [inline] allocate_slab+0x251/0x380 mm/slub.c:2017 new_slab mm/slub.c:2070 [inline] ___slab_alloc+0x8be/0x1570 mm/slub.c:3223 __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3322 __slab_alloc_node mm/slub.c:3375 [inline] slab_alloc_node mm/slub.c:3468 [inline] __kmem_cache_alloc_node+0x137/0x350 mm/slub.c:3517 __do_kmalloc_node mm/slab_common.c:1003 [inline] __kmalloc_node_track_caller+0x50/0x100 mm/slab_common.c:1024 kmalloc_reserve+0xef/0x270 net/core/skbuff.c:575 __alloc_skb+0x12b/0x330 net/core/skbuff.c:644 alloc_skb include/linux/skbuff.h:1286 [inline] nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:748 [inline] nsim_dev_trap_report drivers/net/netdevsim/dev.c:805 [inline] nsim_dev_trap_report_work+0x29e/0xc70 drivers/net/netdevsim/dev.c:850 process_one_work+0x887/0x15d0 kernel/workqueue.c:2630 process_scheduled_works kernel/workqueue.c:2703 [inline] worker_thread+0x8bb/0x1290 
kernel/workqueue.c:2784 kthread+0x33a/0x430 kernel/kthread.c:388 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1130 [inline] free_unref_page_prepare+0x476/0xa40 mm/page_alloc.c:2342 free_unref_page+0x33/0x3b0 mm/page_alloc.c:2435 free_contig_range+0xb6/0x190 mm/page_alloc.c:6385 destroy_args+0x768/0x990 mm/debug_vm_pgtable.c:1028 debug_vm_pgtable+0x1d7e/0x3e00 mm/debug_vm_pgtable.c:1408 do_one_initcall+0x117/0x630 init/main.c:1232 do_initcall_level init/main.c:1294 [inline] do_initcalls init/main.c:1310 [inline] do_basic_setup init/main.c:1329 [inline] kernel_init_freeable+0x5c2/0x900 init/main.c:1547 kernel_init+0x1c/0x2a0 init/main.c:1437 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
Memory state around the buggy address: ffff888069cbab00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888069cbab80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888069cbac00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
^ ffff888069cbac80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888069cbad00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================
Participants (2): Ricardo B. Marliere, Takashi Iwai