Re: usb/core: slab-out-of-bounds read in cdc_parse_cdc_header

2017-09-21 Thread Andrey Konovalov 
On Thu, Sep 21, 2017 at 4:07 PM, Greg Kroah-Hartman
 wrote:
> On Thu, Sep 21, 2017 at 03:51:44PM +0200, Andrey Konovalov wrote:
>> On Thu, Sep 21, 2017 at 10:04 AM, Greg Kroah-Hartman
>>  wrote:
>> > On Thu, Sep 21, 2017 at 09:31:54AM +0200, Greg Kroah-Hartman wrote:
>> >> On Wed, Sep 20, 2017 at 04:45:08PM +0200, Andrey Konovalov wrote:
>> >> > Hi!
>> >> >
>> >> > I've got the following crash while fuzzing the kernel with syzkaller.
>> >> >
>> >> > On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
>> >> >
>> >> > It looks like cdc_parse_cdc_header() doesn't validate buflen before
>> >> > accessing buffer[1], buffer[2] and so on. The only check present is
>> >> > while (buflen > 0).
>> >>
>> >> Ugh, you are right, let me go work on a patch, thanks for the report...
>> >
>> > Here's a first cut at a fix for this.  I think this should solve it, but
>> > it's early and my coffee has not fully kicked in...
>> >
>> > thanks,
>> >
>> > greg k-h
>> > -
>> >
>> > diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
>> > index 4c38ea41ae96..028feaf01aa5 100644
>> > --- a/drivers/usb/core/message.c
>> > +++ b/drivers/usb/core/message.c
>> > @@ -2069,6 +2069,10 @@ int cdc_parse_cdc_header(struct 
>> > usb_cdc_parsed_header *hdr,
>> > elength = 1;
>> > goto next_desc;
>> > }
>> > +   if ((buflen < elength) || (elength < 2)) {
>>
>> Hi Greg,
>>
>> I think this should check (elength < 3), since we access both
>> buffer[1] and buffer[2] after this check.
>
> {sigh}  yes, you are right, counted this one wrong.
>
> With this patch, updated one below, does it fix your crash?

It does, thanks!

Tested-by: Andrey Konovalov 

>
> thanks,
>
> greg k-h
>
>
> diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
> index 4c38ea41ae96..028feaf01aa5 100644
> --- a/drivers/usb/core/message.c
> +++ b/drivers/usb/core/message.c
> @@ -2069,6 +2069,10 @@ int cdc_parse_cdc_header(struct usb_cdc_parsed_header 
> *hdr,
> elength = 1;
> goto next_desc;
> }
> +   if ((buflen < elength) || (elength < 3)) {
> +   dev_err(>dev, "invalid descriptor buffer 
> length\n");
> +   break;
> +   }
> if (buffer[1] != USB_DT_CS_INTERFACE) {
> dev_err(>dev, "skipping garbage\n");
> goto next_desc;
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: usb/core: slab-out-of-bounds read in cdc_parse_cdc_header

2017-09-21 Thread Greg Kroah-Hartman 
On Thu, Sep 21, 2017 at 03:51:44PM +0200, Andrey Konovalov wrote:
> On Thu, Sep 21, 2017 at 10:04 AM, Greg Kroah-Hartman
>  wrote:
> > On Thu, Sep 21, 2017 at 09:31:54AM +0200, Greg Kroah-Hartman wrote:
> >> On Wed, Sep 20, 2017 at 04:45:08PM +0200, Andrey Konovalov wrote:
> >> > Hi!
> >> >
> >> > I've got the following crash while fuzzing the kernel with syzkaller.
> >> >
> >> > On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
> >> >
> >> > It looks like cdc_parse_cdc_header() doesn't validate buflen before
> >> > accessing buffer[1], buffer[2] and so on. The only check present is
> >> > while (buflen > 0).
> >>
> >> Ugh, you are right, let me go work on a patch, thanks for the report...
> >
> > Here's a first cut at a fix for this.  I think this should solve it, but
> > it's early and my coffee has not fully kicked in...
> >
> > thanks,
> >
> > greg k-h
> > -
> >
> > diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
> > index 4c38ea41ae96..028feaf01aa5 100644
> > --- a/drivers/usb/core/message.c
> > +++ b/drivers/usb/core/message.c
> > @@ -2069,6 +2069,10 @@ int cdc_parse_cdc_header(struct 
> > usb_cdc_parsed_header *hdr,
> > elength = 1;
> > goto next_desc;
> > }
> > +   if ((buflen < elength) || (elength < 2)) {
> 
> Hi Greg,
> 
> I think this should check (elength < 3), since we access both
> buffer[1] and buffer[2] after this check.

{sigh}  yes, you are right, counted this one wrong.

With this patch, updated one below, does it fix your crash?

thanks,

greg k-h


diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
index 4c38ea41ae96..028feaf01aa5 100644
--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -2069,6 +2069,10 @@ int cdc_parse_cdc_header(struct usb_cdc_parsed_header 
*hdr,
elength = 1;
goto next_desc;
}
+   if ((buflen < elength) || (elength < 3)) {
+   dev_err(>dev, "invalid descriptor buffer 
length\n");
+   break;
+   }
if (buffer[1] != USB_DT_CS_INTERFACE) {
dev_err(>dev, "skipping garbage\n");
goto next_desc;
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: usb/core: slab-out-of-bounds read in cdc_parse_cdc_header

2017-09-21 Thread Andrey Konovalov 
On Thu, Sep 21, 2017 at 10:04 AM, Greg Kroah-Hartman
 wrote:
> On Thu, Sep 21, 2017 at 09:31:54AM +0200, Greg Kroah-Hartman wrote:
>> On Wed, Sep 20, 2017 at 04:45:08PM +0200, Andrey Konovalov wrote:
>> > Hi!
>> >
>> > I've got the following crash while fuzzing the kernel with syzkaller.
>> >
>> > On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
>> >
>> > It looks like cdc_parse_cdc_header() doesn't validate buflen before
>> > accessing buffer[1], buffer[2] and so on. The only check present is
>> > while (buflen > 0).
>>
>> Ugh, you are right, let me go work on a patch, thanks for the report...
>
> Here's a first cut at a fix for this.  I think this should solve it, but
> it's early and my coffee has not fully kicked in...
>
> thanks,
>
> greg k-h
> -
>
> diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
> index 4c38ea41ae96..028feaf01aa5 100644
> --- a/drivers/usb/core/message.c
> +++ b/drivers/usb/core/message.c
> @@ -2069,6 +2069,10 @@ int cdc_parse_cdc_header(struct usb_cdc_parsed_header 
> *hdr,
> elength = 1;
> goto next_desc;
> }
> +   if ((buflen < elength) || (elength < 2)) {

Hi Greg,

I think this should check (elength < 3), since we access both
buffer[1] and buffer[2] after this check.

Thanks!

> +   dev_err(>dev, "invalid descriptor buffer 
> length\n");
> +   break;
> +   }
> if (buffer[1] != USB_DT_CS_INTERFACE) {
> dev_err(>dev, "skipping garbage\n");
> goto next_desc;
>
> --
> You received this message because you are subscribed to the Google Groups 
> "syzkaller" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to syzkaller+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: usb/core: slab-out-of-bounds read in cdc_parse_cdc_header

2017-09-21 Thread Greg Kroah-Hartman 
On Thu, Sep 21, 2017 at 09:31:54AM +0200, Greg Kroah-Hartman wrote:
> On Wed, Sep 20, 2017 at 04:45:08PM +0200, Andrey Konovalov wrote:
> > Hi!
> > 
> > I've got the following crash while fuzzing the kernel with syzkaller.
> > 
> > On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
> > 
> > It looks like cdc_parse_cdc_header() doesn't validate buflen before
> > accessing buffer[1], buffer[2] and so on. The only check present is
> > while (buflen > 0).
> 
> Ugh, you are right, let me go work on a patch, thanks for the report...

Here's a first cut at a fix for this.  I think this should solve it, but
it's early and my coffee has not fully kicked in...

thanks,

greg k-h
-

diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
index 4c38ea41ae96..028feaf01aa5 100644
--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -2069,6 +2069,10 @@ int cdc_parse_cdc_header(struct usb_cdc_parsed_header 
*hdr,
elength = 1;
goto next_desc;
}
+   if ((buflen < elength) || (elength < 2)) {
+   dev_err(>dev, "invalid descriptor buffer 
length\n");
+   break;
+   }
if (buffer[1] != USB_DT_CS_INTERFACE) {
dev_err(>dev, "skipping garbage\n");
goto next_desc;
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: usb/core: slab-out-of-bounds read in cdc_parse_cdc_header

2017-09-21 Thread Greg Kroah-Hartman 
On Wed, Sep 20, 2017 at 04:45:08PM +0200, Andrey Konovalov wrote:
> Hi!
> 
> I've got the following crash while fuzzing the kernel with syzkaller.
> 
> On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
> 
> It looks like cdc_parse_cdc_header() doesn't validate buflen before
> accessing buffer[1], buffer[2] and so on. The only check present is
> while (buflen > 0).

Ugh, you are right, let me go work on a patch, thanks for the report...

--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

usb/core: slab-out-of-bounds read in cdc_parse_cdc_header

2017-09-20 Thread Andrey Konovalov 
Hi!

I've got the following crash while fuzzing the kernel with syzkaller.

On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).

It looks like cdc_parse_cdc_header() doesn't validate buflen before
accessing buffer[1], buffer[2] and so on. The only check present is
while (buflen > 0).

==
BUG: KASAN: slab-out-of-bounds in cdc_parse_cdc_header+0x611/0x6b0
Read of size 1 at addr 88006b03e554 by task kworker/1:2/2573

CPU: 1 PID: 2573 Comm: kworker/1:2 Not tainted 4.14.0-rc1+ #191
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:16
 dump_stack+0x192/0x22c lib/dump_stack.c:52
 print_address_description+0x78/0x280 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351
 kasan_report+0x230/0x340 mm/kasan/report.c:409
 __asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427
 cdc_parse_cdc_header+0x611/0x6b0 drivers/usb/core/message.c:2077
 usbnet_generic_cdc_bind+0x284/0x1b10 drivers/net/usb/cdc_ether.c:158
 usbnet_ether_cdc_bind drivers/net/usb/cdc_ether.c:329
 usbnet_cdc_bind+0x2a/0x190 drivers/net/usb/cdc_ether.c:437
 usbnet_probe+0xcfd/0x2ba0 drivers/net/usb/usbnet.c:1726
 usb_probe_interface+0x351/0x8d0 drivers/usb/core/driver.c:361
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x15e/0x210 drivers/base/bus.c:463
 __device_attach+0x269/0x3c0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1da/0x280 drivers/base/bus.c:523
 device_add+0xcf9/0x1640 drivers/base/core.c:1835
 usb_set_configuration+0x1064/0x1890 drivers/usb/core/message.c:1932
 generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
 usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
 really_probe drivers/base/dd.c:413
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653
 bus_for_each_drv+0x15e/0x210 drivers/base/bus.c:463
 __device_attach+0x269/0x3c0 drivers/base/dd.c:710
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757
 bus_probe_device+0x1da/0x280 drivers/base/bus.c:523
 device_add+0xcf9/0x1640 drivers/base/core.c:1835
 usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
 hub_port_connect drivers/usb/core/hub.c:4903
 hub_port_connect_change drivers/usb/core/hub.c:5009
 port_event drivers/usb/core/hub.c:5115
 hub_event+0x23c8/0x37c0 drivers/usb/core/hub.c:5195
 process_one_work+0x9fb/0x1570 kernel/workqueue.c:2119
 worker_thread+0x1e4/0x1350 kernel/workqueue.c:2253
 kthread+0x324/0x3f0 kernel/kthread.c:231
 ret_from_fork+0x25/0x30 arch/x86/entry/entry_64.S:431

Allocated by task 2573:
 save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
 __kmalloc+0x81/0x1d0 mm/slub.c:3782
 kmalloc ./include/linux/slab.h:498
 usb_get_configuration+0x372/0x2a70 drivers/usb/core/config.c:848
 usb_enumerate_device drivers/usb/core/hub.c:2290
 usb_new_device+0xaae/0x1020 drivers/usb/core/hub.c:2426
 hub_port_connect drivers/usb/core/hub.c:4903
 hub_port_connect_change drivers/usb/core/hub.c:5009
 port_event drivers/usb/core/hub.c:5115
 hub_event+0x23c8/0x37c0 drivers/usb/core/hub.c:5195
 process_one_work+0x9fb/0x1570 kernel/workqueue.c:2119
 worker_thread+0x1e4/0x1350 kernel/workqueue.c:2253
 kthread+0x324/0x3f0 kernel/kthread.c:231
 ret_from_fork+0x25/0x30 arch/x86/entry/entry_64.S:43

Freed by task 3637:
 save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459
 kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524
 slab_free_hook mm/slub.c:1390
 slab_free_freelist_hook mm/slub.c:1412
 slab_free mm/slub.c:2988
 kfree+0x96/0x1a0 mm/slub.c:3919
 kvfree+0x3b/0x60 mm/util.c:416
 __vunmap+0x1de/0x270 mm/vmalloc.c:1542
 vfree+0x55/0xe0 mm/vmalloc.c:1606
 n_tty_close+0xb7/0x120 drivers/tty/n_tty.c:1864
 tty_ldisc_close.isra.0+0x9e/0xd0 drivers/tty/tty_ldisc.c:490
 tty_ldisc_kill+0x4a/0xc0 drivers/tty/tty_ldisc.c:639
 tty_ldisc_release+0x10b/0x220 drivers/tty/tty_ldisc.c:807
 tty_release_struct+0x1f/0x50 drivers/tty/tty_io.c:1571
 tty_release+0xe60/0x15f0 drivers/tty/tty_io.c:1744
 __fput+0x324/0x7e0 fs/file_table.c:210
 fput+0x1a/0x20 fs/file_table.c:244
 task_work_run+0x22e/0x2e0 kernel/task_work.c:112
 tracehook_notify_resume ./include/linux/tracehook.h:191
 exit_to_usermode_loop+0x1d7/0x210 arch/x86/entry/common.c:162
 prepare_exit_to_usermode arch/x86/entry/common.c:197
 syscall_return_slowpath+0x2a7/0x310 arch/x86/entry/common.c:266
 entry_SYSCALL_64_fastpath+0xa3/0xa5 arch/x86/entry/entry_64.S:238

The buggy address belongs to the object at 88006b03e540
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 20