Re: linux-next boot error: KASAN: slab-out-of-bounds Read in post_usb_notification

From: Dan Carpenter
Date: Mon Jan 20 2020 - 03:20:06 EST


Hey David,

This crash was from commit 72cc88648972 ("usb: Add USB subsystem
notifications").

drivers/usb/core/devio.c
2752 static noinline void post_usb_notification(const char *devname,
2753 enum usb_notification_type subtype,
2754 u32 error)
2755 {
2756 unsigned int name_len, n_len;
2757 u64 id = 0; /* We can put a device ID here for separate dev watches */
2758
2759 struct {
2760 struct usb_notification n;
2761 char more_name[USB_NOTIFICATION_MAX_NAME_LEN -
2762 (sizeof(struct usb_notification) -
2763 offsetof(struct usb_notification, name))];
2764 } n;
2765
2766 name_len = strlen(devname);
2767 name_len = min_t(size_t, name_len, USB_NOTIFICATION_MAX_NAME_LEN);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This limit is too high. It should be USB_NOTIFICATION_MAX_NAME_LEN -
sizeof(struct usb_notification), or just
"min_t(size_t, name_len, sizeof(n.more_name));". The n.n.name[] is a
zero-size array.

2768 n_len = offsetof(struct usb_notification, name) + name_len;
2769
2770 memset(&n, 0, sizeof(n));
2771 memcpy(n.n.name, devname, n_len);
^^^^^
name_len was intended here. n_len also includes the offset of the name field, so copying n_len bytes reads past the end of devname, which is the out-of-bounds read KASAN reports.

2772
2773 n.n.watch.type = WATCH_TYPE_USB_NOTIFY;
2774 n.n.watch.subtype = subtype;
2775 n.n.watch.info = n_len;
2776 n.n.error = error;
2777 n.n.name_len = name_len;
2778
2779 post_device_notification(&n.n.watch, id);
2780 }

regards,
dan carpenter