Re: [syzbot] [usb?] KASAN: slab-out-of-bounds Read in mon_copy_to_buff

From: Alan Stern
Date: Mon Jul 07 2025 - 14:09:47 EST


On Mon, Jul 07, 2025 at 08:05:27AM -0700, syzbot wrote:
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: d7b8f8e20813 Linux 6.16-rc5
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=17e89582580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=f51185bd4f40ad44
> dashboard link: https://syzkaller.appspot.com/bug?extid=8258d5439c49d4c35f43
> compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11b3cbd4580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11b19f70580000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/f933e0e4a6c5/disk-d7b8f8e2.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/a82be954c91b/vmlinux-d7b8f8e2.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/66dbc3de1264/bzImage-d7b8f8e2.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+8258d5439c49d4c35f43@xxxxxxxxxxxxxxxxxxxxxxxxx
>
> microsoft 0003:045E:07DA.0001: unknown main item tag 0x0
> microsoft 0003:045E:07DA.0001: ignoring exceeding usage max
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in mon_copy_to_buff+0xc2/0x170 drivers/usb/mon/mon_bin.c:252
> Read of size 3904 at addr ffff8880216bc6e1 by task kworker/0:2/1204

Test my guess that the report length and ID are both 0, which would
cause the length to be decremented erroneously.

Alan Stern

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ d7b8f8e20813

drivers/hid/usbhid/hid-core.c | 1 +
1 file changed, 1 insertion(+)

Index: usb-devel/drivers/hid/usbhid/hid-core.c
===================================================================
--- usb-devel.orig/drivers/hid/usbhid/hid-core.c
+++ usb-devel/drivers/hid/usbhid/hid-core.c
@@ -918,6 +918,7 @@ static int usbhid_set_raw_report(struct
else
buf[0] = reportnum;

+ dev_info(&intf->dev, "count %u reportnum %u buf[0] %u\n", count, reportnum, buf[0]);
if (buf[0] == 0x0) {
/* Don't send the Report ID */
buf++;
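Review bot: this dev_info is a one-off diagnostic for the #syz test run and fires on every usbhid_set_raw_report call, so it should not survive into any final fix; for confirming the guess it is placed correctly, right after buf[0] is set and before the `if (buf[0] == 0x0)` branch, so the log line will show the exact count/reportnum/buf[0] triple that the "both 0" hypothesis predicts. If that run prints `count 0 reportnum 0 buf[0] 0`, the eventual fix belongs in the branch below, rejecting or guarding a zero-length buffer before the Report ID is stripped, rather than here. One small point on the line itself: count is printed with %u, which is only correct if count is an unsigned int; if it is a size_t, use %zu to avoid a printk format warning.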