Re: KASAN: slab-out-of-bounds Read in usb_reset_and_verify_device

From: Alan Stern
Date: Wed Sep 04 2019 - 11:23:26 EST


On Wed, 4 Sep 2019, Andrey Konovalov wrote:

> On Wed, Sep 4, 2019 at 4:41 PM Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> wrote:
> >
> > On Tue, 3 Sep 2019, syzbot wrote:
> >
> > > Hello,
> > >
> > > syzbot has tested the proposed patch but the reproducer still triggered
> > > crash:
> > > KASAN: slab-out-of-bounds Read in usb_reset_and_verify_device
> > >
> > > usb 6-1: Using ep0 maxpacket: 16
> > > usb 6-1: BOS total length 54, descriptor 168
> > > usb 6-1: Old BOS ffff8881cd814f60 Len 0xa8
> > > usb 6-1: New BOS ffff8881cd257ae0 Len 0xa8
> > > ==================================================================
> > > BUG: KASAN: slab-out-of-bounds in memcmp+0xa6/0xb0 lib/string.c:904
> > > Read of size 1 at addr ffff8881cd257c36 by task kworker/1:0/17
> >
> > Very sneaky! A BOS descriptor whose wTotalLength field varies
> > depending on how many bytes you read.
> >
> > This should fix it. It's the same approach we use for the Config
> > descriptor.
>
> Nice, core USB bug :)
>
> Can this potentially lead to something worse than an out-of-bounds memcmp?

I tend to doubt it. It would require some code that does its own
parsing of the BOS descriptors. If there is any code like that in the
kernel, I'm not aware of it.

Still, you never know...

Alan Stern
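The descriptor trick discussed above (a BOS descriptor whose wTotalLength changes between the 5-byte header read and the full read) can be caught by trusting only the length learned from the first read and re-checking the full buffer against it, the way the Config descriptor is handled. The following is an added illustration written for this thread, not the kernel's own code; `bos_validate`, `bos_changed`, the sample buffers and the assumed 5-byte header read are all constructed here.

```c
/* Added example: validate a USB BOS descriptor against the total length
 * learned from the initial header read, so a device that reports a
 * different wTotalLength on the full read cannot drive a later memcmp
 * past the allocated buffer. Descriptor type values are from the USB 3.x
 * spec; everything else is constructed for this example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define USB_DT_BOS                0x0F  /* BOS descriptor type */
#define USB_DT_DEVICE_CAPABILITY  0x10  /* device capability descriptor type */
#define USB_DT_BOS_SIZE           5     /* bLength of the BOS header */

/* wTotalLength from a BOS header, or 0 if the header is not a sane BOS. */
static uint16_t bos_total_length(const uint8_t *buf, size_t len)
{
    if (len < USB_DT_BOS_SIZE) return 0;
    if (buf[0] != USB_DT_BOS_SIZE || buf[1] != USB_DT_BOS) return 0;
    return (uint16_t)(buf[2] | (buf[3] << 8));
}

/* Returns 1 if the full read (`len` bytes) agrees with `expected_total`
 * from the header read and every capability descriptor fits inside it. */
static int bos_validate(const uint8_t *full, size_t len, uint16_t expected_total)
{
    uint16_t total = bos_total_length(full, len);
    size_t off = USB_DT_BOS_SIZE;
    unsigned ncaps = 0;

    if (total == 0 || total != expected_total || total > len) return 0;
    while (off < total) {                     /* walk bounded by total, not by device claims */
        uint8_t blen = full[off];
        if (blen < 3 || off + blen > total) return 0;
        if (full[off + 1] != USB_DT_DEVICE_CAPABILITY) return 0;
        off += blen;
        ncaps++;
    }
    return ncaps == full[4];                  /* bNumDeviceCaps must match what we walked */
}

/* Compare two BOS descriptors only over lengths both buffers can back. */
static int bos_changed(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen)
{
    uint16_t at = bos_total_length(a, alen), bt = bos_total_length(b, blen);
    if (at == 0 || bt == 0 || at > alen || bt > blen || at != bt) return 1;
    return memcmp(a, b, at) != 0;
}

/* Constructed samples: a consistent BOS with one USB 2.0 extension capability,
 * and one whose full read claims wTotalLength 0xa8 after a 12-byte header read. */
static const uint8_t good_bos[12]  = {5, USB_DT_BOS, 12, 0, 1, 7, USB_DT_DEVICE_CAPABILITY, 2, 2, 0, 0, 0};
static const uint8_t lying_bos[12] = {5, USB_DT_BOS, 0xa8, 0, 1, 7, USB_DT_DEVICE_CAPABILITY, 2, 2, 0, 0, 0};
static const uint8_t badcap_bos[12] = {5, USB_DT_BOS, 12, 0, 1, 9, USB_DT_DEVICE_CAPABILITY, 2, 2, 0, 0, 0};
```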