Re: BUG: bad host security descriptor; not enough data (4 vs 5 left)

From: Dmitry Vyukov
Date: Wed Nov 20 2019 - 06:25:07 EST


On Wed, Nov 20, 2019 at 12:19 PM Oliver Neukum <oneukum@xxxxxxxx> wrote:
>
> Am Montag, den 11.11.2019, 17:09 +0100 schrieb Greg KH:
> > On Mon, Nov 11, 2019 at 07:34:08AM -0800, syzbot wrote:
> > > Hello,
> > >
> > > syzbot found the following crash on:
> > >
> > > HEAD commit: 3183c037 usb: gadget: add raw-gadget interface
> > > git tree: https://github.com/google/kasan.git usb-fuzzer
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=12525dc6e00000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=79de80330003b5f7
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=d934a9036346e0215d8f
> > > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14ac7406e00000
> > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13eea39ae00000
> > >
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: syzbot+d934a9036346e0215d8f@xxxxxxxxxxxxxxxxxxxxxxxxx
> > >
> > > usb 1-1: config 0 interface 0 altsetting 0 has 3 endpoint descriptors,
> > > different from the interface descriptor's value: 4
> > > usb 1-1: New USB device found, idVendor=13dc, idProduct=5611,
> > > bcdDevice=2f.15
> > > usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
> > > usb 1-1: config 0 descriptor??
> > > hwa-hc 1-1:0.0: Wire Adapter v106.52 newer than groked v1.0
> > > hwa-hc 1-1:0.0: FIXME: USB_MAXCHILDREN too low for WUSB adapter (194 ports)
> > > usb 1-1: BUG: bad host security descriptor; not enough data (4 vs 5 left)
> > > usb 1-1: supported encryption types: ïS Ðïïï|c Ðïïïïc Ðïïï
> > > usb 1-1: E: host doesn't support CCM-1 crypto
> > > hwa-hc 1-1:0.0: Wireless USB HWA host controller
> > > hwa-hc 1-1:0.0: new USB bus registered, assigned bus number 11
> >
> > wusb code, hah. It's about to be deleted from the kernel because no one
> > uses it and there is no hardware out there. I wouldn't spend a ton of
> > time fuzzing it.
> >
> > One more good reason to just delete it soon...
>
> Unfortunately that is not an option for the stable trees. Before I try
> something quick and dirty here, I have a question for the testing team.
>
> What exactly crashed? There is nothing in the logs? Did you undergo
> an absolute freeze of the machine? Or do you tested for the word "BUG"
> in the logs?

Hi Oliver,

Yes, it's the "BUG:" on the console that's detected as kernel bug
(what's being produced by BUG_ON).

There are only 2 special bug types in syzkaller that are detected
based not on kernel output matching:
"lost connection to test machine":
https://syzkaller.appspot.com/bug?id=b97ec15bfe317ac1ddccb41f2a913d4f7a31c6d7
and "no output from test machine":
https://syzkaller.appspot.com/bug?id=0b210638616bb68109e9642158d4c0072770ae1c
(hopefully self-explanatory from the title).

The rest are based on output matching and what's matched is pretty
much the bug title/email subject.