Re: [linus:master] [kasan, fortify] 2e577732e8: BUG:KASAN:global-out-of-bounds_in_usb_copy_descriptors

From: Kees Cook
Date: Tue Jul 23 2024 - 19:35:35 EST


On Tue, Jul 23, 2024 at 04:51:36PM +0800, kernel test robot wrote:
> [ 25.775287][ T1] BUG: KASAN: global-out-of-bounds in usb_copy_descriptors+0x15f/0x370
> [ 25.776048][ T1] Read of size 192 at addr ffffffff90c3e4c0 by task swapper/0/1
> ...
> [ 25.777833][ T1] __asan_memcpy+0x1f/0x60
> [ 25.777833][ T1] usb_copy_descriptors+0x15f/0x370
> [ 25.777833][ T1] usb_assign_descriptors+0xad/0x410
> [ 25.777833][ T1] f_audio_bind+0xe25/0x24f0
> [ 25.785907][ T1] usb_add_function+0x192/0x4e0
> [ 25.785907][ T1] audio_do_config+0xf9/0x160
> [ 25.785907][ T1] usb_add_config+0x38/0x460

The memcpy is:

    usb_copy_descriptors(struct usb_descriptor_header **src)
    ...
        memcpy(mem, *src, (*src)->bLength);

I can't find a struct usb_descriptor_header::bLength that is 192...

...
audio_do_config()
  usb_add_function()
    function->bind(config, function);
      gadget/legacy/audio.c:audio_bind()
        usb_add_config()
          audio_do_config()
            usb_add_function()
              function->bind(config, function);
                f_audio_bind()
                  usb_assign_descriptors()
                    usb_copy_descriptors()

Is this thing in a loop?

--
Kees Cook
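The memcpy quoted above takes its size from the descriptor's own one-byte bLength field, so a read of 192 (0xC0) bytes is representable and will only be caught at runtime if the backing object is smaller than the descriptor claims. The following is an added, stand-alone C example (not kernel code and not from this thread) that mirrors the shape of usb_copy_descriptors(), walking a NULL-terminated descriptor list and copying bLength bytes each, but with a bound the kernel routine does not have: each entry carries the size of the object that backs it, and a bLength shorter than the header or longer than that object is rejected instead of copied. The struct, the desc_entry wrapper, the sample descriptor bytes and the 192 value are constructed for illustration; the thread does not say why bLength was 192 in the report.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Stand-in for the kernel's struct usb_descriptor_header (assumption: only
 * the two leading fields matter for the copy). */
struct usb_descriptor_header {
    uint8_t bLength;
    uint8_t bDescriptorType;
};

/* A descriptor pointer paired with the size of the object it points into.
 * This pairing is the addition; usb_copy_descriptors() trusts bLength alone. */
struct desc_entry {
    const struct usb_descriptor_header *hdr;
    size_t backing_size;            /* sizeof() of the object hdr points at */
};

/* Copy a NULL-terminated descriptor list into one buffer, as
 * usb_copy_descriptors() does, but refuse any descriptor whose bLength is
 * smaller than the header or larger than its backing object (that is the
 * case that KASAN reports as an out-of-bounds read of a global).
 * Returns bytes copied, or a negative errno. Caller frees *out on success. */
ssize_t copy_descriptors_checked(const struct desc_entry *src, uint8_t **out)
{
    size_t total = 0;

    for (const struct desc_entry *e = src; e->hdr; e++) {
        size_t len = e->hdr->bLength;

        if (len < sizeof(struct usb_descriptor_header) ||
            len > e->backing_size)
            return -EINVAL;         /* memcpy would run past the object */
        total += len;
    }

    uint8_t *mem = malloc(total ? total : 1);
    if (!mem)
        return -ENOMEM;

    uint8_t *p = mem;
    for (const struct desc_entry *e = src; e->hdr; e++) {
        memcpy(p, e->hdr, e->hdr->bLength);
        p += e->hdr->bLength;
    }
    *out = mem;
    return (ssize_t)total;
}

/* Constructed sample data (not from the bug report): a 9-byte interface
 * descriptor (bDescriptorType 0x04), and a copy of it whose bLength falsely
 * claims 192 bytes while the object is still only 9 bytes long. */
static const uint8_t good_if[9] = { 9,   0x04, 0, 0, 2, 1, 2, 0, 0 };
static const uint8_t bad_if[9]  = { 192, 0x04, 0, 0, 2, 1, 2, 0, 0 };

/* Build a two-entry list and copy it. With use_bad == 0 both entries are
 * well formed and 18 bytes come back; with use_bad != 0 the second entry's
 * bLength exceeds its 9-byte backing object and -EINVAL is returned. */
ssize_t demo_copy(int use_bad)
{
    const uint8_t *second = use_bad ? bad_if : good_if;
    const struct desc_entry list[] = {
        { (const struct usb_descriptor_header *)good_if, sizeof good_if },
        { (const struct usb_descriptor_header *)second,  sizeof good_if },
        { NULL, 0 },
    };
    uint8_t *buf = NULL;
    ssize_t n = copy_descriptors_checked(list, &buf);

    /* The second descriptor must begin right after the first 9 bytes. */
    if (n > 0 && buf[9] != 9)
        n = -EIO;
    free(buf);
    return n;
}

int main(void)
{
    printf("well-formed list: %zd bytes copied\n", demo_copy(0));
    printf("bLength=192 on a 9-byte object: %zd (errno)\n", demo_copy(1));
    return 0;
}
```

The bound is only as good as backing_size: in the kernel the descriptor arrays are typed globals, so the analogous check would compare bLength against the sizeof() of the declared object, which is what a fortified or KASAN build is catching after the fact here.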