On Mon, Mar 03, 2025 at 04:52:33PM +0800, Strforexc yn wrote:
> Dear Maintainers,
>
> When using our customized Syzkaller to fuzz the latest Linux kernel, the
> following crash was triggered.
>
> Kernel commit: v6.14-rc4 (Commits on Feb 24, 2025)
> Kernel Config: https://github.com/Strforexc/LinuxKernelbug/blob/main/.config
> Kernel Log: https://github.com/Strforexc/LinuxKernelbug/blob/main/array-index-out-of-bounds_usbhid_parse/log0
> Reproduce C: https://github.com/Strforexc/LinuxKernelbug/blob/main/array-index-out-of-bounds_usbhid_parse/repro.cprog
>
> I've encountered a UBSAN-reported array-index-out-of-bounds issue in the
> USB HID driver on Linux 6.14.0-rc4 during device probing, likely triggered
> by a malformed USB descriptor. Here are the details:
>
> UBSAN detects an out-of-bounds access at
> drivers/hid/usbhid/hid-core.c:1025:18 in usbhid_parse, where index 1
> exceeds the bounds of hid_class_descriptor [1] in struct hid_descriptor.
> This occurs when parsing a HID device descriptor during USB probing.
>
> Location: The fault occurs in a loop:
>
>     for (n = 0; n < num_descriptors; n++)
>         if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT)
>
> accessing hdesc->desc[n].
>
> Cause: struct hid_descriptor defines desc as a fixed-size array [1], but
> the loop iterates up to num_descriptors (based on hdesc->bNumDescriptors).
> UBSAN flags n=1 as out-of-bounds, though the underlying descriptor buffer
> may be larger.
>
> Context: Preceded by a USB descriptor error (-22), suggesting a malformed
> HID device (likely Syzkaller-crafted), triggering the loop with
> bNumDescriptors > 1.
>
> Impact: No immediate crash, but a code hygiene issue flagged by UBSAN.
> Runtime safety depends on descriptor buffer allocation, but it's a
> potential source of confusion or future bugs.
>
> Could HID maintainers investigate? Suggested fixes:
> 1. Use a flexible array member (desc[]) in struct hid_descriptor and
>    adjust parsing to rely on runtime buffer size.
> 2. Add stricter validation of hdesc->bNumDescriptors against bLength to
>    reject malformed descriptors earlier.
>
> Our knowledge of the kernel is somewhat limited, and we'd appreciate it
> if you could determine if there is such an issue. If this issue doesn't
> have an impact, please ignore it ☺.
>
> If you fix this issue, please add the following tag to the commit:
> Reported-by: Zhizhuo Tang <strforexctzzchange@xxxxxxxxxxx>, Jianzhou
> Zhao <xnxc22xnxc22@xxxxxx>, Haoran Liu <cherest_san@xxxxxxx>

Have you seen this patch or tried to test it?

https://lore.kernel.org/linux-usb/20250131151600.410242-1-n.zhandarovich@xxxxxxxxxx/

Alan Stern
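The report's second suggestion (validate bNumDescriptors against bLength before walking the class-descriptor entries) as a stand-alone user-space illustration. This is an added example, not the kernel's usbhid_parse() and not code from the reporters or from the patch Alan links. It assumes the wire layout of the HID descriptor from the USB HID specification (a 6-byte header followed by 3-byte entries of bDescriptorType and little-endian wDescriptorLength) and the class descriptor type codes 0x21 (HID) and 0x22 (Report); the 4096-byte ceiling on the report descriptor, the function names and the sample byte strings are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* USB HID class descriptor types (USB HID spec, section 7.1). */
#define HID_DT_HID     0x21
#define HID_DT_REPORT  0x22

/* Wire layout: 6-byte header, then bNumDescriptors entries of 3 bytes each
 * (bDescriptorType, wDescriptorLength LE). Assumed from the HID spec. */
#define HID_DESC_HDR_LEN    6
#define HID_CLASS_DESC_LEN  3
#define HID_MAX_REPORT_LEN  4096   /* assumed sanity ceiling for this example */

enum hid_parse_status {
	HID_OK = 0,
	HID_ERR_TRUNCATED,   /* buffer shorter than the header or than bLength */
	HID_ERR_BAD_TYPE,    /* bDescriptorType is not HID_DT_HID */
	HID_ERR_BAD_COUNT,   /* bNumDescriptors claims more entries than bLength holds */
	HID_ERR_NO_REPORT,   /* no HID_DT_REPORT entry among the declared ones */
	HID_ERR_BAD_RSIZE,   /* report descriptor length is 0 or over the ceiling */
};

/* Parse the HID descriptor in buf[0..len) and store the Report descriptor
 * length in *rsize. Entries are addressed by byte offset, never through a
 * fixed-size desc[1] member, so the bound the compiler sees is the bound
 * that is actually checked. */
enum hid_parse_status hid_parse_descriptor(const uint8_t *buf, size_t len,
					   unsigned int *rsize)
{
	unsigned int blen, num, n;

	if (len < HID_DESC_HDR_LEN)
		return HID_ERR_TRUNCATED;
	blen = buf[0];
	if (buf[1] != HID_DT_HID)
		return HID_ERR_BAD_TYPE;
	/* bLength must cover the header and must not exceed what we hold. */
	if (blen < HID_DESC_HDR_LEN || blen > len)
		return HID_ERR_TRUNCATED;

	num = buf[5];
	/* The stricter check: reject, rather than clamp, a bNumDescriptors
	 * that bLength cannot accommodate. A count of 0 cannot carry a
	 * Report descriptor and is rejected for the same reason. */
	if (num == 0 || (blen - HID_DESC_HDR_LEN) / HID_CLASS_DESC_LEN < num)
		return HID_ERR_BAD_COUNT;

	for (n = 0; n < num; n++) {
		size_t i = HID_DESC_HDR_LEN + (size_t)n * HID_CLASS_DESC_LEN;

		if (buf[i] != HID_DT_REPORT)
			continue;
		*rsize = buf[i + 1] | ((unsigned int)buf[i + 2] << 8);
		if (*rsize == 0 || *rsize > HID_MAX_REPORT_LEN)
			return HID_ERR_BAD_RSIZE;
		return HID_OK;
	}
	return HID_ERR_NO_REPORT;
}

/* Convenience wrapper: Report descriptor length on success, or the negated
 * enum hid_parse_status on failure. */
int hid_report_length(const uint8_t *buf, size_t len)
{
	unsigned int rsize = 0;
	enum hid_parse_status st = hid_parse_descriptor(buf, len, &rsize);

	return st == HID_OK ? (int)rsize : -(int)st;
}

/* Constructed sample descriptors (not captured from any device). */
const uint8_t sample_good[] = {
	0x09, 0x21, 0x11, 0x01, 0x00, 0x01,   /* bLength 9, HID 1.11, 1 entry */
	0x22, 0x3F, 0x00                      /* Report descriptor, 63 bytes */
};
const uint8_t sample_bad_count[] = {
	0x09, 0x21, 0x11, 0x01, 0x00, 0x02,   /* claims 2 entries in 9 bytes */
	0x22, 0x3F, 0x00
};
const uint8_t sample_two[] = {
	0x0C, 0x21, 0x11, 0x01, 0x00, 0x02,   /* bLength 12, 2 entries */
	0x23, 0x10, 0x00,                     /* Physical descriptor first */
	0x22, 0x80, 0x00                      /* Report descriptor, 128 bytes */
};
const uint8_t sample_truncated[] = {
	0x0C, 0x21, 0x11, 0x01, 0x00, 0x02,   /* bLength 12 but only 9 bytes */
	0x23, 0x10, 0x00
};

int main(void)
{
	printf("good:      %d\n", hid_report_length(sample_good, sizeof sample_good));
	printf("bad count: %d\n", hid_report_length(sample_bad_count, sizeof sample_bad_count));
	printf("two:       %d\n", hid_report_length(sample_two, sizeof sample_two));
	printf("truncated: %d\n", hid_report_length(sample_truncated, sizeof sample_truncated));
	return 0;
}
```

The point of walking entries by offset is that the parser's bound and UBSAN's bound are the same thing: the count check derives the number of walkable entries from bLength and the buffer length, so a device advertising bNumDescriptors > 1 in a 9-byte descriptor is refused before any entry is read, and a well-formed descriptor with several entries is still accepted.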