On Tue, 3 Sep 2019, syzbot wrote: > Hello, > > syzbot has tested the proposed patch but the reproducer still triggered > crash: > KASAN: slab-out-of-bounds Read in usb_reset_and_verify_device > > usb 4-1: Using ep0 maxpacket: 16 > usb 4-1: Old BOS ffff8881d516b780 Len 0xa8 > usb 4-1: New BOS ffff8881d5dd6d20 Len 0xa8 > ================================================================== > BUG: KASAN: slab-out-of-bounds in memcmp+0xa6/0xb0 lib/string.c:904 > Read of size 1 at addr ffff8881d5dd6db6 by task kworker/0:1/12 More debugging. If my guess is right, this is pretty malicious... Alan Stern #syz test: https://github.com/google/kasan.git eea39f24 drivers/usb/core/config.c | 2 ++ drivers/usb/core/hub.c | 7 +++++++ 2 files changed, 9 insertions(+) Index: usb-devel/drivers/usb/core/hub.c =================================================================== --- usb-devel.orig/drivers/usb/core/hub.c +++ usb-devel/drivers/usb/core/hub.c @@ -5721,6 +5721,13 @@ static int usb_reset_and_verify_device(s if (ret < 0) goto re_enumerate; + if (bos) + dev_info(&udev->dev, "Old BOS %px Len 0x%x\n", + bos, le16_to_cpu(bos->desc->wTotalLength)); + if (udev->bos) + dev_info(&udev->dev, "New BOS %px Len 0x%x\n", + udev->bos, le16_to_cpu(udev->bos->desc->wTotalLength)); + /* Device might have changed firmware (DFU or similar) */ if (descriptors_changed(udev, &descriptor, bos)) { dev_info(&udev->dev, "device firmware changed\n"); Index: usb-devel/drivers/usb/core/config.c =================================================================== --- usb-devel.orig/drivers/usb/core/config.c +++ usb-devel/drivers/usb/core/config.c @@ -966,6 +966,8 @@ int usb_get_bos_descriptor(struct usb_de ret = -ENOMSG; goto err; } + dev_info(ddev, "BOS total length %d, descriptor %d\n", total_len, + le16_to_cpu(dev->bos->desc->wTotalLength)); total_len -= length; for (i = 0; i < num; i++) {
