On Sun, Jan 26, 2025 at 08:10:22PM -0800, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    21266b8df522 Merge tag 'AT_EXECVE_CHECK-v6.14-rc1' of git:..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=14bd9c24580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=f9e008bfc27b14db
> dashboard link: https://syzkaller.appspot.com/bug?extid=9c9179ac46169c56c1ad
> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/5249b29d55f2/disk-21266b8d.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/8413507597a1/vmlinux-21266b8d.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/9c84998b8cfb/bzImage-21266b8d.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+9c9179ac46169c56c1ad@xxxxxxxxxxxxxxxxxxxxxxxxx
>
> hid-thrustmaster 0003:044F:B65D.0004: hidraw0: USB HID v0.00 Device [HID 044f:b65d] on usb-dummy_hcd.2-1/input0
> ==================================================================
> BUG: KASAN: stack-out-of-bounds in usb_check_int_endpoints+0x1fe/0x280 drivers/usb/core/usb.c:277
> Read of size 1 at addr ffffc9000213e831 by task kworker/1:1/80
>
> CPU: 1 UID: 0 PID: 80 Comm: kworker/1:1 Not tainted 6.13.0-syzkaller-04858-g21266b8df522 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
> Workqueue: usb_hub_wq hub_event
> Call Trace:
>  <TASK>
>  __dump_stack lib/dump_stack.c:94 [inline]
>  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
>  print_address_description mm/kasan/report.c:378 [inline]
>  print_report+0x169/0x550 mm/kasan/report.c:489
>  kasan_report+0x143/0x180 mm/kasan/report.c:602
>  usb_check_int_endpoints+0x1fe/0x280 drivers/usb/core/usb.c:277
>  thrustmaster_interrupts drivers/hid/hid-thrustmaster.c:176 [inline]
>  thrustmaster_probe+0x47d/0xcb0 drivers/hid/hid-thrustmaster.c:347

Karol:

Your commit 50420d7c79c3 ("HID: hid-thrustmaster: Fix warning in thrustmaster_probe by adding endpoint check") does this:

+ /* Are the expected endpoints present? */
+ u8 ep_addr[1] = {b_ep};
+
+ if (!usb_check_int_endpoints(usbif, ep_addr)) {
+ hid_err(hdev, "Unexpected non-int endpoint\n");
+ return;
+ }

usb_check_int_endpoints() expects its second argument to be a 0-terminated byte array (see the kerneldoc). Lack of the terminating 0 is what caused the syzbot error reported above.

Also, usb_check_int_endpoints() is meant to be used by drivers in which the endpoint number is a compile-time constant. It's not appropriate here. You should have written the test as:

	if (!usb_endpoint_is_int_out(&ep->desc)) {

Alternatively, you could have called usb_find_common_endpoints().

Would you like to submit a patch to fix this error?

Alan Stern
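Review bot: `u8 ep_addr[1] = {b_ep};` passes a one-element array with no terminating 0 to usb_check_int_endpoints(), which by its kerneldoc contract walks the array until it sees a 0 byte; with the terminator missing the walk continues past the end of the stack array, which is the stack-out-of-bounds read KASAN flags at drivers/usb/core/usb.c:277. Since b_ep here is a runtime value rather than the compile-time constant the helper is meant for, drop the array and test the descriptor directly, `if (!usb_endpoint_is_int_out(&ep->desc))`, or use usb_find_common_endpoints() as suggested in the reply.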
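To make the two points in the reply concrete, here is an added user-space model (not code from the kernel or from hid-thrustmaster) of the check usb_check_int_endpoints() performs on a 0-terminated endpoint list and of the per-descriptor test usb_endpoint_is_int_out() performs. The struct layouts, the constructed endpoint table, the endpoint numbers and all function names are assumptions made for illustration; only the bit masks follow the USB descriptor layout.

```c
/*
 * Added example, not code from the kernel or from hid-thrustmaster.
 * User-space model of the two endpoint checks discussed in the reply.
 * Struct layouts, the endpoint table and the endpoint numbers are
 * constructed assumptions for illustration.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define USB_DIR_IN                 0x80  /* bit 7 of bEndpointAddress */
#define USB_ENDPOINT_XFERTYPE_MASK 0x03  /* low two bits of bmAttributes */
#define USB_ENDPOINT_XFER_BULK     0x02
#define USB_ENDPOINT_XFER_INT      0x03

/* Stand-in for the two fields of struct usb_endpoint_descriptor we need */
struct ep_desc {
    uint8_t bEndpointAddress;
    uint8_t bmAttributes;
};

/* Stand-in for the endpoint table of a struct usb_interface */
struct intf {
    const struct ep_desc *ep;
    size_t num_ep;
};

/* Constructed interface: interrupt IN 0x81, interrupt OUT 0x01, bulk OUT 0x02 */
static const struct ep_desc sample_eps[] = {
    { 0x81, USB_ENDPOINT_XFER_INT },
    { 0x01, USB_ENDPOINT_XFER_INT },
    { 0x02, USB_ENDPOINT_XFER_BULK },
};
static const struct intf sample_intf = { sample_eps, 3 };

static bool ep_xfer_int(const struct ep_desc *d)
{
    return (d->bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) == USB_ENDPOINT_XFER_INT;
}

/* Model of usb_endpoint_is_int_out(): interrupt type AND OUT direction */
static bool ep_is_int_out(const struct ep_desc *d)
{
    return ep_xfer_int(d) && !(d->bEndpointAddress & USB_DIR_IN);
}

/* Model of a by-address endpoint lookup on the interface */
static const struct ep_desc *find_endpoint(const struct intf *i, uint8_t addr)
{
    for (size_t k = 0; k < i->num_ep; k++)
        if (i->ep[k].bEndpointAddress == addr)
            return &i->ep[k];
    return NULL;
}

/*
 * Model of usb_check_int_endpoints(): ep_addrs must be 0-terminated.
 * There is no length argument, so a caller that passes {b_ep} with no
 * trailing 0 makes this loop read past the end of its array.
 */
static bool check_int_endpoints(const struct intf *i, const uint8_t *ep_addrs)
{
    for (; *ep_addrs; ++ep_addrs) {
        const struct ep_desc *d = find_endpoint(i, *ep_addrs);
        if (!d || !ep_xfer_int(d))
            return false;
    }
    return true;
}

/* Intended use: endpoint numbers known at compile time, list terminated */
bool constant_list_ok(void)
{
    static const uint8_t want[] = { 0x81, 0x01, 0 };
    return check_int_endpoints(&sample_intf, want);
}

bool constant_list_rejects_bulk(void)
{
    static const uint8_t want[] = { 0x02, 0 };
    return check_int_endpoints(&sample_intf, want);
}

/* Runtime number wrapped in a terminated array: no out-of-bounds read, but
 * b_ep == 0 yields an empty list and passes trivially although endpoint 0
 * is the control endpoint, one reason the array API fits constants only. */
bool runtime_via_array(uint8_t b_ep)
{
    uint8_t ep_addr[2] = { b_ep, 0 };
    return check_int_endpoints(&sample_intf, ep_addr);
}

/* Runtime number tested directly on its descriptor, the form suggested in
 * the reply: no array, no terminator to forget, and EP0 cannot pass. */
bool runtime_via_descriptor(uint8_t b_ep)
{
    const struct ep_desc *d = find_endpoint(&sample_intf, b_ep);
    return d != NULL && ep_is_int_out(d);
}

int main(void)
{
    printf("constant {0x81,0x01}: %d, constant {0x02}: %d\n",
           constant_list_ok(), constant_list_rejects_bulk());
    printf("runtime 0x01 array: %d, runtime 0x00 array: %d\n",
           runtime_via_array(0x01), runtime_via_array(0x00));
    printf("runtime 0x01 desc: %d, 0x81 desc: %d, 0x00 desc: %d\n",
           runtime_via_descriptor(0x01), runtime_via_descriptor(0x81),
           runtime_via_descriptor(0x00));
    return 0;
}
```

The `runtime_via_array` case shows why adding the missing terminator is only half a fix: it stops the over-read, but the list-walking check has no way to reject an endpoint number that happens to be 0, whereas the descriptor test answers the actual question (is this endpoint an interrupt OUT endpoint?) for whatever value probe found.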