Skip to content

Instantly share code, notes, and snippets.

@xrivendell7

xrivendell7/report Secret

Created March 2, 2024 08:00
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save xrivendell7/65437409377f91fc28a04867956fa9e0 to your computer and use it in GitHub Desktop.
Save xrivendell7/65437409377f91fc28a04867956fa9e0 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
report
TITLE: KASAN: slab-use-after-free Read in v4l2_fh_init
CORRUPTED: false ()
MAINTAINERS (TO): [linux-kernel@vger.kernel.org]
MAINTAINERS (CC): [linux-media@vger.kernel.org mchehab@kernel.org]
==================================================================
BUG: KASAN: slab-use-after-free in v4l2_fh_init+0x278/0x2c0 drivers/media/v4l2-core/v4l2-fh.c:25
Read of size 8 at addr ffff888053f9a738 by task v4l_id/21260
CPU: 0 PID: 21260 Comm: v4l_id Not tainted 6.8.0-rc6-00238-g5ad3cb0ed525 #17
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x5c/0xb0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc4/0x620 mm/kasan/report.c:488
kasan_report+0xda/0x110 mm/kasan/report.c:601
v4l2_fh_init+0x278/0x2c0 drivers/media/v4l2-core/v4l2-fh.c:25
v4l2_fh_open+0x7c/0xb0 drivers/media/v4l2-core/v4l2-fh.c:63
em28xx_v4l2_open+0x1ea/0x6a0 drivers/media/usb/em28xx/em28xx-video.c:2155
v4l2_open+0x1ed/0x400 drivers/media/v4l2-core/v4l2-dev.c:427
chrdev_open+0x215/0x610 fs/char_dev.c:414
do_dentry_open+0x5da/0x14f0 fs/open.c:953
do_open fs/namei.c:3645 [inline]
path_openat+0x1983/0x2740 fs/namei.c:3802
do_filp_open+0x1bc/0x400 fs/namei.c:3829
do_sys_openat2+0x12c/0x170 fs/open.c:1404
do_sys_open fs/open.c:1419 [inline]
__do_sys_openat fs/open.c:1435 [inline]
__se_sys_openat fs/open.c:1430 [inline]
__x64_sys_openat+0x134/0x1d0 fs/open.c:1430
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x78/0x1c0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f30564a0e01
Code: 75 57 89 f0 25 00 00 41 00 3d 00 00 41 00 74 49 80 3d ea 27 0e 00 00 74 6d 89 da 48 89 ee bf 9c ff ff ff b5
RSP: 002b:00007ffffe493a00 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f30564a0e01
RDX: 0000000000000000 RSI: 00007ffffe493f05 RDI: 00000000ffffff9c
RBP: 00007ffffe493f05 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffffe493c30 R14: 0000560ca266fbf8 R15: 00007f30565c1020
</TASK>
Allocated by task 15533:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
__kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:387
kmalloc include/linux/slab.h:590 [inline]
kzalloc include/linux/slab.h:711 [inline]
em28xx_v4l2_init+0xe6/0x3b00 drivers/media/usb/em28xx/em28xx-video.c:2534
em28xx_init_extension+0x10a/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1116
process_one_work+0x789/0x12a0 kernel/workqueue.c:2633
process_scheduled_works kernel/workqueue.c:2706 [inline]
worker_thread+0x6fb/0x1170 kernel/workqueue.c:2787
kthread+0x2ed/0x3d0 kernel/kthread.c:388
ret_from_fork+0x2c/0x70 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:243
Freed by task 15533:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:589
poison_slab_object mm/kasan/common.c:240 [inline]
__kasan_slab_free+0x11d/0x1a0 mm/kasan/common.c:256
kasan_slab_free include/linux/kasan.h:184 [inline]
slab_free_hook mm/slub.c:2121 [inline]
slab_free mm/slub.c:4299 [inline]
kfree+0x124/0x360 mm/slub.c:4409
em28xx_free_v4l2 drivers/media/usb/em28xx/em28xx-video.c:2120 [inline]
kref_put include/linux/kref.h:65 [inline]
em28xx_v4l2_init+0x1d6c/0x3b00 drivers/media/usb/em28xx/em28xx-video.c:2903
em28xx_init_extension+0x10a/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1116
process_one_work+0x789/0x12a0 kernel/workqueue.c:2633
process_scheduled_works kernel/workqueue.c:2706 [inline]
worker_thread+0x6fb/0x1170 kernel/workqueue.c:2787
kthread+0x2ed/0x3d0 kernel/kthread.c:388
ret_from_fork+0x2c/0x70 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:243
The buggy address belongs to the object at ffff888053f9a000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 1848 bytes inside of
freed 8192-byte region [ffff888053f9a000, ffff888053f9c000)
The buggy address belongs to the physical page:
page:ffffea00014fe600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x53f98
head:ffffea00014fe600 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888012443540 ffffea000151fc10 ffff888012441228
raw: 0000000000000000 0000000000010001 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|_2
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2cf/0x340 mm/page_alloc.c:1533
prep_new_page mm/page_alloc.c:1540 [inline]
get_page_from_freelist+0xa28/0x3770 mm/page_alloc.c:3311
__alloc_pages+0x1d0/0x4a0 mm/page_alloc.c:4567
__alloc_pages_node include/linux/gfp.h:238 [inline]
alloc_pages_node include/linux/gfp.h:261 [inline]
alloc_slab_page mm/slub.c:2190 [inline]
allocate_slab+0xa3/0x360 mm/slub.c:2354
new_slab mm/slub.c:2407 [inline]
___slab_alloc+0x4d2/0x1950 mm/slub.c:3540
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3625
__slab_alloc_node mm/slub.c:3678 [inline]
slab_alloc_node mm/slub.c:3850 [inline]
kmalloc_trace+0x399/0x3e0 mm/slub.c:4007
kmalloc include/linux/slab.h:590 [inline]
kzalloc include/linux/slab.h:711 [inline]
em28xx_v4l2_init+0xe6/0x3b00 drivers/media/usb/em28xx/em28xx-video.c:2534
em28xx_init_extension+0x10a/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1116
process_one_work+0x789/0x12a0 kernel/workqueue.c:2633
process_scheduled_works kernel/workqueue.c:2706 [inline]
worker_thread+0x6fb/0x1170 kernel/workqueue.c:2787
kthread+0x2ed/0x3d0 kernel/kthread.c:388
ret_from_fork+0x2c/0x70 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:243
page last free pid 14951 tgid 14951 stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1140 [inline]
free_unref_page_prepare+0x51e/0xb10 mm/page_alloc.c:2346
free_unref_page+0x33/0x3c0 mm/page_alloc.c:2486
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x18e/0x1d0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:322
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3813 [inline]
slab_alloc_node mm/slub.c:3860 [inline]
kmalloc_trace+0x13a/0x3e0 mm/slub.c:4007
kmalloc include/linux/slab.h:590 [inline]
usb_control_msg+0xb2/0x470 drivers/usb/core/message.c:144
get_port_status drivers/usb/core/hub.c:604 [inline]
hub_ext_port_status+0xf0/0x400 drivers/usb/core/hub.c:621
usb_hub_port_status drivers/usb/core/hub.c:643 [inline]
hub_port_debounce+0x168/0x300 drivers/usb/core/hub.c:4619
hub_port_debounce_be_stable drivers/usb/core/hub.h:181 [inline]
hub_port_connect drivers/usb/core/hub.c:5335 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5623 [inline]
port_event drivers/usb/core/hub.c:5783 [inline]
hub_event+0x294c/0x4370 drivers/usb/core/hub.c:5865
process_one_work+0x789/0x12a0 kernel/workqueue.c:2633
process_scheduled_works kernel/workqueue.c:2706 [inline]
worker_thread+0x6fb/0x1170 kernel/workqueue.c:2787
kthread+0x2ed/0x3d0 kernel/kthread.c:388
ret_from_fork+0x2c/0x70 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:243
Memory state around the buggy address:
ffff888053f9a600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888053f9a680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888053f9a700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888053f9a780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888053f9a800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
TITLE: kernel panic: KASAN: panic_on_warn set ...
CORRUPTED: false ()
MAINTAINERS (TO): [linux-kernel@vger.kernel.org]
MAINTAINERS (CC): [linux-media@vger.kernel.org mchehab@kernel.org]
The buggy address is located 1848 bytes inside of
freed 8192-byte region [ffff888053f9a000, ffff888053f9c000)
The buggy address belongs to the physical page:
page:ffffea00014fe600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x53f98
head:ffffea00014fe600 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888012443540 ffffea000151fc10 ffff888012441228
raw: 0000000000000000 0000000000010001 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|_2
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2cf/0x340 mm/page_alloc.c:1533
prep_new_page mm/page_alloc.c:1540 [inline]
get_page_from_freelist+0xa28/0x3770 mm/page_alloc.c:3311
__alloc_pages+0x1d0/0x4a0 mm/page_alloc.c:4567
__alloc_pages_node include/linux/gfp.h:238 [inline]
alloc_pages_node include/linux/gfp.h:261 [inline]
alloc_slab_page mm/slub.c:2190 [inline]
allocate_slab+0xa3/0x360 mm/slub.c:2354
new_slab mm/slub.c:2407 [inline]
___slab_alloc+0x4d2/0x1950 mm/slub.c:3540
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3625
__slab_alloc_node mm/slub.c:3678 [inline]
slab_alloc_node mm/slub.c:3850 [inline]
kmalloc_trace+0x399/0x3e0 mm/slub.c:4007
kmalloc include/linux/slab.h:590 [inline]
kzalloc include/linux/slab.h:711 [inline]
em28xx_v4l2_init+0xe6/0x3b00 drivers/media/usb/em28xx/em28xx-video.c:2534
em28xx_init_extension+0x10a/0x1c0 drivers/media/usb/em28xx/em28xx-core.c:1116
process_one_work+0x789/0x12a0 kernel/workqueue.c:2633
process_scheduled_works kernel/workqueue.c:2706 [inline]
worker_thread+0x6fb/0x1170 kernel/workqueue.c:2787
kthread+0x2ed/0x3d0 kernel/kthread.c:388
ret_from_fork+0x2c/0x70 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:243
page last free pid 14951 tgid 14951 stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1140 [inline]
free_unref_page_prepare+0x51e/0xb10 mm/page_alloc.c:2346
free_unref_page+0x33/0x3c0 mm/page_alloc.c:2486
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x18e/0x1d0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:322
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3813 [inline]
slab_alloc_node mm/slub.c:3860 [inline]
kmalloc_trace+0x13a/0x3e0 mm/slub.c:4007
kmalloc include/linux/slab.h:590 [inline]
usb_control_msg+0xb2/0x470 drivers/usb/core/message.c:144
get_port_status drivers/usb/core/hub.c:604 [inline]
hub_ext_port_status+0xf0/0x400 drivers/usb/core/hub.c:621
usb_hub_port_status drivers/usb/core/hub.c:643 [inline]
hub_port_debounce+0x168/0x300 drivers/usb/core/hub.c:4619
hub_port_debounce_be_stable drivers/usb/core/hub.h:181 [inline]
hub_port_connect drivers/usb/core/hub.c:5335 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5623 [inline]
port_event drivers/usb/core/hub.c:5783 [inline]
hub_event+0x294c/0x4370 drivers/usb/core/hub.c:5865
process_one_work+0x789/0x12a0 kernel/workqueue.c:2633
process_scheduled_works kernel/workqueue.c:2706 [inline]
worker_thread+0x6fb/0x1170 kernel/workqueue.c:2787
kthread+0x2ed/0x3d0 kernel/kthread.c:388
ret_from_fork+0x2c/0x70 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:243
Memory state around the buggy address:
ffff888053f9a600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888053f9a680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888053f9a700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888053f9a780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888053f9a800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Kernel panic - not syncing: KASAN: panic_on_warn set ...
CPU: 0 PID: 21260 Comm: v4l_id Not tainted 6.8.0-rc6-00238-g5ad3cb0ed525 #17
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x5c/0xb0 lib/dump_stack.c:106
panic+0x50c/0x5b0 kernel/panic.c:344
check_panic_on_warn+0x58/0x70 kernel/panic.c:237
end_report+0x108/0x150 mm/kasan/report.c:226
kasan_report+0xea/0x110 mm/kasan/report.c:603
v4l2_fh_init+0x278/0x2c0 drivers/media/v4l2-core/v4l2-fh.c:25
v4l2_fh_open+0x7c/0xb0 drivers/media/v4l2-core/v4l2-fh.c:63
em28xx_v4l2_open+0x1ea/0x6a0 drivers/media/usb/em28xx/em28xx-video.c:2155
v4l2_open+0x1ed/0x400 drivers/media/v4l2-core/v4l2-dev.c:427
chrdev_open+0x215/0x610 fs/char_dev.c:414
do_dentry_open+0x5da/0x14f0 fs/open.c:953
do_open fs/namei.c:3645 [inline]
path_openat+0x1983/0x2740 fs/namei.c:3802
do_filp_open+0x1bc/0x400 fs/namei.c:3829
do_sys_openat2+0x12c/0x170 fs/open.c:1404
do_sys_open fs/open.c:1419 [inline]
__do_sys_openat fs/open.c:1435 [inline]
__se_sys_openat fs/open.c:1430 [inline]
__x64_sys_openat+0x134/0x1d0 fs/open.c:1430
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x78/0x1c0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f30564a0e01
Code: 75 57 89 f0 25 00 00 41 00 3d 00 00 41 00 74 49 80 3d ea 27 0e 00 00 74 6d 89 da 48 89 ee bf 9c ff ff ff b5
Raw
repro.c
#define _GNU_SOURCE
#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#include <linux/usb/ch9.h>
static unsigned long long procid;
static void sleep_ms(uint64_t ms) {
usleep(ms * 1000);
}
static uint64_t current_time_ms(void) {
struct timespec ts;
if (clock_gettime(CLOCK_MONOTONIC, &ts))
exit(1);
return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}
static bool write_file(const char* file, const char* what, ...) {
char buf[1024];
va_list args;
va_start(args, what);
vsnprintf(buf, sizeof(buf), what, args);
va_end(args);
buf[sizeof(buf) - 1] = 0;
int len = strlen(buf);
int fd = open(file, O_WRONLY | O_CLOEXEC);
if (fd == -1)
return false;
if (write(fd, buf, len) != len) {
int err = errno;
close(fd);
errno = err;
return false;
}
close(fd);
return true;
}
#define MAX_FDS 30
#define USB_MAX_IFACE_NUM 4
#define USB_MAX_EP_NUM 32
#define USB_MAX_FDS 6
struct usb_endpoint_index {
struct usb_endpoint_descriptor desc;
int handle;
};
struct usb_iface_index {
struct usb_interface_descriptor* iface;
uint8_t bInterfaceNumber;
uint8_t bAlternateSetting;
uint8_t bInterfaceClass;
struct usb_endpoint_index eps[USB_MAX_EP_NUM];
int eps_num;
};
struct usb_device_index {
struct usb_device_descriptor* dev;
struct usb_config_descriptor* config;
uint8_t bDeviceClass;
uint8_t bMaxPower;
int config_length;
struct usb_iface_index ifaces[USB_MAX_IFACE_NUM];
int ifaces_num;
int iface_cur;
};
struct usb_info {
int fd;
struct usb_device_index index;
};
static struct usb_info usb_devices[USB_MAX_FDS];
static struct usb_device_index* lookup_usb_index(int fd) {
for (int i = 0; i < USB_MAX_FDS; i++) {
if (__atomic_load_n(&usb_devices[i].fd, __ATOMIC_ACQUIRE) == fd)
return &usb_devices[i].index;
}
return NULL;
}
static int usb_devices_num;
static bool parse_usb_descriptor(const char* buffer,
size_t length,
struct usb_device_index* index) {
if (length < sizeof(*index->dev) + sizeof(*index->config))
return false;
memset(index, 0, sizeof(*index));
index->dev = (struct usb_device_descriptor*)buffer;
index->config = (struct usb_config_descriptor*)(buffer + sizeof(*index->dev));
index->bDeviceClass = index->dev->bDeviceClass;
index->bMaxPower = index->config->bMaxPower;
index->config_length = length - sizeof(*index->dev);
index->iface_cur = -1;
size_t offset = 0;
while (true) {
if (offset + 1 >= length)
break;
uint8_t desc_length = buffer[offset];
uint8_t desc_type = buffer[offset + 1];
if (desc_length <= 2)
break;
if (offset + desc_length > length)
break;
if (desc_type == USB_DT_INTERFACE &&
index->ifaces_num < USB_MAX_IFACE_NUM) {
struct usb_interface_descriptor* iface =
(struct usb_interface_descriptor*)(buffer + offset);
index->ifaces[index->ifaces_num].iface = iface;
index->ifaces[index->ifaces_num].bInterfaceNumber =
iface->bInterfaceNumber;
index->ifaces[index->ifaces_num].bAlternateSetting =
iface->bAlternateSetting;
index->ifaces[index->ifaces_num].bInterfaceClass = iface->bInterfaceClass;
index->ifaces_num++;
}
if (desc_type == USB_DT_ENDPOINT && index->ifaces_num > 0) {
struct usb_iface_index* iface = &index->ifaces[index->ifaces_num - 1];
if (iface->eps_num < USB_MAX_EP_NUM) {
memcpy(&iface->eps[iface->eps_num].desc, buffer + offset,
sizeof(iface->eps[iface->eps_num].desc));
iface->eps_num++;
}
}
offset += desc_length;
}
return true;
}
static struct usb_device_index* add_usb_index(int fd,
const char* dev,
size_t dev_len) {
int i = __atomic_fetch_add(&usb_devices_num, 1, __ATOMIC_RELAXED);
if (i >= USB_MAX_FDS)
return NULL;
if (!parse_usb_descriptor(dev, dev_len, &usb_devices[i].index))
return NULL;
__atomic_store_n(&usb_devices[i].fd, fd, __ATOMIC_RELEASE);
return &usb_devices[i].index;
}
struct vusb_connect_string_descriptor {
uint32_t len;
char* str;
} __attribute__((packed));
struct vusb_connect_descriptors {
uint32_t qual_len;
char* qual;
uint32_t bos_len;
char* bos;
uint32_t strs_len;
struct vusb_connect_string_descriptor strs[0];
} __attribute__((packed));
static const char default_string[] = {8, USB_DT_STRING, 's', 0, 'y', 0, 'z', 0};
static const char default_lang_id[] = {4, USB_DT_STRING, 0x09, 0x04};
static bool lookup_connect_response_in(
int fd,
const struct vusb_connect_descriptors* descs,
const struct usb_ctrlrequest* ctrl,
struct usb_qualifier_descriptor* qual,
char** response_data,
uint32_t* response_length) {
struct usb_device_index* index = lookup_usb_index(fd);
uint8_t str_idx;
if (!index)
return false;
switch (ctrl->bRequestType & USB_TYPE_MASK) {
case USB_TYPE_STANDARD:
switch (ctrl->bRequest) {
case USB_REQ_GET_DESCRIPTOR:
switch (ctrl->wValue >> 8) {
case USB_DT_DEVICE:
*response_data = (char*)index->dev;
*response_length = sizeof(*index->dev);
return true;
case USB_DT_CONFIG:
*response_data = (char*)index->config;
*response_length = index->config_length;
return true;
case USB_DT_STRING:
str_idx = (uint8_t)ctrl->wValue;
if (descs && str_idx < descs->strs_len) {
*response_data = descs->strs[str_idx].str;
*response_length = descs->strs[str_idx].len;
return true;
}
if (str_idx == 0) {
*response_data = (char*)&default_lang_id[0];
*response_length = default_lang_id[0];
return true;
}
*response_data = (char*)&default_string[0];
*response_length = default_string[0];
return true;
case USB_DT_BOS:
*response_data = descs->bos;
*response_length = descs->bos_len;
return true;
case USB_DT_DEVICE_QUALIFIER:
if (!descs->qual) {
qual->bLength = sizeof(*qual);
qual->bDescriptorType = USB_DT_DEVICE_QUALIFIER;
qual->bcdUSB = index->dev->bcdUSB;
qual->bDeviceClass = index->dev->bDeviceClass;
qual->bDeviceSubClass = index->dev->bDeviceSubClass;
qual->bDeviceProtocol = index->dev->bDeviceProtocol;
qual->bMaxPacketSize0 = index->dev->bMaxPacketSize0;
qual->bNumConfigurations = index->dev->bNumConfigurations;
qual->bRESERVED = 0;
*response_data = (char*)qual;
*response_length = sizeof(*qual);
return true;
}
*response_data = descs->qual;
*response_length = descs->qual_len;
return true;
default:
break;
}
break;
default:
break;
}
break;
default:
break;
}
return false;
}
typedef bool (*lookup_connect_out_response_t)(
int fd,
const struct vusb_connect_descriptors* descs,
const struct usb_ctrlrequest* ctrl,
bool* done);
static bool lookup_connect_response_out_generic(
int fd,
const struct vusb_connect_descriptors* descs,
const struct usb_ctrlrequest* ctrl,
bool* done) {
switch (ctrl->bRequestType & USB_TYPE_MASK) {
case USB_TYPE_STANDARD:
switch (ctrl->bRequest) {
case USB_REQ_SET_CONFIGURATION:
*done = true;
return true;
default:
break;
}
break;
}
return false;
}
#define UDC_NAME_LENGTH_MAX 128
struct usb_raw_init {
__u8 driver_name[UDC_NAME_LENGTH_MAX];
__u8 device_name[UDC_NAME_LENGTH_MAX];
__u8 speed;
};
enum usb_raw_event_type {
USB_RAW_EVENT_INVALID = 0,
USB_RAW_EVENT_CONNECT = 1,
USB_RAW_EVENT_CONTROL = 2,
};
struct usb_raw_event {
__u32 type;
__u32 length;
__u8 data[0];
};
struct usb_raw_ep_io {
__u16 ep;
__u16 flags;
__u32 length;
__u8 data[0];
};
#define USB_RAW_EPS_NUM_MAX 30
#define USB_RAW_EP_NAME_MAX 16
#define USB_RAW_EP_ADDR_ANY 0xff
struct usb_raw_ep_caps {
__u32 type_control : 1;
__u32 type_iso : 1;
__u32 type_bulk : 1;
__u32 type_int : 1;
__u32 dir_in : 1;
__u32 dir_out : 1;
};
struct usb_raw_ep_limits {
__u16 maxpacket_limit;
__u16 max_streams;
__u32 reserved;
};
struct usb_raw_ep_info {
__u8 name[USB_RAW_EP_NAME_MAX];
__u32 addr;
struct usb_raw_ep_caps caps;
struct usb_raw_ep_limits limits;
};
struct usb_raw_eps_info {
struct usb_raw_ep_info eps[USB_RAW_EPS_NUM_MAX];
};
#define USB_RAW_IOCTL_INIT _IOW('U', 0, struct usb_raw_init)
#define USB_RAW_IOCTL_RUN _IO('U', 1)
#define USB_RAW_IOCTL_EVENT_FETCH _IOR('U', 2, struct usb_raw_event)
#define USB_RAW_IOCTL_EP0_WRITE _IOW('U', 3, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP0_READ _IOWR('U', 4, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_ENABLE _IOW('U', 5, struct usb_endpoint_descriptor)
#define USB_RAW_IOCTL_EP_DISABLE _IOW('U', 6, __u32)
#define USB_RAW_IOCTL_EP_WRITE _IOW('U', 7, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_EP_READ _IOWR('U', 8, struct usb_raw_ep_io)
#define USB_RAW_IOCTL_CONFIGURE _IO('U', 9)
#define USB_RAW_IOCTL_VBUS_DRAW _IOW('U', 10, __u32)
#define USB_RAW_IOCTL_EPS_INFO _IOR('U', 11, struct usb_raw_eps_info)
#define USB_RAW_IOCTL_EP0_STALL _IO('U', 12)
#define USB_RAW_IOCTL_EP_SET_HALT _IOW('U', 13, __u32)
#define USB_RAW_IOCTL_EP_CLEAR_HALT _IOW('U', 14, __u32)
#define USB_RAW_IOCTL_EP_SET_WEDGE _IOW('U', 15, __u32)
static int usb_raw_open() {
return open("/dev/raw-gadget", O_RDWR);
}
static int usb_raw_init(int fd,
uint32_t speed,
const char* driver,
const char* device) {
struct usb_raw_init arg;
strncpy((char*)&arg.driver_name[0], driver, sizeof(arg.driver_name));
strncpy((char*)&arg.device_name[0], device, sizeof(arg.device_name));
arg.speed = speed;
return ioctl(fd, USB_RAW_IOCTL_INIT, &arg);
}
static int usb_raw_run(int fd) {
return ioctl(fd, USB_RAW_IOCTL_RUN, 0);
}
static int usb_raw_configure(int fd) {
return ioctl(fd, USB_RAW_IOCTL_CONFIGURE, 0);
}
static int usb_raw_vbus_draw(int fd, uint32_t power) {
return ioctl(fd, USB_RAW_IOCTL_VBUS_DRAW, power);
}
static int usb_raw_ep0_write(int fd, struct usb_raw_ep_io* io) {
return ioctl(fd, USB_RAW_IOCTL_EP0_WRITE, io);
}
static int usb_raw_ep0_read(int fd, struct usb_raw_ep_io* io) {
return ioctl(fd, USB_RAW_IOCTL_EP0_READ, io);
}
static int usb_raw_event_fetch(int fd, struct usb_raw_event* event) {
return ioctl(fd, USB_RAW_IOCTL_EVENT_FETCH, event);
}
static int usb_raw_ep_enable(int fd, struct usb_endpoint_descriptor* desc) {
return ioctl(fd, USB_RAW_IOCTL_EP_ENABLE, desc);
}
static int usb_raw_ep_disable(int fd, int ep) {
return ioctl(fd, USB_RAW_IOCTL_EP_DISABLE, ep);
}
static int usb_raw_ep0_stall(int fd) {
return ioctl(fd, USB_RAW_IOCTL_EP0_STALL, 0);
}
#define USB_MAX_PACKET_SIZE 4096
struct usb_raw_control_event {
struct usb_raw_event inner;
struct usb_ctrlrequest ctrl;
char data[USB_MAX_PACKET_SIZE];
};
struct usb_raw_ep_io_data {
struct usb_raw_ep_io inner;
char data[USB_MAX_PACKET_SIZE];
};
static void set_interface(int fd, int n) {
struct usb_device_index* index = lookup_usb_index(fd);
if (!index)
return;
if (index->iface_cur >= 0 && index->iface_cur < index->ifaces_num) {
for (int ep = 0; ep < index->ifaces[index->iface_cur].eps_num; ep++) {
int rv = usb_raw_ep_disable(
fd, index->ifaces[index->iface_cur].eps[ep].handle);
if (rv < 0) {
} else {
}
}
}
if (n >= 0 && n < index->ifaces_num) {
for (int ep = 0; ep < index->ifaces[n].eps_num; ep++) {
int rv = usb_raw_ep_enable(fd, &index->ifaces[n].eps[ep].desc);
if (rv < 0) {
} else {
index->ifaces[n].eps[ep].handle = rv;
}
}
index->iface_cur = n;
}
}
static int configure_device(int fd) {
struct usb_device_index* index = lookup_usb_index(fd);
if (!index)
return -1;
int rv = usb_raw_vbus_draw(fd, index->bMaxPower);
if (rv < 0) {
return rv;
}
rv = usb_raw_configure(fd);
if (rv < 0) {
return rv;
}
set_interface(fd, 0);
return 0;
}
static volatile long syz_usb_connect_impl(
uint64_t speed,
uint64_t dev_len,
const char* dev,
const struct vusb_connect_descriptors* descs,
lookup_connect_out_response_t lookup_connect_response_out) {
if (!dev) {
return -1;
}
int fd = usb_raw_open();
if (fd < 0) {
return fd;
}
if (fd >= MAX_FDS) {
close(fd);
return -1;
}
struct usb_device_index* index = add_usb_index(fd, dev, dev_len);
if (!index) {
return -1;
}
char device[32];
sprintf(&device[0], "dummy_udc.%llu", procid);
int rv = usb_raw_init(fd, speed, "dummy_udc", &device[0]);
if (rv < 0) {
return rv;
}
rv = usb_raw_run(fd);
if (rv < 0) {
return rv;
}
bool done = false;
while (!done) {
struct usb_raw_control_event event;
event.inner.type = 0;
event.inner.length = sizeof(event.ctrl);
rv = usb_raw_event_fetch(fd, (struct usb_raw_event*)&event);
if (rv < 0) {
return rv;
}
if (event.inner.type != USB_RAW_EVENT_CONTROL)
continue;
char* response_data = NULL;
uint32_t response_length = 0;
struct usb_qualifier_descriptor qual;
if (event.ctrl.bRequestType & USB_DIR_IN) {
if (!lookup_connect_response_in(fd, descs, &event.ctrl, &qual,
&response_data, &response_length)) {
usb_raw_ep0_stall(fd);
continue;
}
} else {
if (!lookup_connect_response_out(fd, descs, &event.ctrl, &done)) {
usb_raw_ep0_stall(fd);
continue;
}
response_data = NULL;
response_length = event.ctrl.wLength;
}
if ((event.ctrl.bRequestType & USB_TYPE_MASK) == USB_TYPE_STANDARD &&
event.ctrl.bRequest == USB_REQ_SET_CONFIGURATION) {
rv = configure_device(fd);
if (rv < 0) {
return rv;
}
}
struct usb_raw_ep_io_data response;
response.inner.ep = 0;
response.inner.flags = 0;
if (response_length > sizeof(response.data))
response_length = 0;
if (event.ctrl.wLength < response_length)
response_length = event.ctrl.wLength;
response.inner.length = response_length;
if (response_data)
memcpy(&response.data[0], response_data, response_length);
else
memset(&response.data[0], 0, response_length);
if (event.ctrl.bRequestType & USB_DIR_IN) {
rv = usb_raw_ep0_write(fd, (struct usb_raw_ep_io*)&response);
} else {
rv = usb_raw_ep0_read(fd, (struct usb_raw_ep_io*)&response);
}
if (rv < 0) {
return rv;
}
}
sleep_ms(200);
return fd;
}
static volatile long syz_usb_connect(volatile long a0,
volatile long a1,
volatile long a2,
volatile long a3) {
uint64_t speed = a0;
uint64_t dev_len = a1;
const char* dev = (const char*)a2;
const struct vusb_connect_descriptors* descs =
(const struct vusb_connect_descriptors*)a3;
return syz_usb_connect_impl(speed, dev_len, dev, descs,
&lookup_connect_response_out_generic);
}
static void kill_and_wait(int pid, int* status) {
kill(-pid, SIGKILL);
kill(pid, SIGKILL);
for (int i = 0; i < 100; i++) {
if (waitpid(-1, status, WNOHANG | __WALL) == pid)
return;
usleep(1000);
}
DIR* dir = opendir("/sys/fs/fuse/connections");
if (dir) {
for (;;) {
struct dirent* ent = readdir(dir);
if (!ent)
break;
if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
continue;
char abort[300];
snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
ent->d_name);
int fd = open(abort, O_WRONLY);
if (fd == -1) {
continue;
}
if (write(fd, abort, 1) < 0) {
}
close(fd);
}
closedir(dir);
} else {
}
while (waitpid(-1, status, __WALL) != pid) {
}
}
static void setup_test() {
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
setpgrp();
write_file("/proc/self/oom_score_adj", "1000");
}
static void execute_one(void);
#define WAIT_FLAGS __WALL
static void loop(void) {
int iter = 0;
for (;; iter++) {
int pid = fork();
if (pid < 0)
exit(1);
if (pid == 0) {
setup_test();
execute_one();
exit(0);
}
int status = 0;
uint64_t start = current_time_ms();
for (;;) {
if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
break;
sleep_ms(1);
if (current_time_ms() - start < 5000)
continue;
kill_and_wait(pid, &status);
break;
}
}
}
void execute_one(void) {
*(uint8_t*)0x20000040 = 0x12;
*(uint8_t*)0x20000041 = 1;
*(uint16_t*)0x20000042 = 0;
*(uint8_t*)0x20000044 = 0x42;
*(uint8_t*)0x20000045 = 0x21;
*(uint8_t*)0x20000046 = 0x7a;
*(uint8_t*)0x20000047 = 0x40;
*(uint16_t*)0x20000048 = 0x413;
*(uint16_t*)0x2000004a = 0x6023;
*(uint16_t*)0x2000004c = 0xc128;
*(uint8_t*)0x2000004e = 0;
*(uint8_t*)0x2000004f = 0;
*(uint8_t*)0x20000050 = 0;
*(uint8_t*)0x20000051 = 1;
*(uint8_t*)0x20000052 = 9;
*(uint8_t*)0x20000053 = 2;
*(uint16_t*)0x20000054 = 0xdb;
*(uint8_t*)0x20000056 = 1;
*(uint8_t*)0x20000057 = 0;
*(uint8_t*)0x20000058 = 0;
*(uint8_t*)0x20000059 = 0;
*(uint8_t*)0x2000005a = 0;
*(uint8_t*)0x2000005b = 9;
*(uint8_t*)0x2000005c = 4;
*(uint8_t*)0x2000005d = 0x44;
*(uint8_t*)0x2000005e = 0;
*(uint8_t*)0x2000005f = 0xf;
*(uint8_t*)0x20000060 = 0x2b;
*(uint8_t*)0x20000061 = 0xb6;
*(uint8_t*)0x20000062 = 0x34;
*(uint8_t*)0x20000063 = 0;
*(uint8_t*)0x20000064 = 9;
*(uint8_t*)0x20000065 = 5;
*(uint8_t*)0x20000066 = 0x40;
*(uint8_t*)0x20000067 = 8;
*(uint16_t*)0x20000068 = 0x10;
*(uint8_t*)0x2000006a = 0x7f;
*(uint8_t*)0x2000006b = 0x80;
*(uint8_t*)0x2000006c = 0xdb;
*(uint8_t*)0x2000006d = 2;
*(uint8_t*)0x2000006e = 0x22;
*(uint8_t*)0x2000006f = 7;
*(uint8_t*)0x20000070 = 0x25;
*(uint8_t*)0x20000071 = 1;
*(uint8_t*)0x20000072 = 0x80;
*(uint8_t*)0x20000073 = 7;
*(uint16_t*)0x20000074 = 9;
*(uint8_t*)0x20000076 = 9;
*(uint8_t*)0x20000077 = 5;
*(uint8_t*)0x20000078 = 0x82;
*(uint8_t*)0x20000079 = 4;
*(uint16_t*)0x2000007a = 0x200;
*(uint8_t*)0x2000007c = 0x2c;
*(uint8_t*)0x2000007d = 0x33;
*(uint8_t*)0x2000007e = 9;
*(uint8_t*)0x2000007f = 7;
*(uint8_t*)0x20000080 = 0x25;
*(uint8_t*)0x20000081 = 1;
*(uint8_t*)0x20000082 = 3;
*(uint8_t*)0x20000083 = 0x3f;
*(uint16_t*)0x20000084 = 0xf49;
*(uint8_t*)0x20000086 = 7;
*(uint8_t*)0x20000087 = 0x25;
*(uint8_t*)0x20000088 = 1;
*(uint8_t*)0x20000089 = 2;
*(uint8_t*)0x2000008a = 7;
*(uint16_t*)0x2000008b = 0x400;
*(uint8_t*)0x2000008d = 9;
*(uint8_t*)0x2000008e = 5;
*(uint8_t*)0x2000008f = 0xa;
*(uint8_t*)0x20000090 = 4;
*(uint16_t*)0x20000091 = 0x20;
*(uint8_t*)0x20000093 = 4;
*(uint8_t*)0x20000094 = 3;
*(uint8_t*)0x20000095 = 0x80;
*(uint8_t*)0x20000096 = 9;
*(uint8_t*)0x20000097 = 5;
*(uint8_t*)0x20000098 = 0xf;
*(uint8_t*)0x20000099 = 0;
*(uint16_t*)0x2000009a = 0x200;
*(uint8_t*)0x2000009c = 0xbb;
*(uint8_t*)0x2000009d = 0x17;
*(uint8_t*)0x2000009e = 1;
*(uint8_t*)0x2000009f = 9;
*(uint8_t*)0x200000a0 = 5;
*(uint8_t*)0x200000a1 = 0xb;
*(uint8_t*)0x200000a2 = 0x10;
*(uint16_t*)0x200000a3 = 8;
*(uint8_t*)0x200000a5 = 5;
*(uint8_t*)0x200000a6 = 0x3f;
*(uint8_t*)0x200000a7 = 0;
*(uint8_t*)0x200000a8 = 7;
*(uint8_t*)0x200000a9 = 0x25;
*(uint8_t*)0x200000aa = 1;
*(uint8_t*)0x200000ab = 0x80;
*(uint8_t*)0x200000ac = 0x81;
*(uint16_t*)0x200000ad = 0xa62b;
*(uint8_t*)0x200000af = 9;
*(uint8_t*)0x200000b0 = 5;
*(uint8_t*)0x200000b1 = 4;
*(uint8_t*)0x200000b2 = 0;
*(uint16_t*)0x200000b3 = 0x200;
*(uint8_t*)0x200000b5 = 1;
*(uint8_t*)0x200000b6 = 4;
*(uint8_t*)0x200000b7 = 0x1f;
*(uint8_t*)0x200000b8 = 9;
*(uint8_t*)0x200000b9 = 5;
*(uint8_t*)0x200000ba = 0xb;
*(uint8_t*)0x200000bb = 4;
*(uint16_t*)0x200000bc = 0x10;
*(uint8_t*)0x200000be = 0x12;
*(uint8_t*)0x200000bf = 0xea;
*(uint8_t*)0x200000c0 = 0xc;
*(uint8_t*)0x200000c1 = 2;
*(uint8_t*)0x200000c2 = 0x21;
*(uint8_t*)0x200000c3 = 2;
*(uint8_t*)0x200000c4 = 0xb;
*(uint8_t*)0x200000c5 = 9;
*(uint8_t*)0x200000c6 = 5;
*(uint8_t*)0x200000c7 = 0xc;
*(uint8_t*)0x200000c8 = 0xc;
*(uint16_t*)0x200000c9 = 0x40;
*(uint8_t*)0x200000cb = 6;
*(uint8_t*)0x200000cc = 0xa4;
*(uint8_t*)0x200000cd = 8;
*(uint8_t*)0x200000ce = 9;
*(uint8_t*)0x200000cf = 5;
*(uint8_t*)0x200000d0 = 0xb;
*(uint8_t*)0x200000d1 = 0x10;
*(uint16_t*)0x200000d2 = 0x10;
*(uint8_t*)0x200000d4 = 4;
*(uint8_t*)0x200000d5 = 0x20;
*(uint8_t*)0x200000d6 = 7;
*(uint8_t*)0x200000d7 = 7;
*(uint8_t*)0x200000d8 = 0x25;
*(uint8_t*)0x200000d9 = 1;
*(uint8_t*)0x200000da = 3;
*(uint8_t*)0x200000db = 3;
*(uint16_t*)0x200000dc = 0xff34;
*(uint8_t*)0x200000de = 9;
*(uint8_t*)0x200000df = 5;
*(uint8_t*)0x200000e0 = 2;
*(uint8_t*)0x200000e1 = 0xc;
*(uint16_t*)0x200000e2 = 0x10;
*(uint8_t*)0x200000e4 = 2;
*(uint8_t*)0x200000e5 = 1;
*(uint8_t*)0x200000e6 = -1;
*(uint8_t*)0x200000e7 = 7;
*(uint8_t*)0x200000e8 = 0x25;
*(uint8_t*)0x200000e9 = 1;
*(uint8_t*)0x200000ea = 0x80;
*(uint8_t*)0x200000eb = 4;
*(uint16_t*)0x200000ec = 6;
*(uint8_t*)0x200000ee = 7;
*(uint8_t*)0x200000ef = 0x25;
*(uint8_t*)0x200000f0 = 1;
*(uint8_t*)0x200000f1 = 0x82;
*(uint8_t*)0x200000f2 = 1;
*(uint16_t*)0x200000f3 = 9;
*(uint8_t*)0x200000f5 = 9;
*(uint8_t*)0x200000f6 = 5;
*(uint8_t*)0x200000f7 = 0xa;
*(uint8_t*)0x200000f8 = 0;
*(uint16_t*)0x200000f9 = 0x40;
*(uint8_t*)0x200000fb = 0x80;
*(uint8_t*)0x200000fc = 0x7f;
*(uint8_t*)0x200000fd = 0xf9;
*(uint8_t*)0x200000fe = 7;
*(uint8_t*)0x200000ff = 0x25;
*(uint8_t*)0x20000100 = 1;
*(uint8_t*)0x20000101 = 0x80;
*(uint8_t*)0x20000102 = 0x40;
*(uint16_t*)0x20000103 = 0x800;
*(uint8_t*)0x20000105 = 9;
*(uint8_t*)0x20000106 = 5;
*(uint8_t*)0x20000107 = 5;
*(uint8_t*)0x20000108 = 0xc;
*(uint16_t*)0x20000109 = 0x20;
*(uint8_t*)0x2000010b = 6;
*(uint8_t*)0x2000010c = 0;
*(uint8_t*)0x2000010d = 5;
*(uint8_t*)0x2000010e = 2;
*(uint8_t*)0x2000010f = 5;
*(uint8_t*)0x20000110 = 2;
*(uint8_t*)0x20000111 = 7;
*(uint8_t*)0x20000112 = 9;
*(uint8_t*)0x20000113 = 5;
*(uint8_t*)0x20000114 = 7;
*(uint8_t*)0x20000115 = 3;
*(uint16_t*)0x20000116 = 0x10;
*(uint8_t*)0x20000118 = 0xfd;
*(uint8_t*)0x20000119 = 4;
*(uint8_t*)0x2000011a = 0x40;
*(uint8_t*)0x2000011b = 9;
*(uint8_t*)0x2000011c = 5;
*(uint8_t*)0x2000011d = 7;
*(uint8_t*)0x2000011e = 7;
*(uint16_t*)0x2000011f = 8;
*(uint8_t*)0x20000121 = 0;
*(uint8_t*)0x20000122 = 9;
*(uint8_t*)0x20000123 = 0x81;
*(uint8_t*)0x20000124 = 9;
*(uint8_t*)0x20000125 = 5;
*(uint8_t*)0x20000126 = 0xe;
*(uint8_t*)0x20000127 = 0x10;
*(uint16_t*)0x20000128 = 0x400;
*(uint8_t*)0x2000012a = 1;
*(uint8_t*)0x2000012b = 8;
*(uint8_t*)0x2000012c = 0x20;
syz_usb_connect(/*speed=*/0, /*dev_len=*/0xed, /*dev=*/0x20000040,
/*conn_descs=*/0);
}
int main(void) {
syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul,
/*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
loop();
return 0;
}
Raw
repro.txt
syz_usb_connect(0x0, 0xed, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0x42, 0x21, 0x7a, 0x40, 0x413, 0x6023, 0xc128, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0xdb, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x44, 0x0, 0xf, 0x2b, 0xb6, 0x34, 0x0, [], [{{0x9, 0x5, 0x65268aa22f44d640, 0x8, 0x10, 0x7f, 0x80, 0xdb, [@generic={0x2, 0x22}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0x7, 0x9}]}}, {{0x9, 0x5, 0x82, 0x4, 0x200, 0x2c, 0x33, 0x9, [@uac_iso={0x7, 0x25, 0x1, 0x3, 0x3f, 0xf49}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0x7, 0x400}]}}, {{0x9, 0x5, 0xa, 0x4, 0x20, 0x4, 0x3, 0x80}}, {{0x9, 0x5, 0xf, 0x0, 0x200, 0xbb, 0x17, 0x1}}, {{0x9, 0x5, 0xb, 0x10, 0x8, 0x5, 0x3f, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x81, 0xa62b}]}}, {{0x9, 0x5, 0x4, 0x0, 0x200, 0x1, 0x4, 0x1f}}, {{0x9, 0x5, 0xb, 0x4, 0x10, 0x12, 0xea, 0xc, [@generic={0x2, 0x21}, @generic={0x2, 0xb}]}}, {{0x9, 0x5, 0xc, 0xc, 0x40, 0x6, 0xa4, 0x8}}, {{0x9, 0x5, 0xb, 0x10, 0x10, 0x4, 0x20, 0x7, [@uac_iso={0x7, 0x25, 0x1, 0x3, 0x3, 0xff34}]}}, {{0x9, 0x5, 0x2, 0xc, 0x10, 0x2, 0x1, 0xff, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x4, 0x6}, @uac_iso={0x7, 0x25, 0x1, 0x82, 0x1, 0x9}]}}, {{0x9, 0x5, 0xa, 0x0, 0x40, 0x80, 0x7f, 0xf9, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x40, 0x800}]}}, {{0x9, 0x5, 0x5, 0xc, 0x20, 0x6, 0x0, 0x5, [@generic={0x2, 0x5}, @generic={0x2, 0x7}]}}, {{0x9, 0x5, 0x7, 0x3, 0x10, 0xfd, 0x4, 0x40}}, {{0x9, 0x5, 0x7, 0x7, 0x8, 0x0, 0x9, 0x81}}, {{0x9, 0x5, 0xe, 0x10, 0x400, 0x1, 0x8, 0x20}}]}}]}}]}}, 0x0)
Raw
repro1.txt
syz_usb_connect(0x0, 0x432, &(0x7f0000000040)={{0x12, 0x1, 0x0, 0x42, 0x21, 0x7a, 0x40, 0x413, 0x6023, 0xc128, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x420, 0x1, 0x0, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x44, 0x0, 0xf, 0x2b, 0xb6, 0x34, 0x0, [], [{{0x9, 0x5, 0x65268aa22f44d640, 0x8, 0x10, 0x7f, 0x80, 0xdb, [@generic={0x57, 0x22, "6842ca7bf31d0143618a52cac09b83bff3f60fa0736b77c6eccaf7eb500c0ec59af07a8ce80cef3c2c0d57a13d8171c83cddcf772e53cdd9c1c10b732a821410d572c5528ac48f055a3844538aada94f2d8702fab1"}, @uac_iso={0x7, 0x25, 0x1, 0x80, 0x7, 0x9}]}}, {{0x9, 0x5, 0x82, 0x4, 0x200, 0x2c, 0x33, 0x9, [@uac_iso={0x7, 0x25, 0x1, 0x3, 0x3f, 0xf49}, @uac_iso={0x7, 0x25, 0x1, 0x2, 0x7, 0x400}]}}, {{0x9, 0x5, 0xa, 0x4, 0x20, 0x4, 0x3, 0x80}}, {{0x9, 0x5, 0xf, 0x0, 0x200, 0xbb, 0x17, 0x1}}, {{0x9, 0x5, 0xb, 0x10, 0x8, 0x5, 0x3f, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x81, 0xa62b}]}}, {{0x9, 0x5, 0x4, 0x0, 0x200, 0x1, 0x4, 0x1f}}, {{0x9, 0x5, 0xb, 0x4, 0x10, 0x12, 0xea, 0xc, [@generic={0xed, 0x21, "08127f0f4f83fec83e08741a32c7e58422f72562136cd7b9d82db0c264c2fc37abfca1db646e6be411deadb2b650255eac8917df8f3f36c97efef0d23c90c281df73c0c07a5f3cdd23b1249a7465827a62acb89f43161251f496e961b2bada6e06551dafd2a52c93cc8685180dc1eca124e289ba9f1deddbb6ad0cf34b8a36d61937c472ae928155ca9943bc2b6eb3c3a8169951a8e8c6e9bc1b4eaa236e90b9694fc42b1a0712581cfd2ad60c63017370e0cc354856748351a049eb031b63d4539aa4cea7e62b4ab706d01ed6947263c2453a87e4d288df723b76f2481ef425dc2799ff3816d5095a9835"}, @generic={0xf9, 0xb, "dce59870ed7c15d59e2f62353374609704da54e4b507d263b09deb7c3c01236058718d919238a938221dc97681d20c639a5ebcd2dfe08c2c20672e3afd1121783144061974eb7d818536515d97db0cc1983cfa4de27b9ac3f8363a7da644886592f39a00d799c8887bc3300bb508a62afd0fc9a5f366b06fd04ede53b62cec94845eab41b138fffb86e04ed868592e463119faf7453c77b4b1f12c01d94c187279a5e3f673105824531de3cc89b127a03843e874f051ab35af668d61efc294cfe8c8726fc1d0ec4754fea52c35b61682af3d6c722edb819128cb95320e6e72a74073fcb14bfada62a389d25d0cce2fdaa4922b8d167f89"}]}}, {{0x9, 0x5, 0xc, 0xc, 0x40, 0x6, 0xa4, 0x8}}, {{0x9, 0x5, 0xb, 0x10, 0x10, 0x4, 0x20, 0x7, [@uac_iso={0x7, 0x25, 0x1, 0x3, 0x3, 0xff34}]}}, {{0x9, 0x5, 0x2, 0xc, 0x10, 0x2, 0x1, 0xff, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x4, 0x6}, @uac_iso={0x7, 0x25, 0x1, 0x82, 0x1, 0x9}]}}, {{0x9, 0x5, 0xa, 0x0, 0x40, 0x80, 0x7f, 0xf9, [@uac_iso={0x7, 0x25, 0x1, 0x80, 0x40, 0x800}]}}, {{0x9, 0x5, 0x5, 0xc, 0x20, 0x6, 0x0, 0x5, [@generic={0x7a, 0x5, "e39ae978b524cf1a138e7d85bbb05621f8bb638e46c34283cbd6133b287a2d0fdca0a81b5bf5844913d5b648914f94cc9c7fafb04471e90e5aab900141c5ba31a10afefa666446c570700e0a324ab93f48eb9c2ea15970f19ecec27fa412f8c549bad2cd378512dbd4820973d7fd56ec1f0ef6003187ca18"}, @generic={0x98, 0x7, "1d595e30b5dd2d17a99443dba7bd307a99e0018050c69bbdaa0917291dd754ef39acd49ecbe36f9e8086f0d7ec384ba81f18056b4f4cb4c08189589e63a0e7366681d16d77837b9961f34c5e1e162c51d51f848edda2c9a81d696383e11cc7ee3bca076aeadf60b158cf17084872b168377c928b5dd80c2612de496483e06076cf4d456e8d26dca9b1dbc42d89ef8518e4f6457ae8d7"}]}}, {{0x9, 0x5, 0x7, 0x3, 0x10, 0xfd, 0x4, 0x40}}, {{0x9, 0x5, 0x7, 0x7, 0x8, 0x0, 0x9, 0x81}}, {{0x9, 0x5, 0xe, 0x10, 0x400, 0x1, 0x8, 0x20}}]}}]}}]}}, 0x0)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment