On Mon, Sep 23, 2019 at 11:21 AM Oliver Neukum wrote:
>
> On Friday, 20.09.2019, 18:01 +0200, Andrey Konovalov wrote:
>
> > > Reported-and-tested-by:
> > > syzbot+d93dff37e6a89431c...@syzkaller.appspotmail.com
>
> [..]
> > Hi Oliver,
> >
>
On Tue, Jul 30, 2019 at 10:30 AM syzbot wrote:
>
> Hello,
>
> syzbot has tested the proposed patch and the reproducer did not trigger
> crash:
>
> Reported-and-tested-by:
> syzbot+d93dff37e6a89431c...@syzkaller.appspotmail.com
>
> Tested on:
>
> commit: 9a33b369 usb-fuzzer: main usb gadget
On Fri, Aug 23, 2019 at 3:56 PM Cristian Marussi wrote:
>
> Hi Andrey
>
> On 24/06/2019 15:33, Andrey Konovalov wrote:
> > This patch is a part of a series that extends kernel ABI to allow to pass
> > tagged user pointers (with the top byte set to something else other t
On Tue, Aug 13, 2019 at 2:28 PM Andrey Konovalov wrote:
>
> On Sun, Apr 14, 2019 at 10:06 PM syzbot wrote:
> >
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit: 9a33b369 usb-fuzzer: main usb gadget fuzzer driver
> &
On Wed, Jul 17, 2019 at 1:58 PM Jason Gunthorpe wrote:
>
> On Wed, Jul 17, 2019 at 01:44:07PM +0200, Andrey Konovalov wrote:
> > On Tue, Jul 16, 2019 at 2:06 PM Jason Gunthorpe wrote:
> > >
> > > On Tue, Jul 16, 2019 at 12:42:07PM +0200, Andrey Konovalov wrote:
>
eodev() is called by hdpvr_probe at last.
>> So no need to flush any work here.
>> Unregister v4l2, free buffers and memory if hdpvr_probe() fails.
>>
>> Signed-off-by: Arvind Yadav
>> Reported-by: Andrey Konovalov
>> Tested-by: Andrey Konovalov
>
>
On Thu, Nov 23, 2017 at 8:25 AM, Matthias Schwarzott wrote:
> On 21.11.2017 at 14:51, Andrey Konovalov wrote:
>> Hi!
>>
> Hi Andrey,
>
>> I've got the following report while fuzzing the kernel with syzkaller.
>>
>> On commit e1d1ea549b57790a3d8cf6300
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit e1d1ea549b57790a3d8cf6300e6ef86118d692a3 (4.15-rc1).
em28xx 1-1:9.0: Disconnecting
tc90522 1-0015: Toshiba TC90522 attached.
qm1d1c0042 2-0061: Sharp QM1D1C0042 attached.
dvbdev: DVB: registering new adapter (1-
On Fri, Nov 10, 2017 at 6:35 PM, Gustavo A. R. Silva wrote:
>
> Quoting Andrey Konovalov :
>
>> On Fri, Nov 10, 2017 at 1:21 AM, Gustavo A. R. Silva wrote:
>>>
>>> Hi Andrey,
>>>
>>> Could you please try this patch?
>>>
>>
On Fri, Nov 10, 2017 at 1:21 AM, Gustavo A. R. Silva wrote:
> Hi Andrey,
>
> Could you please try this patch?
>
> Thank you
Hi Gustavo,
With your patch I get a different crash. Not sure if it's another bug
or the same one manifesting differently.
au0828: recv_control_msg() Failed receiving cont
fb fb fb fb fb fb fb fb fb fb fb fb
======
> ---
> This bug report by Andrey Konovalov "net/media/em28xx: use-after-free in
> v4l2_fh_init"
>
> drivers/media/usb/em28xx/em28xx-video.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> d
e trying to do though and I'd say a better patch would
be to reset the UVC_TERM_INPUT flag or fail when this flag is set. But
it's up to maintainers.
Thanks!
>
>
> On Monday, November 6, 2017 at 8:27:23 AM UTC-5, Andrey Konovalov wrote:
>>
>> Hi!
>>
>> I
On Tue, Nov 7, 2017 at 11:31 AM, Mauro Carvalho Chehab wrote:
> On Mon, 23 Oct 2017 20:58:09 +0200
> Matthias Schwarzott wrote:
>
>> On 23.10.2017 at 16:41, Andrey Konovalov wrote:
>> > Hi!
>> >
>> > I've got the following report while fuzzing
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 39dae59d66acd86d1de24294bd2f343fd5e7a625 (4.14-rc8).
It seems that type == UVC_ITT_CAMERA | 0x8000, that's why the (type ==
UVC_ITT_CAMERA) check fails and (UVC_ENTITY_TYPE(term) ==
UVC_ITT_CAMERA) passes, so le
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 39dae59d66acd86d1de24294bd2f343fd5e7a625 (4.14-rc8).
usb 1-1: USB disconnect, device number 11
tm6000: disconnecting tm6000 #0
xc2028 0-0061: destroying instance
=
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 39dae59d66acd86d1de24294bd2f343fd5e7a625 (4.14-rc8).
It seems that there's no check of the received buffer length in
technisat_usb2_get_ir().
==
B
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 3a99df9a3d14cd866b5516f8cba515a3bfd554ab (4.14-rc7+).
The report is a little confusing, as the top stack frame is not
actually present. As far as my debugging showed, the NULL pointer
that's being executed actua
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 3a99df9a3d14cd866b5516f8cba515a3bfd554ab (4.14-rc7+).
em28xx 1-1:0.0: analog set to bulk mode.
em28xx 1-1:0.0: Registering V4L2 extension
usb 1-1: USB disconnect, device number 39
em28xx 1-1:0.0: Disconnecting
e
On Fri, Nov 3, 2017 at 3:44 PM, Andrey Konovalov wrote:
> Hi!
>
> I've got the following report while fuzzing the kernel with syzkaller.
>
> On commit 3a99df9a3d14cd866b5516f8cba515a3bfd554ab (4.14-rc7+).
>
> em28xx 1-1:2.0: New device a @ 480 Mbps (eb1a:2801, interfac
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 3a99df9a3d14cd866b5516f8cba515a3bfd554ab (4.14-rc7+).
pvrusb2: Hardware description: OnAir Creator Hybrid USB tuner
pvrusb2: Invalid write control endpoint
...
pvrusb2: Invalid write control endpoint
pvrusb2: Mo
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 3a99df9a3d14cd866b5516f8cba515a3bfd554ab (4.14-rc7+).
em28xx 1-1:2.0: New device a @ 480 Mbps (eb1a:2801, interface 0, class 0)
em28xx 1-1:2.0: Audio interface 0 found (Vendor Class)
em28xx 1-1:2.0: chip ID is
24 48 89 c7 e8 48 ea ff ff bf 01 00 00 00 e8
de 20 e3 ff 65 8b 05 b7 2f c2 7e 85 c0 75 c9 e8 f9 0b c1 ff eb c2 <0f>
0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 b8 00 00
RIP: symbol_put_addr+0x54/0x60 RSP: 88006a7ce210
---[ end trace b75b357739e7e116 ]---
Signed-off-by: Andr
On Thu, Nov 2, 2017 at 2:52 PM, Andrey Konovalov wrote:
> As syzkaller detected, pvrusb2 driver submits bulk urb without checking
> that the endpoint type is actually bulk. Add a check.
>
> usb 1-1: BOGUS urb xfer, pipe 3 != type 1
> [ cut here ]
> W
ff ff 48 8d b8 98 00 00 00 e8 ee 82 89 fe 45 89
e8 44 89 f1 4c 89 fa 48 89 c6 48 c7 c7 40 c0 ea 86 e8 30 1b dc fc <0f>
ff e9 9b f7 ff ff e8 aa 95 25 fd e9 80 f7 ff ff e8 50 74 f3
---[ end trace 6919030503719da6 ]---
Signed-off-by: Andrey Konovalov
---
drivers/media/usb/pvrusb2/pvrusb2-hdw.
contain the commit that seems
to have caused the bug (ead666000a5fe34bdc82d61838e4df2d416ea15e).
Thanks!
>
> Signed-off-by: Arvind Yadav
> ---
> This bug report by Andrey Konovalov (usb/media/dtt200u: use-after-free
> in __dvb_frontend_free).
>
> drivers/media/dvb-core/d
On Mon, Oct 23, 2017 at 8:58 PM, Matthias Schwarzott wrote:
> On 23.10.2017 at 16:41, Andrey Konovalov wrote:
>> Hi!
>>
>> I've got the following report while fuzzing the kernel with syzkaller.
>>
>> On commit 3e0cc09a3a2c40ec1ffb6b4e12da86e98feccb11 (4.14-r
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 3e0cc09a3a2c40ec1ffb6b4e12da86e98feccb11 (4.14-rc5+).
au0828: recv_control_msg() Failed receiving control message, error -71.
au0828: recv_control_msg() Failed receiving control message, error -71.
au0828: recv_
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 3e0cc09a3a2c40ec1ffb6b4e12da86e98feccb11 (4.14-rc5+).
usb 1-1: New USB device found, idVendor=2040, idProduct=c602
usb 1-1: New USB device strings: Mfr=0, Product=1, SerialNumber=0
usb 1-1: Product: a
usb 1-1: d
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 3e0cc09a3a2c40ec1ffb6b4e12da86e98feccb11 (4.14-rc5+).
dvb-usb: found a 'WideView WT-220U PenType Receiver (based on ZL353)'
in warm state.
dvb-usb: bulk message failed: -22 (2/1102416563)
dvb-usb: will use the d
On Mon, Oct 9, 2017 at 8:14 PM, Arvind Yadav wrote:
> It seems that the return value of usb_ifnum_to_if() can be NULL and
> needs to be checked.
Hi Arvind,
Your patch fixes the issue.
Thanks!
Tested-by: Andrey Konovalov
>
> Signed-off-by: Arvind Yadav
> ---
> This bu
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 8a5776a5f49812d29fe4b2d0a2d71675c3facf3f (4.14-rc4).
It seems that the return value of usb_ifnum_to_if() can be NULL and
needs to be checked.
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NUL
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 8a5776a5f49812d29fe4b2d0a2d71675c3facf3f (4.14-rc4).
It seems that imon_ir_raw doesn't have the .key_table initializer,
which causes out-of-bounds access when iterating over the key table.
=
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 9e66317d3c92ddaab330c125dfe9d06eee268aff (4.14-rc3).
uvcvideo: Found UVC 0.00 device a (2833:0201)
uvcvideo 1-1:3.92: Entity type for entity Output 2 was not initialized!
[ cut here ]
ker
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 9e66317d3c92ddaab330c125dfe9d06eee268aff (4.14-rc3).
usb 1-1: config 48 interface 0 altsetting 0 endpoint 0x4 has invalid
maxpacket 1956, setting to 64
usb 1-1: New USB device found, idVendor=0573, idProduct=4d3
On Wed, Sep 27, 2017 at 8:38 PM, arvind wrote:
>
>
> On Wednesday 27 September 2017 05:47 PM, Andrey Konovalov wrote:
>
> On Wed, Sep 27, 2017 at 2:00 PM, Andrey Konovalov wrote:
>
> On Wed, Sep 27, 2017 at 11:21 AM, Arvind Yadav wrote:
>
> If CONFIG_MEDIA
fb fb fb fb fb
==
Thanks!
> ---
> This bug report by Andrey Konovalov "usb/media/smsusb: use-after-free in
> worker_thread".
> changes in v2 :
> call flush_work() in smsusb_stop_streaming().
>
> drivers/media/
On Wed, Sep 27, 2017 at 2:00 PM, Andrey Konovalov wrote:
> On Wed, Sep 27, 2017 at 11:21 AM, Arvind Yadav wrote:
>> If CONFIG_MEDIA_CONTROLLER_DVB is enabled, we are not releasing the
>> media device and memory on any failure or device disconnect.
>>
>> Adding st
fb fb fb fb fb fb
88006a2b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
======
> ---
> This bug report by Andrey Konovalov "usb/media/smsusb: use-after-free in
> worker_thread".
>
> drivers/media/u
emory access
> general protection fault: 0000 [#1] PREEMPT SMP KASAN
>
> Reported-by: Andrey Konovalov
> Signed-off-by: Malcolm Priestley
Tested-by: Andrey Konovalov
These 2 patches fix the crash with the reproducer that I have.
Thanks!
> ---
> drivers/media/usb/dvb-usb-
On Tue, Sep 26, 2017 at 2:50 PM, Laurent Pinchart wrote:
> Hi Andrey,
>
> On Tuesday, 26 September 2017 15:41:45 EEST Andrey Konovalov wrote:
>> On Tue, Sep 26, 2017 at 10:43 AM, Laurent Pinchart wrote:
>> > On Monday, 25 September 2017 15:40:13 EEST Andrey K
On Tue, Sep 26, 2017 at 10:43 AM, Laurent Pinchart wrote:
> Hi Andrey,
>
> On Monday, 25 September 2017 15:40:13 EEST Andrey Konovalov wrote:
>> Hi!
>>
>> I've got the following report while fuzzing the kernel with syzkaller.
>
> Th
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit e19b205be43d11bff638cad4487008c48d21c103 (4.14-rc2).
It seems that there's no check on the actual number of endpoints.
usb 1-1: New USB device strings: Mfr=212, Product=0, SerialNumber=6
usb 1-1: Manufacturer:
On Mon, Sep 25, 2017 at 3:30 PM, Malcolm Priestley wrote:
>
>
> On 25/09/17 13:39, Andrey Konovalov wrote:
>>
>> Hi!
>>
>> I've got the following report while fuzzing the kernel with syzkaller.
>>
>> On commit e19b205be43d11bff638cad4487008c48d21
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit e19b205be43d11bff638cad4487008c48d21c103 (4.14-rc2).
list_add double add: new=880069084010, prev=880069084010,
next=880067d22298.
[ cut here ]
WARNING: CPU: 1 PID: 1846 at lib
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit e19b205be43d11bff638cad4487008c48d21c103 (4.14-rc2).
usb 1-1: new full-speed USB device number 2 using dummy_hcd
gadgetfs: connected
gadgetfs: disconnected
gadgetfs: connected
usb 1-1: config 63 interface 0 alts
On Fri, Sep 22, 2017 at 3:09 PM, Arvind Yadav wrote:
> Hi Andrey,
>
>
> On Friday 22 September 2017 05:16 PM, Andrey Konovalov wrote:
>>
>> On Fri, Sep 22, 2017 at 9:41 AM, Arvind Yadav wrote:
>>>
>>> Hi,
>>>
>>> I ha
> Unregister v4l2, free buffers and memory if hdpvr_probe() fails.
>
> Signed-off-by: Arvind Yadav
Reported-by: Andrey Konovalov
Thanks, this fixes the crash!
Tested-by: Andrey Konovalov
> ---
> drivers/media/usb/hdpvr/hdpvr-core.c | 26 +++---
>
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
==
BUG: KASAN: use-after-free in v4l2_ctrl_handler_free+0x9e1/0x9f0
Read of size 8 at addr 8
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
dib0700: stk7070p_frontend_attach: state->dib7000p_ops.i2c_enumeration
failed. Cannot continue
[ cut here ]
kernel BUG at kernel/module
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
usb 1-1: new full-speed USB device number 2 using dummy_hcd
gadgetfs: connected
gadgetfs: disconnected
gadgetfs: connected
usb 1-1: config 225 has an invalid in
nitialized.
Could you send a fix?
I'm able to reproduce the issue, so I can test your patches if needed.
Thanks!
>
>
> On Thursday 21 September 2017 09:09 PM, Andrey Konovalov wrote:
>>
>> Hi!
>>
>> I've got the following report while fuzzing the kernel wit
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
INFO: trying to register non-static key.
the code is fine but needs lockdep annotation.
turning off the locking correctness validator.
CPU: 0 PID: 24 Comm: kwor
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
smsusb:smsusb_probe: board id=1, interface number 0
smsusb:siano_media_device_register: media controller created
smsusb:smsusb1_detectmode: product string not f
river")
> Cc: stable # 2.6.30
> Cc: Sri Deevi
> Reported-by: Andrey Konovalov
> Signed-off-by: Johan Hovold
Tested-by: Andrey Konovalov
Thanks!
> ---
> drivers/media/usb/cx231xx/cx231xx-cards.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> di
leads
to being able to do a DMA attack. But sure, exploitable bugs in
PCI-Express device drivers would be a viable attack vector for systems
with proper IOMMU support. Same goes for any other hot-pluggable
externally accessible port/protocol.
>
> -Mike
[1] https://int3.cc/products/face
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
There seems to be no check on endpoint type before submitting bulk urb
in pvr2_send_request_ex().
usb 1-1: New USB device found, idVendor=2040, idProduct=7500
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
The null-ptr-deref happens on
dev->udev->ep_in[1]->desc.wMaxPacketSize. There seems to be no check
on the number of endpoints.
usb 1-1: New USB device found, i
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
The null-ptr-deref happens on assoc_desc->bFirstInterface, where
assoc_desc = udev->actconfig->intf_assoc[0]. There seems to be no
check that the device actuall