[Linux-kernel-mentees] Syzbot analysis; KASAN: null-ptr-deref Read in zr364xx_vidioc_querycap

Hans Verkuil hverkuil at xs4all.nl
Tue May 21 12:01:21 UTC 2019


Hi Vandana,

Sorry for the late reply, it appears that I missed this one.

On 5/11/19 9:44 AM, Vandana BN wrote:
> This is a NULL pointer dereference bug in the USB_ZR364XX driver.
> 
> KASAN: null-ptr-deref Read in zr364xx_vidioc_querycap <https://syzkaller.appspot.com/bug?id=9c0c178c24d828a7378f483309001329750aad64>
> 
> 
> The ioctl vidioc_querycap() is used to get the capability of the driver and hardware.
> The USB_ZR364XX driver registers zr364xx_vidioc_querycap() as the .vidioc_querycap function, which is part of v4l2_ioctl_ops in v4l2.
> When VIDIOC_QUERYCAP ioctl is called, the below function path is traversed
> 
>  v4l2_ioctl()->video_usercopy()->__video_do_ioctl()->v4l_querycap()->zr364xx_vidioc_querycap()
> 
> which further calls the below functions
> 
>   strcpy()->read_word_at_a_time()->kasan_check_read()->check_memory_region()->check_memory_region_inline->kasan_report().
> 
> In function check_memory_region(), if the input addr is not valid, that is,
> if addr is greater than KASAN_SHADOW_START which is VA_START - the first kernel virtual address,
> then kasan_report() gets called, which prints the stack seen in the bug report via dump_stack().
> 
> The stack trace in the bug points at below line in zr364xx_vidioc_querycap()
> 
> "706 strscpy(cap->card, cam->udev->product, sizeof(cap->card));"
> 
> The bug report has the below line which tells that the addr which is src (cam->udev->product) in the above strcpy() is NULL.
> 
> "Read of size 1 at addr 0000000000000000 by task v4l_id/5287"
> 
> So, for this device the Product is not initialized and accessing it causes a NULL pointer deref.
> 
> Also, in usb.h in comment on struct usb_device it says
> "@product: iProduct string, if present (static)" .
> I deduce that product can be NULL from this, and all other places where udev->product is accessed do a NULL check before accessing it.
> 
> The fix would be to check for NULL before strcpy and/or copy DRIVER_DESC or "zr364xx" to cap->card instead in zr364xx_vidioc_querycap().

Can you post a patch fixing this? If udev->product == NULL, then just set cap->card
to an empty string.

Regards,

	Hans

> 
> I could not reproduce this as I don't have the device to test it.
> 
> Please let me know your feedback.
> 
> Thanks,
> 
> Vandana.
> 
> 
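An added example, not Vandana's, Hans's or the driver's own code: a userspace model of the fix Hans suggests, built on constructed stand-ins for struct usb_device, struct zr364xx_camera and struct v4l2_capability and a stand-in strscpy(), so that a missing iProduct string yields an empty card name instead of a NULL read.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins for the kernel structures involved; the real ones
 * have many more fields. The 'card' size follows struct v4l2_capability. */
struct usb_device_stub {
	const char *product;	/* iProduct string, if present (may be NULL) */
};
struct zr364xx_camera_stub {
	struct usb_device_stub *udev;
};
struct v4l2_capability_stub {
	char card[32];
};

/* Userspace approximation of the kernel strscpy(): always NUL-terminates and
 * returns bytes copied, or -7 (-E2BIG) on truncation. Like the real one it
 * reads src unconditionally, so a NULL udev->product is a NULL read. */
static long strscpy_stub(char *dst, const char *src, size_t size)
{
	size_t len = 0;
	if (size == 0)
		return -7;
	while (len < size && src[len] != '\0')
		len++;
	if (len == size) {		/* no room for the terminator: truncate */
		memcpy(dst, src, size - 1);
		dst[size - 1] = '\0';
		return -7;
	}
	memcpy(dst, src, len + 1);
	return (long)len;
}

/* Hardened card-name fill, mirroring Hans's suggestion: if the descriptor
 * string is absent, report an empty card name instead of dereferencing
 * NULL. Returns 1 when the fallback was taken, 0 otherwise (a stub return
 * for checking; the real ioctl handler simply returns 0). */
int zr364xx_fill_card_name(struct v4l2_capability_stub *cap,
			   const struct zr364xx_camera_stub *cam)
{
	if (cam->udev->product) {
		strscpy_stub(cap->card, cam->udev->product, sizeof(cap->card));
		return 0;
	}
	cap->card[0] = '\0';
	return 1;
}
```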
