syzbot

 sign-in | mailing list | source | docs
🐞 Open [1486]
Subsystems
🐞 Fixed [6521]
🐞 Invalid [16597]
Missing Backports [204]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

UBSAN: shift-out-of-bounds in s32ton (2)

Status: upstream: reported C repro on 2025/07/14 17:10
Subsystems: input usb
[Documentation on labels]
Reported-by: syzbot+b63d677d63bcac06cf90@syzkaller.appspotmail.com
Fix commit: a6b87bfc2ab5 HID: core: Harden s32ton() against conversion to 0 bits
Patched on: [ci-qemu-gce-upstream-auto ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-qemu2-riscv64 ci-snapshot-upstream-root ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-arm64 ci-upstream-gce-leak ci-upstream-kasan-badwrites-root ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kmsan-gce-386-root ci-upstream-kmsan-gce-root ci-upstream-linux-next-kasan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci-upstream-rust-kasan-gce ci2-upstream-fs ci2-upstream-kcsan-gce ci2-upstream-usb], missing on: [ci-qemu-native-arm64-kvm ci-upstream-kasan-gce-smack-root]
First crash: 38d, last: 30d
Discussions (2)
Title Replies (including bot) Last reply
[syzbot] [input?] [usb?] UBSAN: shift-out-of-bounds in s32ton (2) 11 (18) 2025/07/25 11:46
[PATCH] HID: core: Reject report fields with a size or count of 0 9 (9) 2025/07/23 14:37
Similar bugs (2)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream UBSAN: shift-out-of-bounds in s32ton input usb -1 18 177d 282d 0/29 auto-obsoleted due to no activity on 2025/05/23 12:14
android-6-12 UBSAN: shift-out-of-bounds in s32ton origin:upstream -1 C 1 23d 37d 0/1 premoderation: reported C repro on 2025/07/14 11:42
Last patch testing requests (6)
Created Duration User Patch Repo Result
2025/07/21 14:37 28m stern@rowland.harvard.edu patch git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git c2ca42f190b6 OK log
2025/07/17 15:10 27m stern@rowland.harvard.edu patch git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git c2ca42f190b6 OK log
2025/07/16 14:29 19m stern@rowland.harvard.edu patch git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git c2ca42f1 report log
2025/07/15 19:29 19m stern@rowland.harvard.edu patch git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git c2ca42f190b6 report log
2025/07/14 19:48 17m stern@rowland.harvard.edu git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git c2ca42f190b6 report log
2025/07/14 18:38 0m stern@rowland.harvard.edu https://git.kernel.org/pub/scm/linux/kernel/git/hid.git c2ca42f190b6 error

Sample crash report:
usb 1-1: config 0 descriptor??
microsoft 0003:045E:07DA.0001: ignoring exceeding usage max
microsoft 0003:045E:07DA.0001: unsupported Resolution Multiplier 0
------------[ cut here ]------------
UBSAN: shift-out-of-bounds in drivers/hid/hid-core.c:69:16
shift exponent 4294967295 is too large for 32-bit type '__s32' (aka 'int')
CPU: 1 UID: 0 PID: 24 Comm: kworker/1:0 Not tainted 6.16.0-rc6-next-20250714-syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 ubsan_epilogue+0xa/0x40 lib/ubsan.c:233
 __ubsan_handle_shift_out_of_bounds+0x386/0x410 lib/ubsan.c:494
 s32ton+0xde/0x140 drivers/hid/hid-core.c:69
 hid_output_field drivers/hid/hid-core.c:1842 [inline]
 hid_output_report+0x419/0x790 drivers/hid/hid-core.c:1874
 __hid_request+0x14a/0x420 drivers/hid/hid-core.c:1997
 hidinput_change_resolution_multipliers drivers/hid/hid-input.c:1950 [inline]
 hidinput_connect+0x218a/0x3030 drivers/hid/hid-input.c:2327
 hid_connect+0x499/0x19a0 drivers/hid/hid-core.c:2248
 hid_hw_start+0xa8/0x120 drivers/hid/hid-core.c:2366
 ms_probe+0x180/0x430 drivers/hid/hid-microsoft.c:391
 __hid_device_probe drivers/hid/hid-core.c:2736 [inline]
 hid_device_probe+0x3a0/0x710 drivers/hid/hid-core.c:2773
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26d/0x9e0 drivers/base/dd.c:659
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:801
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:831
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:959
 bus_for_each_drv+0x24e/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1031
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3689
 hid_add_device+0x398/0x540 drivers/hid/hid-core.c:2919
 usbhid_probe+0xe13/0x12a0 drivers/hid/usbhid/hid-core.c:1435
 usb_probe_interface+0x637/0xbf0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26d/0x9e0 drivers/base/dd.c:659
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:801
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:831
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:959
 bus_for_each_drv+0x24e/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1031
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3689
 usb_set_configuration+0x1a87/0x20e0 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
 usb_probe_device+0x1c1/0x390 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26d/0x9e0 drivers/base/dd.c:659
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:801
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:831
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:959
 bus_for_each_drv+0x24e/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1031
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3689
 usb_new_device+0xa39/0x16f0 drivers/usb/core/hub.c:2694
 hub_port_connect drivers/usb/core/hub.c:5566 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
 port_event drivers/usb/core/hub.c:5866 [inline]
 hub_event+0x2941/0x4a00 drivers/usb/core/hub.c:5948
 process_one_work kernel/workqueue.c:3239 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3322
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3403
 kthread+0x70e/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
---[ end trace ]---

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/07/15 10:31 linux-next 0be23810e32e 03fcfc4b .config strace log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-rust-kasan-gce UBSAN: shift-out-of-bounds in s32ton
2025/07/13 22:47 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing b4b4dbfa96de 3cda49cf .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci2-upstream-usb UBSAN: shift-out-of-bounds in s32ton
2025/07/18 00:36 upstream e2291551827f 0d1223f1 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce UBSAN: shift-out-of-bounds in s32ton
2025/07/21 17:14 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing a83c371c4b6c 56d87229 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-usb UBSAN: shift-out-of-bounds in s32ton
* Struck through repros no longer work on HEAD.