Extracting prog: 2m15.55675413s
Minimizing prog: 11m0.162730121s
Simplifying prog options: 0s
Extracting C: 1m12.323995955s
Simplifying C: 8m8.871517566s
extracting reproducer from 1 programs
testing a last program of every proc
single: executing 1 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x23b, &(0x7f0000000280)={{0x12, 0x1, 0x201, 0x22, 0x8f, 0xe7, 0x20, 0x80e, 0x4eb9, 0xd7f6, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x229, 0x2, 0x1, 0x74, 0xb0, 0x40, [{{0x9, 0x4, 0xaa, 0x5, 0x5, 0x3, 0xe9, 0x1e, 0x1, [@uac_as={[@as_header={0x7, 0x24, 0x1, 0x1, 0x81, 0x1005}, @format_type_i_discrete={0x8, 0x24, 0x2, 0x1, 0x80, 0x3, 0x0, 0x6}, @format_type_i_discrete={0x8, 0x24, 0x2, 0x1, 0x1, 0x2, 0x81, 0x5}, @format_type_ii_discrete={0x9, 0x24, 0x2, 0x2, 0x2, 0x2d, 0x6}, @as_header={0x7, 0x24, 0x1, 0x1, 0x0, 0x3}, @format_type_i_continuous={0x8, 0x24, 0x2, 0x1, 0x1, 0x4, 0x63, 0x7}]}], [{{0x9, 0x5, 0xc, 0x10, 0x10, 0x8, 0x7, 0x7, [@generic={0x5b, 0x21, "1b54e5d373854de7f55fab03597e302bd4b089efdaa8f4bde6c5789f178a9e5c7e7dee400eb4abe57cd84c0473000e898a048b82a7e5aa32d8323ab0fe59d5e872a7fa6302bed4075e185016850cea8588c43e9d88d0270cb9"}]}}, {{0x9, 0x5, 0x2, 0x1, 0x10, 0x81, 0x1, 0x33, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x9e, 0x1}]}}, {{0x9, 0x5, 0x4, 0x0, 0x40, 0x9, 0x7, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x9, 0x9}]}}, {{0x9, 0x5, 0x4, 0x8, 0x20, 0x42, 0x20, 0x4, [@generic={0xc3, 0x5, "8257e51b21dc7d946f737d6e65aabaf964cb2653edba497665c80d258b84dbbfffba9155ac99f9d2b0955f8d12f39455f56076d8f30fc6142c73131543b9d993054c744af968ae669a760b20652a3489272767078ac09be24b0a62af6fd95decc4acc9ea5f1285b12859aa66d202dca715b17320989318169e74450d57a7639791c4f1e650ce38fb4c0a231edadc56e868ddeb5fedb9c32f7423bed8736847753cf2be2a710d76c94e24acb483e82b4abef8b371d0a89812e60b7477758aad3e85"}, @generic={0x2, 0xf}]}}, {{0x9, 0x5, 0x4, 0xc, 0x40, 0x1, 0x81, 0x81, [@uac_iso={0x7, 0x25, 0x1, 0x3, 0x45, 0x1}, @generic={0x2, 0x31}]}}]}}, {{0x9, 0x4, 0xea, 0x1, 0x3, 0xbe, 0x54, 0x96, 0x9, [@cdc_ecm={{0x5}, {0x5, 0x24, 0x0, 0x2}, {0xd, 0x24, 0xf, 0x1, 0x9, 0x3ff, 0x1, 0x9}, [@acm={0x4, 0x24, 0x2, 0xd}, @mdlm={0x15, 0x24, 0x12, 0x9}, @mbim={0xc, 0x24, 0x1b, 0x4, 0x80, 0x7, 0x0, 0x4, 0x3}, @dmm={0x7, 0x24, 0x14, 0x4, 0x2}, @mdlm_detail={0x4, 0x24, 0x13, 0xad}]}], [{{0x9, 0x5, 0x8, 0xc, 0x400, 0x0, 0x2b, 0xe1, [@generic={0x2, 0x22}, @generic={0x2, 0x10}]}}, {{0x9, 0x5, 0x80, 0x0, 0x20, 0x6, 0x7f, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0xfb, 0x4022}, @uac_iso={0x7, 0x25, 0x1, 0x1, 0x20}]}}, {{0x9, 0x5, 0xc, 0x0, 0x400, 0x60, 0x9b, 0x4, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0xff, 0x3f91}]}}]}}]}}]}}, &(0x7f0000000840)={0x0, 0x0, 0x0, 0x0, 0x3, [{0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0}]})
program crashed: UBSAN: array-index-out-of-bounds in usbhid_parse
single: successfully extracted reproducer
found reproducer with 1 syscalls
minimizing guilty program
testing program (duration=1m3.291582267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x0, 0x0, &(0x7f0000000840)={0x0, 0x0, 0x0, 0x0, 0x3, [{0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0}]})
program did not crash
testing program (duration=1m3.291582267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x20b, &(0x7f0000000280)={{0x12, 0x1, 0x201, 0x22, 0x8f, 0xe7, 0x20, 0x80e, 0x4eb9, 0xd7f6, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1f9, 0x2, 0x1, 0x74, 0xb0, 0x40, [{{0x9, 0x4, 0xaa, 0x5, 0x5, 0x3, 0xe9, 0x1e, 0x1, [@uac_as={[@as_header={0x7, 0x24, 0x1, 0x1, 0x81, 0x1005}, @format_type_i_discrete={0x8, 0x24, 0x2, 0x1, 0x80, 0x3, 0x0, 0x6}, @format_type_i_discrete={0x8, 0x24, 0x2, 0x1, 0x1, 0x2, 0x81, 0x5}, @format_type_ii_discrete={0x9, 0x24, 0x2, 0x2, 0x2, 0x2d, 0x6}, @as_header={0x7, 0x24, 0x1, 0x1, 0x0, 0x3}, @format_type_i_continuous={0x8, 0x24, 0x2, 0x1, 0x1, 0x4, 0x63, 0x7}]}], [{{0x9, 0x5, 0xc, 0x10, 0x10, 0x8, 0x7, 0x7, [@generic={0x5b, 0x21, "1b54e5d373854de7f55fab03597e302bd4b089efdaa8f4bde6c5789f178a9e5c7e7dee400eb4abe57cd84c0473000e898a048b82a7e5aa32d8323ab0fe59d5e872a7fa6302bed4075e185016850cea8588c43e9d88d0270cb9"}]}}, {{0x9, 0x5, 0x2, 0x1, 0x10, 0x81, 0x1, 0x33, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x9e, 0x1}]}}, {{0x9, 0x5, 0x4, 0x0, 0x40, 0x9, 0x7, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x9, 0x9}]}}, {{0x9, 0x5, 0x4, 0x8, 0x20, 0x42, 0x20, 0x4, [@generic={0xc3, 0x5, "8257e51b21dc7d946f737d6e65aabaf964cb2653edba497665c80d258b84dbbfffba9155ac99f9d2b0955f8d12f39455f56076d8f30fc6142c73131543b9d993054c744af968ae669a760b20652a3489272767078ac09be24b0a62af6fd95decc4acc9ea5f1285b12859aa66d202dca715b17320989318169e74450d57a7639791c4f1e650ce38fb4c0a231edadc56e868ddeb5fedb9c32f7423bed8736847753cf2be2a710d76c94e24acb483e82b4abef8b371d0a89812e60b7477758aad3e85"}, @generic={0x2, 0xf}]}}, {{0x9, 0x5, 0x4, 0xc, 0x40, 0x1, 0x81, 0x81, [@uac_iso={0x7, 0x25, 0x1, 0x3, 0x45, 0x1}, @generic={0x2, 0x31}]}}]}}, {{0x9, 0x4, 0xea, 0x1, 0x3, 0xbe, 0x54, 0x96, 0x9, [@cdc_ecm={{0x5}, {0x5, 0x24, 0x0, 0x2}, {0xd, 0x24, 0xf, 0x1, 0x9, 0x3ff, 0x1, 0x9}}], [{{0x9, 0x5, 0x8, 0xc, 0x400, 0x0, 0x2b, 0xe1, [@generic={0x2, 0x22}, @generic={0x2, 0x10}]}}, {{0x9, 0x5, 0x80, 0x0, 0x20, 0x6, 0x7f, 0x5, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0xfb, 0x4022}, @uac_iso={0x7, 0x25, 0x1, 0x1, 0x20}]}}, {{0x9, 0x5, 0xc, 0x0, 0x400, 0x60, 0x9b, 0x4, [@uac_iso={0x7, 0x25, 0x1, 0x2, 0xff, 0x3f91}]}}]}}]}}]}}, &(0x7f0000000840)={0x0, 0x0, 0x0, 0x0, 0x3, [{0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0}]})
program crashed: UBSAN: array-index-out-of-bounds in usbhid_parse
testing program (duration=1m3.291582267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x1d7, &(0x7f0000000280)={{0x12, 0x1, 0x201, 0x22, 0x8f, 0xe7, 0x20, 0x80e, 0x4eb9, 0xd7f6, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1c5, 0x2, 0x1, 0x74, 0xb0, 0x40, [{{0x9, 0x4, 0xaa, 0x5, 0x5, 0x3, 0xe9, 0x1e, 0x1, [@uac_as={[@as_header={0x7, 0x24, 0x1, 0x1, 0x81, 0x1005}, @format_type_i_discrete={0x8, 0x24, 0x2, 0x1, 0x80, 0x3, 0x0, 0x6}, @format_type_i_discrete={0x8, 0x24, 0x2, 0x1, 0x1, 0x2, 0x81, 0x5}, @format_type_ii_discrete={0x9, 0x24, 0x2, 0x2, 0x2, 0x2d, 0x6}, @as_header={0x7, 0x24, 0x1, 0x1, 0x0, 0x3}, @format_type_i_continuous={0x8, 0x24, 0x2, 0x1, 0x1, 0x4, 0x63, 0x7}]}], [{{0x9, 0x5, 0xc, 0x10, 0x10, 0x8, 0x7, 0x7, [@generic={0x5b, 0x21, "1b54e5d373854de7f55fab03597e302bd4b089efdaa8f4bde6c5789f178a9e5c7e7dee400eb4abe57cd84c0473000e898a048b82a7e5aa32d8323ab0fe59d5e872a7fa6302bed4075e185016850cea8588c43e9d88d0270cb9"}]}}, {{0x9, 0x5, 0x2, 0x1, 0x10, 0x81, 0x1, 0x33, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x9e, 0x1}]}}, {{0x9, 0x5, 0x4, 0x0, 0x40, 0x9, 0x7, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x9, 0x9}]}}, {{0x9, 0x5, 0x4, 0x8, 0x20, 0x42, 0x20, 0x4, [@generic={0xc3, 0x5, "8257e51b21dc7d946f737d6e65aabaf964cb2653edba497665c80d258b84dbbfffba9155ac99f9d2b0955f8d12f39455f56076d8f30fc6142c73131543b9d993054c744af968ae669a760b20652a3489272767078ac09be24b0a62af6fd95decc4acc9ea5f1285b12859aa66d202dca715b17320989318169e74450d57a7639791c4f1e650ce38fb4c0a231edadc56e868ddeb5fedb9c32f7423bed8736847753cf2be2a710d76c94e24acb483e82b4abef8b371d0a89812e60b7477758aad3e85"}, @generic={0x2, 0xf}]}}, {{0x9, 0x5, 0x4, 0xc, 0x40, 0x1, 0x81, 0x81, [@uac_iso={0x7, 0x25, 0x1, 0x3, 0x45, 0x1}, @generic={0x2, 0x31}]}}]}}, {{0x9, 0x4, 0xea, 0x1, 0x0, 0xbe, 0x54, 0x96, 0x9, [@cdc_ecm={{0x5}, {0x5, 0x24, 0x0, 0x2}, {0xd, 0x24, 0xf, 0x1, 0x9, 0x3ff, 0x1, 0x9}}]}}]}}]}}, &(0x7f0000000840)={0x0, 0x0, 0x0, 0x0, 0x3, [{0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0}]})
program crashed: UBSAN: array-index-out-of-bounds in usbhid_parse
testing program (duration=1m3.291582267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x1a8, &(0x7f0000000280)={{0x12, 0x1, 0x201, 0x22, 0x8f, 0xe7, 0x20, 0x80e, 0x4eb9, 0xd7f6, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x196, 0x2, 0x1, 0x74, 0xb0, 0x40, [{{0x9, 0x4, 0xaa, 0x5, 0x5, 0x3, 0xe9, 0x1e, 0x1, [@uac_as], [{{0x9, 0x5, 0xc, 0x10, 0x10, 0x8, 0x7, 0x7, [@generic={0x5b, 0x21, "1b54e5d373854de7f55fab03597e302bd4b089efdaa8f4bde6c5789f178a9e5c7e7dee400eb4abe57cd84c0473000e898a048b82a7e5aa32d8323ab0fe59d5e872a7fa6302bed4075e185016850cea8588c43e9d88d0270cb9"}]}}, {{0x9, 0x5, 0x2, 0x1, 0x10, 0x81, 0x1, 0x33, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x9e, 0x1}]}}, {{0x9, 0x5, 0x4, 0x0, 0x40, 0x9, 0x7, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x9, 0x9}]}}, {{0x9, 0x5, 0x4, 0x8, 0x20, 0x42, 0x20, 0x4, [@generic={0xc3, 0x5, "8257e51b21dc7d946f737d6e65aabaf964cb2653edba497665c80d258b84dbbfffba9155ac99f9d2b0955f8d12f39455f56076d8f30fc6142c73131543b9d993054c744af968ae669a760b20652a3489272767078ac09be24b0a62af6fd95decc4acc9ea5f1285b12859aa66d202dca715b17320989318169e74450d57a7639791c4f1e650ce38fb4c0a231edadc56e868ddeb5fedb9c32f7423bed8736847753cf2be2a710d76c94e24acb483e82b4abef8b371d0a89812e60b7477758aad3e85"}, @generic={0x2, 0xf}]}}, {{0x9, 0x5, 0x4, 0xc, 0x40, 0x1, 0x81, 0x81, [@uac_iso={0x7, 0x25, 0x1, 0x3, 0x45, 0x1}, @generic={0x2, 0x31}]}}]}}, {{0x9, 0x4, 0xea, 0x1, 0x0, 0xbe, 0x54, 0x96, 0x9, [@cdc_ecm={{0x5}, {0x5, 0x24, 0x0, 0x2}, {0xd, 0x24, 0xf, 0x1, 0x9, 0x3ff, 0x1, 0x9}}]}}]}}]}}, &(0x7f0000000840)={0x0, 0x0, 0x0, 0x0, 0x3, [{0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0}]})
program crashed: UBSAN: array-index-out-of-bounds in usbhid_parse
testing program (duration=1m3.291582267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x44, &(0x7f0000000280)={{0x12, 0x1, 0x201, 0x22, 0x8f, 0xe7, 0x20, 0x80e, 0x4eb9, 0xd7f6, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x32, 0x2, 0x1, 0x74, 0xb0, 0x40, [{{0x9, 0x4, 0xaa, 0x5, 0x0, 0x3, 0xe9, 0x1e, 0x1, [@uac_as]}}, {{0x9, 0x4, 0xea, 0x1, 0x0, 0xbe, 0x54, 0x96, 0x9, [@cdc_ecm={{0x5}, {0x5, 0x24, 0x0, 0x2}, {0xd, 0x24, 0xf, 0x1, 0x9, 0x3ff, 0x1, 0x9}}]}}]}}]}}, &(0x7f0000000840)={0x0, 0x0, 0x0, 0x0, 0x3, [{0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0}]})
program did not crash
testing program (duration=1m3.291582267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0xe7, &(0x7f0000000280)={{0x12, 0x1, 0x201, 0x22, 0x8f, 0xe7, 0x20, 0x80e, 0x4eb9, 0xd7f6, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0xd5, 0x2, 0x1, 0x74, 0xb0, 0x40, [{{0x9, 0x4, 0xaa, 0x5, 0x5, 0x3, 0xe9, 0x1e, 0x1, [@uac_as], [{{0x9, 0x5, 0xc, 0x10, 0x10, 0x8, 0x7, 0x7, [@generic={0x5b, 0x21, "1b54e5d373854de7f55fab03597e302bd4b089efdaa8f4bde6c5789f178a9e5c7e7dee400eb4abe57cd84c0473000e898a048b82a7e5aa32d8323ab0fe59d5e872a7fa6302bed4075e185016850cea8588c43e9d88d0270cb9"}]}}, {{0x9, 0x5, 0x2, 0x1, 0x10, 0x81, 0x1, 0x33, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x9e, 0x1}]}}, {{0x9, 0x5, 0x4, 0x0, 0x40, 0x9, 0x7, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x9, 0x9}]}}, {{0x9, 0x5, 0x4, 0x8, 0x20, 0x42, 0x20, 0x4, [@generic={0x2, 0x5}, @generic={0x2, 0xf}]}}, {{0x9, 0x5, 0x4, 0xc, 0x40, 0x1, 0x81, 0x81, [@uac_iso={0x7, 0x25, 0x1, 0x3, 0x45, 0x1}, @generic={0x2, 0x31}]}}]}}, {{0x9, 0x4, 0xea, 0x1, 0x0, 0xbe, 0x54, 0x96, 0x9, [@cdc_ecm={{0x5}, {0x5, 0x24, 0x0, 0x2}, {0xd, 0x24, 0xf, 0x1, 0x9, 0x3ff, 0x1, 0x9}}]}}]}}]}}, &(0x7f0000000840)={0x0, 0x0, 0x0, 0x0, 0x3, [{0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0}]})
program did not crash
testing program (duration=1m3.291582267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x14f, &(0x7f0000000280)={{0x12, 0x1, 0x201, 0x22, 0x8f, 0xe7, 0x20, 0x80e, 0x4eb9, 0xd7f6, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x13d, 0x2, 0x1, 0x74, 0xb0, 0x40, [{{0x9, 0x4, 0xaa, 0x5, 0x5, 0x3, 0xe9, 0x1e, 0x1, [@uac_as], [{{0x9, 0x5, 0xc, 0x10, 0x10, 0x8, 0x7, 0x7, [@generic={0x2, 0x21}]}}, {{0x9, 0x5, 0x2, 0x1, 0x10, 0x81, 0x1, 0x33, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x9e, 0x1}]}}, {{0x9, 0x5, 0x4, 0x0, 0x40, 0x9, 0x7, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x9, 0x9}]}}, {{0x9, 0x5, 0x4, 0x8, 0x20, 0x42, 0x20, 0x4, [@generic={0xc3, 0x5, "8257e51b21dc7d946f737d6e65aabaf964cb2653edba497665c80d258b84dbbfffba9155ac99f9d2b0955f8d12f39455f56076d8f30fc6142c73131543b9d993054c744af968ae669a760b20652a3489272767078ac09be24b0a62af6fd95decc4acc9ea5f1285b12859aa66d202dca715b17320989318169e74450d57a7639791c4f1e650ce38fb4c0a231edadc56e868ddeb5fedb9c32f7423bed8736847753cf2be2a710d76c94e24acb483e82b4abef8b371d0a89812e60b7477758aad3e85"}, @generic={0x2, 0xf}]}}, {{0x9, 0x5, 0x4, 0xc, 0x40, 0x1, 0x81, 0x81, [@uac_iso={0x7, 0x25, 0x1, 0x3, 0x45, 0x1}, @generic={0x2, 0x31}]}}]}}, {{0x9, 0x4, 0xea, 0x1, 0x0, 0xbe, 0x54, 0x96, 0x9, [@cdc_ecm={{0x5}, {0x5, 0x24, 0x0, 0x2}, {0xd, 0x24, 0xf, 0x1, 0x9, 0x3ff, 0x1, 0x9}}]}}]}}]}}, &(0x7f0000000840)={0x0, 0x0, 0x0, 0x0, 0x3, [{0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0}]})
program did not crash
testing program (duration=1m3.291582267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x1a8, &(0x7f0000000280)={{0x12, 0x1, 0x201, 0x22, 0x8f, 0xe7, 0x20, 0x80e, 0x4eb9, 0xd7f6, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x196, 0x2, 0x1, 0x74, 0xb0, 0x40, [{{0x9, 0x4, 0xaa, 0x5, 0x5, 0x3, 0xe9, 0x1e, 0x1, [@uac_as], [{{0x9, 0x5, 0xc, 0x10, 0x10, 0x8, 0x7, 0x7, [@generic={0x5b, 0x21, "1b54e5d373854de7f55fab03597e302bd4b089efdaa8f4bde6c5789f178a9e5c7e7dee400eb4abe57cd84c0473000e898a048b82a7e5aa32d8323ab0fe59d5e872a7fa6302bed4075e185016850cea8588c43e9d88d0270cb9"}]}}, {{0x9, 0x5, 0x2, 0x1, 0x10, 0x81, 0x1, 0x33, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x9e, 0x1}]}}, {{0x9, 0x5, 0x4, 0x0, 0x40, 0x9, 0x7, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x9, 0x9}]}}, {{0x9, 0x5, 0x4, 0x8, 0x20, 0x42, 0x20, 0x4, [@generic={0xc3, 0x5, "8257e51b21dc7d946f737d6e65aabaf964cb2653edba497665c80d258b84dbbfffba9155ac99f9d2b0955f8d12f39455f56076d8f30fc6142c73131543b9d993054c744af968ae669a760b20652a3489272767078ac09be24b0a62af6fd95decc4acc9ea5f1285b12859aa66d202dca715b17320989318169e74450d57a7639791c4f1e650ce38fb4c0a231edadc56e868ddeb5fedb9c32f7423bed8736847753cf2be2a710d76c94e24acb483e82b4abef8b371d0a89812e60b7477758aad3e85"}, @generic={0x2, 0xf}]}}, {{0x9, 0x5, 0x4, 0xc, 0x40, 0x1, 0x81, 0x81, [@uac_iso={0x7, 0x25, 0x1, 0x3, 0x45, 0x1}, @generic={0x2, 0x31}]}}]}}, {{0x9, 0x4, 0xea, 0x1, 0x0, 0xbe, 0x54, 0x96, 0x9, [@cdc_ecm={{0x5}, {0x5, 0x24, 0x0, 0x2}, {0xd, 0x24, 0xf, 0x1, 0x9, 0x3ff, 0x1, 0x9}}]}}]}}]}}, 0x0)
program did not crash
testing program (duration=1m3.291582267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x0, 0x1a8, &(0x7f0000000280)={{0x12, 0x1, 0x201, 0x22, 0x8f, 0xe7, 0x20, 0x80e, 0x4eb9, 0xd7f6, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x196, 0x2, 0x1, 0x74, 0xb0, 0x40, [{{0x9, 0x4, 0xaa, 0x5, 0x5, 0x3, 0xe9, 0x1e, 0x1, [@uac_as], [{{0x9, 0x5, 0xc, 0x10, 0x10, 0x8, 0x7, 0x7, [@generic={0x5b, 0x21, "1b54e5d373854de7f55fab03597e302bd4b089efdaa8f4bde6c5789f178a9e5c7e7dee400eb4abe57cd84c0473000e898a048b82a7e5aa32d8323ab0fe59d5e872a7fa6302bed4075e185016850cea8588c43e9d88d0270cb9"}]}}, {{0x9, 0x5, 0x2, 0x1, 0x10, 0x81, 0x1, 0x33, [@uac_iso={0x7, 0x25, 0x1, 0x1, 0x9e, 0x1}]}}, {{0x9, 0x5, 0x4, 0x0, 0x40, 0x9, 0x7, 0x0, [@uac_iso={0x7, 0x25, 0x1, 0x0, 0x9, 0x9}]}}, {{0x9, 0x5, 0x4, 0x8, 0x20, 0x42, 0x20, 0x4, [@generic={0xc3, 0x5, "8257e51b21dc7d946f737d6e65aabaf964cb2653edba497665c80d258b84dbbfffba9155ac99f9d2b0955f8d12f39455f56076d8f30fc6142c73131543b9d993054c744af968ae669a760b20652a3489272767078ac09be24b0a62af6fd95decc4acc9ea5f1285b12859aa66d202dca715b17320989318169e74450d57a7639791c4f1e650ce38fb4c0a231edadc56e868ddeb5fedb9c32f7423bed8736847753cf2be2a710d76c94e24acb483e82b4abef8b371d0a89812e60b7477758aad3e85"}, @generic={0x2, 0xf}]}}, {{0x9, 0x5, 0x4, 0xc, 0x40, 0x1, 0x81, 0x81, [@uac_iso={0x7, 0x25, 0x1, 0x3, 0x45, 0x1}, @generic={0x2, 0x31}]}}]}}, {{0x9, 0x4, 0xea, 0x1, 0x0, 0xbe, 0x54, 0x96, 0x9, [@cdc_ecm={{0x5}, {0x5, 0x24, 0x0, 0x2}, {0xd, 0x24, 0xf, 0x1, 0x9, 0x3ff, 0x1, 0x9}}]}}]}}]}}, &(0x7f0000000840)={0x0, 0x0, 0x0, 0x0})
program crashed: UBSAN: array-index-out-of-bounds in usbhid_parse
extracting C reproducer
testing compiled C program (duration=1m3.291582267s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: UBSAN: array-index-out-of-bounds in usbhid_parse
simplifying C reproducer
testing compiled C program (duration=1m3.291582267s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: UBSAN: array-index-out-of-bounds in usbhid_parse
testing compiled C program (duration=1m3.291582267s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: UBSAN: array-index-out-of-bounds in usbhid_parse
testing compiled C program (duration=1m3.291582267s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: UBSAN: array-index-out-of-bounds in usbhid_parse
testing compiled C program (duration=1m3.291582267s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: UBSAN: array-index-out-of-bounds in usbhid_parse
testing compiled C program (duration=1m3.291582267s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: UBSAN: array-index-out-of-bounds in usbhid_parse
testing compiled C program (duration=1m3.291582267s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: UBSAN: array-index-out-of-bounds in usbhid_parse
testing compiled C program (duration=1m3.291582267s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: UBSAN: array-index-out-of-bounds in usbhid_parse
reproducing took 22m36.915015593s
repro crashed as (corrupted=false):
usb 1-1: New USB device found, idVendor=080e, idProduct=4eb9, bcdDevice=d7.f6
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: syz
usb 1-1: Manufacturer: syz
usb 1-1: SerialNumber: syz
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in drivers/hid/usbhid/hid-core.c:1025:18
index 1 is out of range for type 'hid_class_descriptor [1]'
CPU: 1 UID: 0 PID: 46 Comm: kworker/1:1 Not tainted 6.13.0-rc1-syzkaller-00005-gceb8bf2ceaa7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: usb_hub_wq hub_event
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_out_of_bounds+0x110/0x150 lib/ubsan.c:429
usbhid_parse+0x960/0xa30 drivers/hid/usbhid/hid-core.c:1025
hid_add_device+0x18b/0xa60 drivers/hid/hid-core.c:2875
usbhid_probe+0xd32/0x1400 drivers/hid/usbhid/hid-core.c:1431
usb_probe_interface+0x300/0x9c0 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
device_add+0x114b/0x1a70 drivers/base/core.c:3665
usb_set_configuration+0x10cb/0x1c50 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:254
usb_probe_device+0xec/0x3e0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
device_add+0x114b/0x1a70 drivers/base/core.c:3665
usb_new_device+0xd90/0x1a10 drivers/usb/core/hub.c:2651
hub_port_connect drivers/usb/core/hub.c:5521 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x2d9a/0x4e10 drivers/usb/core/hub.c:5903
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
---[ end trace ]---
final repro crashed as (corrupted=false):
usb 1-1: New USB device found, idVendor=080e, idProduct=4eb9, bcdDevice=d7.f6
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: syz
usb 1-1: Manufacturer: syz
usb 1-1: SerialNumber: syz
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in drivers/hid/usbhid/hid-core.c:1025:18
index 1 is out of range for type 'hid_class_descriptor [1]'
CPU: 1 UID: 0 PID: 46 Comm: kworker/1:1 Not tainted 6.13.0-rc1-syzkaller-00005-gceb8bf2ceaa7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: usb_hub_wq hub_event
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_out_of_bounds+0x110/0x150 lib/ubsan.c:429
usbhid_parse+0x960/0xa30 drivers/hid/usbhid/hid-core.c:1025
hid_add_device+0x18b/0xa60 drivers/hid/hid-core.c:2875
usbhid_probe+0xd32/0x1400 drivers/hid/usbhid/hid-core.c:1431
usb_probe_interface+0x300/0x9c0 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
device_add+0x114b/0x1a70 drivers/base/core.c:3665
usb_set_configuration+0x10cb/0x1c50 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:254
usb_probe_device+0xec/0x3e0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
device_add+0x114b/0x1a70 drivers/base/core.c:3665
usb_new_device+0xd90/0x1a10 drivers/usb/core/hub.c:2651
hub_port_connect drivers/usb/core/hub.c:5521 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x2d9a/0x4e10 drivers/usb/core/hub.c:5903
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
---[ end trace ]---