KASAN: user-memory-access Write in n_tty_set_termios


syzbot
Apr 10, 2019, 12:04:11 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 47350a9f ANDROID: x86_64_cuttlefish_defconfig: Enable lz4 ..
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=12a7fe0a400000
kernel config: https://syzkaller.appspot.com/x/.config?x=10d236078f3378a3
dashboard link: https://syzkaller.appspot.com/bug?extid=f79f965eb444cb4d361f
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=136b38ca400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f79f96...@syzkaller.appspotmail.com

pts pts382: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
pts pts384: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
pts pts383: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
pts pts385: tty_release: tty->count(2) != (#fd's(1) + #kopen's(0))
==================================================================
BUG: KASAN: user-memory-access in memset include/linux/string.h:329 [inline]
BUG: KASAN: user-memory-access in bitmap_zero include/linux/bitmap.h:197 [inline]
BUG: KASAN: user-memory-access in n_tty_set_termios+0xee/0xcb0 drivers/tty/n_tty.c:1786
Write of size 512 at addr 0000000000001060 by task syz-executor3/6352

CPU: 0 PID: 6352 Comm: syz-executor3 Not tainted 4.14.67+ #1
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0xb9/0x11b lib/dump_stack.c:53
kasan_report_error mm/kasan/report.c:349 [inline]
kasan_report.cold.6+0x6d/0x2dd mm/kasan/report.c:409
memset+0x1f/0x40 mm/kasan/kasan.c:285
memset include/linux/string.h:329 [inline]
bitmap_zero include/linux/bitmap.h:197 [inline]
n_tty_set_termios+0xee/0xcb0 drivers/tty/n_tty.c:1786
tty_set_termios+0x5fd/0x860 drivers/tty/tty_ioctl.c:340
set_termios+0x2bf/0x440 drivers/tty/tty_ioctl.c:413
tty_mode_ioctl+0x870/0x920 drivers/tty/tty_ioctl.c:748
n_tty_ioctl_helper+0x3f/0x350 drivers/tty/tty_ioctl.c:939
n_tty_ioctl+0x43/0x2e0 drivers/tty/n_tty.c:2452
tty_ioctl+0x551/0x13e0 drivers/tty/tty_io.c:2654
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x1a0/0x1030 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x7e/0xb0 fs/ioctl.c:692
do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x457099
RSP: 002b:00007f1329091c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f13290926d4 RCX: 0000000000457099
RDX: 00000000200000c0 RSI: 0000000000005402 RDI: 0000000000000005
RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000004d0b10 R14: 00000000004c64f6 R15: 0000000000000000
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot
Apr 12, 2019, 8:00:50 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 71fce1ed UPSTREAM: tracing: always define trace_{irq,preem..
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=13e747bb800000
kernel config: https://syzkaller.appspot.com/x/.config?x=a54f56879744de40
dashboard link: https://syzkaller.appspot.com/bug?extid=480e1a761deacb965709
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13e42dc7800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=128c3c47800000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+480e1a...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: user-memory-access in bitmap_zero include/linux/bitmap.h:197 [inline]
BUG: KASAN: user-memory-access in n_tty_set_termios+0xf6/0xd30 drivers/tty/n_tty.c:1768
Write of size 512 at addr 0000000000001060 by task syz-executor970/3813

CPU: 1 PID: 3813 Comm: syz-executor970 Not tainted 4.9.96-g71fce1e #10
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
ffff8801d94c7708 ffffffff81eb0b69 0000000000001060 0000000000000200
0000000000000001 000000000000005d ffff8801d94c7848 ffff8801d94c7750
ffffffff81565640 ffffffff8211b4f6 0000000000000286 c8781b594e4e9e9e
Call Trace:
[<ffffffff81eb0b69>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81eb0b69>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[<ffffffff81565640>] kasan_report_error mm/kasan/report.c:353 [inline]
[<ffffffff81565640>] kasan_report.cold.6+0x6d/0x2fe mm/kasan/report.c:412
[<ffffffff815382ff>] check_memory_region_inline mm/kasan/kasan.c:318 [inline]
[<ffffffff815382ff>] check_memory_region+0x14f/0x1b0 mm/kasan/kasan.c:325
[<ffffffff815388b3>] memset+0x23/0x40 mm/kasan/kasan.c:343
[<ffffffff8211b4f6>] bitmap_zero include/linux/bitmap.h:197 [inline]
[<ffffffff8211b4f6>] n_tty_set_termios+0xf6/0xd30 drivers/tty/n_tty.c:1768
[<ffffffff821251d6>] tty_set_termios+0x626/0x8a0 drivers/tty/tty_ioctl.c:562
[<ffffffff8212623f>] set_termios+0x38f/0x620 drivers/tty/tty_ioctl.c:635
[<ffffffff82126d92>] tty_mode_ioctl+0x8c2/0x980 drivers/tty/tty_ioctl.c:970
[<ffffffff82126ef4>] n_tty_ioctl_helper+0x44/0x370 drivers/tty/tty_ioctl.c:1161
[<ffffffff8211a036>] n_tty_ioctl+0x46/0x2c0 drivers/tty/n_tty.c:2443
[<ffffffff82113404>] tty_ioctl+0x5a4/0x2270 drivers/tty/tty_io.c:3009
[<ffffffff815b051c>] vfs_ioctl fs/ioctl.c:43 [inline]
[<ffffffff815b051c>] file_ioctl fs/ioctl.c:493 [inline]
[<ffffffff815b051c>] do_vfs_ioctl+0x1ac/0x11a0 fs/ioctl.c:677
[<ffffffff815b159f>] SYSC_ioctl fs/ioctl.c:694 [inline]
[<ffffffff815b159f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
[<ffffffff81006316>] do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
[<ffffffff839f3313>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
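Both reports in this thread have the same shape: a KASAN user-memory-access, a 512-byte write at the tiny address 0x1060, and a call chain that goes through an inlined bitmap_zero()/memset() into n_tty_set_termios() from the ioctl path. The first report also carries a register dump (ORIG_RAX 0x10, RSI 0x5402, RDI 5), the second does not. The script below is an added triage example for this thread, not syzbot or syzkaller code: it pulls those fields out of a report, finds the first frame that is not KASAN or dump_stack machinery, decodes the syscall and ioctl request from the registers when present, and flags a fault address below vm.mmap_min_addr as a NULL-based access (NULL struct pointer plus field offset) rather than a real user mapping. The x86-64 syscall number for ioctl, the termios ioctl constants and the 64 KiB mmap_min_addr default are assumptions made here; the two sample reports are the ones above, reduced to the lines the parser needs.

```python
"""Triage helper for syzbot KASAN reports (added example, not syzkaller code)."""
import re

SYSCALL_NAMES = {0x10: "ioctl"}  # x86-64 ORIG_RAX values decoded here (assumption: subset)
IOCTL_NAMES = {0x5401: "TCGETS", 0x5402: "TCSETS", 0x5403: "TCSETSW", 0x5404: "TCSETSF"}
MMAP_MIN_ADDR = 0x10000  # Linux default vm.mmap_min_addr (assumption); nothing maps below it

_BUG_RE = re.compile(r"^BUG: KASAN: (\S+) in (\S+)")
_ACCESS_RE = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)")
_FRAME_RE = re.compile(
    r"^(?:\[<[0-9a-f]+>\]\s+)?([A-Za-z_][\w.]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+(\S+\.[ch]:\d+)")
_REG_RE = re.compile(r"\b(RDI|RSI|RDX|ORIG_RAX): ([0-9a-f]{16})\b")

_NOISE_PATHS = ("lib/dump_stack.c", "mm/kasan/")            # report machinery, skip
_HELPER_PATHS = ("include/linux/string.h", "include/linux/bitmap.h")  # inlined helpers


def classify_address(addr):
    """Say what a 'user-memory-access' at this address most likely means."""
    if addr < MMAP_MIN_ADDR:
        return (f"likely NULL pointer dereference: NULL base plus struct field "
                f"offset 0x{addr:x}, not a real user mapping")
    return "access to a genuine user-space address (unchecked user pointer?)"


def parse_kasan_report(text):
    info = {"bug": None, "access": None, "size": None, "addr": None, "task": None,
            "pid": None, "helpers": [], "fault_frame": None, "syscall": None,
            "ioctl_request": None, "fd": None, "classification": None}
    regs, in_trace = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        m = _BUG_RE.match(line)
        if m and info["bug"] is None:
            info["bug"] = m.group(1)
        m = _ACCESS_RE.match(line)
        if m:
            info["access"], info["size"] = m.group(1), int(m.group(2))
            info["addr"] = int(m.group(3), 16)
            info["task"], info["pid"] = m.group(4), int(m.group(5))
            continue
        if line.startswith("Call Trace:"):
            in_trace = True
            continue
        for m in _REG_RE.finditer(line):
            regs[m.group(1)] = int(m.group(2), 16)
        if in_trace and info["fault_frame"] is None:
            m = _FRAME_RE.match(line)
            if not m:
                continue
            func, loc = m.group(1), m.group(2)
            if loc.startswith(_NOISE_PATHS):
                continue
            if loc.startswith(_HELPER_PATHS):
                info["helpers"].append(func)  # e.g. memset, bitmap_zero
                continue
            info["fault_frame"] = (func, loc)  # first frame in the code that faulted
    if "ORIG_RAX" in regs:
        info["syscall"] = SYSCALL_NAMES.get(regs["ORIG_RAX"], f"nr {regs['ORIG_RAX']}")
        if info["syscall"] == "ioctl":
            info["fd"] = regs.get("RDI")
            req = regs.get("RSI")
            info["ioctl_request"] = IOCTL_NAMES.get(req, f"0x{req:x}") if req is not None else None
    if info["addr"] is not None:
        info["classification"] = classify_address(info["addr"])
    return info


def triage_summary(info):
    func, loc = info["fault_frame"] or ("?", "?")
    via = f" via {info['syscall']}(fd {info['fd']}, {info['ioctl_request']})" if info["syscall"] else ""
    return (f"{info['bug']}: {info['access']} of {info['size']} bytes at 0x{info['addr']:x} in "
            f"{func} ({loc}) through {'/'.join(info['helpers']) or 'direct access'}{via}; "
            f"{info['classification']}")


# Constructed samples: the two reports from this thread, trimmed to the relevant lines.
REPORT_4_14 = """\
BUG: KASAN: user-memory-access in memset include/linux/string.h:329 [inline]
BUG: KASAN: user-memory-access in n_tty_set_termios+0xee/0xcb0 drivers/tty/n_tty.c:1786
Write of size 512 at addr 0000000000001060 by task syz-executor3/6352
Call Trace:
 dump_stack+0xb9/0x11b lib/dump_stack.c:53
 kasan_report.cold.6+0x6d/0x2dd mm/kasan/report.c:409
 memset+0x1f/0x40 mm/kasan/kasan.c:285
 memset include/linux/string.h:329 [inline]
 bitmap_zero include/linux/bitmap.h:197 [inline]
 n_tty_set_termios+0xee/0xcb0 drivers/tty/n_tty.c:1786
 tty_set_termios+0x5fd/0x860 drivers/tty/tty_ioctl.c:340
 SyS_ioctl+0x7e/0xb0 fs/ioctl.c:692
RSP: 002b:00007f1329091c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RDX: 00000000200000c0 RSI: 0000000000005402 RDI: 0000000000000005
"""
REPORT_4_9 = """\
BUG: KASAN: user-memory-access in bitmap_zero include/linux/bitmap.h:197 [inline]
Write of size 512 at addr 0000000000001060 by task syz-executor970/3813
Call Trace:
 [<ffffffff81eb0b69>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff815382ff>] check_memory_region+0x14f/0x1b0 mm/kasan/kasan.c:325
 [<ffffffff815388b3>] memset+0x23/0x40 mm/kasan/kasan.c:343
 [<ffffffff8211b4f6>] bitmap_zero include/linux/bitmap.h:197 [inline]
 [<ffffffff8211b4f6>] n_tty_set_termios+0xf6/0xd30 drivers/tty/n_tty.c:1768
 [<ffffffff821251d6>] tty_set_termios+0x626/0x8a0 drivers/tty/tty_ioctl.c:562
"""

if __name__ == "__main__":
    for report in (REPORT_4_14, REPORT_4_9):
        print(triage_summary(parse_kasan_report(report)))
```

Run as-is it prints one line per report; the 512-byte write is a 4096-bit bitmap being cleared (bitmap_zero() is a memset of bits/8), and an address of 0x1060 is far below anything user space can map, which is why the script reports it as a field at offset 0x1060 of a NULL struct pointer rather than a user-pointer bug. The fault address alone does not identify the struct; that comes from the line number in n_tty.c against the tree named in the report.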