[syzbot] KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer (2)
20 views
Skip to first unread message
syzbot
Sep 5, 2021, 4:22:26 PM9/5/21
to linux-...@vger.kernel.org, linux...@vger.kernel.org, mch...@kernel.org, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: f1583cb1be35 Merge tag 'linux-kselftest-next-5.15-rc1' of ..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1495987d300000
kernel config: https://syzkaller.appspot.com/x/.config?x=9c582b69de20dde2
dashboard link: https://syzkaller.appspot.com/bug?extid=272ce7abd8e49c0ddf42
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14f79ecd300000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1489a4c9300000
Bisection is inconclusive: the issue happens on the oldest tested release.
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11c072a5300000
final oops: https://syzkaller.appspot.com/x/report.txt?x=13c072a5300000
console output: https://syzkaller.appspot.com/x/log.txt?x=15c072a5300000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+272ce7...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in memcpy include/linux/fortify-string.h:191 [inline]
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2545 [inline]
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1325/0x38e0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2626
Write of size 128 at addr ffffc9000dbe2fe0 by task vivid-001-vid-c/14838
CPU: 0 PID: 14838 Comm: vivid-001-vid-c Not tainted 5.14.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105
print_address_description.constprop.0.cold+0xf/0x309 mm/kasan/report.c:256
__kasan_report mm/kasan/report.c:442 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
memcpy+0x39/0x60 mm/kasan/shadow.c:66
memcpy include/linux/fortify-string.h:191 [inline]
tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2545 [inline]
tpg_fill_plane_buffer+0x1325/0x38e0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2626
vivid_fillbuff+0x1ac1/0x3f00 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:469
vivid_thread_vid_cap_tick+0x88b/0x2360 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:729
vivid_thread_vid_cap+0x5d2/0xaf0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:868
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Memory state around the buggy address:
ffffc9000dbe2f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc9000dbe2f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc9000dbe3000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
^
ffffc9000dbe3080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc9000dbe3100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following issue on:
HEAD commit: f1583cb1be35 Merge tag 'linux-kselftest-next-5.15-rc1' of ..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1495987d300000
kernel config: https://syzkaller.appspot.com/x/.config?x=9c582b69de20dde2
dashboard link: https://syzkaller.appspot.com/bug?extid=272ce7abd8e49c0ddf42
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14f79ecd300000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1489a4c9300000
Bisection is inconclusive: the issue happens on the oldest tested release.
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11c072a5300000
final oops: https://syzkaller.appspot.com/x/report.txt?x=13c072a5300000
console output: https://syzkaller.appspot.com/x/log.txt?x=15c072a5300000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+272ce7...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in memcpy include/linux/fortify-string.h:191 [inline]
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2545 [inline]
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1325/0x38e0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2626
Write of size 128 at addr ffffc9000dbe2fe0 by task vivid-001-vid-c/14838
CPU: 0 PID: 14838 Comm: vivid-001-vid-c Not tainted 5.14.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105
print_address_description.constprop.0.cold+0xf/0x309 mm/kasan/report.c:256
__kasan_report mm/kasan/report.c:442 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
memcpy+0x39/0x60 mm/kasan/shadow.c:66
memcpy include/linux/fortify-string.h:191 [inline]
tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2545 [inline]
tpg_fill_plane_buffer+0x1325/0x38e0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2626
vivid_fillbuff+0x1ac1/0x3f00 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:469
vivid_thread_vid_cap_tick+0x88b/0x2360 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:729
vivid_thread_vid_cap+0x5d2/0xaf0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:868
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Memory state around the buggy address:
ffffc9000dbe2f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc9000dbe2f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc9000dbe3000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
^
ffffc9000dbe3080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc9000dbe3100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
Jan 27, 2023, 4:45:24 PM1/27/23
to hverkui...@xs4all.nl, hver...@xs4all.nl, linux-...@vger.kernel.org, linux...@vger.kernel.org, liush...@huawei.com, mch...@kernel.org, syzkall...@googlegroups.com
syzbot suspects this issue was fixed by commit:
commit 94a7ad9283464b75b12516c5512541d467cefcf8
Author: Liu Shixin <liush...@huawei.com>
Date: Thu Oct 27 12:38:55 2022 +0000
media: vivid: fix compose size exceed boundary
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10a3509e480000
start commit: f1583cb1be35 Merge tag 'linux-kselftest-next-5.15-rc1' of ..
git tree: upstream
#syz fix: media: vivid: fix compose size exceed boundary
commit 94a7ad9283464b75b12516c5512541d467cefcf8
Author: Liu Shixin <liush...@huawei.com>
Date: Thu Oct 27 12:38:55 2022 +0000
media: vivid: fix compose size exceed boundary
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10a3509e480000
start commit: f1583cb1be35 Merge tag 'linux-kselftest-next-5.15-rc1' of ..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=9c582b69de20dde2
dashboard link: https://syzkaller.appspot.com/bug?extid=272ce7abd8e49c0ddf42
dashboard link: https://syzkaller.appspot.com/bug?extid=272ce7abd8e49c0ddf42
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14f79ecd300000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1489a4c9300000
If the result looks correct, please mark the issue as fixed by replying with:
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1489a4c9300000
#syz fix: media: vivid: fix compose size exceed boundary
syzbot
Jan 30, 2023, 3:42:14 AM1/30/23
to hverkui...@xs4all.nl, hverkui...@xs4all.nl, syzkall...@googlegroups.com
> #syz fix: media: vivid: fix compose size exceed boundary
Your 'fix:' command is accepted, but please keep syzkall...@googlegroups.com mailing list in CC next time. It serves as a history of what happened with each bug report. Thank you.
Reply all
Reply to author
Forward
0 new messages