KASAN: use-after-free Write in vcs_read
20 views
Skip to first unread message
syzbot
Aug 21, 2020, 2:09:22 AM8/21/20
to gre...@linuxfoundation.org, jiri...@kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 605cbf3d Add linux-next specific files for 20200820
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=157e75ce900000
kernel config: https://syzkaller.appspot.com/x/.config?x=a61d44f28687f508
dashboard link: https://syzkaller.appspot.com/bug?extid=ad1f53726c3bd11180cb
compiler: gcc (GCC) 10.1.0-syz 20200507
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ad1f53...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in vcs_read_buf drivers/tty/vt/vc_screen.c:357 [inline]
BUG: KASAN: use-after-free in vcs_read+0xaa7/0xb40 drivers/tty/vt/vc_screen.c:449
Write of size 2 at addr ffff8880a8014000 by task syz-executor.5/16936
CPU: 1 PID: 16936 Comm: syz-executor.5 Not tainted 5.9.0-rc1-next-20200820-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x18f/0x20d lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
__kasan_report mm/kasan/report.c:513 [inline]
kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
vcs_read_buf drivers/tty/vt/vc_screen.c:357 [inline]
vcs_read+0xaa7/0xb40 drivers/tty/vt/vc_screen.c:449
vfs_read+0x1df/0x5a0 fs/read_write.c:479
ksys_read+0x12d/0x250 fs/read_write.c:607
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45d4d9
Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fa15c60dc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 0000000000025ec0 RCX: 000000000045d4d9
RDX: 0000000000002020 RSI: 0000000020000340 RDI: 0000000000000003
RBP: 000000000118cf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cf4c
R13: 00007ffd27ec646f R14: 00007fa15c60e9c0 R15: 000000000118cf4c
Allocated by task 5:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
kasan_set_track mm/kasan/common.c:56 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461
slab_post_alloc_hook mm/slab.h:517 [inline]
slab_alloc_node mm/slab.c:3254 [inline]
kmem_cache_alloc_node+0x136/0x3f0 mm/slab.c:3574
__alloc_skb+0x71/0x550 net/core/skbuff.c:198
alloc_skb include/linux/skbuff.h:1085 [inline]
nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:501 [inline]
nsim_dev_trap_report drivers/net/netdevsim/dev.c:558 [inline]
nsim_dev_trap_report_work+0x2b2/0xbe0 drivers/net/netdevsim/dev.c:599
process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
kthread+0x3b5/0x4a0 kernel/kthread.c:292
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
Freed by task 5:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
__kasan_slab_free+0xd8/0x120 mm/kasan/common.c:422
__cache_free mm/slab.c:3418 [inline]
kmem_cache_free.part.0+0x67/0x1f0 mm/slab.c:3693
kfree_skbmem+0xef/0x1b0 net/core/skbuff.c:622
__kfree_skb net/core/skbuff.c:679 [inline]
consume_skb net/core/skbuff.c:837 [inline]
consume_skb+0xcf/0x160 net/core/skbuff.c:831
nsim_dev_trap_report drivers/net/netdevsim/dev.c:574 [inline]
nsim_dev_trap_report_work+0x889/0xbe0 drivers/net/netdevsim/dev.c:599
process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
kthread+0x3b5/0x4a0 kernel/kthread.c:292
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
The buggy address belongs to the object at ffff8880a8014000
which belongs to the cache skbuff_head_cache of size 224
The buggy address is located 0 bytes inside of
224-byte region [ffff8880a8014000, ffff8880a80140e0)
The buggy address belongs to the page:
page:00000000a263cd02 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xa8014
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea000277a2c8 ffffea0002551888 ffff8880a9050d00
raw: 0000000000000000 ffff8880a8014000 000000010000000c 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a8013f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880a8013f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880a8014000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880a8014080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
ffff8880a8014100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: 605cbf3d Add linux-next specific files for 20200820
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=157e75ce900000
kernel config: https://syzkaller.appspot.com/x/.config?x=a61d44f28687f508
dashboard link: https://syzkaller.appspot.com/bug?extid=ad1f53726c3bd11180cb
compiler: gcc (GCC) 10.1.0-syz 20200507
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ad1f53...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in vcs_read_buf drivers/tty/vt/vc_screen.c:357 [inline]
BUG: KASAN: use-after-free in vcs_read+0xaa7/0xb40 drivers/tty/vt/vc_screen.c:449
Write of size 2 at addr ffff8880a8014000 by task syz-executor.5/16936
CPU: 1 PID: 16936 Comm: syz-executor.5 Not tainted 5.9.0-rc1-next-20200820-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x18f/0x20d lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
__kasan_report mm/kasan/report.c:513 [inline]
kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
vcs_read_buf drivers/tty/vt/vc_screen.c:357 [inline]
vcs_read+0xaa7/0xb40 drivers/tty/vt/vc_screen.c:449
vfs_read+0x1df/0x5a0 fs/read_write.c:479
ksys_read+0x12d/0x250 fs/read_write.c:607
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45d4d9
Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fa15c60dc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 0000000000025ec0 RCX: 000000000045d4d9
RDX: 0000000000002020 RSI: 0000000020000340 RDI: 0000000000000003
RBP: 000000000118cf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cf4c
R13: 00007ffd27ec646f R14: 00007fa15c60e9c0 R15: 000000000118cf4c
Allocated by task 5:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
kasan_set_track mm/kasan/common.c:56 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461
slab_post_alloc_hook mm/slab.h:517 [inline]
slab_alloc_node mm/slab.c:3254 [inline]
kmem_cache_alloc_node+0x136/0x3f0 mm/slab.c:3574
__alloc_skb+0x71/0x550 net/core/skbuff.c:198
alloc_skb include/linux/skbuff.h:1085 [inline]
nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:501 [inline]
nsim_dev_trap_report drivers/net/netdevsim/dev.c:558 [inline]
nsim_dev_trap_report_work+0x2b2/0xbe0 drivers/net/netdevsim/dev.c:599
process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
kthread+0x3b5/0x4a0 kernel/kthread.c:292
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
Freed by task 5:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
__kasan_slab_free+0xd8/0x120 mm/kasan/common.c:422
__cache_free mm/slab.c:3418 [inline]
kmem_cache_free.part.0+0x67/0x1f0 mm/slab.c:3693
kfree_skbmem+0xef/0x1b0 net/core/skbuff.c:622
__kfree_skb net/core/skbuff.c:679 [inline]
consume_skb net/core/skbuff.c:837 [inline]
consume_skb+0xcf/0x160 net/core/skbuff.c:831
nsim_dev_trap_report drivers/net/netdevsim/dev.c:574 [inline]
nsim_dev_trap_report_work+0x889/0xbe0 drivers/net/netdevsim/dev.c:599
process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
kthread+0x3b5/0x4a0 kernel/kthread.c:292
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
The buggy address belongs to the object at ffff8880a8014000
which belongs to the cache skbuff_head_cache of size 224
The buggy address is located 0 bytes inside of
224-byte region [ffff8880a8014000, ffff8880a80140e0)
The buggy address belongs to the page:
page:00000000a263cd02 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xa8014
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea000277a2c8 ffffea0002551888 ffff8880a9050d00
raw: 0000000000000000 ffff8880a8014000 000000010000000c 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a8013f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880a8013f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880a8014000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880a8014080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
ffff8880a8014100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Aug 22, 2020, 12:17:22 AM8/22/20
to gre...@linuxfoundation.org, jiri...@kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: 494d311a Add linux-next specific files for 20200821
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=12454db1900000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1588a046900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ad1f53...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in vcs_read_buf drivers/tty/vt/vc_screen.c:357 [inline]
BUG: KASAN: use-after-free in vcs_read+0xaa7/0xb40 drivers/tty/vt/vc_screen.c:449
Write of size 2 at addr ffff888093948000 by task syz-executor760/6850
CPU: 0 PID: 6850 Comm: syz-executor760 Not tainted 5.9.0-rc1-next-20200821-syzkaller #0
do_loop_readv_writev fs/read_write.c:721 [inline]
do_iter_read+0x48e/0x6e0 fs/read_write.c:955
vfs_readv+0xe5/0x150 fs/read_write.c:1073
do_preadv fs/read_write.c:1165 [inline]
__do_sys_preadv fs/read_write.c:1215 [inline]
__se_sys_preadv fs/read_write.c:1210 [inline]
__x64_sys_preadv+0x231/0x310 fs/read_write.c:1210
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x441259
Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 1b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fffb3e6b7d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441259
RDX: 0000000000000006 RSI: 0000000020001b00 RDI: 0000000000000003
RBP: 00000000006cb018 R08: 0000000000000000 R09: 00000000004002c8
R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000402000
R13: 0000000000402090 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the page:
page:000000006b61c24f refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x93948
flags: 0xfffe0000000000()
raw: 00fffe0000000000 ffffea00029cd508 ffffea00024f3848 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffff7f 0000000000000000
ffff888093947f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888093948000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888093948080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888093948100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
HEAD commit: 494d311a Add linux-next specific files for 20200821
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=12454db1900000
kernel config: https://syzkaller.appspot.com/x/.config?x=a61d44f28687f508
dashboard link: https://syzkaller.appspot.com/bug?extid=ad1f53726c3bd11180cb
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16704b7e900000
dashboard link: https://syzkaller.appspot.com/bug?extid=ad1f53726c3bd11180cb
compiler: gcc (GCC) 10.1.0-syz 20200507
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1588a046900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ad1f53...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in vcs_read_buf drivers/tty/vt/vc_screen.c:357 [inline]
BUG: KASAN: use-after-free in vcs_read+0xaa7/0xb40 drivers/tty/vt/vc_screen.c:449
CPU: 0 PID: 6850 Comm: syz-executor760 Not tainted 5.9.0-rc1-next-20200821-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x18f/0x20d lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
__kasan_report mm/kasan/report.c:513 [inline]
kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
vcs_read_buf drivers/tty/vt/vc_screen.c:357 [inline]
vcs_read+0xaa7/0xb40 drivers/tty/vt/vc_screen.c:449
do_loop_readv_writev fs/read_write.c:734 [inline]
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x18f/0x20d lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
__kasan_report mm/kasan/report.c:513 [inline]
kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
vcs_read_buf drivers/tty/vt/vc_screen.c:357 [inline]
vcs_read+0xaa7/0xb40 drivers/tty/vt/vc_screen.c:449
do_loop_readv_writev fs/read_write.c:721 [inline]
do_iter_read+0x48e/0x6e0 fs/read_write.c:955
vfs_readv+0xe5/0x150 fs/read_write.c:1073
do_preadv fs/read_write.c:1165 [inline]
__do_sys_preadv fs/read_write.c:1215 [inline]
__se_sys_preadv fs/read_write.c:1210 [inline]
__x64_sys_preadv+0x231/0x310 fs/read_write.c:1210
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x441259
Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 1b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fffb3e6b7d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441259
RDX: 0000000000000006 RSI: 0000000020001b00 RDI: 0000000000000003
RBP: 00000000006cb018 R08: 0000000000000000 R09: 00000000004002c8
R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000402000
R13: 0000000000402090 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the page:
flags: 0xfffe0000000000()
raw: 00fffe0000000000 ffffea00029cd508 ffffea00024f3848 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888093947f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Memory state around the buggy address:
ffff888093947f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888093948000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888093948080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888093948100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
syzbot
Aug 22, 2020, 3:31:11 AM8/22/20
to ak...@linux-foundation.org, gre...@linuxfoundation.org, jiri...@kernel.org, jsl...@suse.com, jsl...@suse.cz, linux-...@vger.kernel.org, linu...@kvack.org, ni...@fluxnic.net, syzkall...@googlegroups.com
syzbot has bisected this issue to:
commit b1c32fcfadf5593ab7a63261cc8a5747c36e627e
Author: Jiri Slaby <jsl...@suse.cz>
Date: Tue Aug 18 08:57:05 2020 +0000
vc_screen: extract vcs_read_buf_header
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=13259dee900000
start commit: 494d311a Add linux-next specific files for 20200821
git tree: linux-next
final oops: https://syzkaller.appspot.com/x/report.txt?x=10a59dee900000
console output: https://syzkaller.appspot.com/x/log.txt?x=17259dee900000
Fixes: b1c32fcfadf5 ("vc_screen: extract vcs_read_buf_header")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit b1c32fcfadf5593ab7a63261cc8a5747c36e627e
Author: Jiri Slaby <jsl...@suse.cz>
Date: Tue Aug 18 08:57:05 2020 +0000
vc_screen: extract vcs_read_buf_header
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=13259dee900000
start commit: 494d311a Add linux-next specific files for 20200821
git tree: linux-next
final oops: https://syzkaller.appspot.com/x/report.txt?x=10a59dee900000
console output: https://syzkaller.appspot.com/x/log.txt?x=17259dee900000
kernel config: https://syzkaller.appspot.com/x/.config?x=a61d44f28687f508
dashboard link: https://syzkaller.appspot.com/bug?extid=ad1f53726c3bd11180cb
dashboard link: https://syzkaller.appspot.com/bug?extid=ad1f53726c3bd11180cb
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16704b7e900000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1588a046900000
Reported-by: syzbot+ad1f53...@syzkaller.appspotmail.com
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1588a046900000
Fixes: b1c32fcfadf5 ("vc_screen: extract vcs_read_buf_header")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Jiri Slaby
Aug 22, 2020, 3:34:43 AM8/22/20
to syzbot, ak...@linux-foundation.org, gre...@linuxfoundation.org, jsl...@suse.com, jsl...@suse.cz, linux-...@vger.kernel.org, linu...@kvack.org, ni...@fluxnic.net, syzkall...@googlegroups.com
On 22. 08. 20, 9:31, syzbot wrote:
> syzbot has bisected this issue to:
>
> commit b1c32fcfadf5593ab7a63261cc8a5747c36e627e
> Author: Jiri Slaby <jsl...@suse.cz>
> Date: Tue Aug 18 08:57:05 2020 +0000
>
> vc_screen: extract vcs_read_buf_header
It's like 7th e-mail about the very same issue. Can it be
> syzbot has bisected this issue to:
>
> commit b1c32fcfadf5593ab7a63261cc8a5747c36e627e
> Author: Jiri Slaby <jsl...@suse.cz>
> Date: Tue Aug 18 08:57:05 2020 +0000
>
> vc_screen: extract vcs_read_buf_header
suspended/acknowledged somehow?
> Reported-by: syzbot+ad1f53...@syzkaller.appspotmail.com
I haven't managed to find the root cause on Fri yet, I will chase it on
Mon again.
thanks,
--
js
suse labs
Jiri Slaby
Aug 24, 2020, 4:03:58 AM8/24/20
to syzbot, ak...@linux-foundation.org, gre...@linuxfoundation.org, jsl...@suse.cz, linux-...@vger.kernel.org, linu...@kvack.org, ni...@fluxnic.net, syzkall...@googlegroups.com
commit now, re-think and redo during the next merge window.
There are two issues with the patch:
1) vcs_read rounds the 'count' up to an even number. So if we read odd
bytes from the header (3 in the reproducer), the second byte of
(2-byte/ushort) write to temporary con_buf won't fit. It is because with
the patch applied, we only subtract the real number read (3 bytes) and
not the whole header (4 bytes).
2) in this scenario, we perform unaligned accesses now. 2-byte/ushort
writes to odd addresses. Due to the same reason as above.
So Greg, could you revert with the above reasoning? It reverts cleanly.
Or do you want me to send a revert?
Greg KH
Aug 24, 2020, 4:21:59 AM8/24/20
to Jiri Slaby, syzbot, ak...@linux-foundation.org, jsl...@suse.cz, linux-...@vger.kernel.org, linu...@kvack.org, ni...@fluxnic.net, syzkall...@googlegroups.com
thanks,
greg k-h
Reply all
Reply to author
Forward
0 new messages