KASAN: use-after-free Read in soft_cursor
16 views
Skip to first unread message
syzbot
Dec 4, 2019, 8:11:09 AM12/4/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: fbc5fe7a Linux 4.14.157
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1088d1bce00000
kernel config: https://syzkaller.appspot.com/x/.config?x=253d29a660cb0d
dashboard link: https://syzkaller.appspot.com/bug?extid=f57ac5d99d8733e94387
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10d7742ae00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14667aeae00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f57ac5...@syzkaller.appspotmail.com
audit: type=1400 audit(1575461251.847:36): avc: denied { map } for
pid=7015 comm="syz-executor252" path="/root/syz-executor252987772"
dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: use-after-free in memcpy include/linux/string.h:347 [inline]
BUG: KASAN: use-after-free in soft_cursor+0x43d/0xa50
drivers/video/fbdev/core/softcursor.c:70
Read of size 9 at addr ffff88809f7e2e51 by task syz-executor252/7015
CPU: 1 PID: 7015 Comm: syz-executor252 Not tainted 4.14.157-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
memcpy+0x24/0x50 mm/kasan/kasan.c:302
memcpy include/linux/string.h:347 [inline]
soft_cursor+0x43d/0xa50 drivers/video/fbdev/core/softcursor.c:70
bit_cursor+0x11be/0x1830 drivers/video/fbdev/core/bitblit.c:386
fbcon_cursor+0x4e3/0x6f0 drivers/video/fbdev/core/fbcon.c:1347
hide_cursor+0x9d/0x2e0 drivers/tty/vt/vt.c:589
redraw_screen+0x2a5/0x7c0 drivers/tty/vt/vt.c:679
vc_do_resize+0xc8a/0xec0 drivers/tty/vt/vt.c:954
vc_resize+0x4d/0x60 drivers/tty/vt/vt.c:974
vt_ioctl+0x10a8/0x2170 drivers/tty/vt/vt_ioctl.c:901
tty_ioctl+0x841/0x1320 drivers/tty/tty_io.c:2661
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x7ae/0x1060 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x440219
RSP: 002b:00007fff5036ec48 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440219
RDX: 00000000200002c0 RSI: 000000000000560a RDI: 0000000000000004
RBP: 00000000006ca018 R08: 0000000000000001 R09: 00000000004002c8
R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000401b00
R13: 0000000000401b90 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 4051:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
kmem_cache_alloc_trace+0x152/0x790 mm/slab.c:3618
kmalloc include/linux/slab.h:488 [inline]
kzalloc include/linux/slab.h:661 [inline]
alloc_pipe_info+0xb0/0x380 fs/pipe.c:647
get_pipe_inode fs/pipe.c:726 [inline]
create_pipe_files+0xc4/0x880 fs/pipe.c:759
__do_pipe_flags+0x38/0x210 fs/pipe.c:816
SYSC_pipe2 fs/pipe.c:864 [inline]
SyS_pipe2 fs/pipe.c:858 [inline]
SYSC_pipe fs/pipe.c:882 [inline]
SyS_pipe+0x65/0x110 fs/pipe.c:880
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 4051:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcc/0x270 mm/slab.c:3815
free_pipe_info+0x209/0x2b0 fs/pipe.c:698
put_pipe_info+0xb3/0xd0 fs/pipe.c:575
pipe_release+0x1b6/0x250 fs/pipe.c:596
__fput+0x275/0x7a0 fs/file_table.c:210
____fput+0x16/0x20 fs/file_table.c:244
task_work_run+0x114/0x190 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x1da/0x220 arch/x86/entry/common.c:164
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4bc/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x42/0xb7
The buggy address belongs to the object at ffff88809f7e2c80
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 465 bytes inside of
512-byte region [ffff88809f7e2c80, ffff88809f7e2e80)
The buggy address belongs to the page:
page:ffffea00027df880 count:1 mapcount:0 mapping:ffff88809f7e2000 index:0x0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffff88809f7e2000 0000000000000000 0000000100000006
raw: ffffea00023b9b60 ffffea00024c1120 ffff8880aa800940 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88809f7e2d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88809f7e2d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff88809f7e2e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88809f7e2e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88809f7e2f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following crash on:
HEAD commit: fbc5fe7a Linux 4.14.157
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1088d1bce00000
kernel config: https://syzkaller.appspot.com/x/.config?x=253d29a660cb0d
dashboard link: https://syzkaller.appspot.com/bug?extid=f57ac5d99d8733e94387
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10d7742ae00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14667aeae00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f57ac5...@syzkaller.appspotmail.com
audit: type=1400 audit(1575461251.847:36): avc: denied { map } for
pid=7015 comm="syz-executor252" path="/root/syz-executor252987772"
dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: use-after-free in memcpy include/linux/string.h:347 [inline]
BUG: KASAN: use-after-free in soft_cursor+0x43d/0xa50
drivers/video/fbdev/core/softcursor.c:70
Read of size 9 at addr ffff88809f7e2e51 by task syz-executor252/7015
CPU: 1 PID: 7015 Comm: syz-executor252 Not tainted 4.14.157-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
memcpy+0x24/0x50 mm/kasan/kasan.c:302
memcpy include/linux/string.h:347 [inline]
soft_cursor+0x43d/0xa50 drivers/video/fbdev/core/softcursor.c:70
bit_cursor+0x11be/0x1830 drivers/video/fbdev/core/bitblit.c:386
fbcon_cursor+0x4e3/0x6f0 drivers/video/fbdev/core/fbcon.c:1347
hide_cursor+0x9d/0x2e0 drivers/tty/vt/vt.c:589
redraw_screen+0x2a5/0x7c0 drivers/tty/vt/vt.c:679
vc_do_resize+0xc8a/0xec0 drivers/tty/vt/vt.c:954
vc_resize+0x4d/0x60 drivers/tty/vt/vt.c:974
vt_ioctl+0x10a8/0x2170 drivers/tty/vt/vt_ioctl.c:901
tty_ioctl+0x841/0x1320 drivers/tty/tty_io.c:2661
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x7ae/0x1060 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x440219
RSP: 002b:00007fff5036ec48 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440219
RDX: 00000000200002c0 RSI: 000000000000560a RDI: 0000000000000004
RBP: 00000000006ca018 R08: 0000000000000001 R09: 00000000004002c8
R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000401b00
R13: 0000000000401b90 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 4051:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
kmem_cache_alloc_trace+0x152/0x790 mm/slab.c:3618
kmalloc include/linux/slab.h:488 [inline]
kzalloc include/linux/slab.h:661 [inline]
alloc_pipe_info+0xb0/0x380 fs/pipe.c:647
get_pipe_inode fs/pipe.c:726 [inline]
create_pipe_files+0xc4/0x880 fs/pipe.c:759
__do_pipe_flags+0x38/0x210 fs/pipe.c:816
SYSC_pipe2 fs/pipe.c:864 [inline]
SyS_pipe2 fs/pipe.c:858 [inline]
SYSC_pipe fs/pipe.c:882 [inline]
SyS_pipe+0x65/0x110 fs/pipe.c:880
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 4051:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcc/0x270 mm/slab.c:3815
free_pipe_info+0x209/0x2b0 fs/pipe.c:698
put_pipe_info+0xb3/0xd0 fs/pipe.c:575
pipe_release+0x1b6/0x250 fs/pipe.c:596
__fput+0x275/0x7a0 fs/file_table.c:210
____fput+0x16/0x20 fs/file_table.c:244
task_work_run+0x114/0x190 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x1da/0x220 arch/x86/entry/common.c:164
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4bc/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x42/0xb7
The buggy address belongs to the object at ffff88809f7e2c80
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 465 bytes inside of
512-byte region [ffff88809f7e2c80, ffff88809f7e2e80)
The buggy address belongs to the page:
page:ffffea00027df880 count:1 mapcount:0 mapping:ffff88809f7e2000 index:0x0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffff88809f7e2000 0000000000000000 0000000100000006
raw: ffffea00023b9b60 ffffea00024c1120 ffff8880aa800940 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88809f7e2d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88809f7e2d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff88809f7e2e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88809f7e2e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88809f7e2f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
Dec 4, 2019, 8:15:09 AM12/4/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 174651bd Linux 4.19.87
syzbot found the following crash on:
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17f227f2e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=c8b1666d827aa49d
dashboard link: https://syzkaller.appspot.com/bug?extid=78f3eb4775da1505c7e6
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12481282e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=162bcc2ae00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
audit: type=1400 audit(1575461460.667:36): avc: denied { map } for
pid=7685 comm="syz-executor975" path="/root/syz-executor975556075"
dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: use-after-free in memcpy include/linux/string.h:348 [inline]
==================================================================
BUG: KASAN: use-after-free in soft_cursor+0x439/0xa30
drivers/video/fbdev/core/softcursor.c:70
Read of size 9 at addr ffff8880a5169c51 by task syz-executor975/7685
CPU: 0 PID: 7685 Comm: syz-executor975 Not tainted 4.19.87-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
Google 01/01/2011
Call Trace:
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
memcpy+0x24/0x50 mm/kasan/kasan.c:302
memcpy include/linux/string.h:348 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
memcpy+0x24/0x50 mm/kasan/kasan.c:302
soft_cursor+0x439/0xa30 drivers/video/fbdev/core/softcursor.c:70
bit_cursor+0x12fc/0x1a60 drivers/video/fbdev/core/bitblit.c:386
fbcon_cursor+0x58a/0x7b0 drivers/video/fbdev/core/fbcon.c:1369
hide_cursor+0x9e/0x300 drivers/tty/vt/vt.c:895
redraw_screen+0x2ee/0x8e0 drivers/tty/vt/vt.c:988
vc_do_resize+0x118e/0x14a0 drivers/tty/vt/vt.c:1287
vc_resize+0x4d/0x60 drivers/tty/vt/vt.c:1307
vt_ioctl+0x1fe0/0x2530 drivers/tty/vt/vt_ioctl.c:887
tty_ioctl+0x7f3/0x1510 drivers/tty/tty_io.c:2669
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:688
ksys_ioctl+0xab/0xd0 fs/ioctl.c:705
__do_sys_ioctl fs/ioctl.c:712 [inline]
__se_sys_ioctl fs/ioctl.c:710 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:710
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440219
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffc5a43c378 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440219
RDX: 00000000200002c0 RSI: 000000000000560a RDI: 0000000000000004
RBP: 00000000006ca018 R08: 0000000000000001 R09: 00000000004002c8
R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000401b00
R13: 0000000000401b90 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 6003:
RDX: 00000000200002c0 RSI: 000000000000560a RDI: 0000000000000004
RBP: 00000000006ca018 R08: 0000000000000001 R09: 00000000004002c8
R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000401b00
R13: 0000000000401b90 R14: 0000000000000000 R15: 0000000000000000
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
__do_kmalloc mm/slab.c:3727 [inline]
__kmalloc+0x15d/0x750 mm/slab.c:3736
kmalloc include/linux/slab.h:520 [inline]
load_elf_phdrs+0x157/0x200 fs/binfmt_elf.c:441
load_elf_binary+0x94a/0x53a0 fs/binfmt_elf.c:838
search_binary_handler fs/exec.c:1653 [inline]
search_binary_handler+0x179/0x570 fs/exec.c:1631
exec_binprm fs/exec.c:1695 [inline]
__do_execve_file.isra.0+0x1227/0x2150 fs/exec.c:1819
do_execveat_common fs/exec.c:1866 [inline]
do_execve fs/exec.c:1883 [inline]
__do_sys_execve fs/exec.c:1964 [inline]
__se_sys_execve fs/exec.c:1959 [inline]
__x64_sys_execve+0x8f/0xc0 fs/exec.c:1959
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 6003:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3503 [inline]
kfree+0xcf/0x220 mm/slab.c:3822
load_elf_binary+0x249e/0x53a0 fs/binfmt_elf.c:1117
search_binary_handler fs/exec.c:1653 [inline]
search_binary_handler+0x179/0x570 fs/exec.c:1631
exec_binprm fs/exec.c:1695 [inline]
__do_execve_file.isra.0+0x1227/0x2150 fs/exec.c:1819
do_execveat_common fs/exec.c:1866 [inline]
do_execve fs/exec.c:1883 [inline]
__do_sys_execve fs/exec.c:1964 [inline]
__se_sys_execve fs/exec.c:1959 [inline]
__x64_sys_execve+0x8f/0xc0 fs/exec.c:1959
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8880a5169a80
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 465 bytes inside of
512-byte region [ffff8880a5169a80, ffff8880a5169c80)
The buggy address is located 465 bytes inside of
The buggy address belongs to the page:
page:ffffea0002945a40 count:1 mapcount:0 mapping:ffff88812c31c940 index:0x0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffffea0002153ac8 ffffea000281f648 ffff88812c31c940
raw: 0000000000000000 ffff8880a5169080 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a5169b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Memory state around the buggy address:
ffff8880a5169b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8880a5169c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880a5169c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880a5169d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
syzbot
Oct 26, 2020, 11:02:10 AM10/26/20
to syzkaller...@googlegroups.com
syzbot suspects this issue was fixed by commit:
commit 76fe92986c5c2fff36d8fb83e86332113b6c1725
Author: Tetsuo Handa <penguin...@I-love.SAKURA.ne.jp>
Date: Thu Sep 10 22:57:06 2020 +0000
fbcon: Fix user font detection test at fbcon_resize().
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1529c438500000
start commit: 174651bd Linux 4.19.87
git tree: linux-4.19.y
#syz fix: fbcon: Fix user font detection test at fbcon_resize().
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 76fe92986c5c2fff36d8fb83e86332113b6c1725
Author: Tetsuo Handa <penguin...@I-love.SAKURA.ne.jp>
Date: Thu Sep 10 22:57:06 2020 +0000
fbcon: Fix user font detection test at fbcon_resize().
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1529c438500000
start commit: 174651bd Linux 4.19.87
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=c8b1666d827aa49d
dashboard link: https://syzkaller.appspot.com/bug?extid=78f3eb4775da1505c7e6
dashboard link: https://syzkaller.appspot.com/bug?extid=78f3eb4775da1505c7e6
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12481282e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=162bcc2ae00000
If the result looks correct, please mark the issue as fixed by replying with:
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=162bcc2ae00000
#syz fix: fbcon: Fix user font detection test at fbcon_resize().
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Reply all
Reply to author
Forward
0 new messages