KASAN: global-out-of-bounds Read in fb_pad_aligned_buffer
13 views
Skip to first unread message
syzbot
Dec 7, 2019, 5:12:09 PM12/7/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: fb683b5e Linux 4.19.88
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=10f1a42ae00000
kernel config: https://syzkaller.appspot.com/x/.config?x=aa0c39a6a0078b1c
dashboard link: https://syzkaller.appspot.com/bug?extid=fec1bdfeaaacb3730f1c
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16b5042ae00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11589c2ae00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+fec1bd...@syzkaller.appspotmail.com
audit: type=1400 audit(1575756543.617:36): avc: denied { map } for
pid=7604 comm="syz-executor052" path="/root/syz-executor052727936"
dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: global-out-of-bounds in __fb_pad_aligned_buffer
include/linux/fb.h:674 [inline]
BUG: KASAN: global-out-of-bounds in fb_pad_aligned_buffer+0x138/0x160
drivers/video/fbdev/core/fbmem.c:122
Read of size 1 at addr ffffffff87ecb836 by task syz-executor052/7604
CPU: 1 PID: 7604 Comm: syz-executor052 Not tainted 4.19.88-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.cold+0x5/0x20d mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
__asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
__fb_pad_aligned_buffer include/linux/fb.h:674 [inline]
fb_pad_aligned_buffer+0x138/0x160 drivers/video/fbdev/core/fbmem.c:122
bit_putcs_aligned drivers/video/fbdev/core/bitblit.c:99 [inline]
bit_putcs+0xd14/0xf10 drivers/video/fbdev/core/bitblit.c:185
fbcon_putcs+0x42b/0x4f0 drivers/video/fbdev/core/fbcon.c:1320
do_update_region+0x42b/0x6f0 drivers/tty/vt/vt.c:677
redraw_screen+0x602/0x8e0 drivers/tty/vt/vt.c:1013
fbcon_do_set_font+0x73a/0xa40 drivers/video/fbdev/core/fbcon.c:2583
fbcon_copy_font+0x12c/0x190 drivers/video/fbdev/core/fbcon.c:2598
con_font_copy drivers/tty/vt/vt.c:4548 [inline]
con_font_op+0x69a/0x1250 drivers/tty/vt/vt.c:4563
vt_ioctl+0x1784/0x2530 drivers/tty/vt/vt_ioctl.c:965
tty_ioctl+0x7f3/0x1510 drivers/tty/tty_io.c:2669
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:688
ksys_ioctl+0xab/0xd0 fs/ioctl.c:705
__do_sys_ioctl fs/ioctl.c:712 [inline]
__se_sys_ioctl fs/ioctl.c:710 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:710
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440269
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffc34d461a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440269
RDX: 0000000020000000 RSI: 0000000000004b72 RDI: 0000000000000004
RBP: 00000000006cb018 R08: 000000000000000d R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b50
R13: 0000000000401be0 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the variable:
oid_index+0x76/0xa60
Memory state around the buggy address:
ffffffff87ecb700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffffff87ecb780: 00 00 00 05 fa fa fa fa 00 00 00 00 00 00 00 00
> ffffffff87ecb800: 00 00 00 00 00 00 06 fa fa fa fa fa 00 02 fa fa
^
ffffffff87ecb880: fa fa fa fa 00 01 fa fa fa fa fa fa 00 00 02 fa
ffffffff87ecb900: fa fa fa fa 00 03 fa fa fa fa fa fa 00 06 fa fa
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following crash on:
HEAD commit: fb683b5e Linux 4.19.88
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=10f1a42ae00000
kernel config: https://syzkaller.appspot.com/x/.config?x=aa0c39a6a0078b1c
dashboard link: https://syzkaller.appspot.com/bug?extid=fec1bdfeaaacb3730f1c
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16b5042ae00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11589c2ae00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+fec1bd...@syzkaller.appspotmail.com
audit: type=1400 audit(1575756543.617:36): avc: denied { map } for
pid=7604 comm="syz-executor052" path="/root/syz-executor052727936"
dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: global-out-of-bounds in __fb_pad_aligned_buffer
include/linux/fb.h:674 [inline]
BUG: KASAN: global-out-of-bounds in fb_pad_aligned_buffer+0x138/0x160
drivers/video/fbdev/core/fbmem.c:122
Read of size 1 at addr ffffffff87ecb836 by task syz-executor052/7604
CPU: 1 PID: 7604 Comm: syz-executor052 Not tainted 4.19.88-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.cold+0x5/0x20d mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
__asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
__fb_pad_aligned_buffer include/linux/fb.h:674 [inline]
fb_pad_aligned_buffer+0x138/0x160 drivers/video/fbdev/core/fbmem.c:122
bit_putcs_aligned drivers/video/fbdev/core/bitblit.c:99 [inline]
bit_putcs+0xd14/0xf10 drivers/video/fbdev/core/bitblit.c:185
fbcon_putcs+0x42b/0x4f0 drivers/video/fbdev/core/fbcon.c:1320
do_update_region+0x42b/0x6f0 drivers/tty/vt/vt.c:677
redraw_screen+0x602/0x8e0 drivers/tty/vt/vt.c:1013
fbcon_do_set_font+0x73a/0xa40 drivers/video/fbdev/core/fbcon.c:2583
fbcon_copy_font+0x12c/0x190 drivers/video/fbdev/core/fbcon.c:2598
con_font_copy drivers/tty/vt/vt.c:4548 [inline]
con_font_op+0x69a/0x1250 drivers/tty/vt/vt.c:4563
vt_ioctl+0x1784/0x2530 drivers/tty/vt/vt_ioctl.c:965
tty_ioctl+0x7f3/0x1510 drivers/tty/tty_io.c:2669
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:688
ksys_ioctl+0xab/0xd0 fs/ioctl.c:705
__do_sys_ioctl fs/ioctl.c:712 [inline]
__se_sys_ioctl fs/ioctl.c:710 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:710
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440269
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffc34d461a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440269
RDX: 0000000020000000 RSI: 0000000000004b72 RDI: 0000000000000004
RBP: 00000000006cb018 R08: 000000000000000d R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b50
R13: 0000000000401be0 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the variable:
oid_index+0x76/0xa60
Memory state around the buggy address:
ffffffff87ecb700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffffff87ecb780: 00 00 00 05 fa fa fa fa 00 00 00 00 00 00 00 00
> ffffffff87ecb800: 00 00 00 00 00 00 06 fa fa fa fa fa 00 02 fa fa
^
ffffffff87ecb880: fa fa fa fa 00 01 fa fa fa fa fa fa 00 00 02 fa
ffffffff87ecb900: fa fa fa fa 00 03 fa fa fa fa fa fa 00 06 fa fa
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
Dec 7, 2019, 5:52:09 PM12/7/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: a844dc4c Linux 4.14.158
syzbot found the following crash on:
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=144ae59ce00000
kernel config: https://syzkaller.appspot.com/x/.config?x=c02bef505ffc02ff
dashboard link: https://syzkaller.appspot.com/bug?extid=d18e3321e4e1384d4441
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1609c282e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1296d1bce00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
audit: type=1400 audit(1575758976.688:36): avc: denied { map } for
pid=7036 comm="syz-executor540" path="/root/syz-executor540613663"
dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: global-out-of-bounds in __fb_pad_aligned_buffer
include/linux/fb.h:663 [inline]
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: global-out-of-bounds in __fb_pad_aligned_buffer
BUG: KASAN: global-out-of-bounds in fb_pad_aligned_buffer+0x102/0x120
drivers/video/fbdev/core/fbmem.c:122
Read of size 1 at addr ffffffff87064ff6 by task syz-executor540/7036
CPU: 1 PID: 7036 Comm: syz-executor540 Not tainted 4.14.158-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
Google 01/01/2011
Call Trace:
dump_stack+0x142/0x197 lib/dump_stack.c:58
print_address_description.cold+0x5/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
__asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:427
__fb_pad_aligned_buffer include/linux/fb.h:663 [inline]
fb_pad_aligned_buffer+0x102/0x120 drivers/video/fbdev/core/fbmem.c:122
bit_putcs_aligned drivers/video/fbdev/core/bitblit.c:99 [inline]
bit_putcs+0xbc4/0xdb0 drivers/video/fbdev/core/bitblit.c:185
fbcon_putcs+0x3c2/0x480 drivers/video/fbdev/core/fbcon.c:1298
do_update_region+0x3b3/0x650 drivers/tty/vt/vt.c:373
redraw_screen+0x589/0x7c0 drivers/tty/vt/vt.c:704
fbcon_do_set_font+0x6d1/0x9a0 drivers/video/fbdev/core/fbcon.c:2561
fbcon_copy_font+0x12c/0x190 drivers/video/fbdev/core/fbcon.c:2576
con_font_copy drivers/tty/vt/vt.c:4218 [inline]
con_font_op+0x5c6/0x1060 drivers/tty/vt/vt.c:4233
vt_ioctl+0x179f/0x2170 drivers/tty/vt/vt_ioctl.c:979
tty_ioctl+0x841/0x1320 drivers/tty/tty_io.c:2661
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x7ae/0x1060 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x440269
RSP: 002b:00007ffc87e75d78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440269
RDX: 0000000020000000 RSI: 0000000000004b72 RDI: 0000000000000004
RBP: 00000000006cb018 R08: 000000000000000d R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b50
R13: 0000000000401be0 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the variable:
oid_index+0x76/0x9a0
RDX: 0000000020000000 RSI: 0000000000004b72 RDI: 0000000000000004
RBP: 00000000006cb018 R08: 000000000000000d R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b50
R13: 0000000000401be0 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the variable:
Memory state around the buggy address:
ffffffff87064f00: 00 00 00 00 00 00 00 00 00 00 00 05 fa fa fa fa
> ffffffff87064f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 fa
^
ffffffff87065000: fa fa fa fa 00 02 fa fa fa fa fa fa 00 01 fa fa
ffffffff87065080: fa fa fa fa 00 00 02 fa fa fa fa fa 00 03 fa fa
syzbot
Nov 27, 2020, 2:02:09 PM11/27/20
to syzkaller...@googlegroups.com
syzbot suspects this issue was fixed by commit:
commit 6612b754ac0c85ca8b1181b5d3ea4461a8c1bbcb
Author: Daniel Vetter <daniel...@ffwll.ch>
Date: Sun Nov 8 15:38:06 2020 +0000
vt: Disable KD_FONT_OP_COPY
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1101ce8b500000
start commit: fb683b5e Linux 4.19.88
git tree: linux-4.19.y
#syz fix: vt: Disable KD_FONT_OP_COPY
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 6612b754ac0c85ca8b1181b5d3ea4461a8c1bbcb
Author: Daniel Vetter <daniel...@ffwll.ch>
Date: Sun Nov 8 15:38:06 2020 +0000
vt: Disable KD_FONT_OP_COPY
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1101ce8b500000
start commit: fb683b5e Linux 4.19.88
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=aa0c39a6a0078b1c
dashboard link: https://syzkaller.appspot.com/bug?extid=fec1bdfeaaacb3730f1c
dashboard link: https://syzkaller.appspot.com/bug?extid=fec1bdfeaaacb3730f1c
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16b5042ae00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11589c2ae00000
If the result looks correct, please mark the issue as fixed by replying with:
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11589c2ae00000
#syz fix: vt: Disable KD_FONT_OP_COPY
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Reply all
Reply to author
Forward
0 new messages