KASAN: slab-out-of-bounds Read in soft_cursor (2)
10 views
Skip to first unread message
syzbot
Jan 20, 2021, 3:35:16 AM1/20/21
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 43d555d8 Linux 4.19.169
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13ea9b00d00000
kernel config: https://syzkaller.appspot.com/x/.config?x=2c45e5cf79a63e8f
dashboard link: https://syzkaller.appspot.com/bug?extid=f1f9bc8c8cdcafc5ccfc
compiler: gcc (GCC) 10.1.0-syz 20200507
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f1f9bc...@syzkaller.appspotmail.com
ldm_validate_privheads(): Disk read failed.
loop3: p2 < >
loop3: partition table partially beyond EOD, truncated
==================================================================
BUG: KASAN: slab-out-of-bounds in soft_cursor+0x96b/0xa30 drivers/video/fbdev/core/softcursor.c:61
Read of size 1 at addr ffff88809db20548 by task kworker/0:3/15346
CPU: 0 PID: 15346 Comm: kworker/0:3 Not tainted 4.19.169-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events_power_efficient fb_flashcursor
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load1_noabort+0x88/0x90 mm/kasan/report.c:430
soft_cursor+0x96b/0xa30 drivers/video/fbdev/core/softcursor.c:61
bit_cursor+0x1126/0x1740 drivers/video/fbdev/core/bitblit.c:377
fb_flashcursor+0x38c/0x430 drivers/video/fbdev/core/fbcon.c:379
process_one_work+0x864/0x1570 kernel/workqueue.c:2155
worker_thread+0x64c/0x1130 kernel/workqueue.c:2298
kthread+0x33f/0x460 kernel/kthread.c:259
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Allocated by task 27401:
__do_kmalloc mm/slab.c:3727 [inline]
__kmalloc+0x15a/0x3c0 mm/slab.c:3736
kmalloc include/linux/slab.h:520 [inline]
fbcon_set_font+0x34f/0x8a0 drivers/video/fbdev/core/fbcon.c:2479
con_font_set drivers/tty/vt/vt.c:4537 [inline]
con_font_op+0x92e/0xef0 drivers/tty/vt/vt.c:4581
vt_ioctl+0x116b/0x2380 drivers/tty/vt/vt_ioctl.c:938
tty_ioctl+0x5b0/0x15c0 drivers/tty/tty_io.c:2669
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0xcdb/0x12e0 fs/ioctl.c:688
ksys_ioctl+0x9b/0xc0 fs/ioctl.c:705
__do_sys_ioctl fs/ioctl.c:712 [inline]
__se_sys_ioctl fs/ioctl.c:710 [inline]
__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 4696:
__cache_free mm/slab.c:3503 [inline]
kfree+0xcc/0x210 mm/slab.c:3822
kernfs_fop_release+0x120/0x190 fs/kernfs/file.c:783
__fput+0x2ce/0x890 fs/file_table.c:278
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff88809db20340
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 8 bytes to the right of
512-byte region [ffff88809db20340, ffff88809db20540)
The buggy address belongs to the page:
page:ffffea000276c800 count:1 mapcount:0 mapping:ffff88813bff0940 index:0xffff88809db20ac0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea0002afe9c8 ffffea0001272408 ffff88813bff0940
raw: ffff88809db20ac0 ffff88809db200c0 0000000100000002 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88809db20400: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
ffff88809db20480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88809db20500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88809db20580: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
ffff88809db20600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: 43d555d8 Linux 4.19.169
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13ea9b00d00000
kernel config: https://syzkaller.appspot.com/x/.config?x=2c45e5cf79a63e8f
dashboard link: https://syzkaller.appspot.com/bug?extid=f1f9bc8c8cdcafc5ccfc
compiler: gcc (GCC) 10.1.0-syz 20200507
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f1f9bc...@syzkaller.appspotmail.com
ldm_validate_privheads(): Disk read failed.
loop3: p2 < >
loop3: partition table partially beyond EOD, truncated
==================================================================
BUG: KASAN: slab-out-of-bounds in soft_cursor+0x96b/0xa30 drivers/video/fbdev/core/softcursor.c:61
Read of size 1 at addr ffff88809db20548 by task kworker/0:3/15346
CPU: 0 PID: 15346 Comm: kworker/0:3 Not tainted 4.19.169-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events_power_efficient fb_flashcursor
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load1_noabort+0x88/0x90 mm/kasan/report.c:430
soft_cursor+0x96b/0xa30 drivers/video/fbdev/core/softcursor.c:61
bit_cursor+0x1126/0x1740 drivers/video/fbdev/core/bitblit.c:377
fb_flashcursor+0x38c/0x430 drivers/video/fbdev/core/fbcon.c:379
process_one_work+0x864/0x1570 kernel/workqueue.c:2155
worker_thread+0x64c/0x1130 kernel/workqueue.c:2298
kthread+0x33f/0x460 kernel/kthread.c:259
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Allocated by task 27401:
__do_kmalloc mm/slab.c:3727 [inline]
__kmalloc+0x15a/0x3c0 mm/slab.c:3736
kmalloc include/linux/slab.h:520 [inline]
fbcon_set_font+0x34f/0x8a0 drivers/video/fbdev/core/fbcon.c:2479
con_font_set drivers/tty/vt/vt.c:4537 [inline]
con_font_op+0x92e/0xef0 drivers/tty/vt/vt.c:4581
vt_ioctl+0x116b/0x2380 drivers/tty/vt/vt_ioctl.c:938
tty_ioctl+0x5b0/0x15c0 drivers/tty/tty_io.c:2669
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0xcdb/0x12e0 fs/ioctl.c:688
ksys_ioctl+0x9b/0xc0 fs/ioctl.c:705
__do_sys_ioctl fs/ioctl.c:712 [inline]
__se_sys_ioctl fs/ioctl.c:710 [inline]
__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 4696:
__cache_free mm/slab.c:3503 [inline]
kfree+0xcc/0x210 mm/slab.c:3822
kernfs_fop_release+0x120/0x190 fs/kernfs/file.c:783
__fput+0x2ce/0x890 fs/file_table.c:278
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff88809db20340
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 8 bytes to the right of
512-byte region [ffff88809db20340, ffff88809db20540)
The buggy address belongs to the page:
page:ffffea000276c800 count:1 mapcount:0 mapping:ffff88813bff0940 index:0xffff88809db20ac0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea0002afe9c8 ffffea0001272408 ffff88813bff0940
raw: ffff88809db20ac0 ffff88809db200c0 0000000100000002 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88809db20400: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
ffff88809db20480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88809db20500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88809db20580: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
ffff88809db20600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Apr 10, 2021, 1:10:27 PM4/10/21
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: 830a059c Linux 4.19.186
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1306df7ed00000
kernel config: https://syzkaller.appspot.com/x/.config?x=7415cc95f9edb7b9
dashboard link: https://syzkaller.appspot.com/bug?extid=f1f9bc8c8cdcafc5ccfc
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11f62c6ad00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15dd9381d00000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f1f9bc...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:377 [inline]
BUG: KASAN: slab-out-of-bounds in soft_cursor+0x44b/0xa30 drivers/video/fbdev/core/softcursor.c:70
Read of size 15 at addr ffff8880a997c970 by task kworker/0:2/3545
CPU: 0 PID: 3545 Comm: kworker/0:2 Not tainted 4.19.186-syzkaller #0
memcpy+0x20/0x50 mm/kasan/kasan.c:302
memcpy include/linux/string.h:377 [inline]
soft_cursor+0x44b/0xa30 drivers/video/fbdev/core/softcursor.c:70
worker_thread+0x64c/0x1130 kernel/workqueue.c:2295
con_font_set drivers/tty/vt/vt.c:4537 [inline]
con_font_op+0x94b/0xf20 drivers/tty/vt/vt.c:4581
search_binary_handler.part.0+0xf9/0x4e0 fs/exec.c:1668
search_binary_handler fs/exec.c:1657 [inline]
exec_binprm fs/exec.c:1710 [inline]
__do_execve_file+0x1357/0x2360 fs/exec.c:1832
do_execveat_common fs/exec.c:1879 [inline]
do_execve+0x35/0x50 fs/exec.c:1896
__do_sys_execve fs/exec.c:1977 [inline]
__se_sys_execve fs/exec.c:1972 [inline]
__x64_sys_execve+0x7c/0xa0 fs/exec.c:1972
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8880a997c780
512-byte region [ffff8880a997c780, ffff8880a997c980)
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea00028ceb88 ffffea0002c2a9c8 ffff88813bff0940
raw: 0000000000000000 ffff8880a997c000 0000000100000006 0000000000000000
ffff8880a997c880: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880a997c900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8880a997c980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880a997ca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
HEAD commit: 830a059c Linux 4.19.186
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1306df7ed00000
kernel config: https://syzkaller.appspot.com/x/.config?x=7415cc95f9edb7b9
dashboard link: https://syzkaller.appspot.com/bug?extid=f1f9bc8c8cdcafc5ccfc
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11f62c6ad00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15dd9381d00000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f1f9bc...@syzkaller.appspotmail.com
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:377 [inline]
BUG: KASAN: slab-out-of-bounds in soft_cursor+0x44b/0xa30 drivers/video/fbdev/core/softcursor.c:70
Read of size 15 at addr ffff8880a997c970 by task kworker/0:2/3545
CPU: 0 PID: 3545 Comm: kworker/0:2 Not tainted 4.19.186-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events_power_efficient fb_flashcursor
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
kasan_report+0x8f/0xa0 mm/kasan/report.c:412
Workqueue: events_power_efficient fb_flashcursor
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
memcpy+0x20/0x50 mm/kasan/kasan.c:302
memcpy include/linux/string.h:377 [inline]
soft_cursor+0x44b/0xa30 drivers/video/fbdev/core/softcursor.c:70
bit_cursor+0x1126/0x1740 drivers/video/fbdev/core/bitblit.c:377
fb_flashcursor+0x38c/0x430 drivers/video/fbdev/core/fbcon.c:379
process_one_work+0x864/0x1570 kernel/workqueue.c:2152
fb_flashcursor+0x38c/0x430 drivers/video/fbdev/core/fbcon.c:379
worker_thread+0x64c/0x1130 kernel/workqueue.c:2295
kthread+0x33f/0x460 kernel/kthread.c:259
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Allocated by task 8107:
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
__do_kmalloc mm/slab.c:3727 [inline]
__kmalloc+0x15a/0x3c0 mm/slab.c:3736
kmalloc include/linux/slab.h:520 [inline]
fbcon_set_font+0x34f/0x8a0 drivers/video/fbdev/core/fbcon.c:2482
__kmalloc+0x15a/0x3c0 mm/slab.c:3736
kmalloc include/linux/slab.h:520 [inline]
con_font_set drivers/tty/vt/vt.c:4537 [inline]
con_font_op+0x94b/0xf20 drivers/tty/vt/vt.c:4581
vt_ioctl+0x116b/0x2380 drivers/tty/vt/vt_ioctl.c:938
tty_ioctl+0x5b0/0x15c0 drivers/tty/tty_io.c:2669
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0xcdb/0x12e0 fs/ioctl.c:688
ksys_ioctl+0x9b/0xc0 fs/ioctl.c:705
__do_sys_ioctl fs/ioctl.c:712 [inline]
__se_sys_ioctl fs/ioctl.c:710 [inline]
__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 7808:
tty_ioctl+0x5b0/0x15c0 drivers/tty/tty_io.c:2669
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0xcdb/0x12e0 fs/ioctl.c:688
ksys_ioctl+0x9b/0xc0 fs/ioctl.c:705
__do_sys_ioctl fs/ioctl.c:712 [inline]
__se_sys_ioctl fs/ioctl.c:710 [inline]
__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
__cache_free mm/slab.c:3503 [inline]
kfree+0xcc/0x210 mm/slab.c:3822
load_elf_binary+0x2349/0x5050 fs/binfmt_elf.c:1117
kfree+0xcc/0x210 mm/slab.c:3822
search_binary_handler.part.0+0xf9/0x4e0 fs/exec.c:1668
search_binary_handler fs/exec.c:1657 [inline]
exec_binprm fs/exec.c:1710 [inline]
__do_execve_file+0x1357/0x2360 fs/exec.c:1832
do_execveat_common fs/exec.c:1879 [inline]
do_execve+0x35/0x50 fs/exec.c:1896
__do_sys_execve fs/exec.c:1977 [inline]
__se_sys_execve fs/exec.c:1972 [inline]
__x64_sys_execve+0x7c/0xa0 fs/exec.c:1972
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8880a997c780
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 496 bytes inside of
512-byte region [ffff8880a997c780, ffff8880a997c980)
The buggy address belongs to the page:
page:ffffea0002a65f00 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea00028ceb88 ffffea0002c2a9c8 ffff88813bff0940
raw: 0000000000000000 ffff8880a997c000 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a997c800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Memory state around the buggy address:
ffff8880a997c880: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880a997c900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8880a997c980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880a997ca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
syzbot
Jun 22, 2021, 12:37:06 AM6/22/21
to syzkaller...@googlegroups.com
syzbot suspects this issue was fixed by commit:
commit 8c5ec4a731e1e2d9b6906bcde62de57a609a9b86
Author: Maciej W. Rozycki <ma...@orcam.me.uk>
Date: Thu May 13 09:51:50 2021 +0000
vt: Fix character height handling with VT_RESIZEX
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=127330c8300000
start commit: 3c8c2309 Linux 4.19.190
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=d3c2572d41264a3d
dashboard link: https://syzkaller.appspot.com/bug?extid=f1f9bc8c8cdcafc5ccfc
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=127f27add00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15f76de7d00000
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: vt: Fix character height handling with VT_RESIZEX
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 8c5ec4a731e1e2d9b6906bcde62de57a609a9b86
Author: Maciej W. Rozycki <ma...@orcam.me.uk>
Date: Thu May 13 09:51:50 2021 +0000
vt: Fix character height handling with VT_RESIZEX
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=127330c8300000
start commit: 3c8c2309 Linux 4.19.190
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=d3c2572d41264a3d
dashboard link: https://syzkaller.appspot.com/bug?extid=f1f9bc8c8cdcafc5ccfc
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=127f27add00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15f76de7d00000
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: vt: Fix character height handling with VT_RESIZEX
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Reply all
Reply to author
Forward
0 new messages