KASAN: global-out-of-bounds Read in bit_putcs
26 views
Skip to first unread message
syzbot
Dec 4, 2019, 5:22:09 PM12/4/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 174651bd Linux 4.19.87
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14fa042ae00000
kernel config: https://syzkaller.appspot.com/x/.config?x=c8b1666d827aa49d
dashboard link: https://syzkaller.appspot.com/bug?extid=ad860af63ebefdb5ee25
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1687d59ce00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=132e7e41e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+ad860a...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: global-out-of-bounds in __fb_pad_aligned_buffer
include/linux/fb.h:674 [inline]
BUG: KASAN: global-out-of-bounds in bit_putcs_aligned
drivers/video/fbdev/core/bitblit.c:96 [inline]
BUG: KASAN: global-out-of-bounds in bit_putcs+0xd5d/0xf10
drivers/video/fbdev/core/bitblit.c:185
Read of size 1 at addr ffffffff87ecaea0 by task syz-executor617/16508
CPU: 0 PID: 16508 Comm: syz-executor617 Not tainted 4.19.87-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.cold+0x5/0x20d mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
__asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
__fb_pad_aligned_buffer include/linux/fb.h:674 [inline]
bit_putcs_aligned drivers/video/fbdev/core/bitblit.c:96 [inline]
bit_putcs+0xd5d/0xf10 drivers/video/fbdev/core/bitblit.c:185
fbcon_putcs+0x42b/0x4f0 drivers/video/fbdev/core/fbcon.c:1320
con_flush drivers/tty/vt/vt.c:2522 [inline]
do_con_write.part.0+0xfb1/0x1eb0 drivers/tty/vt/vt.c:2772
do_con_write drivers/tty/vt/vt.c:2541 [inline]
con_write+0x46/0xd0 drivers/tty/vt/vt.c:3110
process_output_block drivers/tty/n_tty.c:593 [inline]
n_tty_write+0x3f9/0x10f0 drivers/tty/n_tty.c:2331
do_tty_write drivers/tty/tty_io.c:960 [inline]
tty_write+0x458/0x7a0 drivers/tty/tty_io.c:1044
__vfs_write+0x114/0x810 fs/read_write.c:485
vfs_write+0x20c/0x560 fs/read_write.c:549
ksys_write+0x14f/0x2d0 fs/read_write.c:599
__do_sys_write fs/read_write.c:611 [inline]
__se_sys_write fs/read_write.c:608 [inline]
__x64_sys_write+0x73/0xb0 fs/read_write.c:608
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x448349
Code: e8 4c 15 03 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 cb 05 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f1127d83ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00000000006dec68 RCX: 0000000000448349
RDX: 0000000000800000 RSI: 0000000020000000 RDI: 0000000000000004
RBP: 00000000006dec60 R08: 00007f1127d84700 R09: 0000000000000000
R10: 00007f1127d84700 R11: 0000000000000246 R12: 00000000006dec6c
R13: 00007ffd67765a0f R14: 00007f1127d849c0 R15: 0000000000000003
The buggy address belongs to the variable:
str__msr__trace_system_name+0x140/0x940
Memory state around the buggy address:
ffffffff87ecad80: fa fa fa fa 00 00 01 fa fa fa fa fa 04 fa fa fa
ffffffff87ecae00: fa fa fa fa 00 00 00 00 06 fa fa fa fa fa fa fa
> ffffffff87ecae80: 00 00 00 fa fa fa fa fa 00 00 00 fa fa fa fa fa
^
ffffffff87ecaf00: 00 00 00 03 fa fa fa fa 00 00 00 04 fa fa fa fa
ffffffff87ecaf80: 00 00 00 00 03 fa fa fa fa fa fa fa 00 00 07 fa
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following crash on:
HEAD commit: 174651bd Linux 4.19.87
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14fa042ae00000
kernel config: https://syzkaller.appspot.com/x/.config?x=c8b1666d827aa49d
dashboard link: https://syzkaller.appspot.com/bug?extid=ad860af63ebefdb5ee25
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1687d59ce00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=132e7e41e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+ad860a...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: global-out-of-bounds in __fb_pad_aligned_buffer
include/linux/fb.h:674 [inline]
BUG: KASAN: global-out-of-bounds in bit_putcs_aligned
drivers/video/fbdev/core/bitblit.c:96 [inline]
BUG: KASAN: global-out-of-bounds in bit_putcs+0xd5d/0xf10
drivers/video/fbdev/core/bitblit.c:185
Read of size 1 at addr ffffffff87ecaea0 by task syz-executor617/16508
CPU: 0 PID: 16508 Comm: syz-executor617 Not tainted 4.19.87-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.cold+0x5/0x20d mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
__asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
__fb_pad_aligned_buffer include/linux/fb.h:674 [inline]
bit_putcs_aligned drivers/video/fbdev/core/bitblit.c:96 [inline]
bit_putcs+0xd5d/0xf10 drivers/video/fbdev/core/bitblit.c:185
fbcon_putcs+0x42b/0x4f0 drivers/video/fbdev/core/fbcon.c:1320
con_flush drivers/tty/vt/vt.c:2522 [inline]
do_con_write.part.0+0xfb1/0x1eb0 drivers/tty/vt/vt.c:2772
do_con_write drivers/tty/vt/vt.c:2541 [inline]
con_write+0x46/0xd0 drivers/tty/vt/vt.c:3110
process_output_block drivers/tty/n_tty.c:593 [inline]
n_tty_write+0x3f9/0x10f0 drivers/tty/n_tty.c:2331
do_tty_write drivers/tty/tty_io.c:960 [inline]
tty_write+0x458/0x7a0 drivers/tty/tty_io.c:1044
__vfs_write+0x114/0x810 fs/read_write.c:485
vfs_write+0x20c/0x560 fs/read_write.c:549
ksys_write+0x14f/0x2d0 fs/read_write.c:599
__do_sys_write fs/read_write.c:611 [inline]
__se_sys_write fs/read_write.c:608 [inline]
__x64_sys_write+0x73/0xb0 fs/read_write.c:608
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x448349
Code: e8 4c 15 03 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 cb 05 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f1127d83ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00000000006dec68 RCX: 0000000000448349
RDX: 0000000000800000 RSI: 0000000020000000 RDI: 0000000000000004
RBP: 00000000006dec60 R08: 00007f1127d84700 R09: 0000000000000000
R10: 00007f1127d84700 R11: 0000000000000246 R12: 00000000006dec6c
R13: 00007ffd67765a0f R14: 00007f1127d849c0 R15: 0000000000000003
The buggy address belongs to the variable:
str__msr__trace_system_name+0x140/0x940
Memory state around the buggy address:
ffffffff87ecad80: fa fa fa fa 00 00 01 fa fa fa fa fa 04 fa fa fa
ffffffff87ecae00: fa fa fa fa 00 00 00 00 06 fa fa fa fa fa fa fa
> ffffffff87ecae80: 00 00 00 fa fa fa fa fa 00 00 00 fa fa fa fa fa
^
ffffffff87ecaf00: 00 00 00 03 fa fa fa fa 00 00 00 04 fa fa fa fa
ffffffff87ecaf80: 00 00 00 00 03 fa fa fa fa fa fa fa 00 00 07 fa
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
Dec 7, 2019, 11:26:10 AM12/7/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: a844dc4c Linux 4.14.158
syzbot found the following crash on:
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=160c5c2ee00000
kernel config: https://syzkaller.appspot.com/x/.config?x=e820c54dee153942
dashboard link: https://syzkaller.appspot.com/bug?extid=8acda8a641bee9ac5ac3
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
RDX: 00000000000000a0 RSI: 0000000020000200 RDI: 0000000000000004
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fae1472b6d4
R13: 00000000004d3860 R14: 00000000004e5470 R15: 0000000000000005
==================================================================
BUG: KASAN: global-out-of-bounds in __fb_pad_aligned_buffer
include/linux/fb.h:663 [inline]
BUG: KASAN: global-out-of-bounds in __fb_pad_aligned_buffer
BUG: KASAN: global-out-of-bounds in bit_putcs_aligned
drivers/video/fbdev/core/bitblit.c:96 [inline]
BUG: KASAN: global-out-of-bounds in bit_putcs+0xc09/0xdb0
drivers/video/fbdev/core/bitblit.c:96 [inline]
drivers/video/fbdev/core/bitblit.c:185
Read of size 1 at addr ffffffff87064760 by task syz-executor.1/15667
CPU: 1 PID: 15667 Comm: syz-executor.1 Not tainted 4.14.158-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
Google 01/01/2011
Call Trace:
dump_stack+0x142/0x197 lib/dump_stack.c:58
print_address_description.cold+0x5/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
__asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:427
__fb_pad_aligned_buffer include/linux/fb.h:663 [inline]
bit_putcs_aligned drivers/video/fbdev/core/bitblit.c:96 [inline]
bit_putcs+0xc09/0xdb0 drivers/video/fbdev/core/bitblit.c:185
fbcon_putcs+0x3c2/0x480 drivers/video/fbdev/core/fbcon.c:1298
do_update_region+0x3b3/0x650 drivers/tty/vt/vt.c:373
redraw_screen+0x589/0x7c0 drivers/tty/vt/vt.c:704
fbcon_do_set_font+0x6d1/0x9a0 drivers/video/fbdev/core/fbcon.c:2561
fbcon_copy_font+0x12c/0x190 drivers/video/fbdev/core/fbcon.c:2576
con_font_copy drivers/tty/vt/vt.c:4218 [inline]
con_font_op+0x5c6/0x1060 drivers/tty/vt/vt.c:4233
vt_ioctl+0x179f/0x2170 drivers/tty/vt/vt_ioctl.c:979
tty_ioctl+0x841/0x1320 drivers/tty/tty_io.c:2661
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x7ae/0x1060 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45a6f9
RSP: 002b:00007ff458081c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a6f9
RDX: 0000000020000000 RSI: 0000000000004b72 RDI: 0000000000000008
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff4580826d4
R13: 00000000004c382b R14: 00000000004d8cd8 R15: 00000000ffffffff
The buggy address belongs to the variable:
Memory state around the buggy address:
ffffffff87064680: 00 00 00 fa fa fa fa fa 00 00 00 fa fa fa fa fa
> ffffffff87064700: 00 00 00 03 fa fa fa fa 00 00 00 04 fa fa fa fa
^
ffffffff87064780: 00 00 00 00 03 fa fa fa fa fa fa fa 00 00 07 fa
ffffffff87064800: fa fa fa fa 00 00 00 00 00 00 03 fa fa fa fa fa
syzbot
Dec 18, 2019, 7:16:08 PM12/18/19
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:
HEAD commit: bfb9e5c0 Linux 4.14.159
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16520671e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=8b2dd838381e2c80
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11a5c849e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+8acda8...@syzkaller.appspotmail.com
audit: type=1400 audit(1576714386.432:36): avc: denied { map } for
pid=7074 comm="syz-executor337" path="/root/syz-executor337776476"
dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
CPU: 0 PID: 7074 Comm: syz-executor337 Not tainted 4.14.159-syzkaller #0
redraw_screen+0x589/0x7c0 drivers/tty/vt/vt.c:704
vc_do_resize+0xc8a/0xec0 drivers/tty/vt/vt.c:954
vc_resize+0x4d/0x60 drivers/tty/vt/vt.c:974
vt_ioctl+0x10a8/0x2170 drivers/tty/vt/vt_ioctl.c:901
RSP: 002b:00007ffd273c5f58 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000443f89
RDX: 0000000020000000 RSI: 000000000000560a RDI: 0000000000000004
RBP: 00000000006cf018 R08: 0000000000000000 R09: 00000000004002e0
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401c90
R13: 0000000000401d20 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the variable:
oid_index+0x600/0x9a0
Memory state around the buggy address:
ffffffff87065580: fa fa fa fa 00 00 00 00 fa fa fa fa 00 00 00 fa
ffffffff87065600: fa fa fa fa 00 00 00 00 fa fa fa fa 04 fa fa fa
> ffffffff87065680: fa fa fa fa 00 01 fa fa fa fa fa fa 04 fa fa fa
^
ffffffff87065700: fa fa fa fa 04 fa fa fa fa fa fa fa 07 fa fa fa
ffffffff87065780: fa fa fa fa 04 fa fa fa fa fa fa fa 05 fa fa fa
==================================================================
HEAD commit: bfb9e5c0 Linux 4.14.159
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16520671e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=8b2dd838381e2c80
dashboard link: https://syzkaller.appspot.com/bug?extid=8acda8a641bee9ac5ac3
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=103abf2ee00000
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11a5c849e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+8acda8...@syzkaller.appspotmail.com
pid=7074 comm="syz-executor337" path="/root/syz-executor337776476"
dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: global-out-of-bounds in __fb_pad_aligned_buffer
include/linux/fb.h:663 [inline]
BUG: KASAN: global-out-of-bounds in bit_putcs_aligned
drivers/video/fbdev/core/bitblit.c:96 [inline]
BUG: KASAN: global-out-of-bounds in bit_putcs+0xc09/0xdb0
drivers/video/fbdev/core/bitblit.c:185
Read of size 1 at addr ffffffff87065680 by task syz-executor337/7074
BUG: KASAN: global-out-of-bounds in __fb_pad_aligned_buffer
include/linux/fb.h:663 [inline]
BUG: KASAN: global-out-of-bounds in bit_putcs_aligned
drivers/video/fbdev/core/bitblit.c:96 [inline]
BUG: KASAN: global-out-of-bounds in bit_putcs+0xc09/0xdb0
drivers/video/fbdev/core/bitblit.c:185
CPU: 0 PID: 7074 Comm: syz-executor337 Not tainted 4.14.159-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
print_address_description.cold+0x5/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
__asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:427
__fb_pad_aligned_buffer include/linux/fb.h:663 [inline]
bit_putcs_aligned drivers/video/fbdev/core/bitblit.c:96 [inline]
bit_putcs+0xc09/0xdb0 drivers/video/fbdev/core/bitblit.c:185
fbcon_putcs+0x3c2/0x480 drivers/video/fbdev/core/fbcon.c:1298
do_update_region+0x2c6/0x650 drivers/tty/vt/vt.c:363
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
print_address_description.cold+0x5/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
__asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:427
__fb_pad_aligned_buffer include/linux/fb.h:663 [inline]
bit_putcs_aligned drivers/video/fbdev/core/bitblit.c:96 [inline]
bit_putcs+0xc09/0xdb0 drivers/video/fbdev/core/bitblit.c:185
fbcon_putcs+0x3c2/0x480 drivers/video/fbdev/core/fbcon.c:1298
redraw_screen+0x589/0x7c0 drivers/tty/vt/vt.c:704
vc_do_resize+0xc8a/0xec0 drivers/tty/vt/vt.c:954
vc_resize+0x4d/0x60 drivers/tty/vt/vt.c:974
vt_ioctl+0x10a8/0x2170 drivers/tty/vt/vt_ioctl.c:901
tty_ioctl+0x841/0x1320 drivers/tty/tty_io.c:2661
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x7ae/0x1060 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x443f89
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x7ae/0x1060 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RSP: 002b:00007ffd273c5f58 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000443f89
RDX: 0000000020000000 RSI: 000000000000560a RDI: 0000000000000004
RBP: 00000000006cf018 R08: 0000000000000000 R09: 00000000004002e0
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401c90
R13: 0000000000401d20 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the variable:
Memory state around the buggy address:
ffffffff87065600: fa fa fa fa 00 00 00 00 fa fa fa fa 04 fa fa fa
> ffffffff87065680: fa fa fa fa 00 01 fa fa fa fa fa fa 04 fa fa fa
^
ffffffff87065700: fa fa fa fa 04 fa fa fa fa fa fa fa 07 fa fa fa
ffffffff87065780: fa fa fa fa 04 fa fa fa fa fa fa fa 05 fa fa fa
==================================================================
syzbot
Jun 23, 2021, 11:36:05 PM6/23/21
to syzkaller...@googlegroups.com
syzbot suspects this issue was fixed by commit:
commit 8c5ec4a731e1e2d9b6906bcde62de57a609a9b86
Author: Maciej W. Rozycki <ma...@orcam.me.uk>
Date: Thu May 13 09:51:50 2021 +0000
vt: Fix character height handling with VT_RESIZEX
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=17cd4ae8300000
start commit: 610bdbf6 Linux 4.19.166
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=18ac8e7164be61b2
dashboard link: https://syzkaller.appspot.com/bug?extid=ad860af63ebefdb5ee25
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16afb6e0d00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10095648d00000
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: vt: Fix character height handling with VT_RESIZEX
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 8c5ec4a731e1e2d9b6906bcde62de57a609a9b86
Author: Maciej W. Rozycki <ma...@orcam.me.uk>
Date: Thu May 13 09:51:50 2021 +0000
vt: Fix character height handling with VT_RESIZEX
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=17cd4ae8300000
start commit: 610bdbf6 Linux 4.19.166
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=18ac8e7164be61b2
dashboard link: https://syzkaller.appspot.com/bug?extid=ad860af63ebefdb5ee25
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16afb6e0d00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10095648d00000
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: vt: Fix character height handling with VT_RESIZEX
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Reply all
Reply to author
Forward
0 new messages