KASAN: global-out-of-bounds Read in fbcon_get_font
25 views
Skip to first unread message
syzbot
Dec 3, 2019, 3:40:09 AM12/3/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 174651bd Linux 4.19.87
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1079382ee00000
kernel config: https://syzkaller.appspot.com/x/.config?x=d306897dc6e131b7
dashboard link: https://syzkaller.appspot.com/bug?extid=31388007bce57db44c24
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d37446e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17679446e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+313880...@syzkaller.appspotmail.com
audit: type=1400 audit(1575358552.108:36): avc: denied { map } for
pid=8073 comm="syz-executor287" path="/root/syz-executor287027879"
dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: global-out-of-bounds in memcpy include/linux/string.h:348
[inline]
BUG: KASAN: global-out-of-bounds in fbcon_get_font+0x2b2/0x5e0
drivers/video/fbdev/core/fbcon.c:2443
Read of size 28 at addr ffffffff87ec9dd8 by task syz-executor287/8074
CPU: 0 PID: 8074 Comm: syz-executor287 Not tainted 4.19.87-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.cold+0x5/0x20d mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
memcpy+0x24/0x50 mm/kasan/kasan.c:302
memcpy include/linux/string.h:348 [inline]
fbcon_get_font+0x2b2/0x5e0 drivers/video/fbdev/core/fbcon.c:2443
con_font_get drivers/tty/vt/vt.c:4400 [inline]
con_font_op+0x20b/0x1250 drivers/tty/vt/vt.c:4559
vt_ioctl+0xd2e/0x2530 drivers/tty/vt/vt_ioctl.c:913
tty_ioctl+0x7f3/0x1510 drivers/tty/tty_io.c:2669
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:688
ksys_ioctl+0xab/0xd0 fs/ioctl.c:705
__do_sys_ioctl fs/ioctl.c:712 [inline]
__se_sys_ioctl fs/ioctl.c:710 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:710
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4497f9
Code: e8 ec b9 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 ab d6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f4a156bfce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000006dac28 RCX: 00000000004497f9
RDX: 0000000020000140 RSI: 0000000000004b60 RDI: 0000000000000005
RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac2c
R13: 00007ffdcbecf8bf R14: 00007f4a156c09c0 R15: 20c49ba5e353f7cf
The buggy address belongs to the variable:
fontdata_8x16+0xff8/0x1120
Memory state around the buggy address:
ffffffff87ec9c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffffff87ec9d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffffffff87ec9d80: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
^
ffffffff87ec9e00: 06 fa fa fa fa fa fa fa 05 fa fa fa fa fa fa fa
ffffffff87ec9e80: 06 fa fa fa fa fa fa fa 00 00 03 fa fa fa fa fa
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following crash on:
HEAD commit: 174651bd Linux 4.19.87
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1079382ee00000
kernel config: https://syzkaller.appspot.com/x/.config?x=d306897dc6e131b7
dashboard link: https://syzkaller.appspot.com/bug?extid=31388007bce57db44c24
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d37446e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17679446e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+313880...@syzkaller.appspotmail.com
audit: type=1400 audit(1575358552.108:36): avc: denied { map } for
pid=8073 comm="syz-executor287" path="/root/syz-executor287027879"
dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: global-out-of-bounds in memcpy include/linux/string.h:348
[inline]
BUG: KASAN: global-out-of-bounds in fbcon_get_font+0x2b2/0x5e0
drivers/video/fbdev/core/fbcon.c:2443
Read of size 28 at addr ffffffff87ec9dd8 by task syz-executor287/8074
CPU: 0 PID: 8074 Comm: syz-executor287 Not tainted 4.19.87-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.cold+0x5/0x20d mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
memcpy+0x24/0x50 mm/kasan/kasan.c:302
memcpy include/linux/string.h:348 [inline]
fbcon_get_font+0x2b2/0x5e0 drivers/video/fbdev/core/fbcon.c:2443
con_font_get drivers/tty/vt/vt.c:4400 [inline]
con_font_op+0x20b/0x1250 drivers/tty/vt/vt.c:4559
vt_ioctl+0xd2e/0x2530 drivers/tty/vt/vt_ioctl.c:913
tty_ioctl+0x7f3/0x1510 drivers/tty/tty_io.c:2669
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:688
ksys_ioctl+0xab/0xd0 fs/ioctl.c:705
__do_sys_ioctl fs/ioctl.c:712 [inline]
__se_sys_ioctl fs/ioctl.c:710 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:710
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4497f9
Code: e8 ec b9 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 ab d6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f4a156bfce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000006dac28 RCX: 00000000004497f9
RDX: 0000000020000140 RSI: 0000000000004b60 RDI: 0000000000000005
RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac2c
R13: 00007ffdcbecf8bf R14: 00007f4a156c09c0 R15: 20c49ba5e353f7cf
The buggy address belongs to the variable:
fontdata_8x16+0xff8/0x1120
Memory state around the buggy address:
ffffffff87ec9c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffffff87ec9d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffffffff87ec9d80: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
^
ffffffff87ec9e00: 06 fa fa fa fa fa fa fa 05 fa fa fa fa fa fa fa
ffffffff87ec9e80: 06 fa fa fa fa fa fa fa 00 00 03 fa fa fa fa fa
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
Dec 3, 2019, 8:04:10 AM12/3/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: fbc5fe7a Linux 4.14.157
syzbot found the following crash on:
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=152aa90ee00000
kernel config: https://syzkaller.appspot.com/x/.config?x=d49d9f4045dcfa5d
dashboard link: https://syzkaller.appspot.com/bug?extid=b4b0445a9d0c9f5a0a45
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15612e41e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10f3742ae00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
audit: type=1400 audit(1575374389.467:36): avc: denied { map } for
pid=6967 comm="syz-executor404" path="/root/syz-executor404919193"
dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: global-out-of-bounds in memcpy include/linux/string.h:347
==================================================================
[inline]
BUG: KASAN: global-out-of-bounds in fbcon_get_font+0x288/0x550
drivers/video/fbdev/core/fbcon.c:2421
Read of size 28 at addr ffffffff87063798 by task syz-executor404/6970
CPU: 0 PID: 6970 Comm: syz-executor404 Not tainted 4.14.157-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
Google 01/01/2011
Call Trace:
dump_stack+0x142/0x197 lib/dump_stack.c:58
print_address_description.cold+0x5/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
memcpy+0x24/0x50 mm/kasan/kasan.c:302
memcpy include/linux/string.h:347 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
memcpy+0x24/0x50 mm/kasan/kasan.c:302
fbcon_get_font+0x288/0x550 drivers/video/fbdev/core/fbcon.c:2421
con_font_get drivers/tty/vt/vt.c:4078 [inline]
con_font_op+0x1d5/0x1060 drivers/tty/vt/vt.c:4229
vt_ioctl+0xb80/0x2170 drivers/tty/vt/vt_ioctl.c:927
tty_ioctl+0x841/0x1320 drivers/tty/tty_io.c:2661
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x7ae/0x1060 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x44a6f9
RSP: 002b:00007fb3ab111ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000006dbc38 RCX: 000000000044a6f9
RDX: 0000000020000140 RSI: 0000000000004b60 RDI: 0000000000000005
RBP: 00000000006dbc30 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc3c
R13: 00007ffd7095347f R14: 00007fb3ab1129c0 R15: 20c49ba5e353f7cf
The buggy address belongs to the variable:
fontdata_8x16+0xff8/0x1120
Memory state around the buggy address:
ffffffff87063700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffffffff87063780: 00 00 00 00 fa fa fa fa 06 fa fa fa fa fa fa fa
^
ffffffff87063800: 05 fa fa fa fa fa fa fa 06 fa fa fa fa fa fa fa
ffffffff87063880: 00 00 03 fa fa fa fa fa 00 00 00 00 00 00 00 00
syzbot
Nov 8, 2020, 6:49:07 PM11/8/20
to syzkaller...@googlegroups.com
syzbot suspects this issue was fixed by commit:
commit 43198a5b1c42e3d8aadc6524a73bb3aa3666cd43
Author: Peilin Ye <yepei...@gmail.com>
Date: Thu Sep 24 13:43:48 2020 +0000
fbcon: Fix global-out-of-bounds read in fbcon_get_font()
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1452068a500000
start commit: c7ecf3e3 Linux 4.19.92
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=f1b833aa58e7216b
dashboard link: https://syzkaller.appspot.com/bug?extid=31388007bce57db44c24
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=147f549ee00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12f8649ee00000
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: fbcon: Fix global-out-of-bounds read in fbcon_get_font()
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 43198a5b1c42e3d8aadc6524a73bb3aa3666cd43
Author: Peilin Ye <yepei...@gmail.com>
Date: Thu Sep 24 13:43:48 2020 +0000
fbcon: Fix global-out-of-bounds read in fbcon_get_font()
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1452068a500000
start commit: c7ecf3e3 Linux 4.19.92
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=f1b833aa58e7216b
dashboard link: https://syzkaller.appspot.com/bug?extid=31388007bce57db44c24
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=147f549ee00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12f8649ee00000
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: fbcon: Fix global-out-of-bounds read in fbcon_get_font()
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot
Nov 13, 2020, 10:37:15 AM11/13/20
to syzkaller...@googlegroups.com
syzbot suspects this issue was fixed by commit:
commit 30386c13a1bfb0d1ce59ea83b825aa73bd516bc5
Author: Peilin Ye <yepei...@gmail.com>
Date: Thu Sep 24 13:43:48 2020 +0000
fbcon: Fix global-out-of-bounds read in fbcon_get_font()
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=172e1cc2500000
Date: Thu Sep 24 13:43:48 2020 +0000
fbcon: Fix global-out-of-bounds read in fbcon_get_font()
start commit: 050272a0 Linux 4.14.177
git tree: linux-4.14.y
kernel config: https://syzkaller.appspot.com/x/.config?x=b24dc669afb42f8b
dashboard link: https://syzkaller.appspot.com/bug?extid=b4b0445a9d0c9f5a0a45
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1607767fe00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=164fc4b0100000
Reply all
Reply to author
Forward
0 new messages