KASAN: out-of-bounds Read in trace_event_raw_event_sys_enter
5 peržiūros
Praleisti ir pereiti prie pirmo neskaityto pranešimo
syzbot
2020-01-29 20:06:162020-01-29
kam: syzkaller-upst...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: b3a60822 Merge branch 'for-v5.6' of git://git.kernel.org:/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12cd4776e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=5766bb49c0bc43b9
dashboard link: https://syzkaller.appspot.com/bug?extid=6b7461d615c77b3e2383
compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
CC: [b.zoln...@samsung.com dri-...@lists.freedesktop.org linux...@vger.kernel.org linux-...@vger.kernel.org]
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6b7461...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: out-of-bounds in syscall_get_arguments arch/x86/include/asm/syscall.h:131 [inline]
BUG: KASAN: out-of-bounds in trace_event_raw_event_sys_enter+0x12d/0x4d0 include/trace/events/syscalls.h:18
Read of size 8 at addr ffffc900086f7668 by task syz-executor.5/26701
CPU: 1 PID: 26701 Comm: syz-executor.5 Not tainted 5.5.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fb/0x318 lib/dump_stack.c:118
print_address_description+0x74/0x5c0 mm/kasan/report.c:374
__kasan_report+0x149/0x1c0 mm/kasan/report.c:506
kasan_report+0x26/0x50 mm/kasan/common.c:639
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
syscall_get_arguments arch/x86/include/asm/syscall.h:131 [inline]
trace_event_raw_event_sys_enter+0x12d/0x4d0 include/trace/events/syscalls.h:18
</IRQ>
RIP: 0010:__writeq arch/x86/include/asm/io.h:98 [inline]
RIP: 0010:bitfill_aligned+0x15d/0x200 drivers/video/fbdev/core/cfbfillrect.c:70
Code: 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 4d 89 34 24 4d 89 74 24 08 4d 89 74 24 10 4d 89 74 24 18 4d 89 74 24 20 4d 89 74 24 28 <4d> 89 74 24 30 4d 89 74 24 38 83 c3 f8 83 fb 07 76 16 49 83 c4 38
RSP: 0018:ffffc900086f7710 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
RAX: ffffffff83cbf478 RBX: 0000000003e13405 RCX: 0000000000040000
RDX: ffffc9001522b000 RSI: 000000000003ffff RDI: 0000000000040000
RBP: ffffc900086f7760 R08: ffffffff83cbf42d R09: 0000000000000040
R10: ffff888049f80300 R11: 0000000000000002 R12: ffff888001005fd8
R13: 0000000000000000 R14: 0000000000000000 R15: ffffffffffffffff
cfb_fillrect+0x57b/0x7a0 drivers/video/fbdev/core/cfbfillrect.c:327
vga16fb_fillrect+0x642/0x1470 drivers/video/fbdev/vga16fb.c:951
bit_clear_margins+0x25a/0x620 drivers/video/fbdev/core/bitblit.c:224
fbcon_clear_margins drivers/video/fbdev/core/fbcon.c:1372 [inline]
fbcon_switch+0x1504/0x1f10 drivers/video/fbdev/core/fbcon.c:2354
redraw_screen+0x56e/0x1830 drivers/tty/vt/vt.c:997
fbcon_modechanged+0x810/0xdf0 drivers/video/fbdev/core/fbcon.c:2991
fbcon_update_vcs+0x31/0x40 drivers/video/fbdev/core/fbcon.c:3038
fb_set_var+0x8f5/0xdc0 drivers/video/fbdev/core/fbmem.c:1051
do_fb_ioctl+0x55e/0x780 drivers/video/fbdev/core/fbmem.c:1104
fb_ioctl+0xb9/0xf0 drivers/video/fbdev/core/fbmem.c:1180
do_vfs_ioctl+0x6e2/0x19b0 fs/ioctl.c:47
ksys_ioctl fs/ioctl.c:749 [inline]
__do_sys_ioctl fs/ioctl.c:756 [inline]
__se_sys_ioctl fs/ioctl.c:754 [inline]
__x64_sys_ioctl+0xe3/0x120 fs/ioctl.c:754
do_syscall_64+0xf7/0x1c0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45b349
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fefb1c25c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fefb1c266d4 RCX: 000000000045b349
RDX: 0000000020000000 RSI: 0000000000004601 RDI: 0000000000000004
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000002ea R14: 00000000004c3f3a R15: 000000000075bf2c
Memory state around the buggy address:
ffffc900086f7500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc900086f7580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc900086f7600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
ffffc900086f7680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc900086f7700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: b3a60822 Merge branch 'for-v5.6' of git://git.kernel.org:/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12cd4776e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=5766bb49c0bc43b9
dashboard link: https://syzkaller.appspot.com/bug?extid=6b7461d615c77b3e2383
compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
CC: [b.zoln...@samsung.com dri-...@lists.freedesktop.org linux...@vger.kernel.org linux-...@vger.kernel.org]
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6b7461...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: out-of-bounds in syscall_get_arguments arch/x86/include/asm/syscall.h:131 [inline]
BUG: KASAN: out-of-bounds in trace_event_raw_event_sys_enter+0x12d/0x4d0 include/trace/events/syscalls.h:18
Read of size 8 at addr ffffc900086f7668 by task syz-executor.5/26701
CPU: 1 PID: 26701 Comm: syz-executor.5 Not tainted 5.5.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fb/0x318 lib/dump_stack.c:118
print_address_description+0x74/0x5c0 mm/kasan/report.c:374
__kasan_report+0x149/0x1c0 mm/kasan/report.c:506
kasan_report+0x26/0x50 mm/kasan/common.c:639
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
syscall_get_arguments arch/x86/include/asm/syscall.h:131 [inline]
trace_event_raw_event_sys_enter+0x12d/0x4d0 include/trace/events/syscalls.h:18
</IRQ>
RIP: 0010:__writeq arch/x86/include/asm/io.h:98 [inline]
RIP: 0010:bitfill_aligned+0x15d/0x200 drivers/video/fbdev/core/cfbfillrect.c:70
Code: 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 4d 89 34 24 4d 89 74 24 08 4d 89 74 24 10 4d 89 74 24 18 4d 89 74 24 20 4d 89 74 24 28 <4d> 89 74 24 30 4d 89 74 24 38 83 c3 f8 83 fb 07 76 16 49 83 c4 38
RSP: 0018:ffffc900086f7710 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
RAX: ffffffff83cbf478 RBX: 0000000003e13405 RCX: 0000000000040000
RDX: ffffc9001522b000 RSI: 000000000003ffff RDI: 0000000000040000
RBP: ffffc900086f7760 R08: ffffffff83cbf42d R09: 0000000000000040
R10: ffff888049f80300 R11: 0000000000000002 R12: ffff888001005fd8
R13: 0000000000000000 R14: 0000000000000000 R15: ffffffffffffffff
cfb_fillrect+0x57b/0x7a0 drivers/video/fbdev/core/cfbfillrect.c:327
vga16fb_fillrect+0x642/0x1470 drivers/video/fbdev/vga16fb.c:951
bit_clear_margins+0x25a/0x620 drivers/video/fbdev/core/bitblit.c:224
fbcon_clear_margins drivers/video/fbdev/core/fbcon.c:1372 [inline]
fbcon_switch+0x1504/0x1f10 drivers/video/fbdev/core/fbcon.c:2354
redraw_screen+0x56e/0x1830 drivers/tty/vt/vt.c:997
fbcon_modechanged+0x810/0xdf0 drivers/video/fbdev/core/fbcon.c:2991
fbcon_update_vcs+0x31/0x40 drivers/video/fbdev/core/fbcon.c:3038
fb_set_var+0x8f5/0xdc0 drivers/video/fbdev/core/fbmem.c:1051
do_fb_ioctl+0x55e/0x780 drivers/video/fbdev/core/fbmem.c:1104
fb_ioctl+0xb9/0xf0 drivers/video/fbdev/core/fbmem.c:1180
do_vfs_ioctl+0x6e2/0x19b0 fs/ioctl.c:47
ksys_ioctl fs/ioctl.c:749 [inline]
__do_sys_ioctl fs/ioctl.c:756 [inline]
__se_sys_ioctl fs/ioctl.c:754 [inline]
__x64_sys_ioctl+0xe3/0x120 fs/ioctl.c:754
do_syscall_64+0xf7/0x1c0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45b349
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fefb1c25c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fefb1c266d4 RCX: 000000000045b349
RDX: 0000000020000000 RSI: 0000000000004601 RDI: 0000000000000004
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000002ea R14: 00000000004c3f3a R15: 000000000075bf2c
Memory state around the buggy address:
ffffc900086f7500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc900086f7580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc900086f7600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
ffffc900086f7680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc900086f7700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
2020-04-28 16:07:122020-04-28
kam: syzkaller-upst...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Atsakyti visiems
Atsakyti autoriui
Persiųsti
0 naujų pranešimų