[BUG] KASAN: vmalloc-out-of-bounds Write in __vb2_perform_fileio on v6.17


Bai, Shuangpeng

Oct 12, 2025, 8:04:29 PM
to tf...@chromium.org, m.szyp...@samsung.com, mch...@kernel.org, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzk...@googlegroups.com
Hi Kernel Maintainers,

Our tool found a new kernel bug "KASAN: vmalloc-out-of-bounds Write in __vb2_perform_fileio". Please see the details below.


Kernel commit: 6.17
Kernel config: attachment
C/Syz reproducer: attachment

I’m happy to test debug patches or provide additional information.

BUG: KASAN: vmalloc-out-of-bounds in instrument_copy_from_user_before include/linux/instrumented.h:129 [inline]
BUG: KASAN: vmalloc-out-of-bounds in _inline_copy_from_user include/linux/uaccess.h:177 [inline]
BUG: KASAN: vmalloc-out-of-bounds in _copy_from_user+0x6a/0xb0 lib/usercopy.c:18
Write of size 4096 at addr ffffc9001032b000 by task syz.0.17/11062

CPU: 1 UID: 0 PID: 11062 Comm: syz.0.17 Not tainted 6.17.0 #1 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x19e/0x560 mm/kasan/report.c:482
 kasan_report+0x143/0x180 mm/kasan/report.c:595
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x2b4/0x2c0 mm/kasan/generic.c:189
 instrument_copy_from_user_before include/linux/instrumented.h:129 [inline]
 _inline_copy_from_user include/linux/uaccess.h:177 [inline]
 _copy_from_user+0x6a/0xb0 lib/usercopy.c:18
 copy_from_user include/linux/uaccess.h:212 [inline]
 __vb2_perform_fileio+0xac2/0x1990 drivers/media/common/videobuf2/videobuf2-core.c:3103
 vb2_fop_write+0x21c/0x330 drivers/media/common/videobuf2/videobuf2-v4l2.c:1189
 v4l2_write+0x1a6/0x2c0 drivers/media/v4l2-core/v4l2-dev.c:333
 vfs_write+0x2be/0xe00 fs/read_write.c:684
 ksys_pwrite64 fs/read_write.c:793 [inline]
 __do_sys_pwrite64 fs/read_write.c:801 [inline]
 __se_sys_pwrite64 fs/read_write.c:798 [inline]
 __x64_sys_pwrite64+0x1b3/0x240 fs/read_write.c:798
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xf7/0x470 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5625dae49d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff20154028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012
RAX: ffffffffffffffda RBX: 00007f5626025fa0 RCX: 00007f5625dae49d
RDX: 0000000000001000 RSI: 0000200000000480 RDI: 0000000000000003
RBP: 00007f5625e48268 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f5626025fac R14: 00007f5626025fa0 R15: 0000000000000000
 </TASK>

The buggy address belongs to a vmalloc virtual mapping
Memory state around the buggy address:
 ffffc9001032af00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc9001032af80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffffc9001032b000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                   ^
 ffffc9001032b080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc9001032b100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================

Best,
Shuangpeng

ATT64358.config
repro.c

Marek Szyprowski

Oct 16, 2025, 7:21:45 AM
to Bai, Shuangpeng, tf...@chromium.org, mch...@kernel.org, Hans Verkuil, syzk...@googlegroups.com
Hi

On 13.10.2025 02:04, Bai, Shuangpeng wrote:
> Hi Kernel Maintainers,
>
> Our tool found a new kernel bug "KASAN: vmalloc-out-of-bounds Write in
> __vb2_perform_fileio". Please see the details below.
>
>
> Kernel commit: 6.17
> Kernel config: attachment
> C/Syz reproducer: attachment
>
> I’m happy to test debug patches or provide additional information.

Thanks for the report and the example that reproduces this bug. I've
sent a patch fixing this issue:

https://lore.kernel.org/all/20251016111154.993...@samsung.com/

I didn't add 'Reported-by' or 'Closes' tags, because this report didn't
reach any public mailing list. If you would like to have some credit for
that patch, feel free to reply to the above thread with the fix.

Best regards
--
Marek Szyprowski, PhD
Samsung R&D Institute Poland
