syzbot


KASAN: vmalloc-out-of-bounds Write in imageblit (2)

Status: fixed on 2023/02/24 13:50
Subsystems: fbdev
[Documentation on labels]
Reported-by: syzbot+14b0e8f3fd1612e35350@syzkaller.appspotmail.com
Fix commit: 566f9c9f8933 vt: Clear selection before changing the font
First crash: 880d, last: 588d
Cause bisection: introduced by (bisect log) :
commit 0499f419b76f94ede08304aad5851144813ac55c
Author: Javier Martinez Canillas <javierm@redhat.com>
Date: Mon Jan 10 09:56:25 2022 +0000

  video: vga16fb: Only probe for EGA and VGA 16 color graphic cards

Crash: KASAN: stack-out-of-bounds Write in imageblit (log)
Repro: C syz .config
  
Discussions (11)
Title Replies (including bot) Last reply
[PATCH 4.9 00/42] 4.9.328-rc1 review 49 (49) 2022/11/30 16:41
[PATCH 5.4 000/108] 5.4.212-rc1 review 114 (114) 2022/09/17 03:06
[PATCH 4.19 00/79] 4.19.257-rc1 review 88 (88) 2022/09/17 02:04
[PATCH 5.15 000/107] 5.15.66-rc1 review 131 (131) 2022/09/16 16:25
[PATCH 4.14 00/61] 4.14.293-rc1 review 64 (64) 2022/09/15 00:15
[PATCH 5.19 000/155] 5.19.8-rc1 review 167 (167) 2022/09/08 09:40
[PATCH 5.10 00/80] 5.10.142-rc1 review 88 (88) 2022/09/08 04:04
[PATCH] tty: vt: selection: Add check for valid tiocl_selection values 6 (6) 2022/08/05 11:13
Re: [syzbot] KASAN: vmalloc-out-of-bounds Write in imageblit (2) 1 (2) 2022/08/01 15:53
[syzbot] KASAN: vmalloc-out-of-bounds Write in imageblit (2) 12 (17) 2022/08/01 14:06
[PATCH] vt: Clear selection before changing the font 2 (2) 2022/07/31 11:32
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: vmalloc-out-of-bounds Write in imageblit fbdev C 104 899d 1193d 20/26 fixed on 2021/11/10 00:50
upstream KASAN: vmalloc-out-of-bounds Write in imageblit (3) fbdev 2 263d 259d 0/26 auto-obsoleted due to no activity on 2023/10/23 10:50
Last patch testing requests (3)
Created Duration User Patch Repo Result
2022/08/01 15:42 10m khalid.masum.92@gmail.com patch https://github.com/torvalds/linux.git 3d7cb6b04c3f report log
2022/07/30 11:46 10m khalid.masum.92@gmail.com patch https://github.com/torvalds/linux.git e0dccc3b76fb report log
2022/07/30 08:13 10m khalid.masum.92@gmail.com patch https://github.com/torvalds/linux.git e0dccc3b76fb report log

Sample crash report:
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in fast_imageblit drivers/video/fbdev/core/sysimgblt.c:257 [inline]
BUG: KASAN: vmalloc-out-of-bounds in sys_imageblit+0x1ed0/0x2240 drivers/video/fbdev/core/sysimgblt.c:323
Write of size 4 at addr ffffc90004521000 by task syz-executor127/3605

CPU: 0 PID: 3605 Comm: syz-executor127 Not tainted 5.19.0-syzkaller-02972-g200e340f2196 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0xf/0x495 mm/kasan/report.c:313
 print_report mm/kasan/report.c:429 [inline]
 kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
 fast_imageblit drivers/video/fbdev/core/sysimgblt.c:257 [inline]
 sys_imageblit+0x1ed0/0x2240 drivers/video/fbdev/core/sysimgblt.c:323
 drm_fb_helper_sys_imageblit drivers/gpu/drm/drm_fb_helper.c:825 [inline]
 drm_fbdev_fb_imageblit+0x15c/0x350 drivers/gpu/drm/drm_fb_helper.c:2328
 bit_putcs_unaligned drivers/video/fbdev/core/bitblit.c:139 [inline]
 bit_putcs+0x6e1/0xd20 drivers/video/fbdev/core/bitblit.c:188
 fbcon_putcs+0x314/0x3e0 drivers/video/fbdev/core/fbcon.c:1285
 do_update_region+0x399/0x630 drivers/tty/vt/vt.c:676
 redraw_screen+0x61f/0x740 drivers/tty/vt/vt.c:1035
 fbcon_do_set_font+0x5eb/0x6f0 drivers/video/fbdev/core/fbcon.c:2435
 fbcon_set_font+0x89d/0xab0 drivers/video/fbdev/core/fbcon.c:2522
 con_font_set drivers/tty/vt/vt.c:4666 [inline]
 con_font_op+0x73a/0xc90 drivers/tty/vt/vt.c:4710
 vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline]
 vt_ioctl+0x1efa/0x2b20 drivers/tty/vt/vt_ioctl.c:752
 tty_ioctl+0xbbd/0x15e0 drivers/tty/tty_io.c:2778
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:870 [inline]
 __se_sys_ioctl fs/ioctl.c:856 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:856
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f1d8eba0239
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf66ac9a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f1d8eba0239
RDX: 0000000020000040 RSI: 0000000000004b72 RDI: 0000000000000004
RBP: 00007ffcf66ac9c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000005
R13: 0000000000000000 R14: 00007ffcf66ac9e0 R15: 00007ffcf66ac9d0
 </TASK>

The buggy address belongs to the virtual mapping at
 [ffffc90004221000, ffffc90004522000) created by:
 drm_gem_shmem_vmap_locked drivers/gpu/drm/drm_gem_shmem_helper.c:319 [inline]
 drm_gem_shmem_vmap+0x3d7/0x5a0 drivers/gpu/drm/drm_gem_shmem_helper.c:366

Memory state around the buggy address:
 ffffc90004520f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90004520f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc90004521000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                   ^
 ffffc90004521080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90004521100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================

Crashes (701):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2022/08/11 02:51 upstream 200e340f2196 a6201f11 .config strace log report syz C ci-upstream-kasan-gce-root KASAN: vmalloc-out-of-bounds Write in imageblit
2022/07/12 08:32 upstream 5a29232d870d da3d6955 .config strace log report syz C ci-upstream-kasan-gce-root KASAN: vmalloc-out-of-bounds Write in imageblit
2022/07/18 09:35 upstream 55ea9bd66688 95cb00d1 .config strace log report syz C ci-upstream-kasan-gce-selinux-root KASAN: stack-out-of-bounds Write in imageblit
2022/04/28 04:16 upstream 8f4dd16603ce 8a1f1f07 .config console log report syz C ci-upstream-kasan-gce-root BUG: unable to handle kernel paging request in imageblit
2022/01/20 22:57 linux-next 7fc5253f5a13 b838eb76 .config console log report syz C ci-upstream-linux-next-kasan-gce-root BUG: unable to handle kernel paging request in imageblit
2022/09/03 04:12 upstream d895ec7938c4 49e94a20 .config console log report info ci-upstream-kasan-gce-root KASAN: vmalloc-out-of-bounds Write in imageblit
2022/08/26 21:53 upstream 3e5c673f0d75 e5a303f1 .config console log report info ci-upstream-kasan-gce-root KASAN: vmalloc-out-of-bounds Write in imageblit
2022/08/26 16:38 upstream 4c612826bec1 e5a303f1 .config console log report info ci-qemu-upstream KASAN: vmalloc-out-of-bounds Write in imageblit
2022/08/26 10:59 upstream 4c612826bec1 15195ea3 .config console log report info ci-upstream-kasan-gce-root KASAN: vmalloc-out-of-bounds Write in imageblit
2022/08/24 02:39 upstream df0219d11b6f cea8b0f7 .config console log report info ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Write in imageblit
2022/08/21 02:15 upstream 15b3f48a4339 26a13b38 .config console log report info ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Write in imageblit
2022/08/20 19:23 upstream 50cd95ac4654 26a13b38 .config console log report info ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Write in imageblit
2022/08/20 11:38 upstream 50cd95ac4654 26a13b38 .config console log report info ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Write in imageblit
2022/08/18 20:11 upstream 3b06a2755758 d58e263f .config console log report info ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Write in imageblit
2022/08/18 03:21 upstream 274a2eebf80c d58e263f .config console log report info ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Write in imageblit
2022/08/17 07:53 upstream 7ebfc85e2cd7 4e72d229 .config console log report info ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Write in imageblit
2022/08/17 06:24 upstream 7ebfc85e2cd7 4e72d229 .config console log report info ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Write in imageblit
2022/08/16 07:07 upstream 7ebfc85e2cd7 7a7cb304 .config console log report info ci-upstream-kasan-gce-root KASAN: vmalloc-out-of-bounds Write in imageblit
2022/08/16 04:04 upstream 7ebfc85e2cd7 8dfcaa3d .config console log report info ci-upstream-kasan-gce-root KASAN: vmalloc-out-of-bounds Write in imageblit
2022/08/15 15:06 upstream 7ebfc85e2cd7 8dfcaa3d .config console log report info ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Write in imageblit
2022/08/15 13:57 upstream 7ebfc85e2cd7 8dfcaa3d .config console log report info ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Write in imageblit
2022/08/15 07:42 upstream 7ebfc85e2cd7 8dfcaa3d .config console log report info ci-upstream-kasan-gce-selinux-root KASAN: vmalloc-out-of-bounds Write in imageblit
2022/08/13 01:31 upstream 7ebfc85e2cd7 8dfcaa3d .config console log report info ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Write in imageblit
2022/08/11 13:42 upstream 200e340f2196 787ed7e0 .config console log report info ci-upstream-kasan-gce-selinux-root KASAN: vmalloc-out-of-bounds Write in imageblit
2022/08/04 20:40 upstream 200e340f2196 1c9013ac .config console log report info ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Write in imageblit
2022/08/01 04:05 upstream 334c0ef6429f fef302b1 .config console log report info ci-upstream-kasan-gce-root KASAN: vmalloc-out-of-bounds Write in imageblit
2022/07/30 11:29 upstream e65c6a46df94 fef302b1 .config console log report info ci-upstream-kasan-gce-root KASAN: vmalloc-out-of-bounds Write in imageblit
2022/07/28 06:33 upstream 6e7765cb477a fb95c74d .config console log report info ci-upstream-kasan-gce-selinux-root KASAN: vmalloc-out-of-bounds Write in imageblit
2022/07/20 16:22 upstream ca85855bdcae 775344bc .config console log report info ci-upstream-kasan-gce-root KASAN: vmalloc-out-of-bounds Write in imageblit
2022/07/17 07:25 upstream c658cabbfd32 95cb00d1 .config console log report info ci-upstream-kasan-gce-selinux-root KASAN: vmalloc-out-of-bounds Write in imageblit
2022/07/09 19:23 upstream e5524c2a1fc4 b5765a15 .config console log report info ci-upstream-kasan-gce-root KASAN: vmalloc-out-of-bounds Write in imageblit
2022/07/01 23:19 upstream a175eca0f3d7 1434eec0 .config console log report info ci-upstream-kasan-gce KASAN: vmalloc-out-of-bounds Write in imageblit
2022/08/19 00:49 upstream 573ae4f13f63 26a13b38 .config console log report info ci-qemu-upstream-386 KASAN: vmalloc-out-of-bounds Write in imageblit
2022/08/13 11:46 upstream 69dac8e431af 8dfcaa3d .config console log report info ci-qemu-upstream-386 KASAN: vmalloc-out-of-bounds Write in imageblit
2022/07/13 10:54 upstream b047602d579b 5d921b08 .config console log report info ci-qemu-upstream-386 KASAN: vmalloc-out-of-bounds Write in imageblit
2022/07/09 23:45 upstream b1c428b6c368 b5765a15 .config console log report info ci-qemu-upstream-386 KASAN: vmalloc-out-of-bounds Write in imageblit
2022/05/31 20:20 upstream 8ab2afa23bd1 af70c3a9 .config console log report info ci-upstream-kasan-gce-386 KASAN: vmalloc-out-of-bounds Write in imageblit
2021/11/15 01:57 upstream fa55b7dcdc43 83f5c9b5 .config console log report info ci-qemu-upstream-386 KASAN: vmalloc-out-of-bounds Write in imageblit
2022/08/16 13:13 linux-next 6c8f479764eb 7a7cb304 .config console log report info ci-upstream-linux-next-kasan-gce-root KASAN: vmalloc-out-of-bounds Write in imageblit
2022/08/12 19:26 linux-next 6c8f479764eb 402cd70d .config console log report info ci-upstream-linux-next-kasan-gce-root KASAN: vmalloc-out-of-bounds Write in imageblit
2022/08/26 18:56 upstream 3e5c673f0d75 e5a303f1 .config console log report info ci-upstream-kasan-gce-smack-root BUG: unable to handle kernel paging request in imageblit
2022/08/25 22:29 upstream 3f5c20055a64 9b5bf4cd .config console log report info ci-upstream-kasan-gce-root BUG: unable to handle kernel paging request in imageblit
2022/08/25 07:24 upstream c40e8341e3b3 514514f6 .config console log report info ci-upstream-kasan-gce-root BUG: unable to handle kernel paging request in imageblit
2022/08/22 17:52 upstream 1c23f9e627a7 26a13b38 .config console log report info ci-upstream-kasan-gce-selinux-root BUG: unable to handle kernel paging request in imageblit
2022/08/19 20:15 upstream 4c2d0b039c5c 26a13b38 .config console log report info ci-upstream-kasan-gce-root KASAN: stack-out-of-bounds Write in imageblit
2022/08/14 19:44 upstream 7ebfc85e2cd7 8dfcaa3d .config console log report info ci-upstream-kasan-gce-root BUG: unable to handle kernel paging request in imageblit
2022/07/25 11:58 upstream e0dccc3b76fb 664c519c .config console log report info ci-upstream-kasan-gce-smack-root BUG: unable to handle kernel paging request in imageblit
2022/07/22 16:35 upstream 68e77ffbfd06 22343af4 .config console log report info ci-upstream-kasan-gce-smack-root KASAN: stack-out-of-bounds Write in imageblit
2022/03/25 18:07 upstream 34af78c4e616 89bc8608 .config console log report info ci-upstream-kasan-gce-smack-root KASAN: slab-out-of-bounds Read in imageblit
2022/04/01 04:36 upstream 478f74a3d808 68fc921a .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel paging request in imageblit
2022/08/28 12:06 linux-next 8d0c42c9e807 07177916 .config console log report info ci-upstream-linux-next-kasan-gce-root BUG: unable to handle kernel paging request in imageblit
2022/08/19 09:15 linux-next 8755ae45a9e8 26a13b38 .config console log report info ci-upstream-linux-next-kasan-gce-root KASAN: stack-out-of-bounds Write in imageblit
2022/09/02 11:17 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 85413d1e802e a805568e .config console log report info ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in imageblit
2022/08/30 16:13 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci a41a877bc12d 4a380809 .config console log report info ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in imageblit
2022/08/30 01:17 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci a41a877bc12d 5b44472d .config console log report info ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in imageblit
2022/08/29 14:07 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci a41a877bc12d 5b44472d .config console log report info ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in imageblit
2022/08/26 13:34 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci a41a877bc12d e5a303f1 .config console log report info ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in imageblit
2022/08/25 01:48 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci a41a877bc12d 514514f6 .config console log report info ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in imageblit
2022/08/24 14:39 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci a41a877bc12d 514514f6 .config console log report info ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in imageblit
2022/08/21 09:28 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 680fb5b009e8 26a13b38 .config console log report info ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in imageblit
* Struck through repros no longer work on HEAD.