syzbot


KASAN: slab-out-of-bounds Read in soft_cursor

Status: fixed on 2020/11/16 12:12
Subsystems: fbdev
[Documentation on labels]
Reported-by: syzbot+16469b5e8e5a72e9131e@syzkaller.appspotmail.com
Fix commit: 988d0763361b vt_ioctl: make VT_RESIZEX behave like VT_RESIZE
First crash: 1653d, last: 1344d
Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: KASAN: slab-out-of-bounds Read in soft_cursor (log)
Repro: C syz .config
  
Discussions (3)
Title Replies (including bot) Last reply
[PATCH] vt_ioctl: make VT_RESIZEX behave like VT_RESIZE 12 (12) 2021/04/12 13:30
[PATCH 5.9 00/15] 5.9.1-rc1 review 26 (26) 2020/10/19 17:02
KASAN: slab-out-of-bounds Read in soft_cursor 0 (2) 2020/01/06 09:21
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 KASAN: slab-out-of-bounds Read in soft_cursor (2) C done 8 1118d 1240d 1/1 fixed on 2021/06/23 17:43
linux-4.14 KASAN: slab-out-of-bounds Read in soft_cursor C unreliable 57 1123d 1654d 0/1 upstream: reported C repro on 2019/12/03 14:54
linux-4.19 KASAN: slab-out-of-bounds Read in soft_cursor C done 61 1316d 1654d 1/1 fixed on 2020/12/05 19:30

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:381 [inline]
BUG: KASAN: slab-out-of-bounds in soft_cursor+0x439/0xa30 drivers/video/fbdev/core/softcursor.c:70
Read of size 64 at addr ffff88809e115950 by task syz-executor166/10582

CPU: 0 PID: 10582 Comm: syz-executor166 Not tainted 5.6.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
 __kasan_report.cold+0x1b/0x32 mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:641
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x134/0x1a0 mm/kasan/generic.c:192
 memcpy+0x24/0x50 mm/kasan/common.c:127
 memcpy include/linux/string.h:381 [inline]
 soft_cursor+0x439/0xa30 drivers/video/fbdev/core/softcursor.c:70
 bit_cursor+0x12fc/0x1a60 drivers/video/fbdev/core/bitblit.c:386
 fbcon_cursor+0x487/0x660 drivers/video/fbdev/core/fbcon.c:1409
 hide_cursor+0x9d/0x2b0 drivers/tty/vt/vt.c:895
 redraw_screen+0x60b/0x7d0 drivers/tty/vt/vt.c:999
 vc_do_resize+0x10c9/0x1460 drivers/tty/vt/vt.c:1295
 vc_resize+0x4d/0x60 drivers/tty/vt/vt.c:1315
 vt_ioctl+0x207b/0x26c0 drivers/tty/vt/vt_ioctl.c:891
 tty_ioctl+0xa37/0x14f0 drivers/tty/tty_io.c:2660
 vfs_ioctl fs/ioctl.c:47 [inline]
 ksys_ioctl+0x123/0x180 fs/ioctl.c:763
 __do_sys_ioctl fs/ioctl.c:772 [inline]
 __se_sys_ioctl fs/ioctl.c:770 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440269
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffc94be72d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440269
RDX: 0000000020000080 RSI: 000000000000560a RDI: 0000000000000004
RBP: 00000000006cb018 R08: 0000000000000001 R09: 00000000004002c8
R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000401b50
R13: 0000000000401be0 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 10582:
 save_stack+0x23/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc mm/kasan/common.c:515 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:488
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529
 __do_kmalloc mm/slab.c:3656 [inline]
 __kmalloc+0x163/0x770 mm/slab.c:3665
 kmalloc include/linux/slab.h:560 [inline]
 fbcon_set_font+0x32d/0x860 drivers/video/fbdev/core/fbcon.c:2670
 con_font_set drivers/tty/vt/vt.c:4549 [inline]
 con_font_op+0xe30/0x1270 drivers/tty/vt/vt.c:4614
 vt_ioctl+0x181a/0x26c0 drivers/tty/vt/vt_ioctl.c:970
 tty_ioctl+0xa37/0x14f0 drivers/tty/tty_io.c:2660
 vfs_ioctl fs/ioctl.c:47 [inline]
 ksys_ioctl+0x123/0x180 fs/ioctl.c:763
 __do_sys_ioctl fs/ioctl.c:772 [inline]
 __se_sys_ioctl fs/ioctl.c:770 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 10359:
 save_stack+0x23/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:337 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:476
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:485
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x10a/0x2c0 mm/slab.c:3757
 tomoyo_init_log+0x15b5/0x2070 security/tomoyo/audit.c:293
 tomoyo_supervisor+0x32c/0xee0 security/tomoyo/common.c:2097
 tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
 tomoyo_env_perm+0x18e/0x210 security/tomoyo/environ.c:63
 tomoyo_environ security/tomoyo/domain.c:674 [inline]
 tomoyo_find_next_domain+0x1354/0x1f6c security/tomoyo/domain.c:881
 tomoyo_bprm_check_security security/tomoyo/tomoyo.c:107 [inline]
 tomoyo_bprm_check_security+0x124/0x1a0 security/tomoyo/tomoyo.c:97
 security_bprm_check+0x63/0xb0 security/security.c:816
 search_binary_handler+0x71/0x570 fs/exec.c:1649
 exec_binprm fs/exec.c:1705 [inline]
 __do_execve_file.isra.0+0x12fc/0x2270 fs/exec.c:1825
 do_execveat_common fs/exec.c:1871 [inline]
 do_execve fs/exec.c:1888 [inline]
 __do_sys_execve fs/exec.c:1964 [inline]
 __se_sys_execve fs/exec.c:1959 [inline]
 __x64_sys_execve+0x8f/0xc0 fs/exec.c:1959
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff88809e114000
 which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 6480 bytes inside of
 8192-byte region [ffff88809e114000, ffff88809e116000)
The buggy address belongs to the page:
page:ffffea0002784500 refcount:1 mapcount:0 mapping:ffff8880aa4021c0 index:0x0 compound_mapcount: 0
flags: 0xfffe0000010200(slab|head)
raw: 00fffe0000010200 ffffea000260a408 ffffea00021adf08 ffff8880aa4021c0
raw: 0000000000000000 ffff88809e114000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809e115800: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88809e115880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88809e115900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                 ^
 ffff88809e115980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88809e115a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (218):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/03/05 22:59 upstream 63623fd44972 c88c7b75 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/03/04 08:12 upstream 63623fd44972 c88c7b75 .config console log report syz C ci-upstream-kasan-gce-root
2020/02/29 08:19 upstream f8788d86ab28 59b57593 .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/01/07 17:37 upstream ae6088216ce4 1bcd407e .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/01/06 23:00 upstream c79f46a28239 53430d97 .config console log report syz C ci-upstream-kasan-gce-root
2020/01/06 09:20 upstream c79f46a28239 438e1227 .config console log report syz C ci-upstream-kasan-gce-root
2020/03/17 11:25 linux-next 770fbb32d34e 749688d2 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2020/01/11 16:15 linux-next 6c09d7dbb7d3 4c04afaa .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2020/10/07 16:01 upstream c85fb28b6f99 1880b4a9 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/10/01 13:33 upstream 60e720931556 a9767fb2 .config console log report info ci-upstream-kasan-gce-smack-root
2020/09/30 08:26 upstream ccc1d052eff9 5abc3f1a .config console log report info ci-upstream-kasan-gce-smack-root
2020/09/24 04:43 upstream c9c9e6a49f89 54289b08 .config console log report info ci-upstream-kasan-gce-smack-root
2020/09/21 06:13 upstream ba4f184e126b 9564d2e9 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/09/20 08:36 upstream 325d0eab4f31 53ce8104 .config console log report info ci-upstream-kasan-gce-root
2020/09/20 06:40 upstream 325d0eab4f31 53ce8104 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/09/20 04:24 upstream eb5f95f1593f 53ce8104 .config console log report info ci-upstream-kasan-gce-root
2020/09/19 17:11 upstream eb5f95f1593f 53ce8104 .config console log report info ci-upstream-kasan-gce-root
2020/09/18 13:13 upstream 4cbffc461ec9 38962c8b .config console log report info ci-upstream-kasan-gce-selinux-root
2020/09/18 09:53 upstream 4cbffc461ec9 38962c8b .config console log report info ci-upstream-kasan-gce-selinux-root
2020/09/16 17:24 upstream fc4f28bb3daf 18d7d030 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/09/16 16:47 upstream fc4f28bb3daf 18d7d030 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/09/12 07:51 upstream e8878ab82545 79fb24e2 .config console log report ci-upstream-kasan-gce-smack-root
2020/09/09 23:55 upstream 34d4ddd359db 409809d8 .config console log report ci-upstream-kasan-gce-smack-root
2020/09/07 20:12 upstream f4d51dffc6c0 abf9ba4f .config console log report ci-upstream-kasan-gce-root
2020/09/05 13:44 upstream c70672d8d316 abf9ba4f .config console log report ci-upstream-kasan-gce-smack-root
2020/08/26 10:46 upstream abb3438d69fb 344da168 .config console log report ci-upstream-kasan-gce-smack-root
2020/08/26 01:39 upstream abb3438d69fb 344da168 .config console log report ci-upstream-kasan-gce-smack-root
2020/08/23 20:53 upstream c3d8f220d012 cef5ae68 .config console log report ci-upstream-kasan-gce-selinux-root
2020/08/20 15:37 upstream 7eac66d0456f ed282a3a .config console log report ci-upstream-kasan-gce-selinux-root
2020/08/18 05:16 upstream 06a4ec1d9dc6 424dd8e7 .config console log report ci-upstream-kasan-gce-selinux-root
2020/08/17 00:42 upstream 2cc3c4b3c2e9 424dd8e7 .config console log report ci-upstream-kasan-gce-smack-root
2020/08/12 17:04 upstream c636eef2ee36 bb3e5fe6 .config console log report ci-upstream-kasan-gce-smack-root
2020/08/11 01:18 upstream fc80c51fd4b2 7adc7b65 .config console log report ci-upstream-kasan-gce-root
2020/08/10 18:31 upstream fc80c51fd4b2 7adc7b65 .config console log report ci-upstream-kasan-gce-smack-root
2020/08/10 14:33 upstream 9420f1ce0186 70301872 .config console log report ci-upstream-kasan-gce-root
2020/08/09 15:35 upstream 06a81c1c7db9 70301872 .config console log report ci-upstream-kasan-gce-selinux-root
2020/08/09 06:38 upstream 06a81c1c7db9 f721e4a0 .config console log report ci-upstream-kasan-gce-root
2020/08/08 12:18 upstream 5631c5e0eb90 ff51e522 .config console log report ci-upstream-kasan-gce-root
2020/08/08 04:39 upstream 5631c5e0eb90 ff51e522 .config console log report ci-upstream-kasan-gce-selinux-root
2020/08/05 18:57 upstream 442489c21923 b7129355 .config console log report ci-upstream-kasan-gce-selinux-root
2020/08/05 13:01 upstream 442489c21923 b7129355 .config console log report ci-upstream-kasan-gce-smack-root
2020/08/03 18:27 upstream bcf876870b95 196277c4 .config console log report ci-upstream-kasan-gce-selinux-root
2020/08/03 05:28 upstream 5a30a78924ec 196277c4 .config console log report ci-upstream-kasan-gce-selinux-root
2020/08/03 02:40 upstream 5a30a78924ec 196277c4 .config console log report ci-upstream-kasan-gce-smack-root
2020/07/27 11:20 upstream 92ed30191993 51265195 .config console log report ci-upstream-kasan-gce-root
2020/07/25 21:43 upstream 23ee3e4e5bd2 1f7cc1ca .config console log report ci-upstream-kasan-gce-root
2020/07/24 16:17 upstream f37e99aca03f 554af388 .config console log report ci-upstream-kasan-gce-smack-root
2020/07/23 11:57 upstream d15be546031c 340ea530 .config console log report ci-upstream-kasan-gce-smack-root
2020/07/20 08:50 upstream 92188b41f139 9c812472 .config console log report ci-upstream-kasan-gce-selinux-root
2020/07/18 19:22 upstream 6a70f89cc58f 9c812472 .config console log report ci-upstream-kasan-gce-selinux-root
2020/07/18 12:20 upstream 6a70f89cc58f 9c812472 .config console log report ci-upstream-kasan-gce-smack-root
2020/07/16 06:43 upstream 994e99a96c9b f3bec699 .config console log report ci-upstream-kasan-gce-smack-root
2020/07/16 00:38 upstream 994e99a96c9b ada108d0 .config console log report ci-qemu-upstream
2020/07/14 06:06 upstream 0dc589da873b ce4c95b3 .config console log report ci-upstream-kasan-gce-root
2020/07/12 14:27 upstream 0aea6d5c5be3 115e1930 .config console log report ci-upstream-kasan-gce-smack-root
2019/12/04 11:11 upstream 63de37476ebd 0ecb9746 .config console log report ci-upstream-kasan-gce-root
2020/10/08 11:57 upstream c85fb28b6f99 92390980 .config console log report info ci-qemu-upstream-386
2020/07/30 22:39 upstream e2c46b5762c6 8df85ed9 .config console log report ci-qemu-upstream-386
2020/09/20 01:27 linux-next b652d2a5f2a4 53ce8104 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/07/22 22:37 linux-next 73aece61f643 340ea530 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/12 05:01 linux-next d31958b30ea3 18d18b59 .config console log report ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.