syzbot
KASAN: global-out-of-bounds Read in bit_putcs

Status: fixed on 2020/09/25 01:17
Subsystems: fbdev
Reported-by: syzbot+38a3699c7eaf165b97a6@syzkaller.appspotmail.com
Fix commits:
  39b3cffb8cf3 fbcon: prevent user font height or width change from causing potential out-of-bounds access
  bc5269ca7650 vt_ioctl: change VT_RESIZEX ioctl to check for error return from vc_resize()
First crash: 1775d, last: 1481d
Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: KASAN: global-out-of-bounds Read in bit_putcs (log)
Repro: syz .config
Discussions (9)
Title Replies (including bot) Last reply
[PATCH 4.19 000/125] 4.19.143-rc1 review 147 (147) 2020/10/26 00:54
[PATCH 4.4 00/62] 4.4.235-rc1 review 70 (70) 2020/09/30 09:01
[PATCH 5.8 000/255] 5.8.6-rc1 review 263 (263) 2020/09/03 09:29
[PATCH 4.14 00/91] 4.14.196-rc1 review 95 (95) 2020/09/02 16:46
[PATCH 4.9 00/78] 4.9.235-rc1 review 82 (82) 2020/09/02 16:46
[PATCH 5.4 000/214] 5.4.62-rc1 review 219 (219) 2020/09/02 07:24
[PATCH 1/2] fbcon: prevent user font height or width change from causing potential out-of-bounds access 2 (2) 2020/07/31 16:33
[PATCH 1/1] vt_ioctl: prevent VT_RESIZEX font height change from causing potential out-of-bounds access 4 (4) 2020/07/29 18:50
KASAN: global-out-of-bounds Read in bit_putcs 0 (3) 2019/12/18 19:21
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: global-out-of-bounds Read in bit_putcs (2) fbdev 13 1463d 1479d 0/28 auto-closed as invalid on 2021/02/09 16:38
linux-4.14 KASAN: global-out-of-bounds Read in bit_putcs C error 241 763d 1773d 0/1 upstream: reported C repro on 2019/12/07 16:26
linux-4.19 KASAN: global-out-of-bounds Read in bit_putcs C done 214 1238d 1775d 1/1 fixed on 2021/06/24 08:01
upstream KASAN: global-out-of-bounds Read in bit_putcs (3) fbdev 4 26d 75d 0/28 upstream: reported on 2024/07/31 11:38
Last patch testing requests (3)
Created Duration User Patch Repo Result
2020/09/12 15:31 9m penguin-kernel@i-love.sakura.ne.jp patch upstream report log
2020/09/12 07:27 9m penguin-kernel@i-love.sakura.ne.jp patch upstream report log
2020/09/12 07:25 18m penguin-kernel@i-love.sakura.ne.jp upstream report log

Sample crash report:
==================================================================
BUG: KASAN: global-out-of-bounds in __fb_pad_aligned_buffer include/linux/fb.h:655 [inline]
BUG: KASAN: global-out-of-bounds in bit_putcs_aligned drivers/video/fbdev/core/bitblit.c:96 [inline]
BUG: KASAN: global-out-of-bounds in bit_putcs+0xbb6/0xd20 drivers/video/fbdev/core/bitblit.c:185
Read of size 1 at addr ffffffff88965a16 by task syz-executor471/8020

CPU: 0 PID: 8020 Comm: syz-executor471 Not tainted 5.8.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0x5/0x436 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 __fb_pad_aligned_buffer include/linux/fb.h:655 [inline]
 bit_putcs_aligned drivers/video/fbdev/core/bitblit.c:96 [inline]
 bit_putcs+0xbb6/0xd20 drivers/video/fbdev/core/bitblit.c:185
 fbcon_putcs+0x33c/0x3f0 drivers/video/fbdev/core/fbcon.c:1362
 con_flush drivers/tty/vt/vt.c:2574 [inline]
 do_con_write+0xd7a/0x7400 drivers/tty/vt/vt.c:2822
 con_write+0x22/0xb0 drivers/tty/vt/vt.c:3159
 process_output_block drivers/tty/n_tty.c:595 [inline]
 n_tty_write+0x3ce/0xf80 drivers/tty/n_tty.c:2333
 do_tty_write drivers/tty/tty_io.c:962 [inline]
 tty_write+0x4d9/0x870 drivers/tty/tty_io.c:1046
 vfs_write+0x2b0/0x6b0 fs/read_write.c:576
 ksys_write+0x12d/0x250 fs/read_write.c:631
 do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:384
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x44b209
Code: Bad RIP value.
RSP: 002b:00007f1c50a3dce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00000000006e8a38 RCX: 000000000044b209
RDX: 0000000000001006 RSI: 0000000020001040 RDI: 0000000000000006
RBP: 00000000006e8a30 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006e8a3c
R13: 00007ffc8580f5cf R14: 00007f1c50a3e9c0 R15: 20c49ba5e353f7cf

The buggy address belongs to the variable:
 oid_index+0x516/0xa00

Memory state around the buggy address:
 ffffffff88965900: 00 06 fa fa fa fa fa fa 06 fa fa fa fa fa fa fa
 ffffffff88965980: 00 00 00 04 fa fa fa fa 00 00 fa fa fa fa fa fa
>ffffffff88965a00: 00 00 06 fa fa fa fa fa 00 00 06 fa fa fa fa fa
                         ^
 ffffffff88965a80: 00 00 01 fa fa fa fa fa 06 fa fa fa fa fa fa fa
 ffffffff88965b00: 05 fa fa fa fa fa fa fa 00 06 fa fa fa fa fa fa
==================================================================

Crashes (262):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2020/07/25 03:52 upstream f37e99aca03f 554af388 .config console log report syz C ci-upstream-kasan-gce-root
2020/06/06 14:51 upstream 7ae77150d94d e6b89e4e .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/06/06 14:09 upstream 7ae77150d94d e6b89e4e .config console log report syz C ci-upstream-kasan-gce-root
2020/01/12 00:30 upstream bef1d88263ff 4c04afaa .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/01/11 17:47 upstream bef1d88263ff 4c04afaa .config console log report syz C ci-upstream-kasan-gce-root
2020/01/10 08:12 upstream e69ec487b2c7 4de4e9f0 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/01/09 06:33 upstream b07f636fca1c ddc3e859 .config console log report syz C ci-upstream-kasan-gce-root
2019/12/19 06:38 upstream 2187f215ebaa 79b211f7 .config console log report syz C ci-upstream-kasan-gce-root
2019/12/19 03:12 upstream 2187f215ebaa 79b211f7 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/06/07 07:31 linux-next e7b08814b16b e6b89e4e .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2019/12/19 05:40 linux-next b9c5ef25038d 79b211f7 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2019/12/18 19:20 linux-next b9c5ef25038d f2fe0772 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2020/07/29 06:01 upstream 6ba1b005ffc3 cb93dc6a .config console log report syz ci-upstream-kasan-gce-root
2020/07/28 07:39 upstream 92ed30191993 cb93dc6a .config console log report syz ci-upstream-kasan-gce-selinux-root
2019/12/06 16:33 upstream b0d4beaa5a4b 98b4ef2d .config console log report syz ci-upstream-kasan-gce-root
2020/07/31 08:26 linux-next 7b287a5c6ac5 8df85ed9 .config console log report syz ci-upstream-linux-next-kasan-gce-root
2020/09/24 02:52 upstream 805c6d3c1921 287cd75a .config console log report info ci-upstream-kasan-gce-root
2020/09/15 15:18 upstream fc4f28bb3daf 6989d6f6 .config console log report info ci-upstream-kasan-gce-root
2020/09/11 07:07 upstream 581cb3a26baf 409809d8 .config console log report ci-upstream-kasan-gce-root
2020/09/09 02:56 upstream 612ab8ad6414 abf9ba4f .config console log report ci-upstream-kasan-gce-selinux-root
2020/09/08 14:19 upstream f4d51dffc6c0 abf9ba4f .config console log report ci-upstream-kasan-gce-selinux-root
2020/09/08 11:21 upstream f4d51dffc6c0 abf9ba4f .config console log report ci-upstream-kasan-gce-selinux-root
2020/08/28 03:01 upstream 15bc20c6af4c 816e0689 .config console log report ci-upstream-kasan-gce-selinux-root
2020/08/24 21:16 upstream d012a7190fc1 67b599d1 .config console log report ci-upstream-kasan-gce-root
2020/08/22 09:06 upstream f873db9acd3c 6436ce4b .config console log report ci-upstream-kasan-gce-root
2020/08/10 10:20 upstream 9420f1ce0186 70301872 .config console log report ci-upstream-kasan-gce-root
2020/08/10 03:42 upstream 9420f1ce0186 70301872 .config console log report ci-upstream-kasan-gce-selinux-root
2020/08/09 18:27 upstream 06a81c1c7db9 70301872 .config console log report ci-upstream-kasan-gce-selinux-root
2020/08/08 06:30 upstream 5631c5e0eb90 ff51e522 .config console log report ci-upstream-kasan-gce-selinux-root
2020/08/07 10:05 upstream d6efb3ac3e6c cb436c69 .config console log report ci-upstream-kasan-gce-root
2020/08/06 04:48 upstream fffe3ae0ee84 0487ea6f .config console log report ci-upstream-kasan-gce-selinux-root
2020/08/04 16:33 upstream c0842fbc1b18 80a06902 .config console log report ci-upstream-kasan-gce-selinux-root
2020/08/01 10:12 upstream d8b9faec54ae d895b3be .config console log report ci-upstream-kasan-gce-root
2020/07/25 05:37 upstream f37e99aca03f 554af388 .config console log report ci-upstream-kasan-gce-root
2020/07/24 05:29 upstream d15be546031c 70c104a1 .config console log report ci-upstream-kasan-gce-selinux-root
2020/07/24 01:37 upstream d15be546031c 70c104a1 .config console log report ci-upstream-kasan-gce-selinux-root
2020/07/23 06:32 upstream 8c26c87b0532 340ea530 .config console log report ci-upstream-kasan-gce-root
2020/07/20 20:55 upstream 5714ee50bb43 4285ffa3 .config console log report ci-upstream-kasan-gce-root
2020/07/18 20:19 upstream 6a70f89cc58f 9c812472 .config console log report ci-upstream-kasan-gce-selinux-root
2020/07/18 04:07 upstream 8882572675c1 9c812472 .config console log report ci-upstream-kasan-gce-root
2020/07/17 08:00 upstream f8456690ba8e 54b3c45e .config console log report ci-upstream-kasan-gce-selinux-root
2020/07/14 18:52 upstream 0dc589da873b 609fb517 .config console log report ci-upstream-kasan-gce-root
2020/07/13 15:18 upstream 11ba468877bb f90ec899 .config console log report ci-upstream-kasan-gce-root
2020/07/13 13:32 upstream 11ba468877bb f90ec899 .config console log report ci-upstream-kasan-gce-root
2020/07/12 20:30 upstream 0aea6d5c5be3 115e1930 .config console log report ci-upstream-kasan-gce-selinux-root
2020/07/12 09:55 upstream 0aea6d5c5be3 115e1930 .config console log report ci-upstream-kasan-gce-selinux-root
2020/07/11 06:36 upstream a581387e415b 18d18b59 .config console log report ci-upstream-kasan-gce-root
2020/07/11 00:44 upstream a581387e415b 18d18b59 .config console log report ci-upstream-kasan-gce-selinux-root
2020/01/15 12:05 upstream 95e20af9fb9c fa12bd3c .config console log report ci-qemu-upstream
2019/12/05 14:53 upstream 2f13437b8917 4fb74474 .config console log report ci-upstream-kasan-gce-root
2020/01/18 21:26 upstream 8965de70cbaf bc8bc756 .config console log report ci-qemu-upstream-386
2020/08/25 19:15 linux-next 3a00d3dfd4b6 344da168 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/08/16 19:17 linux-next 4993e4fe12af 424dd8e7 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/08/13 13:14 linux-next bc09acc9f224 bc15f7db .config console log report ci-upstream-linux-next-kasan-gce-root
2020/08/12 02:11 linux-next 4c9b89d8981b bb3e5fe6 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/21 17:46 linux-next de2e69cfe54a 21f1765e .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/20 19:23 linux-next ab8be66e724e 4285ffa3 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/17 07:52 linux-next 4c43049f19a2 54b3c45e .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/14 22:33 linux-next 5fb3d6042387 609fb517 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/14 04:23 linux-next be978f8feb1d ce4c95b3 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/12 23:51 linux-next d31958b30ea3 9ebcc5b1 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/12 07:29 linux-next d31958b30ea3 115e1930 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/11 22:47 linux-next d31958b30ea3 18d18b59 .config console log report ci-upstream-linux-next-kasan-gce-root
2019/12/05 14:51 linux-next 282ffdf30a3e 4fb74474 .config console log report ci-upstream-linux-next-kasan-gce-root