syzbot

KASAN: slab-out-of-bounds Read in soft_cursor

Status: fixed on 2020/12/05 19:30
Reported-by: syzbot+3c1761f3a15eb7727765@syzkaller.appspotmail.com
Fix commit: 3e1600cc10df ALSA: hda: fix a runtime pm issue in SOF when integrated GPU is disabled
First crash: 1604d, last: 1266d
Fix bisection: fixed by:
commit 3e1600cc10dffe654e2699fe9ec4d546cb7c1a30
Author: Rander Wang <rander.wang@intel.com>
Date: Wed Sep 2 15:42:18 2020 +0000

  ALSA: hda: fix a runtime pm issue in SOF when integrated GPU is disabled

Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 KASAN: slab-out-of-bounds Read in soft_cursor (2) C done 8 1068d 1190d 1/1 fixed on 2021/06/23 17:43
linux-4.14 KASAN: slab-out-of-bounds Read in soft_cursor C unreliable 57 1073d 1604d 0/1 upstream: reported C repro on 2019/12/03 14:54
upstream KASAN: slab-out-of-bounds Read in soft_cursor fbdev C done 218 1294d 1603d 15/26 fixed on 2020/11/16 12:12

Sample crash report:
audit: type=1400 audit(1582984968.118:36): avc:  denied  { map } for  pid=8546 comm="syz-executor577" path="/root/syz-executor577970905" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:348 [inline]
BUG: KASAN: slab-out-of-bounds in soft_cursor+0x448/0xa20 drivers/video/fbdev/core/softcursor.c:70
Read of size 64 at addr ffff888093cab3d0 by task syz-executor577/8546

CPU: 0 PID: 8546 Comm: syz-executor577 Not tainted 4.19.107-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x188/0x20d lib/dump_stack.c:118
 print_address_description.cold+0x7c/0x212 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report mm/kasan/report.c:412 [inline]
 kasan_report.cold+0x88/0x2b9 mm/kasan/report.c:396
 memcpy+0x20/0x50 mm/kasan/kasan.c:302
 memcpy include/linux/string.h:348 [inline]
 soft_cursor+0x448/0xa20 drivers/video/fbdev/core/softcursor.c:70
 bit_cursor+0x1230/0x1900 drivers/video/fbdev/core/bitblit.c:386
 fbcon_cursor+0x572/0x760 drivers/video/fbdev/core/fbcon.c:1369
 hide_cursor+0x99/0x2f0 drivers/tty/vt/vt.c:895
 redraw_screen+0x2ed/0x870 drivers/tty/vt/vt.c:999
 vc_do_resize+0x109e/0x13a0 drivers/tty/vt/vt.c:1298
 vt_ioctl+0x1dff/0x2310 drivers/tty/vt/vt_ioctl.c:891
 tty_ioctl+0x7a1/0x1420 drivers/tty/tty_io.c:2669
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:501 [inline]
 do_vfs_ioctl+0xcda/0x12e0 fs/ioctl.c:688
 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:705
 __do_sys_ioctl fs/ioctl.c:712 [inline]
 __se_sys_ioctl fs/ioctl.c:710 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440269
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffec15e1b38 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440269
RDX: 0000000020000080 RSI: 000000000000560a RDI: 0000000000000004
RBP: 00000000006cb018 R08: 0000000000000001 R09: 00000000004002c8
R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000401b50
R13: 0000000000401be0 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 8546:
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc mm/kasan/kasan.c:553 [inline]
 kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:531
 __do_kmalloc mm/slab.c:3727 [inline]
 __kmalloc+0x15b/0x770 mm/slab.c:3736
 kmalloc include/linux/slab.h:520 [inline]
 fbcon_set_font+0x331/0x870 drivers/video/fbdev/core/fbcon.c:2641
 con_font_set drivers/tty/vt/vt.c:4503 [inline]
 con_font_op+0xd3e/0x1130 drivers/tty/vt/vt.c:4568
 vt_ioctl+0x1615/0x2310 drivers/tty/vt/vt_ioctl.c:970
 tty_ioctl+0x7a1/0x1420 drivers/tty/tty_io.c:2669
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:501 [inline]
 do_vfs_ioctl+0xcda/0x12e0 fs/ioctl.c:688
 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:705
 __do_sys_ioctl fs/ioctl.c:712 [inline]
 __se_sys_ioctl fs/ioctl.c:710 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff888093ca9a80
 which belongs to the cache kmalloc-8192 of size 8192
The buggy address is located 6480 bytes inside of
 8192-byte region [ffff888093ca9a80, ffff888093caba80)
The buggy address belongs to the page:
page:ffffea00024f2a00 count:1 mapcount:0 mapping:ffff88812c3d5080 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffffea00024faa08 ffffea00024ea208 ffff88812c3d5080
raw: 0000000000000000 ffff888093ca9a80 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888093cab280: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888093cab300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888093cab380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                 ^
 ffff888093cab400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888093cab480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (61):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2020/02/29 14:05 linux-4.19.y a083db76118d c88c7b75 .config console log report syz C ci2-linux-4-19
2020/01/06 10:21 linux-4.19.y 3d40d7117e35 438e1227 .config console log report syz C ci2-linux-4-19
2019/12/03 10:39 linux-4.19.y 174651bdf802 ab342da3 .config console log report syz C ci2-linux-4-19
2020/11/05 14:57 linux-4.19.y b94de4d19498 cba33199 .config console log report info ci2-linux-4-19
2020/10/27 11:25 linux-4.19.y ad326970d25c 94942294 .config console log report info ci2-linux-4-19
2020/10/11 00:06 linux-4.19.y a1b977b49b66 4a77ae0b .config console log report info ci2-linux-4-19
2020/10/07 15:58 linux-4.19.y a1b977b49b66 1880b4a9 .config console log report info ci2-linux-4-19
2020/09/16 22:18 linux-4.19.y a87f96283793 77507d02 .config console log report info ci2-linux-4-19
2020/09/07 04:35 linux-4.19.y c37da90efff5 abf9ba4f .config console log report ci2-linux-4-19
2020/08/26 17:38 linux-4.19.y f6d5cb9e2c06 318430cb .config console log report ci2-linux-4-19
2020/08/24 13:12 linux-4.19.y d18b78abc0c6 67b599d1 .config console log report ci2-linux-4-19
2020/08/01 19:13 linux-4.19.y 13af6c74b14a 8df85ed9 .config console log report ci2-linux-4-19
2020/07/30 22:18 linux-4.19.y 205a42ce2861 8df85ed9 .config console log report ci2-linux-4-19
2020/07/25 11:41 linux-4.19.y 20b3a3dfdf6c 1f7cc1ca .config console log report ci2-linux-4-19
2020/07/20 10:48 linux-4.19.y 17a87580a885 8caeeeb7 .config console log report ci2-linux-4-19
2020/07/16 11:26 linux-4.19.y 17a87580a885 b090c643 .config console log report ci2-linux-4-19
2020/06/26 12:02 linux-4.19.y a39e75458e1c b202c7a8 .config console log report ci2-linux-4-19
2020/06/25 14:54 linux-4.19.y a39e75458e1c c7b4497a .config console log report ci2-linux-4-19
2020/06/22 22:17 linux-4.19.y b3a99fd385fa 1afe1535 .config console log report ci2-linux-4-19
2020/06/19 02:46 linux-4.19.y 3fc898571b97 bc258b50 .config console log report ci2-linux-4-19
2020/06/17 05:22 linux-4.19.y 3fc898571b97 b9f3810b .config console log report ci2-linux-4-19
2020/06/13 07:11 linux-4.19.y 3fc898571b97 f4724dd3 .config console log report ci2-linux-4-19
2020/06/08 23:45 linux-4.19.y 106fa147d3da 0d60b78a .config console log report ci2-linux-4-19
2020/06/07 09:55 linux-4.19.y 4707d8e57273 2c2b926c .config console log report ci2-linux-4-19
2020/05/27 19:51 linux-4.19.y 2d16cf4817bc 9072c126 .config console log report ci2-linux-4-19
2020/05/27 17:17 linux-4.19.y 2d16cf4817bc 9072c126 .config console log report ci2-linux-4-19
2020/05/18 10:36 linux-4.19.y 258f0cf7ac3b 24d91142 .config console log report ci2-linux-4-19
2020/05/09 15:38 linux-4.19.y 84920cc7fbe1 88cb3e92 .config console log report ci2-linux-4-19
2020/05/06 15:02 linux-4.19.y 84920cc7fbe1 4618eb2d .config console log report ci2-linux-4-19
2020/05/05 17:39 linux-4.19.y fdc072324f3c 4b76dd25 .config console log report ci2-linux-4-19
2020/05/05 13:22 linux-4.19.y fdc072324f3c 4b76dd25 .config console log report ci2-linux-4-19
2020/05/04 21:02 linux-4.19.y fdc072324f3c 9941337c .config console log report ci2-linux-4-19
2020/04/29 16:18 linux-4.19.y 765675379b62 ba2806db .config console log report ci2-linux-4-19
2020/04/19 21:21 linux-4.19.y 8488c3f3bc86 9f7c6d12 .config console log report ci2-linux-4-19
2020/04/19 09:24 linux-4.19.y 8488c3f3bc86 6dfd45e1 .config console log report ci2-linux-4-19
2020/04/16 20:40 linux-4.19.y 6dd0e32665e5 c743fcb3 .config console log report ci2-linux-4-19
2020/04/13 22:25 linux-4.19.y 6dd0e32665e5 7c54686a .config console log report ci2-linux-4-19
2020/04/02 12:39 linux-4.19.y 54b4fa6d3955 a34e2c33 .config console log report ci2-linux-4-19
2020/03/26 03:15 linux-4.19.y 54b4fa6d3955 e8e6c7d2 .config console log report ci2-linux-4-19
2020/03/24 10:32 linux-4.19.y 14cfdbd39e31 33e14df3 .config console log report ci2-linux-4-19
2020/03/17 03:53 linux-4.19.y 339485c9a80f 749688d2 .config console log report ci2-linux-4-19
2020/03/03 18:22 linux-4.19.y a083db76118d 350a7a26 .config console log report ci2-linux-4-19
2020/03/02 07:43 linux-4.19.y a083db76118d 4a4e0509 .config console log report ci2-linux-4-19
2020/02/28 17:27 linux-4.19.y a083db76118d c88c7b75 .config console log report ci2-linux-4-19
2020/02/22 13:01 linux-4.19.y 4fccc2503536 2c36e7a7 .config console log report ci2-linux-4-19
2020/02/21 04:16 linux-4.19.y 4fccc2503536 bd2a74a3 .config console log report ci2-linux-4-19
2020/02/19 20:01 linux-4.19.y 4fccc2503536 47fae6e9 .config console log report ci2-linux-4-19
2020/02/12 21:58 linux-4.19.y 357668399cf7 84f4fc8a .config console log report ci2-linux-4-19
2020/02/07 15:25 linux-4.19.y b499cf4b3a90 06150bf1 .config console log report ci2-linux-4-19
2020/02/05 14:11 linux-4.19.y 32ee7492f104 662cf49a .config console log report ci2-linux-4-19
2020/01/22 00:24 linux-4.19.y dc4ba5be1bab 8eda0b95 .config console log report ci2-linux-4-19
2020/01/16 12:40 linux-4.19.y db5b9190ff82 3de7aabb .config console log report ci2-linux-4-19
2020/01/15 16:09 linux-4.19.y db5b9190ff82 069a5a44 .config console log report ci2-linux-4-19
2020/01/07 22:52 linux-4.19.y 3d40d7117e35 6738e0b3 .config console log report ci2-linux-4-19
2020/01/07 22:29 linux-4.19.y 3d40d7117e35 6738e0b3 .config console log report ci2-linux-4-19
2020/01/07 09:51 linux-4.19.y 3d40d7117e35 1bcd407e .config console log report ci2-linux-4-19
2020/01/03 11:37 linux-4.19.y c7ecf3e3a71c 9dcc1191 .config console log report ci2-linux-4-19
2020/01/02 13:43 linux-4.19.y c7ecf3e3a71c 25a0186e .config console log report ci2-linux-4-19
2019/12/21 14:33 linux-4.19.y 672481c2deff bc586918 .config console log report ci2-linux-4-19
2019/12/10 15:52 linux-4.19.y fb683b5e3f53 4b83c8fb .config console log report ci2-linux-4-19
* Struck through repros no longer work on HEAD.