syzbot


KASAN: global-out-of-bounds Read in bit_putcs

Status: upstream: reported on 2024/11/11 05:01
Reported-by: syzbot+6ba31a6c6c0465238a6a@syzkaller.appspotmail.com
First crash: 21d, last: 21d
Similar bugs (9)
| Kernel | Title | Subsystem | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|---|
| upstream | KASAN: global-out-of-bounds Read in bit_putcs (2) | fbdev | | | | 13 | 1512d | 1528d | 0/28 | auto-closed as invalid on 2021/02/09 16:38 |
| linux-4.14 | KASAN: global-out-of-bounds Read in bit_putcs | | C | error | | 241 | 812d | 1822d | 0/1 | upstream: reported C repro on 2019/12/07 16:26 |
| upstream | KASAN: global-out-of-bounds Read in bit_putcs | fbdev | C | done | | 262 | 1530d | 1824d | 15/28 | fixed on 2020/09/25 01:17 |
| linux-4.19 | KASAN: global-out-of-bounds Read in bit_putcs | | C | done | | 214 | 1288d | 1825d | 1/1 | fixed on 2021/06/24 08:01 |
| upstream | KASAN: global-out-of-bounds Read in bit_putcs (3) | fbdev | | | | 7 | 8d02h | 124d | 0/28 | upstream: reported on 2024/07/31 11:38 |
| linux-6.1 | BUG: unable to handle kernel paging request in bit_putcs | | C | done | | 4 | 274d | 470d | 3/3 | fixed on 2024/04/03 01:55 |
| linux-4.14 | KASAN: slab-out-of-bounds Read in bit_putcs | | C | error | | 95 | 814d | 1826d | 0/1 | upstream: reported C repro on 2019/12/03 16:38 |
| upstream | general protection fault in bit_putcs | fbdev | C | | | 5 | 271d | 425d | 0/28 | auto-obsoleted due to no activity on 2024/06/14 11:38 |
| linux-4.19 | KASAN: slab-out-of-bounds Read in bit_putcs | | C | inconclusive | | 138 | 1291d | 1826d | 0/1 | upstream: reported C repro on 2019/12/03 12:47 |

Sample crash report:
==================================================================
BUG: KASAN: global-out-of-bounds in __fb_pad_aligned_buffer include/linux/fb.h:655 [inline]
BUG: KASAN: global-out-of-bounds in bit_putcs_aligned drivers/video/fbdev/core/bitblit.c:96 [inline]
BUG: KASAN: global-out-of-bounds in bit_putcs+0x9b8/0xe30 drivers/video/fbdev/core/bitblit.c:185
Read of size 1 at addr ffff8000128f7550 by task syz.5.545/6759

CPU: 1 PID: 6759 Comm: syz.5.545 Not tainted 6.1.116-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call trace:
 dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x174/0x4c0 mm/kasan/report.c:395
 kasan_report+0xd4/0x130 mm/kasan/report.c:495
 __asan_report_load1_noabort+0x2c/0x38 mm/kasan/report_generic.c:348
 __fb_pad_aligned_buffer include/linux/fb.h:655 [inline]
 bit_putcs_aligned drivers/video/fbdev/core/bitblit.c:96 [inline]
 bit_putcs+0x9b8/0xe30 drivers/video/fbdev/core/bitblit.c:185
 fbcon_putcs+0x318/0x4e8 drivers/video/fbdev/core/fbcon.c:1284
 do_update_region+0x2ec/0x5f8 drivers/tty/vt/vt.c:666
 update_region+0x1e0/0x478 drivers/tty/vt/vt.c:694
 vcs_write+0x988/0x1160 drivers/tty/vt/vc_screen.c:698
 vfs_write+0x2a4/0x91c fs/read_write.c:582
 ksys_write+0x15c/0x26c fs/read_write.c:637
 __do_sys_write fs/read_write.c:649 [inline]
 __se_sys_write fs/read_write.c:646 [inline]
 __arm64_sys_write+0x7c/0x90 fs/read_write.c:646
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

The buggy address belongs to the variable:
 fontdata_8x16+0x12f0/0x1480

The buggy address belongs to the virtual mapping at
 [ffff800012390000, ffff800015570000) created by:
 map_kernel+0x1b0/0x4a8 arch/arm64/mm/mmu.c:786

The buggy address belongs to the physical page:
page:000000001fb0536f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1a86f7
flags: 0x5ffc00000001000(reserved|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000001000 fffffc0005a1bdc8 fffffc0005a1bdc8 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8000128f7400: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
 ffff8000128f7480: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
>ffff8000128f7500: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
                                                 ^
 ffff8000128f7580: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
 ffff8000128f7600: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
==================================================================

Crashes (1):
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2024/11/11 05:01 | linux-6.1.y | d7039b844a1c | 6b856513 | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci2-linux-6-1-kasan-arm64 | KASAN: global-out-of-bounds Read in bit_putcs |