syzbot


KASAN: stack-out-of-bounds Read in vsnprintf

Status: closed as dup on 2018/07/05 16:15
Subsystems: kernel
Reported-by: syzbot+6c2cea0bde1db71846f4@syzkaller.appspotmail.com
First crash: 2361d, last: 2348d
Duplicate of:
  Title: BUG: unable to handle kernel paging request in ttwu_do_activate
  Subsystem: kernel
  Count: 1 (last: 2361d, reported: 2361d)

Sample crash report:
==================================================================
BUG: KASAN: stack-out-of-bounds in vsnprintf+0x18de/0x1b60 lib/vsprintf.c:2267
Read of size 8 at addr ffff88019b786768 by task udevd/12368

CPU: 0 PID: 12368 Comm: udevd Not tainted 4.18.0-rc3+ #57
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 vsnprintf+0x18de/0x1b60 lib/vsprintf.c:2267
 vscnprintf+0x2d/0x80 lib/vsprintf.c:2370
 vprintk_emit+0x1ab/0xdf0 kernel/printk/printk.c:1853
 vprintk_default+0x28/0x30 kernel/printk/printk.c:1948
 vprintk_func+0x7a/0xe7 kernel/printk/printk_safe.c:382
 printk+0xa7/0xcf kernel/printk/printk.c:1981
 show_fault_oops arch/x86/mm/fault.c:671 [inline]
 no_context.cold.36+0x6a/0x98 arch/x86/mm/fault.c:798
 __bad_area_nosemaphore+0x33b/0x3f0 arch/x86/mm/fault.c:902
 bad_area_nosemaphore+0x33/0x40 arch/x86/mm/fault.c:909
 __do_page_fault+0x1db/0xe50 arch/x86/mm/fault.c:1328
 do_page_fault+0xf6/0x8c0 arch/x86/mm/fault.c:1471
 page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1160
RIP: 0010:0x41b58ab3
Code: Bad RIP value.
RSP: 0018:ffff88019b786c18 EFLAGS: 00010082
RAX: ffff8801c8da0100 RBX: ffff8801d8e1e6c0 RCX: 0000000000000000
RDX: 1ffff100391b4020 RSI: 00000000d44617a0 RDI: ffffffff892a7060
RBP: 0000000000000000 R08: 1ffff10035173eeb R09: ffffed00363e91e4
R10: ffffed00363e91e4 R11: ffff8801b1f48f23 R12: ffff8801a8e54c00
R13: ffff8801b1f48a40 R14: ffff8801dae2c9d8 R15: 1ffff100336f0d82

The buggy address belongs to the page:
page:ffffea00066de180 count:0 mapcount:0 mapping:0000000000000000 index:0xffff88019b786640
flags: 0x2fffc0000000000()
raw: 02fffc0000000000 dead000000000100 dead000000000200 0000000000000000
raw: ffff88019b786640 ffff88019b786640 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88019b786600: 01 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 00 00 00 00
 ffff88019b786680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88019b786700: f1 f1 f1 f1 00 00 00 f2 00 00 00 f2 f2 f2 f2 00
                                                          ^
 ffff88019b786780: f2 f2 f2 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
 ffff88019b786800: f1 f8 f2 f2 f2 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
==================================================================
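
The shadow dump at the end of the report is what actually classifies the bad access, but syzbot only marks the offending byte with a caret. The following triage helper is an added example, not syzbot's or the kernel's code: it parses the "Read of size ... at addr ..." line and the "Memory state" rows (embedded below as a constructed sample copied from the report above), maps the faulting address to its shadow byte using KASAN's one-shadow-byte-per-8-byte-granule layout, and decodes the byte with the poison values from mm/kasan/kasan.h as they stood in 4.18-era kernels. Row labels in the dump are memory addresses, not shadow addresses, so each row covers 128 bytes. For this report the 8-byte read at ffff88019b786768 lands on shadow byte f2, a stack mid redzone, which is why KASAN reports it as stack-out-of-bounds.

```python
import re

# KASAN shadow-byte poison values from mm/kasan/kasan.h as of 4.18-era kernels.
# One shadow byte describes an 8-byte granule of real memory: 0x00 means all
# eight bytes are addressable, 0x01..0x07 means only the first N are, and
# values >= 0x80 mark redzones or freed memory.
SHADOW_POISON = {
    0xF1: "stack left redzone",
    0xF2: "stack mid redzone",
    0xF3: "stack right redzone",
    0xF4: "stack partial redzone",
    0xF8: "stack out of scope (use-after-scope)",
    0xFA: "global redzone",
    0xFB: "freed heap object",
    0xFC: "kmalloc redzone",
    0xFE: "page redzone",
    0xFF: "freed page",
}
GRANULE = 8  # bytes of memory per shadow byte (KASAN_SHADOW_SCALE_SHIFT = 3)

# Constructed sample input: the access line and "Memory state" dump copied from
# the crash report above, so the script runs offline against this page's data.
SAMPLE_REPORT = """\
BUG: KASAN: stack-out-of-bounds in vsnprintf+0x18de/0x1b60 lib/vsprintf.c:2267
Read of size 8 at addr ffff88019b786768 by task udevd/12368
Memory state around the buggy address:
 ffff88019b786600: 01 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 00 00 00 00
 ffff88019b786680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88019b786700: f1 f1 f1 f1 00 00 00 f2 00 00 00 f2 f2 f2 f2 00
                                                          ^
 ffff88019b786780: f2 f2 f2 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
 ffff88019b786800: f1 f8 f2 f2 f2 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
"""

ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]{16})")
# Dump rows are labelled with the memory address of their first granule and
# carry 16 shadow bytes, i.e. 128 bytes of memory per row.
SHADOW_RE = re.compile(r"^>?\s*([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})\s*$")


def parse_shadow_dump(report):
    """Map each 8-byte granule address in the dump to its shadow byte."""
    shadow = {}
    for line in report.splitlines():
        m = SHADOW_RE.match(line)
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            shadow[base + i * GRANULE] = int(tok, 16)
    return shadow


def check_access(report):
    """Find the reported access and the first granule it touches that the
    shadow dump says it may not touch. Returns None if no access line is found."""
    m = ACCESS_RE.search(report)
    if m is None:
        return None
    kind, size, addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
    shadow = parse_shadow_dump(report)
    result = {"kind": kind, "size": size, "addr": addr,
              "bad_granule": None, "shadow": None,
              "reason": "every touched granule is addressable"}
    a, end = addr, addr + size
    while a < end:
        granule = a - (a % GRANULE)
        offset = a - granule                      # where the access starts in this granule
        used = min(end, granule + GRANULE) - a    # bytes of the access inside this granule
        sb = shadow.get(granule)
        if sb is None:
            reason = "granule not present in dump"
        elif sb == 0:
            reason = None
        elif sb < GRANULE:
            reason = (None if offset + used <= sb
                      else f"only the first {sb} of {GRANULE} bytes are addressable")
        else:
            reason = SHADOW_POISON.get(sb, f"unknown poison 0x{sb:02x}")
        if reason is not None:
            result.update(bad_granule=granule, shadow=sb, reason=reason)
            break
        a = granule + GRANULE
    return result


if __name__ == "__main__":
    r = check_access(SAMPLE_REPORT)
    print(f"{r['kind']} of {r['size']} at {r['addr']:#x}: granule {r['bad_granule']:#x} "
          f"shadow {r['shadow']:#04x} -> {r['reason']}")
```

When reading this particular report, keep the call trace in mind: the KASAN splat fires inside show_fault_oops, while the kernel is already printing an oops for the page fault at RIP 0x41b58ab3 ("Bad RIP value"). The redzone read in vsnprintf is therefore a secondary symptom of that earlier fault, which is consistent with syzbot closing this report as a duplicate of the ttwu_do_activate paging-request bug.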

Crashes (3):
  Time              Kernel    Commit        Syzkaller  Manager
  2018/07/18 10:08  bpf-next  dc989d2ce2c2  6d5bd5b5   ci-upstream-bpf-next-kasan-gce
  2018/07/06 07:33  bpf-next  6fcf9b1d4d6c  d3b2a0e2   ci-upstream-bpf-next-kasan-gce
  2018/07/04 20:56  bpf-next  2bdea157b999  e1b966c6   ci-upstream-bpf-next-kasan-gce
Each crash has a .config, console log and report attached; no syz repro, C repro or VM info is listed for any of them.
* Struck through repros no longer work on HEAD.