syzbot

 sign-in | mailing list | source | docs
🐞 Open [1225]
Subsystems
🐞 Fixed [5626]
🐞 Invalid [13553]
Missing Backports [97]
Kernel Health Bugs/Month Bug Lifetimes Fuzzing Crashes
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

KASAN: global-out-of-bounds Read in bit_putcs (3)

Status: upstream: reported on 2024/07/31 11:38
Subsystems: fbdev
[Documentation on labels]
Reported-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
First crash: 47d, last: 11d
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [fbdev?] KASAN: global-out-of-bounds Read in bit_putcs (3) 0 (1) 2024/07/31 11:38
Similar bugs (8)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: global-out-of-bounds Read in bit_putcs (2) fbdev 13 1430d 1447d 0/27 auto-closed as invalid on 2021/02/09 16:38
linux-4.14 KASAN: global-out-of-bounds Read in bit_putcs C error 241 730d 1740d 0/1 upstream: reported C repro on 2019/12/07 16:26
upstream KASAN: global-out-of-bounds Read in bit_putcs fbdev C done 262 1449d 1742d 15/27 fixed on 2020/09/25 01:17
linux-4.19 KASAN: global-out-of-bounds Read in bit_putcs C done 214 1206d 1743d 1/1 fixed on 2021/06/24 08:01
linux-6.1 BUG: unable to handle kernel paging request in bit_putcs C done 4 193d 388d 3/3 fixed on 2024/04/03 01:55
linux-4.14 KASAN: slab-out-of-bounds Read in bit_putcs C error 95 732d 1744d 0/1 upstream: reported C repro on 2019/12/03 16:38
upstream general protection fault in bit_putcs fbdev C 5 190d 344d 0/27 auto-obsoleted due to no activity on 2024/06/14 11:38
linux-4.19 KASAN: slab-out-of-bounds Read in bit_putcs C inconclusive 138 1210d 1745d 0/1 upstream: reported C repro on 2019/12/03 12:47

Sample crash report:
BUG: KASAN: global-out-of-bounds in __fb_pad_aligned_buffer include/linux/fb.h:634 [inline]
BUG: KASAN: global-out-of-bounds in bit_putcs_aligned drivers/video/fbdev/core/bitblit.c:96 [inline]
BUG: KASAN: global-out-of-bounds in bit_putcs+0xa64/0xdf0 drivers/video/fbdev/core/bitblit.c:185
Read of size 1 at addr ffffffff8bb44800 by task syz.1.1074/10711

CPU: 1 UID: 0 PID: 10711 Comm: syz.1.1074 Not tainted 6.11.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 __fb_pad_aligned_buffer include/linux/fb.h:634 [inline]
 bit_putcs_aligned drivers/video/fbdev/core/bitblit.c:96 [inline]
 bit_putcs+0xa64/0xdf0 drivers/video/fbdev/core/bitblit.c:185
 fbcon_putcs+0x314/0x3d0 drivers/video/fbdev/core/fbcon.c:1288
 do_update_region+0x1f8/0x3f0 drivers/tty/vt/vt.c:609
 update_region+0xc1/0x160 drivers/tty/vt/vt.c:633
 vcs_write+0x7d3/0xdb0 drivers/tty/vt/vc_screen.c:698
 do_loop_readv_writev fs/read_write.c:764 [inline]
 do_loop_readv_writev fs/read_write.c:749 [inline]
 vfs_writev+0x6ec/0xde0 fs/read_write.c:973
 do_writev+0x137/0x370 fs/read_write.c:1018
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb984179eb9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb984fcb038 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 00007fb984315f80 RCX: 00007fb984179eb9
RDX: 0000000000000002 RSI: 0000000020001580 RDI: 0000000000000005
RBP: 00007fb9841e793e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fb984315f80 R15: 00007fff90092a28
 </TASK>

The buggy address belongs to the variable:
 type_check_kinds+0x900/0xcc0

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xbb44
flags: 0xfff00000002000(reserved|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000002000 ffffea00002ed108 ffffea00002ed108 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffffffff8bb44700: 00 00 00 00 06 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
 ffffffff8bb44780: 00 00 01 f9 f9 f9 f9 f9 00 00 00 00 00 00 f9 f9
>ffffffff8bb44800: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9
                   ^
 ffffffff8bb44880: 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9
 ffffffff8bb44900: 00 01 f9 f9 f9 f9 f9 f9 00 00 07 f9 f9 f9 f9 f9
==================================================================

Crashes (3):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/09/01 12:00 upstream 431c1646e1f8 1eda0d14 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: global-out-of-bounds Read in bit_putcs
2024/08/04 04:45 upstream d3426a6ed9d8 1786a2a8 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: global-out-of-bounds Read in bit_putcs
2024/07/27 05:26 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci c912bf709078 46eb10b7 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: global-out-of-bounds Read in bit_putcs
* Struck through repros no longer work on HEAD.