syzbot


KASAN: global-out-of-bounds Read in tpg_print_str_4

Status: fixed on 2019/01/11 01:22
Subsystems: media
Reported-by: syzbot+ccf0a61ed12f2a7313ee@syzkaller.appspotmail.com
Fix commit: e5f71a27fa12 media: v4l2-tpg: array index could become negative
First crash: 2167d, last: 2142d
Discussions (6)
Title | Replies (including bot) | Last reply
[PATCH 4.19 000/170] 4.19.14-stable review | 194 (194) | 2019/01/11 07:09
[PATCH 4.20 000/145] 4.20.1-stable review | 164 (164) | 2019/01/09 23:18
[PATCH 4.14 000/101] 4.14.92-stable review | 130 (130) | 2019/01/09 15:47
[PATCH 4.9 00/71] 4.9.149-stable review | 85 (85) | 2019/01/09 10:46
KASAN: global-out-of-bounds Read in tpg_print_str_4 | 0 (2) | 2018/11/13 14:12
[PATCH] v4l2-tpg: array index could become negative | 1 (1) | 2018/11/08 16:12

Sample crash report:
==================================================================
BUG: KASAN: global-out-of-bounds in tpg_print_str_4+0xbc9/0xd70 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:1820
Read of size 1 at addr ffffffff88632850 by task vivid-000-vid-c/5989

CPU: 0 PID: 5989 Comm: vivid-000-vid-c Not tainted 4.20.0-rc2+ #236
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x244/0x39d lib/dump_stack.c:113
 print_address_description.cold.7+0x58/0x1ff mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.8+0x242/0x309 mm/kasan/report.c:412
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
 tpg_print_str_4+0xbc9/0xd70 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:1820
 tpg_gen_text+0x4ba/0x540 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:1874
 vivid_fillbuff+0x3ff7/0x68e0 drivers/media/platform/vivid/vivid-kthread-cap.c:532
 vivid_thread_vid_cap_tick drivers/media/platform/vivid/vivid-kthread-cap.c:709 [inline]
 vivid_thread_vid_cap+0xbc1/0x2650 drivers/media/platform/vivid/vivid-kthread-cap.c:813
 kthread+0x35a/0x440 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

The buggy address belongs to the variable:
 font_vga_8x16+0x50/0x60

Memory state around the buggy address:
 ffffffff88632700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffff88632780: 00 00 00 00 fa fa fa fa 00 fa fa fa fa fa fa fa
>ffffffff88632800: 00 00 00 00 00 fa fa fa fa fa fa fa 00 00 00 00
                                                 ^
 ffffffff88632880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffff88632900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (52):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2018/11/13 14:11 upstream ccda4af0f4b9 5f5f6d14 .config console log report syz C ci-upstream-kasan-gce-386
2018/12/03 13:06 upstream 2595646791c3 819002b0 .config console log report ci-upstream-kasan-gce-386
2018/12/03 00:40 upstream 6a512726090a 7dcaeaf3 .config console log report ci-upstream-kasan-gce-386
2018/12/02 18:25 upstream 4b78317679c4 e0d8c853 .config console log report ci-upstream-kasan-gce-386
2018/12/02 10:57 upstream 4b78317679c4 e0d8c853 .config console log report ci-upstream-kasan-gce-386
2018/12/02 02:11 upstream d8f190ee836a 5a581673 .config console log report ci-upstream-kasan-gce-386
2018/11/29 01:25 upstream 121b018f8c74 4b6d14f2 .config console log report ci-upstream-kasan-gce-386
2018/11/28 19:08 upstream 121b018f8c74 4b6d14f2 .config console log report ci-upstream-kasan-gce-386
2018/11/28 16:58 upstream ef78e5ec9214 4b6d14f2 .config console log report ci-upstream-kasan-gce-386
2018/11/27 13:06 upstream ef78e5ec9214 4b6d14f2 .config console log report ci-upstream-kasan-gce-386
2018/11/26 11:18 upstream 2e6e902d1850 ac912200 .config console log report ci-upstream-kasan-gce-386
2018/11/25 23:11 upstream d6d460b89378 3d3ec907 .config console log report ci-upstream-kasan-gce-386
2018/11/25 08:56 upstream e195ca6cb6f2 3d3ec907 .config console log report ci-upstream-kasan-gce-386
2018/11/24 15:35 upstream 7c98a4261827 ecc7c870 .config console log report ci-upstream-kasan-gce-386
2018/11/24 14:58 upstream 7c98a4261827 ecc7c870 .config console log report ci-upstream-kasan-gce-386
2018/11/24 06:18 upstream e6005d3c4233 eb9ed731 .config console log report ci-upstream-kasan-gce-386
2018/11/24 03:49 upstream e6005d3c4233 eb9ed731 .config console log report ci-upstream-kasan-gce-386
2018/11/24 02:42 upstream e6005d3c4233 eb9ed731 .config console log report ci-upstream-kasan-gce-386
2018/11/23 21:33 upstream e6005d3c4233 eb9ed731 .config console log report ci-upstream-kasan-gce-386
2018/11/23 15:38 upstream edeca3a769ad 2b0dc848 .config console log report ci-upstream-kasan-gce-386
2018/11/23 14:26 upstream edeca3a769ad 2b0dc848 .config console log report ci-upstream-kasan-gce-386
2018/11/23 09:32 upstream edeca3a769ad 2b0dc848 .config console log report ci-upstream-kasan-gce-386
2018/11/23 09:12 upstream edeca3a769ad 2b0dc848 .config console log report ci-upstream-kasan-gce-386
2018/11/22 20:03 upstream edeca3a769ad 87815d9d .config console log report ci-upstream-kasan-gce-386
2018/11/21 21:17 upstream 92b419289cee 9db828b5 .config console log report ci-upstream-kasan-gce-386
2018/11/21 11:24 upstream c8ce94b8fe53 5d9a3924 .config console log report ci-upstream-kasan-gce-386
2018/11/21 04:28 upstream 06e68fed3282 9aca6b52 .config console log report ci-upstream-kasan-gce-386
2018/11/21 03:52 upstream 06e68fed3282 9aca6b52 .config console log report ci-upstream-kasan-gce-386
2018/11/20 20:33 upstream 06e68fed3282 9aca6b52 .config console log report ci-upstream-kasan-gce-386
2018/11/20 19:09 upstream 06e68fed3282 9aca6b52 .config console log report ci-upstream-kasan-gce-386
2018/11/20 05:03 upstream f2ce1065e767 9bc2a903 .config console log report ci-upstream-kasan-gce-386
2018/11/19 17:15 upstream 9ff01193a20d adf636a8 .config console log report ci-upstream-kasan-gce-386
2018/11/19 12:41 upstream 9ff01193a20d adf636a8 .config console log report ci-upstream-kasan-gce-386
2018/11/18 23:28 upstream c67a98c00ea3 adf636a8 .config console log report ci-upstream-kasan-gce-386
2018/11/18 22:09 upstream c67a98c00ea3 adf636a8 .config console log report ci-upstream-kasan-gce-386
2018/11/18 20:38 upstream 1ce80e0fe98e adf636a8 .config console log report ci-upstream-kasan-gce-386
2018/11/18 11:30 upstream 1ce80e0fe98e adf636a8 .config console log report ci-upstream-kasan-gce-386
2018/11/17 11:18 upstream 1ce80e0fe98e b08ee62a .config console log report ci-upstream-kasan-gce-386
2018/11/14 22:54 upstream d41217aac0a5 5f5f6d14 .config console log report ci-upstream-kasan-gce-386
2018/11/14 11:19 upstream ccda4af0f4b9 5f5f6d14 .config console log report ci-upstream-kasan-gce-386
2018/11/13 10:09 upstream ccda4af0f4b9 5f5f6d14 .config console log report ci-upstream-kasan-gce-386
2018/11/13 05:08 upstream ccda4af0f4b9 74dbb806 .config console log report ci-upstream-kasan-gce-386
2018/11/12 01:42 upstream e12e00e388de 7b5f8621 .config console log report ci-upstream-kasan-gce-386
2018/11/09 20:18 upstream 3541833fd1f2 f9815aaf .config console log report ci-upstream-kasan-gce-386
2018/11/09 18:29 upstream 3541833fd1f2 8fd01d3a .config console log report ci-upstream-kasan-gce-386
2018/11/09 14:26 upstream 24ccea7e102d 8fd01d3a .config console log report ci-upstream-kasan-gce-386
2018/11/09 12:58 upstream 24ccea7e102d 8fd01d3a .config console log report ci-upstream-kasan-gce-386
2018/11/08 15:42 upstream 85758777c2a2 e85d2a61 .config console log report ci-upstream-kasan-gce-386
2018/11/08 09:48 upstream 85758777c2a2 e85d2a61 .config console log report ci-upstream-kasan-gce-386
2018/11/08 07:41 upstream 85758777c2a2 e85d2a61 .config console log report ci-upstream-kasan-gce-386
* Struck through repros no longer work on HEAD.