syzbot


KASAN: global-out-of-bounds Read in number

Status: upstream: reported C repro on 2025/01/12 18:56
Subsystems: fs
Reported-by: syzbot+fcee6b76cf2e261c51a4@syzkaller.appspotmail.com
First crash: 7d20h, last: 1d22h
Cause bisection: introduced by (bisect log):
commit 8d4826cc8a8aca01a3b5e95438dfc0eb3bd589ab
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Thu Dec 19 21:52:53 2024 +0000

  vsnprintf: collapse the number format state into one single state

Crash: KASAN: global-out-of-bounds Read in number (log)
Repro: C syz .config
Discussions (3)
Title                                                         Replies (including bot)  Last reply
[PATCH] block: no show partitions if partno corrupted         6 (6)                    2025/01/15 06:46
Re: [PATCH V3] block: no show partitions if partno corrupted  5 (5)                    2025/01/14 16:21
[syzbot] [fs?] KASAN: global-out-of-bounds Read in number     3 (8)                    2025/01/14 05:29
Similar bugs (6)
Kernel    Title                                                                       Repro  Cause bisect  Fix bisect  Count  Last   Reported  Patched  Status
upstream  Internal error in number (2) net                                                                             1      253d   249d      0/28     auto-obsoleted due to no activity on 2024/08/04 18:51
upstream  KMSAN: uninit-value in number (4) kernel                                    C                                 7189   784d   1162d     0/28     closed as invalid on 2022/11/28 10:01
upstream  Internal error in number net                                                                                 1      426d   422d      0/28     auto-obsoleted due to no activity on 2024/02/13 14:45
upstream  KMSAN: uninit-value in number (2) can                                       C                                 168    1407d  1787d     19/28    fixed on 2021/03/10 01:48
upstream  BUG: unable to handle kernel NULL pointer dereference in number (2) kernel                                    2      140d   147d      0/28     closed as invalid on 2024/09/13 11:13
upstream  KMSAN: uninit-value in number (3) media                                     C                                 8575   1162d  1405d     20/28    fixed on 2021/11/10 00:50
Last patch testing requests (3)
Created           Duration  User            Patch  Repo                                       Result
2025/01/14 01:31  35m       eadavis@qq.com         https://github.com/ea1davis/linux lib/syz  OK log
2025/01/14 01:05  24m       eadavis@qq.com         https://github.com/ea1davis/linux lib/syz  OK log
2025/01/13 12:21  2h57m     eadavis@qq.com         https://github.com/ea1davis/linux lib/syz  error

Sample crash report:
==================================================================
BUG: KASAN: global-out-of-bounds in number+0x3be/0xf40 lib/vsprintf.c:494
Read of size 1 at addr ffffffff8c5fc971 by task syz-executor351/5832

CPU: 0 UID: 0 PID: 5832 Comm: syz-executor351 Not tainted 6.13.0-rc6-next-20250107-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:489
 kasan_report+0x143/0x180 mm/kasan/report.c:602
 number+0x3be/0xf40 lib/vsprintf.c:494
 pointer+0x764/0x1210 lib/vsprintf.c:2484
 vsnprintf+0x75a/0x1220 lib/vsprintf.c:2846
 seq_vprintf fs/seq_file.c:391 [inline]
 seq_printf+0x172/0x270 fs/seq_file.c:406
 show_partition+0x29f/0x3f0 block/genhd.c:905
 seq_read_iter+0x969/0xd70 fs/seq_file.c:272
 proc_reg_read_iter+0x1c2/0x290 fs/proc/inode.c:299
 copy_splice_read+0x63a/0xb40 fs/splice.c:365
 do_splice_read fs/splice.c:985 [inline]
 splice_direct_to_actor+0x4af/0xc80 fs/splice.c:1089
 do_splice_direct_actor fs/splice.c:1207 [inline]
 do_splice_direct+0x289/0x3e0 fs/splice.c:1233
 do_sendfile+0x564/0x8a0 fs/read_write.c:1363
 __do_sys_sendfile64 fs/read_write.c:1424 [inline]
 __se_sys_sendfile64+0x17c/0x1e0 fs/read_write.c:1410
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3fa8cf4c69
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd536a0078 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3fa8cf4c69
RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000004
RBP: 00007f3fa8d685f0 R08: 000055558679c4c0 R09: 000055558679c4c0
R10: 000000000000023b R11: 0000000000000246 R12: 00007ffd536a00a0
R13: 00007ffd536a02c8 R14: 431bde82d7b634db R15: 00007f3fa8d3d03b
 </TASK>

The buggy address belongs to the variable:
 hex_asc_upper+0x11/0x40

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xc5fc
flags: 0xfff00000002000(reserved|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000002000 ffffea0000317f08 ffffea0000317f08 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffffffff8c5fc800: 00 03 f9 f9 02 f9 f9 f9 02 f9 f9 f9 00 02 f9 f9
 ffffffff8c5fc880: 00 04 f9 f9 00 03 f9 f9 07 f9 f9 f9 00 00 04 f9
>ffffffff8c5fc900: f9 f9 f9 f9 00 00 01 f9 f9 f9 f9 f9 00 00 01 f9
                                                             ^
 ffffffff8c5fc980: f9 f9 f9 f9 00 04 f9 f9 02 f9 f9 f9 01 f9 f9 f9
 ffffffff8c5fca00: 00 f9 f9 f9 00 f9 f9 f9 00 04 f9 f9 00 06 f9 f9
==================================================================

Crashes (6):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2025/01/12 18:55 linux-next 7b4b9bf203da 6dbc6a9b .config strace log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-linux-next-kasan-gce-root KASAN: global-out-of-bounds Read in number
2025/01/13 10:20 linux-next 7b4b9bf203da 6dbc6a9b .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: global-out-of-bounds Read in number
2025/01/12 18:02 linux-next 7b4b9bf203da 6dbc6a9b .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: global-out-of-bounds Read in number
2025/01/12 16:43 linux-next 7b4b9bf203da 6dbc6a9b .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: global-out-of-bounds Read in number
2025/01/12 07:36 linux-next 7b4b9bf203da 6dbc6a9b .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: global-out-of-bounds Read in number
2025/01/07 12:23 linux-next 7b4b9bf203da f3558dbf .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: global-out-of-bounds Read in number
* Struck through repros no longer work on HEAD.