syzbot


KASAN: vmalloc-out-of-bounds Write in imageblit

Status: fixed on 2021/11/10 00:50
Subsystems: fbdev
[Documentation on labels]
Reported-by: syzbot+858dc7a2f7ef07c2c219@syzkaller.appspotmail.com
Fix commit: 3b0c40612471 tty: Fix out-of-bound vmalloc access in imageblit
First crash: 1172d, last: 874d
Discussions (13)
Title Replies (including bot) Last reply
[PATCH 4.14 00/75] 4.14.249-rc1 review 81 (81) 2021/10/07 16:21
[PATCH 5.4 00/56] 5.4.151-rc1 review 62 (62) 2021/10/05 06:56
[PATCH 4.9 00/57] 4.9.285-rc1 review 62 (62) 2021/10/05 06:54
[PATCH 4.19 00/95] 4.19.209-rc1 review 103 (103) 2021/10/05 06:47
[PATCH 5.14 000/172] 5.14.10-rc1 review 184 (184) 2021/10/05 06:41
[PATCH 5.10 00/93] 5.10.71-rc1 review 100 (100) 2021/10/05 02:40
[PATCH 4.4 00/41] 4.4.286-rc1 review 45 (45) 2021/10/05 02:13
[PATCH v5] tty: Fix out-of-bound vmalloc access in imageblit 1 (1) 2021/06/28 13:45
[PATCH v4] tty: Fix out-of-bound vmalloc access in imageblit 3 (3) 2021/06/25 21:09
[PATCH v3] tty: Fix out-of-bound vmalloc access in imageblit 2 (2) 2021/06/24 12:57
[PATCH v2] tty: Fix out-of-bound vmalloc access in imageblit 2 (2) 2021/06/15 13:28
[PATCH RFC] tty: Fix out-of-bound vmalloc access in imageblit 5 (5) 2021/06/08 14:30
KASAN: vmalloc-out-of-bounds Write in imageblit 0 (2) 2021/02/15 17:49
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: vmalloc-out-of-bounds Write in imageblit (3) fbdev 2 237d 233d 0/26 auto-obsoleted due to no activity on 2023/10/23 10:50
upstream KASAN: vmalloc-out-of-bounds Write in imageblit (2) fbdev C done 701 563d 850d 22/26 fixed on 2023/02/24 13:50
Last patch testing requests (5)
Created Duration User Patch Repo Result
2021/06/11 14:13 38m igormtorrente@gmail.com https://github.com/Igortorrente/linux.git out-of-bound_imgblit OK
2021/06/11 12:16 0m igormtorrente@gmail.com https://github.com/Igortorrente/linux.git out-of-bound_imgblit error OK
2021/06/09 13:14 0m igormtorrente@gmail.com https://github.com/Igortorrente/linux.git out-of-bound_imgblit error OK
2021/05/27 14:53 37m igormtorrente@gmail.com https://github.com/Igortorrente/linux.git out-of-bound_imgblit OK
2021/03/25 21:12 23m igormtorrente@gmail.com https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ master report log

Sample crash report:
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in fast_imageblit drivers/video/fbdev/core/sysimgblt.c:229 [inline]
BUG: KASAN: vmalloc-out-of-bounds in sys_imageblit+0x12f4/0x1430 drivers/video/fbdev/core/sysimgblt.c:275
Write of size 4 at addr ffffc9000bc91000 by task syz-executor566/8649

CPU: 3 PID: 8649 Comm: syz-executor566 Not tainted 5.11.0-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5/0x2c6 mm/kasan/report.c:230
 __kasan_report mm/kasan/report.c:396 [inline]
 kasan_report.cold+0x79/0xd5 mm/kasan/report.c:413
 fast_imageblit drivers/video/fbdev/core/sysimgblt.c:229 [inline]
 sys_imageblit+0x12f4/0x1430 drivers/video/fbdev/core/sysimgblt.c:275
 drm_fb_helper_sys_imageblit drivers/gpu/drm/drm_fb_helper.c:794 [inline]
 drm_fbdev_fb_imageblit+0x15c/0x350 drivers/gpu/drm/drm_fb_helper.c:2266
 bit_putcs_unaligned drivers/video/fbdev/core/bitblit.c:139 [inline]
 bit_putcs+0x6e1/0xd20 drivers/video/fbdev/core/bitblit.c:188
 fbcon_putcs+0x35a/0x450 drivers/video/fbdev/core/fbcon.c:1304
 do_update_region+0x399/0x630 drivers/tty/vt/vt.c:676
 redraw_screen+0x658/0x790 drivers/tty/vt/vt.c:1035
 fbcon_modechanged+0x593/0x6d0 drivers/video/fbdev/core/fbcon.c:2656
 fbcon_update_vcs+0x3a/0x50 drivers/video/fbdev/core/fbcon.c:2701
 do_fb_ioctl+0x62e/0x690 drivers/video/fbdev/core/fbmem.c:1110
 fb_ioctl+0xe7/0x150 drivers/video/fbdev/core/fbmem.c:1185
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x43fd49
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff0eaf1448 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000019c10 RCX: 000000000043fd49
RDX: 0000000020000080 RSI: 0000000000004601 RDI: 0000000000000003
RBP: 0000000000000000 R08: 00007fff0eaf15e8 R09: 00007fff0eaf15e8
R10: 00007fff0eaf0ec0 R11: 0000000000000246 R12: 00007fff0eaf145c
R13: 431bde82d7b634db R14: 00000000004ae018 R15: 0000000000400488


Memory state around the buggy address:
 ffffc9000bc90f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc9000bc90f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc9000bc91000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                   ^
 ffffc9000bc91080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc9000bc91100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================

Crashes (104):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2021/02/15 17:48 upstream f40ddce88593 98682e5e .config console log report syz C ci-qemu-upstream KASAN: vmalloc-out-of-bounds Write in imageblit
2021/10/26 14:07 upstream 3906fe9bb7f1 d50eb50a .config console log report info ci-upstream-kasan-gce-root KASAN: vmalloc-out-of-bounds Write in imageblit
2021/09/20 15:41 upstream e4e737bb5c17 af796c18 .config console log report info ci-upstream-kasan-gce-selinux-root KASAN: vmalloc-out-of-bounds Write in imageblit
2021/08/09 12:49 upstream 66745863ecde 6972b106 .config console log report info ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Write in imageblit
2021/08/05 22:45 upstream 902e7f373fff d2d6e680 .config console log report info ci-qemu-upstream KASAN: vmalloc-out-of-bounds Write in imageblit
2021/08/05 16:23 upstream 251a1524293d d2d6e680 .config console log report info ci-qemu-upstream KASAN: vmalloc-out-of-bounds Write in imageblit
2021/08/05 12:47 upstream 251a1524293d 7f7bb950 .config console log report info ci-qemu-upstream KASAN: vmalloc-out-of-bounds Write in imageblit
2021/08/05 03:31 upstream d5ad8ec3cfb5 b97d64c9 .config console log report info ci-qemu-upstream KASAN: vmalloc-out-of-bounds Write in imageblit
2021/08/04 11:34 upstream d5ad8ec3cfb5 6c236867 .config console log report info ci-qemu-upstream KASAN: vmalloc-out-of-bounds Write in imageblit
2021/08/03 23:50 upstream d5ad8ec3cfb5 6c236867 .config console log report info ci-qemu-upstream KASAN: vmalloc-out-of-bounds Write in imageblit
2021/08/03 02:45 upstream c500bee1c5b2 6c236867 .config console log report info ci-qemu-upstream KASAN: vmalloc-out-of-bounds Write in imageblit
2021/08/02 04:51 upstream d4affd6b6e81 6c236867 .config console log report info ci-qemu-upstream KASAN: vmalloc-out-of-bounds Write in imageblit
2021/07/31 21:38 upstream c7d102232649 6c236867 .config console log report info ci-qemu-upstream KASAN: vmalloc-out-of-bounds Write in imageblit
2021/07/30 23:55 upstream 4669e13cd67f 6c236867 .config console log report info ci-qemu-upstream KASAN: vmalloc-out-of-bounds Write in imageblit
2021/07/19 04:42 upstream 2734d6c1b1a0 f115ae98 .config console log report info ci-upstream-kasan-gce KASAN: vmalloc-out-of-bounds Write in imageblit
2021/07/17 16:29 upstream d980cc0620ae f115ae98 .config console log report info ci-qemu-upstream KASAN: vmalloc-out-of-bounds Write in imageblit
2021/06/25 10:01 upstream 4a09d388f2ab 0edbbe31 .config console log report info ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Write in imageblit
2021/06/18 06:01 upstream fd0aa1a4567d aba2b2fb .config console log report info ci-qemu-upstream KASAN: vmalloc-out-of-bounds Write in imageblit
2021/06/17 13:51 upstream 70585216fe77 aba2b2fb .config console log report info ci-qemu-upstream KASAN: vmalloc-out-of-bounds Write in imageblit
2021/06/17 01:27 upstream 6b00bc639f1f aba2b2fb .config console log report info ci-qemu-upstream KASAN: vmalloc-out-of-bounds Write in imageblit
2021/06/01 02:19 upstream c2131f7e73c9 032639db .config console log report info ci-qemu-upstream KASAN: vmalloc-out-of-bounds Write in imageblit
2021/05/09 08:34 upstream b741596468b0 bc5434be .config console log report info ci-qemu-upstream KASAN: vmalloc-out-of-bounds Write in imageblit
2021/08/02 18:58 upstream c500bee1c5b2 6c236867 .config console log report info ci-qemu-upstream-386 KASAN: vmalloc-out-of-bounds Write in imageblit
2021/08/01 01:11 upstream f3438b4c4e69 6c236867 .config console log report info ci-qemu-upstream-386 KASAN: vmalloc-out-of-bounds Write in imageblit
2021/07/29 05:43 upstream 4010a528219e b44001ce .config console log report info ci-qemu-upstream-386 KASAN: vmalloc-out-of-bounds Write in imageblit
2021/07/29 03:10 upstream 4010a528219e b44001ce .config console log report info ci-qemu-upstream-386 KASAN: vmalloc-out-of-bounds Write in imageblit
2021/07/23 15:31 upstream 8baef6386baa bc5f1d88 .config console log report info ci-qemu-upstream-386 KASAN: vmalloc-out-of-bounds Write in imageblit
2021/07/23 10:45 upstream 9bead1b58c4c bc5f1d88 .config console log report info ci-qemu-upstream-386 KASAN: vmalloc-out-of-bounds Write in imageblit
2021/07/22 06:42 upstream 7b6ae471e541 29c3f20f .config console log report info ci-qemu-upstream-386 KASAN: vmalloc-out-of-bounds Write in imageblit
2021/07/21 19:31 upstream 8cae8cd89f05 29c3f20f .config console log report info ci-qemu-upstream-386 KASAN: vmalloc-out-of-bounds Write in imageblit
2021/07/20 10:43 upstream 2734d6c1b1a0 bc48c9ab .config console log report info ci-qemu-upstream-386 KASAN: vmalloc-out-of-bounds Write in imageblit
2021/06/20 20:34 upstream cba5e97280f5 aba2b2fb .config console log report info ci-qemu-upstream-386 KASAN: vmalloc-out-of-bounds Write in imageblit
2021/06/20 07:01 upstream 913ec3c22ef4 aba2b2fb .config console log report info ci-qemu-upstream-386 KASAN: vmalloc-out-of-bounds Write in imageblit
2021/06/19 16:42 upstream 9ed13a17e38e aba2b2fb .config console log report info ci-qemu-upstream-386 KASAN: vmalloc-out-of-bounds Write in imageblit
2021/06/19 15:20 upstream 9ed13a17e38e aba2b2fb .config console log report info ci-qemu-upstream-386 KASAN: vmalloc-out-of-bounds Write in imageblit
2021/06/05 00:53 upstream 16f0596fc1d7 966a236b .config console log report info ci-qemu-upstream-386 KASAN: vmalloc-out-of-bounds Write in imageblit
2021/06/03 12:56 upstream 324c92e5e0ee 0740de69 .config console log report info ci-qemu-upstream-386 KASAN: vmalloc-out-of-bounds Write in imageblit
2021/06/03 00:27 upstream 324c92e5e0ee 0740de69 .config console log report info ci-qemu-upstream-386 KASAN: vmalloc-out-of-bounds Write in imageblit
2021/05/27 15:40 upstream 7ac3a1c1ae51 858ea628 .config console log report info ci-qemu-upstream-386 KASAN: vmalloc-out-of-bounds Write in imageblit
2021/05/16 18:27 upstream 63d1cb53e26a f54a5c09 .config console log report info ci-qemu-upstream-386 KASAN: vmalloc-out-of-bounds Write in imageblit
2021/04/20 16:53 upstream 7af08140979a c0ced557 .config console log report info ci-qemu-upstream-386 KASAN: vmalloc-out-of-bounds Write in imageblit
2021/08/26 12:15 upstream bf152b0b41dc b599f2fc .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel paging request in imageblit
2021/08/24 07:09 upstream bf152b0b41dc b599f2fc .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel paging request in imageblit
2021/08/11 19:22 upstream bf152b0b41dc 6972b106 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel paging request in imageblit
2021/07/14 12:36 upstream 40226a3d96ef 94e0b707 .config console log report info ci-qemu-upstream-386 BUG: unable to handle kernel paging request in imageblit
2021/07/05 03:11 upstream bf152b0b41dc 55aa55c2 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel paging request in imageblit
2021/06/05 15:10 upstream bf152b0b41dc 500c2339 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel paging request in imageblit
2021/05/02 11:10 upstream bf152b0b41dc 77e2b668 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel paging request in imageblit
2021/04/28 00:39 upstream bf152b0b41dc 805b5003 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel paging request in imageblit
2021/03/29 16:24 upstream bf152b0b41dc a8529b82 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel paging request in imageblit
2021/01/13 23:05 upstream 65f0d2414b70 269d24e8 .config console log report info ci-qemu-upstream-386
2021/01/06 00:17 upstream 6207214a70bf b1c228e1 .config console log report info ci-qemu-upstream-386
2021/01/02 02:15 upstream eda809aef534 79264ae3 .config console log report info ci-qemu-upstream-386
* Struck through repros no longer work on HEAD.