syzbot

 sign-in | mailing list | source | docs
🐞 Open [1424]
Subsystems
🐞 Fixed [5830]
🐞 Invalid [14231]
Missing Backports [92]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

KASAN: global-out-of-bounds Read in vga16fb_imageblit

Status: fixed on 2020/10/10 01:52
Reported-by: syzbot+69fbd3e01470f169c8c4@syzkaller.appspotmail.com
Fix commit: bd018a6a75ce video: fbdev: fix OOB read in vga_8planes_imageblit()
First crash: 1816d, last: 1531d
Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: no output from test machine (log)
Repro: C syz .config
  
Discussions (8)
Title Replies (including bot) Last reply
[PATCH 4.4 00/46] 4.4.237-rc1 review 53 (53) 2020/09/28 12:17
[PATCH 4.19 00/78] 4.19.146-rc1 review 95 (95) 2020/09/23 18:57
[PATCH 4.14 00/94] 4.14.199-rc1 review 97 (97) 2020/09/22 20:18
[PATCH 4.9 00/70] 4.9.237-rc1 review 73 (73) 2020/09/22 20:17
[PATCH 5.8 000/177] 5.8.10-rc1 review 196 (196) 2020/09/17 17:40
[PATCH 5.4 000/132] 5.4.66-rc1 review 139 (139) 2020/09/15 16:41
[PATCH] video: fbdev: fix potential OOB read in vga_8planes_imageblit() 5 (5) 2020/09/04 15:24
KASAN: global-out-of-bounds Read in vga16fb_imageblit 0 (1) 2019/12/03 20:15
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 KASAN: global-out-of-bounds Read in vga16fb_imageblit C done 723 1493d 1816d 1/1 fixed on 2020/11/20 16:27
linux-4.19 KASAN: global-out-of-bounds Read in vga16fb_imageblit C error 331 1527d 1816d 0/1 upstream: reported C repro on 2019/12/02 21:13
Last patch testing requests (2)
Created Duration User Patch Repo Result
2020/08/25 11:47 9m penguin-kernel@i-love.sakura.ne.jp upstream report log
2020/08/25 11:04 16m penguin-kernel@i-love.sakura.ne.jp patch upstream OK

Sample crash report:
==================================================================
BUG: KASAN: global-out-of-bounds in vga_8planes_imageblit drivers/video/fbdev/vga16fb.c:1140 [inline]
BUG: KASAN: global-out-of-bounds in vga_imageblit_expand drivers/video/fbdev/vga16fb.c:1203 [inline]
BUG: KASAN: global-out-of-bounds in vga16fb_imageblit+0x1c36/0x2210 drivers/video/fbdev/vga16fb.c:1260
Read of size 2 at addr ffffffff8899f6be by task syz-executor740/6849

CPU: 1 PID: 6849 Comm: syz-executor740 Not tainted 5.9.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x198/0x1fd lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0x5/0x497 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 vga_8planes_imageblit drivers/video/fbdev/vga16fb.c:1140 [inline]
 vga_imageblit_expand drivers/video/fbdev/vga16fb.c:1203 [inline]
 vga16fb_imageblit+0x1c36/0x2210 drivers/video/fbdev/vga16fb.c:1260
 soft_cursor+0x514/0xa30 drivers/video/fbdev/core/softcursor.c:74
 bit_cursor+0x1166/0x17d0 drivers/video/fbdev/core/bitblit.c:386
 fbcon_cursor+0x537/0x660 drivers/video/fbdev/core/fbcon.c:1411
 set_cursor drivers/tty/vt/vt.c:919 [inline]
 set_cursor+0x1d2/0x240 drivers/tty/vt/vt.c:910
 redraw_screen+0x4b9/0x770 drivers/tty/vt/vt.c:1036
 fbcon_modechanged+0x575/0x710 drivers/video/fbdev/core/fbcon.c:3022
 fbcon_update_vcs+0x3a/0x50 drivers/video/fbdev/core/fbcon.c:3069
 do_fb_ioctl+0x62e/0x690 drivers/video/fbdev/core/fbmem.c:1106
 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1181
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4403d9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffc862886c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004403d9
RDX: 00000000200001c0 RSI: 0000000000004601 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401be0
R13: 0000000000401c70 R14: 0000000000000000 R15: 0000000000000000

The buggy address belongs to the variable:
 transl_h+0x3e/0x40

Memory state around the buggy address:
 ffffffff8899f580: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffff8899f600: 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9
>ffffffff8899f680: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
                                        ^
 ffffffff8899f700: 00 01 f9 f9 f9 f9 f9 f9 00 00 00 04 f9 f9 f9 f9
 ffffffff8899f780: 00 00 04 f9 f9 f9 f9 f9 00 00 00 00 00 00 02 f9
==================================================================

Crashes (1071):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/09/05 17:42 upstream c70672d8d316 abf9ba4f .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/09/04 14:34 upstream e28f0104343d abf9ba4f .config console log report syz C ci-upstream-kasan-gce-root
2020/09/02 18:39 upstream 9c7d619be5a0 abf9ba4f .config console log report syz C ci-upstream-kasan-gce
2020/08/31 13:48 upstream dcc5c6f013d8 d5a3ae1f .config console log report syz C ci-upstream-kasan-gce-root
2020/08/31 08:39 upstream dcc5c6f013d8 d5a3ae1f .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/02/12 17:21 upstream 359c92c02bfa 84f4fc8a .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/02/11 07:36 upstream 0a679e13ea30 084454ae .config console log report syz C ci-upstream-kasan-gce-root
2020/02/09 16:34 upstream fdfa3a6778b1 6ece2ea5 .config console log report syz C ci-upstream-kasan-gce
2019/12/16 14:59 upstream 07c4b9e9f71a eef6e580 .config console log report syz C ci-upstream-kasan-gce
2019/12/16 14:54 upstream 07c4b9e9f71a eef6e580 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2019/12/16 14:54 upstream 07c4b9e9f71a eef6e580 .config console log report syz C ci-upstream-kasan-gce-root
2019/12/04 04:36 upstream 76bb8b05960c ae13a849 .config console log report syz C ci-upstream-kasan-gce-root
2019/12/04 04:19 upstream 76bb8b05960c ae13a849 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2019/12/04 01:00 upstream 76bb8b05960c ae13a849 .config console log report syz C ci-upstream-kasan-gce-root
2019/12/04 00:03 upstream 76bb8b05960c ae13a849 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2019/12/03 20:16 upstream 76bb8b05960c ae13a849 .config console log report syz C ci-upstream-kasan-gce-root
2019/12/03 16:25 upstream 76bb8b05960c ab342da3 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2019/12/03 07:39 upstream 596cf45cbf6e ab342da3 .config console log report syz C ci-upstream-kasan-gce
2019/12/03 05:18 upstream 596cf45cbf6e ab342da3 .config console log report syz C ci-upstream-kasan-gce
2020/09/01 11:37 upstream b51594df17d0 d5a3ae1f .config console log report syz C ci-upstream-kasan-gce-386
2020/08/30 14:54 upstream 1127b219ce94 d5a3ae1f .config console log report syz C ci-upstream-kasan-gce-386
2020/07/04 05:58 upstream 7cc2a8ea1048 51095195 .config console log report syz C ci-upstream-kasan-gce-386
2020/02/09 13:17 upstream fdfa3a6778b1 6ece2ea5 .config console log report syz C ci-upstream-kasan-gce-386
2019/12/16 14:58 upstream 07c4b9e9f71a eef6e580 .config console log report syz C ci-upstream-kasan-gce-386
2019/12/03 08:52 upstream 596cf45cbf6e ab342da3 .config console log report syz C ci-upstream-kasan-gce-386
2019/12/03 06:09 upstream 596cf45cbf6e ab342da3 .config console log report syz C ci-upstream-kasan-gce-386
2020/08/30 02:33 linux-next b36c969764ab d5a3ae1f .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2020/07/04 09:12 linux-next 9e50b94b3eb0 51095195 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2020/02/25 14:45 linux-next bdc5461b23ca 59b57593 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2019/12/26 22:17 linux-next 7ddd09fc4b74 be5c2c81 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2019/12/16 15:23 linux-next 32b8acf85223 eef6e580 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2019/12/16 14:39 linux-next 32b8acf85223 eef6e580 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2019/12/16 11:19 linux-next 32b8acf85223 eef6e580 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2020/07/04 16:59 upstream 7cc2a8ea1048 51095195 .config console log report syz ci-upstream-kasan-gce-root
2020/07/04 14:47 upstream 7cc2a8ea1048 51095195 .config console log report syz ci-upstream-kasan-gce-selinux-root
2020/07/04 06:33 upstream 7cc2a8ea1048 51095195 .config console log report syz ci-upstream-kasan-gce
2020/09/13 05:18 upstream ef2e9a563b0c ce441f06 .config console log report ci-upstream-kasan-gce
2020/09/12 22:34 upstream 729e3d091984 ce441f06 .config console log report ci-upstream-kasan-gce
2020/09/11 01:12 upstream 7fe10096c150 409809d8 .config console log report ci-upstream-kasan-gce-root
2020/09/10 22:47 upstream 7fe10096c150 409809d8 .config console log report ci-upstream-kasan-gce-selinux-root
2020/09/10 16:12 upstream 7fe10096c150 409809d8 .config console log report ci-upstream-kasan-gce-root
2020/09/10 14:48 upstream 34d4ddd359db 409809d8 .config console log report ci-upstream-kasan-gce-root
2020/09/10 11:27 upstream 34d4ddd359db 409809d8 .config console log report ci-upstream-kasan-gce
2020/09/10 10:20 upstream 34d4ddd359db 409809d8 .config console log report ci-upstream-kasan-gce-selinux-root
2020/09/10 06:23 upstream 34d4ddd359db 409809d8 .config console log report ci-upstream-kasan-gce
2020/09/10 02:28 upstream 34d4ddd359db 409809d8 .config console log report ci-upstream-kasan-gce
2020/09/09 19:53 upstream 34d4ddd359db 0ea7a887 .config console log report ci-upstream-kasan-gce
2020/09/09 18:43 upstream 34d4ddd359db 0ea7a887 .config console log report ci-upstream-kasan-gce
2020/09/09 17:27 upstream 34d4ddd359db 0ea7a887 .config console log report ci-upstream-kasan-gce-selinux-root
2020/09/09 16:22 upstream 34d4ddd359db 0ea7a887 .config console log report ci-upstream-kasan-gce-root
2020/09/09 06:00 upstream 612ab8ad6414 abf9ba4f .config console log report ci-upstream-kasan-gce
2020/09/09 05:43 upstream 612ab8ad6414 abf9ba4f .config console log report ci-upstream-kasan-gce
2020/09/08 21:10 upstream 612ab8ad6414 abf9ba4f .config console log report ci-upstream-kasan-gce-root
2020/09/08 19:47 upstream 612ab8ad6414 abf9ba4f .config console log report ci-upstream-kasan-gce
2020/09/08 17:28 upstream f4d51dffc6c0 abf9ba4f .config console log report ci-upstream-kasan-gce
2020/09/08 16:25 upstream f4d51dffc6c0 abf9ba4f .config console log report ci-upstream-kasan-gce-selinux-root
2020/09/08 16:20 upstream f4d51dffc6c0 abf9ba4f .config console log report ci-upstream-kasan-gce-root
2020/09/08 15:17 upstream f4d51dffc6c0 abf9ba4f .config console log report ci-upstream-kasan-gce
2020/09/08 13:52 upstream f4d51dffc6c0 abf9ba4f .config console log report ci-upstream-kasan-gce-root
2020/09/08 11:47 upstream f4d51dffc6c0 abf9ba4f .config console log report ci-upstream-kasan-gce
2020/09/08 09:51 upstream f4d51dffc6c0 abf9ba4f .config console log report ci-upstream-kasan-gce
2020/09/07 22:23 upstream f4d51dffc6c0 abf9ba4f .config console log report ci-upstream-kasan-gce-selinux-root
2020/09/07 20:56 upstream f4d51dffc6c0 abf9ba4f .config console log report ci-upstream-kasan-gce
2020/09/07 12:56 upstream f4d51dffc6c0 abf9ba4f .config console log report ci-upstream-kasan-gce-selinux-root
2020/09/07 10:53 upstream a8205e310011 abf9ba4f .config console log report ci-upstream-kasan-gce
2020/09/07 08:52 upstream f4d51dffc6c0 abf9ba4f .config console log report ci-upstream-kasan-gce-root
2020/09/07 03:37 upstream a8205e310011 abf9ba4f .config console log report ci-upstream-kasan-gce
2020/09/06 23:15 upstream dd9fb9bb3340 abf9ba4f .config console log report ci-upstream-kasan-gce
2020/09/11 04:13 upstream 7fe10096c150 409809d8 .config console log report ci-upstream-kasan-gce-386
2020/09/10 20:31 upstream 7fe10096c150 409809d8 .config console log report ci-upstream-kasan-gce-386
2020/09/10 13:46 upstream 34d4ddd359db 409809d8 .config console log report ci-upstream-kasan-gce-386
2020/09/09 14:58 upstream 34d4ddd359db 0ea7a887 .config console log report ci-upstream-kasan-gce-386
2020/09/09 13:25 upstream 34d4ddd359db 0ea7a887 .config console log report ci-upstream-kasan-gce-386
2020/09/09 07:07 upstream 6f6a73c8b715 abf9ba4f .config console log report ci-upstream-kasan-gce-386
2020/09/08 22:45 upstream 6f6a73c8b715 abf9ba4f .config console log report ci-upstream-kasan-gce-386
2020/09/07 04:47 upstream f4d51dffc6c0 abf9ba4f .config console log report ci-upstream-kasan-gce-386
2020/09/06 22:07 upstream dd9fb9bb3340 abf9ba4f .config console log report ci-upstream-kasan-gce-386
2020/09/08 05:07 linux-next 7a6956579ce6 abf9ba4f .config console log report ci-upstream-linux-next-kasan-gce-root
2020/09/08 03:46 linux-next 7a6956579ce6 abf9ba4f .config console log report ci-upstream-linux-next-kasan-gce-root
2020/09/07 23:46 linux-next 7a6956579ce6 abf9ba4f .config console log report ci-upstream-linux-next-kasan-gce-root
2020/09/07 13:58 linux-next 7a6956579ce6 abf9ba4f .config console log report ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.