Title | Replies (including bot) | Last reply |
---|---|---|
KASAN: use-after-free Read in soft_cursor | 1 (3) | 2019/12/07 07:22 |
syzbot |
sign-in | mailing list | source | docs |
Title | Replies (including bot) | Last reply |
---|---|---|
KASAN: use-after-free Read in soft_cursor | 1 (3) | 2019/12/07 07:22 |
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
---|---|---|---|---|---|---|---|---|---|
linux-4.19 | KASAN: use-after-free Read in soft_cursor | C | done | 16 | 1470d | 1767d | 1/1 | fixed on 2020/10/26 21:28 | |
linux-4.19 | KASAN: use-after-free Read in soft_cursor (2) | 2 | 1378d | 1417d | 0/1 | auto-closed as invalid on 2021/04/26 05:01 | |||
linux-4.14 | KASAN: use-after-free Read in soft_cursor | C | inconclusive | 7 | 1256d | 1767d | 0/1 | upstream: reported C repro on 2019/12/04 13:11 |
================================================================== BUG: KASAN: use-after-free in memcpy include/linux/string.h:380 [inline] BUG: KASAN: use-after-free in soft_cursor+0x439/0xa30 drivers/video/fbdev/core/softcursor.c:70 Read of size 9 at addr ffff88809826c851 by task syz-executor602/9482 CPU: 1 PID: 9482 Comm: syz-executor602 Not tainted 5.4.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x197/0x210 lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374 __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506 kasan_report+0x12/0x20 mm/kasan/common.c:639 check_memory_region_inline mm/kasan/generic.c:185 [inline] check_memory_region+0x134/0x1a0 mm/kasan/generic.c:192 memcpy+0x24/0x50 mm/kasan/common.c:125 memcpy include/linux/string.h:380 [inline] soft_cursor+0x439/0xa30 drivers/video/fbdev/core/softcursor.c:70 bit_cursor+0x12fc/0x1a60 drivers/video/fbdev/core/bitblit.c:386 fbcon_cursor+0x487/0x660 drivers/video/fbdev/core/fbcon.c:1402 hide_cursor+0x9d/0x2b0 drivers/tty/vt/vt.c:895 redraw_screen+0x60b/0x7d0 drivers/tty/vt/vt.c:988 vc_do_resize+0x10c9/0x1460 drivers/tty/vt/vt.c:1284 vc_resize+0x4d/0x60 drivers/tty/vt/vt.c:1304 vt_ioctl+0x2076/0x26d0 drivers/tty/vt/vt_ioctl.c:887 tty_ioctl+0xa37/0x14f0 drivers/tty/tty_io.c:2660 vfs_ioctl fs/ioctl.c:47 [inline] file_ioctl fs/ioctl.c:545 [inline] do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732 ksys_ioctl+0xab/0xd0 fs/ioctl.c:749 __do_sys_ioctl fs/ioctl.c:756 [inline] __se_sys_ioctl fs/ioctl.c:754 [inline] __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x440219 Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fff7d7f09e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440219 RDX: 00000000200002c0 RSI: 000000000000560a RDI: 0000000000000004 RBP: 00000000006ca018 R08: 0000000000000001 R09: 00000000004002c8 R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000401b00 R13: 0000000000401b90 R14: 0000000000000000 R15: 0000000000000000 Allocated by task 9477: save_stack+0x23/0x90 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] __kasan_kmalloc mm/kasan/common.c:513 [inline] __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:486 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:527 __do_kmalloc_node mm/slab.c:3616 [inline] __kmalloc_node_track_caller+0x4e/0x70 mm/slab.c:3630 __kmalloc_reserve.isra.0+0x40/0xf0 net/core/skbuff.c:141 __alloc_skb+0x10b/0x5e0 net/core/skbuff.c:209 alloc_skb include/linux/skbuff.h:1049 [inline] sock_wmalloc+0xd9/0x120 net/core/sock.c:2093 unix_stream_connect+0x22a/0x146b net/unix/af_unix.c:1249 __sys_connect_file+0x25d/0x2e0 net/socket.c:1848 __sys_connect+0x51/0x90 net/socket.c:1861 __do_sys_connect net/socket.c:1872 [inline] __se_sys_connect net/socket.c:1869 [inline] __x64_sys_connect+0x73/0xb0 net/socket.c:1869 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 9477: save_stack+0x23/0x90 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] kasan_set_free_info mm/kasan/common.c:335 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:474 kasan_slab_free+0xe/0x10 mm/kasan/common.c:483 __cache_free mm/slab.c:3426 [inline] kfree+0x10a/0x2c0 mm/slab.c:3757 skb_free_head+0x93/0xb0 net/core/skbuff.c:591 skb_release_data+0x551/0x8d0 net/core/skbuff.c:611 skb_release_all+0x4d/0x60 net/core/skbuff.c:665 __kfree_skb net/core/skbuff.c:679 [inline] kfree_skb net/core/skbuff.c:697 [inline] kfree_skb+0x101/0x420 net/core/skbuff.c:691 unix_stream_connect+0x1342/0x146b net/unix/af_unix.c:1391 __sys_connect_file+0x25d/0x2e0 net/socket.c:1848 __sys_connect+0x51/0x90 net/socket.c:1861 __do_sys_connect net/socket.c:1872 [inline] __se_sys_connect net/socket.c:1869 [inline] __x64_sys_connect+0x73/0xb0 net/socket.c:1869 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff88809826c800 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 81 bytes inside of 512-byte region [ffff88809826c800, ffff88809826ca00) The buggy address belongs to the page: page:ffffea0002609b00 refcount:1 mapcount:0 mapping:ffff8880aa400a80 index:0xffff88809826c000 raw: 00fffe0000000200 ffffea00029e84c8 ffffea0002594288 ffff8880aa400a80 raw: ffff88809826c000 ffff88809826c000 0000000100000003 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88809826c700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88809826c780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88809826c800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88809826c880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88809826c900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
---|---|---|---|---|---|---|---|---|---|---|---|---|
2019/12/06 11:48 | upstream | b0d4beaa5a4b | 98b4ef2d | .config | console log | report | syz | C | ci-upstream-kasan-gce-selinux-root | |||
2019/12/06 11:06 | upstream | b0d4beaa5a4b | 98b4ef2d | .config | console log | report | syz | C | ci-upstream-kasan-gce-root | |||
2019/12/18 13:06 | linux-next | b9c5ef25038d | f2fe0772 | .config | console log | report | syz | C | ci-upstream-linux-next-kasan-gce-root | |||
2020/09/07 20:05 | upstream | f4d51dffc6c0 | abf9ba4f | .config | console log | report | ci-upstream-kasan-gce-selinux-root | |||||
2020/08/09 06:24 | upstream | 06a81c1c7db9 | f721e4a0 | .config | console log | report | ci-upstream-kasan-gce-root | |||||
2020/04/28 04:05 | upstream | 51184ae37e05 | 0ce7569e | .config | console log | report | ci-upstream-kasan-gce-root | |||||
2020/03/18 17:50 | upstream | 5076190daded | 0a96a13c | .config | console log | report | ci-upstream-kasan-gce-smack-root | |||||
2020/03/14 18:54 | upstream | 69a4d0baeeb1 | 749688d2 | .config | console log | report | ci-upstream-kasan-gce-smack-root | |||||
2019/12/18 23:40 | upstream | 2187f215ebaa | 79b211f7 | .config | console log | report | ci-upstream-kasan-gce-selinux-root | |||||
2019/12/21 17:39 | upstream | 6210469417fd | bc586918 | .config | console log | report | ci-qemu-upstream-386 | |||||
2020/02/25 19:10 | linux-next | bdc5461b23ca | 59b57593 | .config | console log | report | ci-upstream-linux-next-kasan-gce-root | |||||
2020/02/21 04:53 | linux-next | bee46b309a13 | bd2a74a3 | .config | console log | report | ci-upstream-linux-next-kasan-gce-root |