syzbot |
sign-in | mailing list | source | docs |
| 🐞 Open [717] 🐞 Fixed [181] 🐞 Invalid [640] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes | 💬 Send us feedback |
| Created | Duration | User | Patch | Repo | Result |
|---|---|---|---|---|---|
| 2023/02/07 11:32 | 10m | retest repro | linux-4.14.y | report log | |
| 2022/09/16 21:29 | 11m | retest repro | linux-4.14.y | report log |
| Created | Duration | User | Patch | Repo | Result |
|---|---|---|---|---|---|
| 2020/07/18 04:13 | 32m | bisect fix | linux-4.14.y | job log (2) | |
| 2020/05/10 12:50 | 25m | bisect fix | linux-4.14.y | job log (0) log | |
| 2020/04/10 12:25 | 24m | bisect fix | linux-4.14.y | job log (0) log | |
| 2020/02/11 06:12 | 24m | bisect fix | linux-4.14.y | job log (0) log | |
| 2020/01/12 05:47 | 24m | bisect fix | linux-4.14.y | job log (0) log |
audit: type=1400 audit(1575461251.847:36): avc: denied { map } for pid=7015 comm="syz-executor252" path="/root/syz-executor252987772" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: use-after-free in memcpy include/linux/string.h:347 [inline]
BUG: KASAN: use-after-free in soft_cursor+0x43d/0xa50 drivers/video/fbdev/core/softcursor.c:70
Read of size 9 at addr ffff88809f7e2e51 by task syz-executor252/7015
CPU: 1 PID: 7015 Comm: syz-executor252 Not tainted 4.14.157-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
memcpy+0x24/0x50 mm/kasan/kasan.c:302
memcpy include/linux/string.h:347 [inline]
soft_cursor+0x43d/0xa50 drivers/video/fbdev/core/softcursor.c:70
bit_cursor+0x11be/0x1830 drivers/video/fbdev/core/bitblit.c:386
fbcon_cursor+0x4e3/0x6f0 drivers/video/fbdev/core/fbcon.c:1347
hide_cursor+0x9d/0x2e0 drivers/tty/vt/vt.c:589
redraw_screen+0x2a5/0x7c0 drivers/tty/vt/vt.c:679
vc_do_resize+0xc8a/0xec0 drivers/tty/vt/vt.c:954
vc_resize+0x4d/0x60 drivers/tty/vt/vt.c:974
vt_ioctl+0x10a8/0x2170 drivers/tty/vt/vt_ioctl.c:901
tty_ioctl+0x841/0x1320 drivers/tty/tty_io.c:2661
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x7ae/0x1060 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x440219
RSP: 002b:00007fff5036ec48 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440219
RDX: 00000000200002c0 RSI: 000000000000560a RDI: 0000000000000004
RBP: 00000000006ca018 R08: 0000000000000001 R09: 00000000004002c8
R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000401b00
R13: 0000000000401b90 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 4051:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
kmem_cache_alloc_trace+0x152/0x790 mm/slab.c:3618
kmalloc include/linux/slab.h:488 [inline]
kzalloc include/linux/slab.h:661 [inline]
alloc_pipe_info+0xb0/0x380 fs/pipe.c:647
get_pipe_inode fs/pipe.c:726 [inline]
create_pipe_files+0xc4/0x880 fs/pipe.c:759
__do_pipe_flags+0x38/0x210 fs/pipe.c:816
SYSC_pipe2 fs/pipe.c:864 [inline]
SyS_pipe2 fs/pipe.c:858 [inline]
SYSC_pipe fs/pipe.c:882 [inline]
SyS_pipe+0x65/0x110 fs/pipe.c:880
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 4051:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcc/0x270 mm/slab.c:3815
free_pipe_info+0x209/0x2b0 fs/pipe.c:698
put_pipe_info+0xb3/0xd0 fs/pipe.c:575
pipe_release+0x1b6/0x250 fs/pipe.c:596
__fput+0x275/0x7a0 fs/file_table.c:210
____fput+0x16/0x20 fs/file_table.c:244
task_work_run+0x114/0x190 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x1da/0x220 arch/x86/entry/common.c:164
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4bc/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x42/0xb7
The buggy address belongs to the object at ffff88809f7e2c80
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 465 bytes inside of
512-byte region [ffff88809f7e2c80, ffff88809f7e2e80)
The buggy address belongs to the page:
page:ffffea00027df880 count:1 mapcount:0 mapping:ffff88809f7e2000 index:0x0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffff88809f7e2000 0000000000000000 0000000100000006
raw: ffffea00023b9b60 ffffea00024c1120 ffff8880aa800940 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88809f7e2d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88809f7e2d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88809f7e2e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88809f7e2e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88809f7e2f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2019/12/04 12:10 | linux-4.14.y | fbc5fe7a54d0 | 0ecb9746 | .config | console log | report | syz | C | ci2-linux-4-14 | |||
| 2021/04/28 07:39 | linux-4.14.y | cf256fbcbe34 | 77e2b668 | .config | console log | report | info | ci2-linux-4-14 | KASAN: use-after-free Read in soft_cursor | |||
| 2020/09/17 07:22 | linux-4.14.y | cbfa1702aaf6 | 8247808b | .config | console log | report | info | ci2-linux-4-14 | ||||
| 2020/06/18 02:58 | linux-4.14.y | b850307b279c | d45a4d69 | .config | console log | report | ci2-linux-4-14 | |||||
| 2020/05/23 23:33 | linux-4.14.y | a41ba30d9df2 | 96c92ad3 | .config | console log | report | ci2-linux-4-14 | |||||
| 2020/03/11 11:46 | linux-4.14.y | 78d697fc93f9 | e103bc9e | .config | console log | report | ci2-linux-4-14 | |||||
| 2019/12/13 05:47 | linux-4.14.y | a844dc4c5442 | 2a752b7c | .config | console log | report | ci2-linux-4-14 |