syzbot


UBSAN: shift-out-of-bounds in snd_pcm_oss_change_params_locked

Status: fixed on 2021/03/10 01:48
Subsystems: sound
Reported-by: syzbot+33ef0b6639a8d2d42b4c@syzkaller.appspotmail.com
Fix commit: 11cb881bf075 ALSA: pcm: oss: Fix a few more UBSAN fixes
First crash: 1197d, last: 1181d
Cause bisection: introduced by (bisect log) [merge commit]:
commit a9c20bb0206ae9384bd470a6832dd8913730add9
Author: Paolo Bonzini <pbonzini@redhat.com>
Date: Sat Sep 14 07:25:30 2019 +0000

  Merge tag 'kvm-s390-master-5.3-1' of git://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux into kvm-master

Crash: general protection fault in batadv_iv_ogm_queue_add (log)
Repro: C syz .config
  
Discussions (7)
Title                                                            Replies (including bot)  Last reply
[PATCH 4.14 000/242] 4.14.213-rc1 review                         245 (245)                2021/01/13 01:20
[PATCH 5.10 000/717] 5.10.4-rc1 review                           747 (747)                2021/01/05 16:41
[PATCH 4.19 000/346] 4.19.164-rc1 review                         356 (356)                2021/01/02 11:29
[PATCH 4.4 000/132] 4.4.249-rc1 review                           136 (136)                2020/12/30 09:37
[PATCH 5.4 000/453] 5.4.86-rc1 review                            465 (465)                2020/12/30 09:22
[PATCH 4.9 000/175] 4.9.249-rc1 review                           178 (178)                2020/12/29 09:28
UBSAN: shift-out-of-bounds in snd_pcm_oss_change_params_locked   0 (1)                    2020/12/09 07:33

Sample crash report:
================================================================================
UBSAN: shift-out-of-bounds in sound/core/oss/pcm_oss.c:705:23
shift exponent 58 is too large for 32-bit type 'int'
CPU: 1 PID: 8476 Comm: syz-executor572 Not tainted 5.10.0-rc6-next-20201207-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395
 snd_pcm_oss_period_size sound/core/oss/pcm_oss.c:705 [inline]
 snd_pcm_oss_change_params_locked.cold+0x55/0x78 sound/core/oss/pcm_oss.c:925
 snd_pcm_oss_change_params sound/core/oss/pcm_oss.c:1084 [inline]
 snd_pcm_oss_make_ready+0xe7/0x1b0 sound/core/oss/pcm_oss.c:1143
 snd_pcm_oss_sync+0x1de/0x800 sound/core/oss/pcm_oss.c:1708
 snd_pcm_oss_release+0x276/0x300 sound/core/oss/pcm_oss.c:2546
 __fput+0x283/0x920 fs/file_table.c:280
 task_work_run+0xdd/0x190 kernel/task_work.c:140
 exit_task_work include/linux/task_work.h:30 [inline]
 do_exit+0xb89/0x2a00 kernel/exit.c:823
 do_group_exit+0x125/0x310 kernel/exit.c:920
 __do_sys_exit_group kernel/exit.c:931 [inline]
 __se_sys_exit_group kernel/exit.c:929 [inline]
 __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:929
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x43ee98
Code: Unable to access opcode bytes at RIP 0x43ee6e.
RSP: 002b:00007ffc0b9ddff8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ee98
RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
RBP: 00000000004be6a8 R08: 00000000000000e7 R09: ffffffffffffffd0
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
================================================================================

Crashes (225):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2020/12/08 06:06 linux-next 15ac8fdb7440 51a9082e .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2020/12/08 05:06 linux-next 15ac8fdb7440 51a9082e .config console log report syz ci-upstream-linux-next-kasan-gce-root
2020/12/23 22:23 upstream 614cb5894306 c2c1d1dd .config console log report info ci-upstream-kasan-gce
2020/12/23 01:26 upstream 614cb5894306 04201c06 .config console log report info ci-upstream-kasan-gce
2020/12/21 18:15 upstream e37b12e4bb21 04201c06 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/21 15:00 upstream e37b12e4bb21 04201c06 .config console log report info ci-upstream-kasan-gce
2020/12/20 22:02 upstream 467f8165a2b0 04201c06 .config console log report info ci-upstream-kasan-gce
2020/12/20 19:18 upstream 467f8165a2b0 04201c06 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/20 18:16 upstream 467f8165a2b0 04201c06 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/18 22:45 upstream a409ed156a90 04201c06 .config console log report info ci-upstream-kasan-gce
2020/12/18 13:54 upstream d64c6f96ba86 04201c06 .config console log report info ci-upstream-kasan-gce
2020/12/17 18:20 upstream accefff5b547 04201c06 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/17 11:41 upstream accefff5b547 04201c06 .config console log report info ci-upstream-kasan-gce
2020/12/17 09:56 upstream accefff5b547 04201c06 .config console log report info ci-upstream-kasan-gce
2020/12/17 06:09 upstream 5e60366d56c6 04201c06 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/16 22:07 upstream 5e60366d56c6 04201c06 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/16 21:04 upstream 5e60366d56c6 04201c06 .config console log report info ci-upstream-kasan-gce
2020/12/16 20:00 upstream 5e60366d56c6 04201c06 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/16 19:55 upstream 5e60366d56c6 04201c06 .config console log report info ci-upstream-kasan-gce
2020/12/16 18:50 upstream 5e60366d56c6 04201c06 .config console log report info ci-upstream-kasan-gce
2020/12/16 17:46 upstream 5e60366d56c6 04201c06 .config console log report info ci-upstream-kasan-gce-selinux-root
2020/12/23 03:15 upstream 614cb5894306 04201c06 .config console log report info ci-upstream-kasan-gce-386
2020/12/21 16:03 upstream e37b12e4bb21 04201c06 .config console log report info ci-upstream-kasan-gce-386
2020/12/21 03:31 upstream 6a447b0e3151 04201c06 .config console log report info ci-upstream-kasan-gce-386
2020/12/20 08:10 upstream 467f8165a2b0 04201c06 .config console log report info ci-upstream-kasan-gce-386
2020/12/17 15:07 upstream accefff5b547 04201c06 .config console log report info ci-upstream-kasan-gce-386
2020/12/17 01:22 upstream 5e60366d56c6 04201c06 .config console log report info ci-upstream-kasan-gce-386
2020/12/16 23:49 upstream 5e60366d56c6 04201c06 .config console log report info ci-upstream-kasan-gce-386
2020/12/16 22:46 upstream 5e60366d56c6 04201c06 .config console log report info ci-upstream-kasan-gce-386
2020/12/16 17:32 upstream 5e60366d56c6 04201c06 .config console log report info ci-upstream-kasan-gce-386
2020/12/20 17:39 linux-next 0d52778b8710 04201c06 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/18 08:28 linux-next 0d52778b8710 04201c06 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/17 12:45 linux-next 90cc8cf2d1ab 04201c06 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/15 12:06 linux-next 14240d4c5b25 97183ed7 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/15 10:42 linux-next 14240d4c5b25 97183ed7 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/15 09:27 linux-next 14240d4c5b25 97183ed7 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/15 07:57 linux-next 14240d4c5b25 97183ed7 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/15 05:43 linux-next 14240d4c5b25 97183ed7 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/15 03:04 linux-next 14240d4c5b25 97183ed7 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/15 01:00 linux-next 14240d4c5b25 97183ed7 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/14 13:26 linux-next 14240d4c5b25 b22a7ec3 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/14 09:12 linux-next 14240d4c5b25 b22a7ec3 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/14 07:02 linux-next 14240d4c5b25 b22a7ec3 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/14 05:31 linux-next 14240d4c5b25 b22a7ec3 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/14 03:04 linux-next 14240d4c5b25 b22a7ec3 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/14 01:48 linux-next 14240d4c5b25 b22a7ec3 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/13 18:35 linux-next 14240d4c5b25 bca53db9 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/13 17:07 linux-next 14240d4c5b25 bca53db9 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/07 12:07 linux-next 15ac8fdb7440 1190297f .config console log report info ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.