syzbot

KASAN: global-out-of-bounds Read in fb_pad_aligned_buffer
Status: upstream: reported C repro on 2019/12/07 21:58
Reported-by: syzbot+0568d05e486eee0a1ba2@syzkaller.appspotmail.com
First crash: 900d, last: 592d

Cause bisection: introduced by (bisect log):
commit 2de50e9674fc4ca3c6174b04477f69eb26b4ee31
Author: Russell Currey <ruscur@russell.cc>
Date: Mon Feb 8 04:08:20 2016 +0000

  powerpc/powernv: Remove support for p5ioc2

Crash: BUG: spinlock lockup suspected in nf_conntrack_lock (log)
Repro: C syz .config

Fix bisection: failed (bisect log)
similar bugs (2):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 KASAN: global-out-of-bounds Read in fb_pad_aligned_buffer C inconclusive 6 625d 900d 0/1 upstream: reported C repro on 2019/12/07 22:52
linux-4.19 KASAN: global-out-of-bounds Read in fb_pad_aligned_buffer C done 5 575d 900d 1/1 fixed on 2020/11/28 11:57
Patch testing requests:
Created Duration User Patch Repo Result
2021/03/14 08:56 37m ducheng2@gmail.com upstream OK

Sample crash report:
==================================================================
BUG: KASAN: global-out-of-bounds in __fb_pad_aligned_buffer include/linux/fb.h:655 [inline]
BUG: KASAN: global-out-of-bounds in fb_pad_aligned_buffer+0x137/0x150 drivers/video/fbdev/core/fbmem.c:116
Read of size 1 at addr ffffffff8875bd80 by task syz-executor137/22416

CPU: 0 PID: 22416 Comm: syz-executor137 Not tainted 5.7.0-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x188/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0x5/0x413 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 __fb_pad_aligned_buffer include/linux/fb.h:655 [inline]
 fb_pad_aligned_buffer+0x137/0x150 drivers/video/fbdev/core/fbmem.c:116
 bit_putcs_aligned drivers/video/fbdev/core/bitblit.c:99 [inline]
 bit_putcs+0xbb4/0xd60 drivers/video/fbdev/core/bitblit.c:185
 fbcon_putcs+0x345/0x3f0 drivers/video/fbdev/core/fbcon.c:1362
 do_update_region+0x398/0x630 drivers/tty/vt/vt.c:683
 redraw_screen+0x64c/0x770 drivers/tty/vt/vt.c:1029
 fbcon_do_set_font+0x819/0x950 drivers/video/fbdev/core/fbcon.c:2614
 fbcon_copy_font+0x125/0x190 drivers/video/fbdev/core/fbcon.c:2629
 con_font_copy drivers/tty/vt/vt.c:4627 [inline]
 con_font_op+0x666/0x1160 drivers/tty/vt/vt.c:4642
 vt_ioctl+0x1740/0x2640 drivers/tty/vt/vt_ioctl.c:980
 tty_ioctl+0xedc/0x1440 drivers/tty/tty_io.c:2656
 vfs_ioctl fs/ioctl.c:47 [inline]
 ksys_ioctl+0x11a/0x180 fs/ioctl.c:771
 __do_sys_ioctl fs/ioctl.c:780 [inline]
 __se_sys_ioctl fs/ioctl.c:778 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:778
 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x43a569
Code: e8 9c e7 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 8b cd fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fdd3bf3ace8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000006c3c28 RCX: 000000000043a569
RDX: 0000000020000080 RSI: 0000000000004b72 RDI: 0000000000000003
RBP: 00000000006c3c20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006c3c2c
R13: 00007ffd4921c1ff R14: 00007fdd3bf1b000 R15: 0000000000000003

The buggy address belongs to the variable:
 fontdata_8x16+0x1000/0x1120

Memory state around the buggy address:
 ffffffff8875bc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffff8875bd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffff8875bd80: fa fa fa fa 06 fa fa fa fa fa fa fa 05 fa fa fa
                   ^
 ffffffff8875be00: fa fa fa fa 06 fa fa fa fa fa fa fa 00 00 03 fa
 ffffffff8875be80: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (12):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-qemu-upstream 2020/06/25 23:58 upstream 435faf5c218a c7b4497a .config log report syz C
ci-upstream-kasan-gce-root 2020/04/10 00:47 upstream 5d30bcacd91a a8c6a3f8 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2019/12/09 04:26 upstream 9455d25f4e3b 1508f453 .config log report syz C
ci-qemu-upstream-386 2020/08/30 19:42 upstream 1127b219ce94 d5a3ae1f .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2019/12/21 07:46 linux-next 7ddd09fc4b74 bc586918 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2020/04/11 11:50 upstream ab6f762f0f53 a8c6a3f8 .config log report syz
ci-upstream-linux-next-kasan-gce-root 2020/04/14 18:56 linux-next f19bb13a0eaf 3f3c5574 .config log report syz
ci-upstream-kasan-gce-root 2020/10/10 18:05 upstream 6f2f486d57c4 4a77ae0b .config log report info
ci-upstream-kasan-gce-selinux-root 2020/03/14 19:35 upstream 69a4d0baeeb1 749688d2 .config log report
ci-upstream-kasan-gce-root 2020/03/04 10:24 upstream 63623fd44972 c88c7b75 .config log report
ci-upstream-kasan-gce-selinux-root 2019/12/07 21:40 upstream ad910e36da4c 1508f453 .config log report
ci-upstream-linux-next-kasan-gce-root 2019/12/10 03:00 linux-next 6cf8298daad0 4b83c8fb .config log report