syzbot


KASAN: slab-out-of-bounds Read in fbcon_get_font

Status: auto-obsoleted due to no activity on 2022/09/25 10:38
Reported-by: syzbot+4455ca3b3291de891abc@syzkaller.appspotmail.com
First crash: 1029d, last: 724d

Cause bisection: introduced by (bisect log) :
commit 2de50e9674fc4ca3c6174b04477f69eb26b4ee31
Author: Russell Currey <ruscur@russell.cc>
Date: Mon Feb 8 04:08:20 2016 +0000

  powerpc/powernv: Remove support for p5ioc2

Crash: BUG: spinlock lockup suspected in nf_conntrack_lock (log)
Repro: C syz .config

Fix bisection: the fix commit could be any of (bisect log):
  6b643a07a7e4 x86/entry, ubsan, objtool: Whitelist __ubsan_handle_*()
  8e8bb06d199a x86/entry, bug: Comment the instrumentation_begin() usage for WARN()
  14d3b376b6c3 x86/entry, cpumask: Provide non-instrumented variant of cpu_is_offline()
  33aea07f30c2 compiler_attributes.h: Support no_sanitize_undefined check with GCC 4
  5144f8a8dfd7 compiler_types.h: Add __no_sanitize_{address,undefined} to noinstr
  acf7b0bf7dcf kasan: Fix required compiler version
  734d099ba644 objtool: Don't consider vmlinux a C-file
  7b861a53e46b kasan: Bump required compiler version
  5ddbc4082e10 x86, kcsan: Add __no_kcsan to noinstr
  e3a9e681adb7 x86/entry: Fixup bad_iret vs noinstr
  c7aadc09321d x86/entry: Increase entry_stack size to a full page
  e79302ae8c8c kcsan: Remove __no_kcsan_or_inline
  145a773aef83 x86/entry: Fix #UD vs WARN more
  e82587336695 x86, kcsan: Remove __no_kcsan_or_inline usage
  2c92d787cc9f Merge branch 'linus' into x86/entry, to resolve conflicts
similar bugs (2):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 KASAN: slab-out-of-bounds Read in fbcon_get_font C error 35 735d 1030d 0/1 upstream: reported C repro on 2019/12/03 02:00
linux-4.19 KASAN: slab-out-of-bounds Read in fbcon_get_font C done 97 722d 1030d 1/1 fixed on 2020/11/05 11:24
Patch testing requests:
Created Duration User Patch Repo Result
2022/09/25 08:30 16m linux-next OK log
2022/09/25 05:30 19m linux-next OK log
2022/09/25 03:30 17m linux-next OK log
2022/09/25 01:30 18m linux-next OK log
2022/09/24 12:30 15m upstream OK log
2022/09/24 09:30 16m upstream OK log
2022/09/24 05:30 16m upstream OK log
2022/09/24 02:30 18m upstream OK log
2022/09/21 19:29 16m upstream OK log
2022/09/21 15:29 16m upstream OK log
2022/09/21 12:29 17m upstream OK log
2022/09/21 08:29 18m upstream OK log
2021/04/15 14:08 18m alaaemadhossney.ae@gmail.com upstream OK

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:380 [inline]
BUG: KASAN: slab-out-of-bounds in fbcon_get_font+0x2b2/0x5e0 drivers/video/fbdev/core/fbcon.c:2465
Read of size 5 at addr ffff8880a283540c by task syz-executor713/11451

CPU: 1 PID: 11451 Comm: syz-executor713 Not tainted 5.5.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
 __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:639
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x134/0x1a0 mm/kasan/generic.c:192
 memcpy+0x24/0x50 mm/kasan/common.c:125
 memcpy include/linux/string.h:380 [inline]
 fbcon_get_font+0x2b2/0x5e0 drivers/video/fbdev/core/fbcon.c:2465
 con_font_get drivers/tty/vt/vt.c:4446 [inline]
 con_font_op+0x20b/0x1270 drivers/tty/vt/vt.c:4605
 vt_ioctl+0xd2e/0x26d0 drivers/tty/vt/vt_ioctl.c:913
 tty_ioctl+0xa37/0x14f0 drivers/tty/tty_io.c:2660
 vfs_ioctl fs/ioctl.c:47 [inline]
 file_ioctl fs/ioctl.c:545 [inline]
 do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
 __do_sys_ioctl fs/ioctl.c:756 [inline]
 __se_sys_ioctl fs/ioctl.c:754 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x448549
Code: e8 1c e6 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 8b 06 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f662c161db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000006e49e8 RCX: 0000000000448549
RDX: 0000000020000140 RSI: 0000000000004b60 RDI: 0000000000000003
RBP: 00000000006e49e0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006e49ec
R13: 00007fff9641cc3f R14: 00007f662c1629c0 R15: 20c49ba5e353f7cf

Allocated by task 11446:
 save_stack+0x23/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc mm/kasan/common.c:513 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:486
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:527
 __do_kmalloc mm/slab.c:3656 [inline]
 __kmalloc+0x163/0x770 mm/slab.c:3665
 kmalloc include/linux/slab.h:561 [inline]
 fbcon_set_font+0x32d/0x860 drivers/video/fbdev/core/fbcon.c:2663
 con_font_set drivers/tty/vt/vt.c:4538 [inline]
 con_font_op+0xe30/0x1270 drivers/tty/vt/vt.c:4603
 vt_ioctl+0xd2e/0x26d0 drivers/tty/vt/vt_ioctl.c:913
 tty_ioctl+0xa37/0x14f0 drivers/tty/tty_io.c:2660
 vfs_ioctl fs/ioctl.c:47 [inline]
 file_ioctl fs/ioctl.c:545 [inline]
 do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
 __do_sys_ioctl fs/ioctl.c:756 [inline]
 __se_sys_ioctl fs/ioctl.c:754 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 12:
 save_stack+0x23/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:335 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:474
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:483
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x10a/0x2c0 mm/slab.c:3757
 free_tty_struct+0x95/0xc0 drivers/tty/tty_io.c:177
 release_one_tty+0x28c/0x360 drivers/tty/tty_io.c:1468
 process_one_work+0x9af/0x1740 kernel/workqueue.c:2264
 worker_thread+0x98/0xe40 kernel/workqueue.c:2410
 kthread+0x361/0x430 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff8880a2835000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1036 bytes inside of
 2048-byte region [ffff8880a2835000, ffff8880a2835800)
The buggy address belongs to the page:
page:ffffea00028a0d40 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0
raw: 00fffe0000000200 ffffea00023c2ac8 ffffea000259c108 ffff8880aa400e00
raw: 0000000000000000 ffff8880a2835000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a2835300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880a2835380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880a2835400: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                         ^
 ffff8880a2835480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880a2835500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (137):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-selinux-root 2019/12/13 14:49 upstream ae4b064e2a61 08003f64 .config log report syz C
ci-upstream-kasan-gce-root 2019/12/13 10:01 upstream ae4b064e2a61 08003f64 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2019/12/09 21:21 upstream e42617b825f8 b31eda3d .config log report syz C
ci-upstream-kasan-gce-root 2019/12/09 15:19 upstream e42617b825f8 b31eda3d .config log report syz C
ci-upstream-kasan-gce-root 2019/12/03 21:18 upstream 76bb8b05960c ae13a849 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2019/12/03 20:10 upstream 76bb8b05960c ae13a849 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2019/12/24 16:40 linux-next 7ddd09fc4b74 be5c2c81 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2019/12/21 23:26 linux-next 7ddd09fc4b74 bc586918 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2019/12/13 08:12 linux-next 78adcacd4edb 08003f64 .config log report syz C
ci-upstream-kasan-gce-root 2020/01/03 08:40 upstream 7ca4ad5ba886 25a0186e .config log report syz
ci-upstream-kasan-gce-selinux-root 2020/01/03 07:45 upstream 7ca4ad5ba886 25a0186e .config log report syz
ci-upstream-linux-next-kasan-gce-root 2020/01/08 21:59 linux-next 4becfd1b26ef ddc3e859 .config log report syz
ci-upstream-kasan-gce-smack-root 2020/10/04 11:21 upstream 22fbc037cd32 5ef9c291 .config log report info
ci-upstream-kasan-gce-smack-root 2020/10/04 00:16 upstream 22fbc037cd32 1a3f9408 .config log report info
ci-upstream-kasan-gce-smack-root 2020/09/30 13:38 upstream 02de58b24d2e 8516f6d3 .config log report info
ci-upstream-kasan-gce-smack-root 2020/09/29 13:32 upstream fb0155a09b02 1b88c6d5 .config log report info
ci-upstream-kasan-gce-root 2020/09/28 12:17 upstream a1b8638ba132 6bfdbe89 .config log report info
ci-upstream-kasan-gce-root 2020/09/19 15:49 upstream eb5f95f1593f 53ce8104 .config log report info
ci-upstream-kasan-gce-smack-root 2020/09/04 11:16 upstream e28f0104343d abf9ba4f .config log report
ci-upstream-kasan-gce-smack-root 2020/08/29 00:45 upstream 96d454cd2c16 d5a3ae1f .config log report
ci-upstream-kasan-gce-selinux-root 2020/08/23 06:07 upstream c3d8f220d012 1da71ab0 .config log report
ci-upstream-kasan-gce-smack-root 2020/08/17 12:00 upstream 2cc3c4b3c2e9 424dd8e7 .config log report
ci-upstream-kasan-gce-smack-root 2020/08/15 01:24 upstream 7fca4dee610d 424dd8e7 .config log report
ci-upstream-kasan-gce-smack-root 2020/08/10 15:55 upstream 9420f1ce0186 70301872 .config log report
ci-upstream-kasan-gce-smack-root 2020/08/06 17:11 upstream 47ec5303d73e 1f122f88 .config log report
ci-upstream-kasan-gce-root 2020/08/03 06:33 upstream bcf876870b95 196277c4 .config log report
ci-upstream-kasan-gce-smack-root 2020/08/03 02:20 upstream 5a30a78924ec 196277c4 .config log report
ci-upstream-kasan-gce-smack-root 2020/08/02 01:30 upstream d52daa8620c6 d895b3be .config log report
ci-upstream-kasan-gce-root 2020/08/01 16:06 upstream 7dc6fd0f3b84 d895b3be .config log report
ci-upstream-kasan-gce-selinux-root 2020/08/01 14:25 upstream 7dc6fd0f3b84 d895b3be .config log report
ci-upstream-kasan-gce-smack-root 2020/07/31 16:00 upstream d8b9faec54ae 8df85ed9 .config log report
ci-upstream-kasan-gce-root 2020/07/30 06:39 upstream d3590ebf6f91 233283a1 .config log report
ci-upstream-kasan-gce-smack-root 2020/07/27 03:45 upstream 92ed30191993 51265195 .config log report
ci-upstream-kasan-gce-root 2020/07/24 11:42 upstream f37e99aca03f 554af388 .config log report
ci-upstream-kasan-gce-root 2020/07/24 09:55 upstream f37e99aca03f 70c104a1 .config log report
ci-upstream-kasan-gce-selinux-root 2020/07/24 06:33 upstream d15be546031c 70c104a1 .config log report
ci-upstream-kasan-gce-root 2020/07/23 14:15 upstream d15be546031c 340ea530 .config log report
ci-upstream-kasan-gce-selinux-root 2020/07/23 12:41 upstream d15be546031c 340ea530 .config log report
ci-upstream-kasan-gce-selinux-root 2020/07/17 05:38 upstream f8456690ba8e 54b3c45e .config log report
ci-upstream-kasan-gce-selinux-root 2020/07/10 15:20 upstream 42f82040ee66 edf162e8 .config log report
ci-upstream-kasan-gce-smack-root 2020/06/27 08:26 upstream 1590a2e1c681 ffec44b5 .config log report
ci-upstream-kasan-gce-root 2020/06/24 09:23 upstream 7ae77150d94d 54566aff .config log report
ci-upstream-kasan-gce-selinux-root 2020/06/21 00:20 upstream 7ae77150d94d c655ec77 .config log report
ci-upstream-kasan-gce-selinux-root 2020/06/16 23:59 upstream 7ae77150d94d 559fbe2d .config log report
ci-upstream-kasan-gce-selinux-root 2020/06/15 10:45 upstream 7ae77150d94d 8e3ab941 .config log report
ci-upstream-kasan-gce-root 2020/06/15 05:26 upstream 7ae77150d94d 2a22c77a .config log report
ci-upstream-kasan-gce-smack-root 2020/06/11 23:58 upstream 7ae77150d94d 58802067 .config log report
ci-upstream-kasan-gce-smack-root 2020/06/11 14:32 upstream 7ae77150d94d 3ab7a05a .config log report
ci-upstream-kasan-gce-smack-root 2020/06/10 12:59 upstream 7ae77150d94d 860c4de9 .config log report
ci-upstream-kasan-gce-selinux-root 2020/06/08 12:37 upstream 7ae77150d94d 7751efd0 .config log report
ci-upstream-kasan-gce-smack-root 2020/06/06 18:34 upstream 7ae77150d94d e6b89e4e .config log report
ci-upstream-kasan-gce-smack-root 2020/06/02 02:16 upstream 9bf9511e3d9f a0331e89 .config log report
ci-upstream-kasan-gce-root 2020/05/25 19:42 upstream 9cb1fd0efd19 30927cd7 .config log report
ci-upstream-kasan-gce-smack-root 2020/05/25 09:43 upstream 9cb1fd0efd19 11284182 .config log report
ci-qemu-upstream-386 2020/05/07 21:56 upstream 5d286d5ebcf6 435c6d53 .config log report
ci-upstream-linux-next-kasan-gce-root 2020/08/26 20:25 linux-next f37be72473a0 318430cb .config log report
ci-upstream-linux-next-kasan-gce-root 2020/08/14 23:51 linux-next 4993e4fe12af 424dd8e7 .config log report
ci-upstream-linux-next-kasan-gce-root 2020/08/12 23:26 linux-next bc09acc9f224 bc15f7db .config log report
ci-upstream-linux-next-kasan-gce-root 2020/07/27 02:07 linux-next 26027945c94a 51265195 .config log report
ci-upstream-linux-next-kasan-gce-root 2020/07/24 00:16 linux-next 4f5baedd579d 70c104a1 .config log report
ci-upstream-linux-next-kasan-gce-root 2020/07/23 09:30 linux-next 73aece61f643 340ea530 .config log report
ci-upstream-linux-next-kasan-gce-root 2020/07/02 14:28 linux-next aab2003999e7 bed10395 .config log report
* Struck through repros no longer work on HEAD.