syzbot


KASAN: vmalloc-out-of-bounds Write in bitfill_aligned
Status: fixed on 2020/09/21 20:54
Reported-by: syzbot+e5fd3e65515b48c02a30@syzkaller.appspotmail.com
Fix commit: 033724d68642 fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
First crash: 904d, last: 669d
duplicates (9):
Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
INFO: task hung in console_callback 7 688d 855d 0/22 closed as dup on 2020/08/16 15:22
INFO: task hung in fb_open C done 552 651d 905d 0/22 closed as dup on 2020/07/27 23:07
INFO: task can't die in fb_open 3 651d 669d 0/22 closed as dup on 2020/07/27 05:19
INFO: task hung in vcs_open 32 630d 763d 0/22 closed as dup on 2020/08/05 10:53
INFO: task hung in fb_release C done 64 651d 886d 0/22 closed as dup on 2020/07/27 23:00
INFO: task hung in con_install 6 688d 870d 0/22 closed as dup on 2020/08/16 15:20
INFO: task hung in con_set_cmap 1 691d 686d 0/22 closed as dup on 2020/07/26 05:18
INFO: task hung in do_fb_ioctl 47 658d 865d 0/22 closed as dup on 2020/07/27 22:56
BUG: unable to handle kernel paging request in bitfill_aligned 1 747d 744d 0/22 closed as dup on 2020/08/16 15:35
similar bugs (1):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream BUG: unable to handle kernel paging request in bitfill_aligned (2) C inconclusive done 26 147d 555d 22/22 fixed on 2022/05/13 11:13
Patch testing requests:
Created Duration User Patch Repo Result
2020/07/14 13:05 27m penguin-kernel@i-love.sakura.ne.jp patch upstream OK
2020/07/14 12:42 20m penguin-kernel@i-love.sakura.ne.jp patch upstream report log
2020/07/14 10:42 26m penguin-kernel@i-love.sakura.ne.jp patch upstream error

Sample crash report:
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in bitfill_aligned drivers/video/fbdev/core/sysfillrect.c:54 [inline]
BUG: KASAN: vmalloc-out-of-bounds in bitfill_aligned+0x34a/0x400 drivers/video/fbdev/core/sysfillrect.c:25
Write of size 8 at addr ffffc90009a91000 by task syz-executor080/9273

CPU: 3 PID: 9273 Comm: syz-executor080 Not tainted 5.8.0-rc6-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0x5/0x436 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 bitfill_aligned drivers/video/fbdev/core/sysfillrect.c:54 [inline]
 bitfill_aligned+0x34a/0x400 drivers/video/fbdev/core/sysfillrect.c:25
 sys_fillrect+0x408/0x7a0 drivers/video/fbdev/core/sysfillrect.c:291
 drm_fb_helper_sys_fillrect+0x1e/0x190 drivers/gpu/drm/drm_fb_helper.c:731
 bit_clear_margins+0x2d5/0x4a0 drivers/video/fbdev/core/bitblit.c:232
 fbcon_clear_margins+0x1d5/0x230 drivers/video/fbdev/core/fbcon.c:1381
 fbcon_switch+0xb6e/0x16c0 drivers/video/fbdev/core/fbcon.c:2363
 redraw_screen+0x2ae/0x770 drivers/tty/vt/vt.c:1015
 fbcon_modechanged+0x575/0x710 drivers/video/fbdev/core/fbcon.c:3001
 fbcon_update_vcs+0x3a/0x50 drivers/video/fbdev/core/fbcon.c:3048
 fb_set_var+0xae8/0xd60 drivers/video/fbdev/core/fbmem.c:1056
 do_fb_ioctl+0x33f/0x6c0 drivers/video/fbdev/core/fbmem.c:1109
 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1185
 vfs_ioctl fs/ioctl.c:48 [inline]
 ksys_ioctl+0x11a/0x180 fs/ioctl.c:753
 __do_sys_ioctl fs/ioctl.c:762 [inline]
 __se_sys_ioctl fs/ioctl.c:760 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:760
 do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:384
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x433d79
Code: c4 18 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb da fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffc03901138 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000433d79
RDX: 0000000020000000 RSI: 0000000000004601 RDI: 0000000000000003
RBP: 00000000006b2018 R08: 0000000000000000 R09: 00000000004002e0
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401c10
R13: 0000000000401ca0 R14: 0000000000000000 R15: 0000000000000000


Memory state around the buggy address:
 ffffc90009a90f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90009a90f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc90009a91000: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
                   ^
 ffffc90009a91080: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
 ffffc90009a91100: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
==================================================================
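Added example, written for this page: it is not the kernel's code, not the fix commit, and not part of the syzbot report. The trace runs fb_ioctl -> fb_set_var -> fbcon_update_vcs -> fbcon_modechanged -> redraw_screen -> fbcon_switch -> fbcon_clear_margins -> bit_clear_margins -> sys_fillrect, and RSI=0x4601 in the register dump is FBIOPUT_VSCREENINFO, so a user-supplied fb_var_screeninfo is what changed xres/yres before the console redrew itself; the f9 shadow bytes around the faulting address are KASAN_VMALLOC_INVALID, meaning the fill ran off the end of the vmalloc'd framebuffer into unallocated vmalloc space. The fix title names an integer underflow in clear_margins; the model below assumes that underflow is the margin width/height computed as unsigned "xres - cols*cw" / "yres - rows*ch" once the caller has shrunk xres/yres below the text grid, and places that unsigned form beside a signed form that only draws a positive margin. All struct and function names are hypothetical, the framebuffer is a constructed 1-byte-per-pixel buffer, and model_fillrect carries a bounds check that stands in for what KASAN detected, since the real fill routine trusts the rectangle it is handed.

```c
/* Added example: a simplified model of the fbcon clear_margins arithmetic,
 * not code from the kernel or from the fix. Names are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct fb_var_model { unsigned int xres, yres; };  /* stands in for fb_var_screeninfo */
struct vc_model     { unsigned int cols, rows; };  /* stands in for vc_data cols/rows */

struct margins {
    unsigned int right_x, right_w;    /* strip to the right of the last column */
    unsigned int bottom_y, bottom_h;  /* strip below the last row */
    bool draw_right, draw_bottom;
};

/* Weak form: unsigned subtraction, drawn whenever the result is non-zero. */
static struct margins margins_unsigned(const struct fb_var_model *var,
                                       const struct vc_model *vc,
                                       unsigned int cw, unsigned int ch)
{
    struct margins m = {0};
    unsigned int rw = var->xres - vc->cols * cw;  /* wraps when xres < cols*cw */
    unsigned int bh = var->yres - vc->rows * ch;  /* wraps when yres < rows*ch */
    m.right_x = var->xres - rw;   /* wraps back to cols*cw, past the buffer */
    m.right_w = rw;
    m.bottom_y = var->yres - bh;
    m.bottom_h = bh;
    m.draw_right = rw != 0;
    m.draw_bottom = bh != 0;
    return m;
}

/* Hardened form: signed 64-bit arithmetic, draw only a positive margin. */
static struct margins margins_signed(const struct fb_var_model *var,
                                     const struct vc_model *vc,
                                     unsigned int cw, unsigned int ch)
{
    struct margins m = {0};
    int64_t rw = (int64_t)var->xres - (int64_t)vc->cols * cw;
    int64_t bh = (int64_t)var->yres - (int64_t)vc->rows * ch;
    if (rw > 0) {
        m.draw_right = true;
        m.right_x = (unsigned int)(var->xres - rw);
        m.right_w = (unsigned int)rw;
    }
    if (bh > 0) {
        m.draw_bottom = true;
        m.bottom_y = (unsigned int)(var->yres - bh);
        m.bottom_h = (unsigned int)bh;
    }
    return m;
}

/* Stand-in for the fill routine over a 1-byte-per-pixel buffer, with the
 * bounds check KASAN performed for the real driver. Returns bytes written,
 * or -1 if any part of the rectangle lies outside fb. */
static long model_fillrect(uint8_t *fb, size_t fb_size, unsigned int line_length,
                           unsigned int x, unsigned int y,
                           unsigned int w, unsigned int h, uint8_t color)
{
    if (w == 0 || h == 0)
        return 0;
    /* 64-bit checks so a wrapped width/height cannot also wrap the check. */
    if ((uint64_t)x + w > line_length)
        return -1;
    if (((uint64_t)y + h) * line_length > fb_size)
        return -1;
    for (unsigned int r = y; r < y + h; r++)
        memset(fb + (size_t)r * line_length + x, color, w);
    return (long)w * h;
}

/* One clear_margins pass over a constructed xres*yres buffer. Returns 0 if
 * every fill stayed in bounds, -1 if a fill would have gone out of bounds,
 * -2 if the requested mode exceeds the constructed backing store. */
static int run_clear_margins(const struct fb_var_model *var,
                             const struct vc_model *vc,
                             unsigned int cw, unsigned int ch, bool hardened)
{
    enum { FB_BYTES = 1024 * 768 };
    static uint8_t fb[FB_BYTES];  /* constructed backing store */
    size_t fb_size = (size_t)var->xres * var->yres;
    struct margins m = hardened ? margins_signed(var, vc, cw, ch)
                                : margins_unsigned(var, vc, cw, ch);

    if (fb_size > FB_BYTES)
        return -2;
    if (m.draw_right && model_fillrect(fb, fb_size, var->xres, m.right_x, 0,
                                       m.right_w, var->yres, 0) < 0)
        return -1;
    if (m.draw_bottom && model_fillrect(fb, fb_size, var->xres, 0, m.bottom_y,
                                        var->xres, m.bottom_h, 0) < 0)
        return -1;
    return 0;
}

int main(void)
{
    const struct vc_model vc = { 80, 25 };           /* 80x25 console, 8x16 font */
    const struct fb_var_model sane = { 1024, 768 };  /* holds 640x400 of text */
    const struct fb_var_model tiny = { 8, 8 };       /* as if set via FBIOPUT_VSCREENINFO */

    printf("sane unsigned=%d signed=%d\n",
           run_clear_margins(&sane, &vc, 8, 16, false),
           run_clear_margins(&sane, &vc, 8, 16, true));
    printf("tiny unsigned=%d (right_w=%u at x=%u) signed=%d\n",
           run_clear_margins(&tiny, &vc, 8, 16, false),
           margins_unsigned(&tiny, &vc, 8, 16).right_w,
           margins_unsigned(&tiny, &vc, 8, 16).right_x,
           run_clear_margins(&tiny, &vc, 8, 16, true));
    return 0;
}
```

For the 8x8 mode the unsigned form computes a right margin of 4294966664 pixels starting at x=640 inside an 8x8 buffer, which is the shape of write the report shows; the signed form sees both margins as negative and draws nothing, which is the observable behaviour of a check of the kind the fix title describes. The same guard belongs on any fbcon path that derives a size from var.xres/yres after a user-controlled mode change, not only the one in this trace.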

Crashes (475):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-qemu-upstream 2020/07/26 07:57 upstream 04300d66f0a0 1f7cc1ca .config log report syz C
ci-qemu-upstream 2020/06/10 11:27 upstream 435faf5c218a 860c4de9 .config log report syz C
ci-qemu-upstream 2020/03/17 09:33 upstream fb33c6510d55 749688d2 .config log report syz C
ci-qemu-upstream-386 2020/06/18 07:30 upstream 435faf5c218a d45a4d69 .config log report syz C
ci-qemu-upstream 2020/07/26 04:20 upstream 04300d66f0a0 1f7cc1ca .config log report
ci-qemu-upstream 2020/07/26 00:50 upstream 23ee3e4e5bd2 1f7cc1ca .config log report
ci-qemu-upstream 2020/07/22 11:41 upstream 4fa640dc5230 128cd85f .config log report
ci-qemu-upstream 2020/07/20 21:02 upstream 5714ee50bb43 8caeeeb7 .config log report
ci-qemu-upstream 2020/07/20 17:50 upstream 5714ee50bb43 8caeeeb7 .config log report
ci-qemu-upstream 2020/07/20 17:28 upstream 5714ee50bb43 8caeeeb7 .config log report
ci-qemu-upstream 2020/07/20 07:10 upstream 92188b41f139 9c812472 .config log report
ci-qemu-upstream 2020/07/20 00:48 upstream 92188b41f139 9c812472 .config log report
ci-qemu-upstream 2020/07/20 00:47 upstream 92188b41f139 9c812472 .config log report
ci-qemu-upstream 2020/07/19 22:50 upstream 92188b41f139 9c812472 .config log report
ci-qemu-upstream 2020/07/19 18:30 upstream f932d58abc38 9c812472 .config log report
ci-qemu-upstream 2020/07/19 17:16 upstream f932d58abc38 9c812472 .config log report
ci-qemu-upstream 2020/07/19 04:25 upstream 6cf7ccba29dc 9c812472 .config log report
ci-qemu-upstream 2020/07/18 20:07 upstream 6cf7ccba29dc 9c812472 .config log report
ci-qemu-upstream 2020/07/18 17:34 upstream 6a70f89cc58f 9c812472 .config log report
ci-qemu-upstream 2020/07/18 17:24 upstream 6a70f89cc58f 9c812472 .config log report
ci-qemu-upstream 2020/07/18 13:29 upstream 6a70f89cc58f 9c812472 .config log report
ci-qemu-upstream 2020/07/17 10:29 upstream 07a56bb875af 54b3c45e .config log report
ci-qemu-upstream 2020/07/17 04:36 upstream 07a56bb875af 54b3c45e .config log report
ci-qemu-upstream 2020/07/15 19:00 upstream e9919e11e219 ada108d0 .config log report
ci-qemu-upstream 2020/07/15 09:49 upstream e9919e11e219 ada108d0 .config log report
ci-qemu-upstream 2020/07/13 16:40 upstream 11ba468877bb f90ec899 .config log report
ci-qemu-upstream 2020/07/13 15:40 upstream 11ba468877bb f90ec899 .config log report
ci-qemu-upstream 2020/07/12 12:23 upstream 0aea6d5c5be3 115e1930 .config log report
ci-qemu-upstream 2020/07/12 10:39 upstream 0aea6d5c5be3 115e1930 .config log report
ci-qemu-upstream 2019/12/04 18:08 upstream 63de37476ebd b2088328 .config log report
ci-qemu-upstream-386 2020/07/26 13:17 upstream 04300d66f0a0 51265195 .config log report
ci-qemu-upstream-386 2020/07/26 07:28 upstream 04300d66f0a0 1f7cc1ca .config log report
ci-qemu-upstream-386 2020/07/26 05:54 upstream 04300d66f0a0 1f7cc1ca .config log report
ci-qemu-upstream-386 2020/07/25 19:47 upstream 23ee3e4e5bd2 1f7cc1ca .config log report
ci-qemu-upstream-386 2020/07/25 10:20 upstream 68845a55c31b 0a13649c .config log report
ci-qemu-upstream-386 2020/07/25 05:30 upstream 68845a55c31b 0a13649c .config log report
ci-qemu-upstream-386 2020/07/25 05:24 upstream 68845a55c31b 0a13649c .config log report
ci-qemu-upstream-386 2020/07/24 06:21 upstream f37e99aca03f 70c104a1 .config log report
ci-qemu-upstream-386 2020/07/23 10:00 upstream 8c26c87b0532 340ea530 .config log report
ci-qemu-upstream-386 2020/07/23 03:51 upstream 8c26c87b0532 340ea530 .config log report
ci-qemu-upstream-386 2020/07/22 15:12 upstream 4fa640dc5230 128cd85f .config log report
ci-qemu-upstream-386 2020/07/22 02:45 upstream 4fa640dc5230 21f1765e .config log report
ci-qemu-upstream-386 2020/07/21 12:43 upstream 4fa640dc5230 328906f3 .config log report
ci-qemu-upstream-386 2020/07/19 12:31 upstream f932d58abc38 9c812472 .config log report
ci-qemu-upstream-386 2020/07/19 06:48 upstream 6cf7ccba29dc 9c812472 .config log report
ci-qemu-upstream-386 2020/07/16 20:51 upstream f8456690ba8e b090c643 .config log report
ci-qemu-upstream-386 2020/07/16 19:41 upstream f8456690ba8e b090c643 .config log report
ci-qemu-upstream-386 2020/07/15 12:31 upstream e9919e11e219 ada108d0 .config log report
ci-qemu-upstream-386 2020/07/15 08:44 upstream e9919e11e219 ada108d0 .config log report
ci-qemu-upstream-386 2020/07/15 06:27 upstream e9919e11e219 ada108d0 .config log report
ci-qemu-upstream-386 2020/07/15 03:54 upstream e9919e11e219 ada108d0 .config log report
ci-qemu-upstream-386 2020/07/13 18:12 upstream 11ba468877bb f90ec899 .config log report
ci-qemu-upstream-386 2020/07/13 04:06 upstream 9901a6bd1577 9ebcc5b1 .config log report
ci-qemu-upstream-386 2020/07/12 15:19 upstream 0aea6d5c5be3 115e1930 .config log report