syzbot


KASAN: vmalloc-out-of-bounds Write in imageblit (2)

Status: upstream: reported C repro on 2021/11/19 09:18
Reported-by: syzbot+14b0e8f3fd1612e35350@syzkaller.appspotmail.com
Fix commit: 566f9c9f8933 vt: Clear selection before changing the font
Patched on: [ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-upstream-gce-arm64 ci-upstream-gce-leak ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce ci-upstream-kmsan-gce-386 ci-upstream-linux-next-kasan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-fs ci2-upstream-kcsan-gce ci2-upstream-usb], missing on: [ci-qemu2-riscv64 ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce]
First crash: 317d, last: 25d

Cause bisection: introduced by (bisect log):
commit 0499f419b76f94ede08304aad5851144813ac55c
Author: Javier Martinez Canillas <javierm@redhat.com>
Date: Mon Jan 10 09:56:25 2022 +0000

  video: vga16fb: Only probe for EGA and VGA 16 color graphic cards

Crash: KASAN: stack-out-of-bounds Write in imageblit (log)
Repro: C syz .config
similar bugs (1):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: vmalloc-out-of-bounds Write in imageblit C 104 337d 630d 22/24 fixed on 2021/11/10 00:50
Patch testing requests:
Created Duration User Patch Repo Result
2022/08/01 15:42 10m khalid.masum.92@gmail.com patch https://github.com/torvalds/linux.git 3d7cb6b04c3f report log
2022/07/30 11:46 10m khalid.masum.92@gmail.com patch https://github.com/torvalds/linux.git e0dccc3b76fb report log
2022/07/30 08:13 10m khalid.masum.92@gmail.com patch https://github.com/torvalds/linux.git e0dccc3b76fb report log

Sample crash report:
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in fast_imageblit drivers/video/fbdev/core/sysimgblt.c:257 [inline]
BUG: KASAN: vmalloc-out-of-bounds in sys_imageblit+0x1ed0/0x2240 drivers/video/fbdev/core/sysimgblt.c:323
Write of size 4 at addr ffffc90004521000 by task syz-executor127/3605

CPU: 0 PID: 3605 Comm: syz-executor127 Not tainted 5.19.0-syzkaller-02972-g200e340f2196 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0xf/0x495 mm/kasan/report.c:313
 print_report mm/kasan/report.c:429 [inline]
 kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
 fast_imageblit drivers/video/fbdev/core/sysimgblt.c:257 [inline]
 sys_imageblit+0x1ed0/0x2240 drivers/video/fbdev/core/sysimgblt.c:323
 drm_fb_helper_sys_imageblit drivers/gpu/drm/drm_fb_helper.c:825 [inline]
 drm_fbdev_fb_imageblit+0x15c/0x350 drivers/gpu/drm/drm_fb_helper.c:2328
 bit_putcs_unaligned drivers/video/fbdev/core/bitblit.c:139 [inline]
 bit_putcs+0x6e1/0xd20 drivers/video/fbdev/core/bitblit.c:188
 fbcon_putcs+0x314/0x3e0 drivers/video/fbdev/core/fbcon.c:1285
 do_update_region+0x399/0x630 drivers/tty/vt/vt.c:676
 redraw_screen+0x61f/0x740 drivers/tty/vt/vt.c:1035
 fbcon_do_set_font+0x5eb/0x6f0 drivers/video/fbdev/core/fbcon.c:2435
 fbcon_set_font+0x89d/0xab0 drivers/video/fbdev/core/fbcon.c:2522
 con_font_set drivers/tty/vt/vt.c:4666 [inline]
 con_font_op+0x73a/0xc90 drivers/tty/vt/vt.c:4710
 vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline]
 vt_ioctl+0x1efa/0x2b20 drivers/tty/vt/vt_ioctl.c:752
 tty_ioctl+0xbbd/0x15e0 drivers/tty/tty_io.c:2778
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:870 [inline]
 __se_sys_ioctl fs/ioctl.c:856 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:856
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f1d8eba0239
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf66ac9a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f1d8eba0239
RDX: 0000000020000040 RSI: 0000000000004b72 RDI: 0000000000000004
RBP: 00007ffcf66ac9c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000005
R13: 0000000000000000 R14: 00007ffcf66ac9e0 R15: 00007ffcf66ac9d0
 </TASK>

The buggy address belongs to the virtual mapping at
 [ffffc90004221000, ffffc90004522000) created by:
 drm_gem_shmem_vmap_locked drivers/gpu/drm/drm_gem_shmem_helper.c:319 [inline]
 drm_gem_shmem_vmap+0x3d7/0x5a0 drivers/gpu/drm/drm_gem_shmem_helper.c:366

Memory state around the buggy address:
 ffffc90004520f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90004520f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc90004521000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                   ^
 ffffc90004521080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90004521100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================

Crashes (701):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-root 2022/08/11 02:51 upstream 200e340f2196 a6201f11 .config log report syz C KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-root 2022/07/12 08:32 upstream 5a29232d870d da3d6955 .config log report syz C KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-selinux-root 2022/07/18 09:35 upstream 55ea9bd66688 95cb00d1 .config log report syz C KASAN: stack-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-root 2022/04/28 04:16 upstream 8f4dd16603ce 8a1f1f07 .config log report syz C BUG: unable to handle kernel paging request in imageblit
ci-upstream-linux-next-kasan-gce-root 2022/01/20 22:57 linux-next 7fc5253f5a13 b838eb76 .config log report syz C BUG: unable to handle kernel paging request in imageblit
ci-upstream-kasan-gce-root 2022/09/03 04:12 upstream d895ec7938c4 49e94a20 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-root 2022/08/26 21:53 upstream 3e5c673f0d75 e5a303f1 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-qemu-upstream 2022/08/26 16:38 upstream 4c612826bec1 e5a303f1 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-root 2022/08/26 10:59 upstream 4c612826bec1 15195ea3 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-smack-root 2022/08/24 02:39 upstream df0219d11b6f cea8b0f7 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-smack-root 2022/08/21 02:15 upstream 15b3f48a4339 26a13b38 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-smack-root 2022/08/20 19:23 upstream 50cd95ac4654 26a13b38 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-smack-root 2022/08/20 11:38 upstream 50cd95ac4654 26a13b38 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-smack-root 2022/08/18 20:11 upstream 3b06a2755758 d58e263f .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-smack-root 2022/08/18 03:21 upstream 274a2eebf80c d58e263f .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-smack-root 2022/08/17 07:53 upstream 7ebfc85e2cd7 4e72d229 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-smack-root 2022/08/17 06:24 upstream 7ebfc85e2cd7 4e72d229 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-root 2022/08/16 07:07 upstream 7ebfc85e2cd7 7a7cb304 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-root 2022/08/16 04:04 upstream 7ebfc85e2cd7 8dfcaa3d .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-smack-root 2022/08/15 15:06 upstream 7ebfc85e2cd7 8dfcaa3d .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-smack-root 2022/08/15 13:57 upstream 7ebfc85e2cd7 8dfcaa3d .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-selinux-root 2022/08/15 07:42 upstream 7ebfc85e2cd7 8dfcaa3d .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-smack-root 2022/08/13 01:31 upstream 7ebfc85e2cd7 8dfcaa3d .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-selinux-root 2022/08/11 13:42 upstream 200e340f2196 787ed7e0 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-smack-root 2022/08/04 20:40 upstream 200e340f2196 1c9013ac .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-root 2022/08/01 04:05 upstream 334c0ef6429f fef302b1 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-root 2022/07/30 11:29 upstream e65c6a46df94 fef302b1 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-selinux-root 2022/07/28 06:33 upstream 6e7765cb477a fb95c74d .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-root 2022/07/20 16:22 upstream ca85855bdcae 775344bc .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-selinux-root 2022/07/17 07:25 upstream c658cabbfd32 95cb00d1 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-root 2022/07/09 19:23 upstream e5524c2a1fc4 b5765a15 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce 2022/07/01 23:19 upstream a175eca0f3d7 1434eec0 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-qemu-upstream-386 2022/08/19 00:49 upstream 573ae4f13f63 26a13b38 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-qemu-upstream-386 2022/08/13 11:46 upstream 69dac8e431af 8dfcaa3d .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-qemu-upstream-386 2022/07/13 10:54 upstream b047602d579b 5d921b08 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-qemu-upstream-386 2022/07/09 23:45 upstream b1c428b6c368 b5765a15 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-386 2022/05/31 20:20 upstream 8ab2afa23bd1 af70c3a9 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-qemu-upstream-386 2021/11/15 01:57 upstream fa55b7dcdc43 83f5c9b5 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-linux-next-kasan-gce-root 2022/08/16 13:13 linux-next 6c8f479764eb 7a7cb304 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-linux-next-kasan-gce-root 2022/08/12 19:26 linux-next 6c8f479764eb 402cd70d .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-smack-root 2022/08/26 18:56 upstream 3e5c673f0d75 e5a303f1 .config log report info BUG: unable to handle kernel paging request in imageblit
ci-upstream-kasan-gce-root 2022/08/25 22:29 upstream 3f5c20055a64 9b5bf4cd .config log report info BUG: unable to handle kernel paging request in imageblit
ci-upstream-kasan-gce-root 2022/08/25 07:24 upstream c40e8341e3b3 514514f6 .config log report info BUG: unable to handle kernel paging request in imageblit
ci-upstream-kasan-gce-selinux-root 2022/08/22 17:52 upstream 1c23f9e627a7 26a13b38 .config log report info BUG: unable to handle kernel paging request in imageblit
ci-upstream-kasan-gce-root 2022/08/19 20:15 upstream 4c2d0b039c5c 26a13b38 .config log report info KASAN: stack-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-root 2022/08/14 19:44 upstream 7ebfc85e2cd7 8dfcaa3d .config log report info BUG: unable to handle kernel paging request in imageblit
ci-upstream-kasan-gce-smack-root 2022/07/25 11:58 upstream e0dccc3b76fb 664c519c .config log report info BUG: unable to handle kernel paging request in imageblit
ci-upstream-kasan-gce-smack-root 2022/07/22 16:35 upstream 68e77ffbfd06 22343af4 .config log report info KASAN: stack-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-smack-root 2022/03/25 18:07 upstream 34af78c4e616 89bc8608 .config log report info KASAN: slab-out-of-bounds Read in imageblit
ci-qemu2-arm32 2022/04/01 04:36 upstream 478f74a3d808 68fc921a .config log report info BUG: unable to handle kernel paging request in imageblit
ci-upstream-linux-next-kasan-gce-root 2022/08/28 12:06 linux-next 8d0c42c9e807 07177916 .config log report info BUG: unable to handle kernel paging request in imageblit
ci-upstream-linux-next-kasan-gce-root 2022/08/19 09:15 linux-next 8755ae45a9e8 26a13b38 .config log report info KASAN: stack-out-of-bounds Write in imageblit
ci-upstream-gce-arm64 2022/09/02 11:17 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 85413d1e802e a805568e .config log report info BUG: unable to handle kernel paging request in imageblit
ci-upstream-gce-arm64 2022/08/30 16:13 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci a41a877bc12d 4a380809 .config log report info BUG: unable to handle kernel paging request in imageblit
ci-upstream-gce-arm64 2022/08/30 01:17 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci a41a877bc12d 5b44472d .config log report info BUG: unable to handle kernel paging request in imageblit
ci-upstream-gce-arm64 2022/08/29 14:07 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci a41a877bc12d 5b44472d .config log report info BUG: unable to handle kernel paging request in imageblit
ci-upstream-gce-arm64 2022/08/26 13:34 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci a41a877bc12d e5a303f1 .config log report info BUG: unable to handle kernel paging request in imageblit
ci-upstream-gce-arm64 2022/08/25 01:48 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci a41a877bc12d 514514f6 .config log report info BUG: unable to handle kernel paging request in imageblit
ci-upstream-gce-arm64 2022/08/24 14:39 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci a41a877bc12d 514514f6 .config log report info BUG: unable to handle kernel paging request in imageblit
ci-upstream-gce-arm64 2022/08/21 09:28 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 680fb5b009e8 26a13b38 .config log report info BUG: unable to handle kernel paging request in imageblit
* Struck through repros no longer work on HEAD.