syzbot


KASAN: slab-out-of-bounds Read in vc_do_resize

Status: fixed on 2020/09/16 22:51
Subsystems: serial
Reported-by: syzbot+c37a14770d51a085a520@syzkaller.appspotmail.com
Fix commit: d88ca7e1a27e fbmem: pull fbcon_update_vcs() out of fb_set_var()
First crash: 1561d, last: 1326d
Cause bisection: introduced by (bisect log):
commit 9e1467002630065ed86c65ea28bfc9194fff6f0e
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
Date: Tue May 28 09:02:59 2019 +0000

  fbcon: replace FB_EVENT_MODE_CHANGE/_ALL with direct calls

Crash: KASAN: slab-out-of-bounds Read in vc_do_resize (log)
Repro: C syz .config
  
Discussions (4)
Title Replies (including bot) Last reply
[PATCH 5.8 000/255] 5.8.6-rc1 review 263 (263) 2020/09/03 09:29
[PATCH 5.4 000/214] 5.4.62-rc1 review 219 (219) 2020/09/02 07:24
[PATCH] vt: Handle recursion in vc_do_resize(). 8 (8) 2020/08/04 05:38
KASAN: slab-out-of-bounds Read in vc_do_resize 0 (4) 2020/01/26 11:26
Last patch testing requests (11)
Created Duration User Patch Repo Result
2020/07/29 10:59 17m penguin-kernel@i-love.sakura.ne.jp patch upstream OK
2020/07/28 22:04 12m penguin-kernel@i-love.sakura.ne.jp upstream report log
2020/07/28 14:59 18m penguin-kernel@i-love.sakura.ne.jp patch upstream OK
2020/07/28 12:12 16m penguin-kernel@i-love.sakura.ne.jp patch upstream OK
2020/07/28 06:56 16m penguin-kernel@i-love.sakura.ne.jp patch upstream OK
2020/07/27 22:52 16m penguin-kernel@i-love.sakura.ne.jp patch upstream OK
2020/07/27 13:11 16m penguin-kernel@i-love.sakura.ne.jp patch upstream OK
2020/07/27 04:36 12m penguin-kernel@i-love.sakura.ne.jp patch upstream report log
2020/07/26 14:45 12m penguin-kernel@i-love.sakura.ne.jp patch upstream report log
2020/07/26 13:09 11m penguin-kernel@i-love.sakura.ne.jp patch upstream report log
2020/07/26 10:45 17m penguin-kernel@i-love.sakura.ne.jp patch upstream report log
Fix bisection attempts (2)
Created Duration User Patch Repo Result
2020/06/01 03:15 29m bisect fix upstream job log (0) log
2020/03/30 00:24 31m bisect fix upstream job log (0) log

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in scr_memcpyw include/linux/vt_buffer.h:49 [inline]
BUG: KASAN: slab-out-of-bounds in vc_do_resize+0xb5e/0x1af0 drivers/tty/vt/vt.c:1250
Read of size 192 at addr ffff888095d34540 by task syz-executor536/9034

CPU: 1 PID: 9034 Comm: syz-executor536 Not tainted 5.5.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fb/0x318 lib/dump_stack.c:118
 print_address_description+0x74/0x5c0 mm/kasan/report.c:374
 __kasan_report+0x149/0x1c0 mm/kasan/report.c:506
 kasan_report+0x26/0x50 mm/kasan/common.c:639
 check_memory_region_inline mm/kasan/generic.c:182 [inline]
 check_memory_region+0x2b6/0x2f0 mm/kasan/generic.c:192
 memcpy+0x28/0x60 mm/kasan/common.c:125
 scr_memcpyw include/linux/vt_buffer.h:49 [inline]
 vc_do_resize+0xb5e/0x1af0 drivers/tty/vt/vt.c:1250
 vc_resize+0x4f/0x60 drivers/tty/vt/vt.c:1304
 fbcon_modechanged+0x701/0xdf0 drivers/video/fbdev/core/fbcon.c:2980
 fbcon_update_vcs+0x31/0x40 drivers/video/fbdev/core/fbcon.c:3038
 fb_set_var+0x8f5/0xdc0 drivers/video/fbdev/core/fbmem.c:1051
 do_fb_ioctl+0x55e/0x780 drivers/video/fbdev/core/fbmem.c:1104
 fb_ioctl+0xb9/0xf0 drivers/video/fbdev/core/fbmem.c:1180
 do_vfs_ioctl+0x6e2/0x19b0 fs/ioctl.c:47
 ksys_ioctl fs/ioctl.c:749 [inline]
 __do_sys_ioctl fs/ioctl.c:756 [inline]
 __se_sys_ioctl fs/ioctl.c:754 [inline]
 __x64_sys_ioctl+0xe3/0x120 fs/ioctl.c:754
 do_syscall_64+0xf7/0x1c0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x446d49
Code: e8 0c e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fc010171db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000006dbc48 RCX: 0000000000446d49
RDX: 0000000020000000 RSI: 0000000000004601 RDI: 0000000000000004
RBP: 00000000006dbc40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc4c
R13: 00007ffc8ab7313f R14: 00007fc0101729c0 R15: 0000000000000001

Allocated by task 9034:
 save_stack mm/kasan/common.c:72 [inline]
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc+0x118/0x1c0 mm/kasan/common.c:513
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:527
 __do_kmalloc mm/slab.c:3656 [inline]
 __kmalloc+0x254/0x340 mm/slab.c:3665
 kmalloc include/linux/slab.h:561 [inline]
 kzalloc+0x21/0x40 include/linux/slab.h:670
 vc_do_resize+0x2af/0x1af0 drivers/tty/vt/vt.c:1187
 vc_resize+0x4f/0x60 drivers/tty/vt/vt.c:1304
 fbcon_modechanged+0x701/0xdf0 drivers/video/fbdev/core/fbcon.c:2980
 fbcon_update_vcs+0x31/0x40 drivers/video/fbdev/core/fbcon.c:3038
 fb_set_var+0x8f5/0xdc0 drivers/video/fbdev/core/fbmem.c:1051
 fbcon_resize+0x819/0x11f0 drivers/video/fbdev/core/fbcon.c:2222
 resize_screen drivers/tty/vt/vt.c:1126 [inline]
 vc_do_resize+0x478/0x1af0 drivers/tty/vt/vt.c:1205
 vc_resize+0x4f/0x60 drivers/tty/vt/vt.c:1304
 fbcon_modechanged+0x701/0xdf0 drivers/video/fbdev/core/fbcon.c:2980
 fbcon_update_vcs+0x31/0x40 drivers/video/fbdev/core/fbcon.c:3038
 fb_set_var+0x8f5/0xdc0 drivers/video/fbdev/core/fbmem.c:1051
 do_fb_ioctl+0x55e/0x780 drivers/video/fbdev/core/fbmem.c:1104
 fb_ioctl+0xb9/0xf0 drivers/video/fbdev/core/fbmem.c:1180
 do_vfs_ioctl+0x6e2/0x19b0 fs/ioctl.c:47
 ksys_ioctl fs/ioctl.c:749 [inline]
 __do_sys_ioctl fs/ioctl.c:756 [inline]
 __se_sys_ioctl fs/ioctl.c:754 [inline]
 __x64_sys_ioctl+0xe3/0x120 fs/ioctl.c:754
 do_syscall_64+0xf7/0x1c0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8579:
 save_stack mm/kasan/common.c:72 [inline]
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:335 [inline]
 __kasan_slab_free+0x12e/0x1e0 mm/kasan/common.c:474
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:483
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x10d/0x220 mm/slab.c:3757
 load_elf_binary+0x2c82/0x36d0 fs/binfmt_elf.c:1085
 search_binary_handler+0x190/0x5e0 fs/exec.c:1658
 exec_binprm fs/exec.c:1701 [inline]
 __do_execve_file+0x1565/0x1cc0 fs/exec.c:1821
 do_execveat_common fs/exec.c:1867 [inline]
 do_execve fs/exec.c:1884 [inline]
 __do_sys_execve fs/exec.c:1960 [inline]
 __se_sys_execve fs/exec.c:1955 [inline]
 __x64_sys_execve+0x94/0xb0 fs/exec.c:1955
 do_syscall_64+0xf7/0x1c0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff888095d34400
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 320 bytes inside of
 512-byte region [ffff888095d34400, ffff888095d34600)
The buggy address belongs to the page:
page:ffffea0002574d00 refcount:1 mapcount:0 mapping:ffff8880aa800a80 index:0x0
raw: 00fffe0000000200 ffffea0002741f88 ffffea0002846a48 ffff8880aa800a80
raw: 0000000000000000 ffff888095d34000 0000000100000004 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888095d34480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888095d34500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888095d34580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff888095d34600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888095d34680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
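The allocation stack above is the interesting part of this report: vc_do_resize() appears twice in it. The outer call (vt.c:1205) goes through resize_screen() into fbcon_resize(), which calls fb_set_var(); before the fix, fb_set_var() called fbcon_update_vcs(), which walked back into vc_resize() and a second vc_do_resize() that allocated and installed a new screen buffer (vt.c:1187) for the same console. When control returned to the outer frame, its snapshot of the old geometry (row count and row size) no longer described vc->vc_origin, and the row-by-row scr_memcpyw() at vt.c:1250 ran 192 bytes past the end of the inner frame's smaller allocation. The fix commit title, "fbmem: pull fbcon_update_vcs() out of fb_set_var()", is the break in that cycle. The following C model, added here and not kernel code, reproduces the shape of that failure with a bounds-checked copy in place of the raw memcpy: `do_resize()`, `reentrant_hook()`, `plain_hook()` and the 4x8 to 4x16 geometry are all constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Model (not kernel code) of the re-entrancy shown in the allocation stack.
 * A console holds a rows x cols buffer of 16-bit cells.  do_resize() snapshots
 * the old geometry, allocates the new buffer, calls a driver hook (the role of
 * resize_screen()), then copies the old contents row by row using the snapshot.
 * If the hook re-enters do_resize() and installs a different buffer, the
 * snapshot no longer describes vc->screenbuf and the copy runs off its end.
 */
struct vc {
    unsigned short *screenbuf;   /* stands in for vc_screenbuf / vc_origin */
    size_t screenbuf_size;       /* bytes actually allocated for screenbuf */
    unsigned rows, cols;
};

typedef int (*resize_hook_t)(struct vc *vc, unsigned rows, unsigned cols);
static int do_resize(struct vc *vc, unsigned new_rows, unsigned new_cols,
                     resize_hook_t hook);

/* Bounds-checked stand-in for scr_memcpyw(): instead of overrunning the source
 * (what KASAN flagged at vt.c:1250) it reports the overrun with -1. */
static int checked_copy(unsigned short *dst, size_t dst_size,
                        const unsigned short *src, size_t src_off,
                        size_t src_size, size_t n)
{
    if (src_off + n > src_size || n > dst_size)
        return -1;
    memcpy(dst, (const char *)src + src_off, n);
    return 0;
}

/* Returns 0 on success, -1 on allocation failure, -2 when the copy would have
 * read past the live buffer (the slab-out-of-bounds case). */
static int do_resize(struct vc *vc, unsigned new_rows, unsigned new_cols,
                     resize_hook_t hook)
{
    /* Snapshot of the geometry of the buffer we intend to copy from. */
    unsigned old_rows = vc->rows;
    size_t old_row_size = (size_t)vc->cols * 2;
    size_t new_row_size = (size_t)new_cols * 2;
    size_t new_screen_size = new_row_size * new_rows;

    unsigned short *newscreen = calloc(1, new_screen_size);  /* the kzalloc */
    if (!newscreen)
        return -1;

    /* resize_screen(): the driver may come back into do_resize() from here. */
    if (hook) {
        int err = hook(vc, new_rows, new_cols);
        if (err) { free(newscreen); return err; }
    }

    /* Copy using the stale snapshot, but from whatever buffer is current now. */
    size_t copy_rows = old_rows < new_rows ? old_rows : new_rows;
    size_t copy_bytes = old_row_size < new_row_size ? old_row_size : new_row_size;
    for (size_t r = 0; r < copy_rows; r++) {
        if (checked_copy(newscreen + r * new_cols, new_screen_size - r * new_row_size,
                         vc->screenbuf, r * old_row_size, vc->screenbuf_size,
                         copy_bytes) < 0) {
            free(newscreen);
            return -2;
        }
    }
    free(vc->screenbuf);
    vc->screenbuf = newscreen;
    vc->screenbuf_size = new_screen_size;
    vc->rows = new_rows;
    vc->cols = new_cols;
    return 0;
}

/* Pre-fix driver hook: like fbcon_resize() -> fb_set_var() -> fbcon_update_vcs()
 * -> vc_resize(), it re-enters do_resize() with its own geometry (2x8,
 * constructed) and installs a smaller buffer behind the outer frame's back. */
static int reentrant_hook(struct vc *vc, unsigned rows, unsigned cols)
{
    (void)rows; (void)cols;
    return do_resize(vc, 2, 8, NULL);
}

/* Post-fix driver hook: the mode change no longer updates the consoles, so
 * the hook only acknowledges the request. */
static int plain_hook(struct vc *vc, unsigned rows, unsigned cols)
{
    (void)vc; (void)rows; (void)cols;
    return 0;
}

/* Constructed scenario: a 4x8 console filled with a pattern, resized to 4x16.
 * On success *out receives the resized console (caller frees out->screenbuf). */
static int run_resize_scenario(resize_hook_t hook, struct vc *out)
{
    struct vc vc = { .rows = 4, .cols = 8 };
    vc.screenbuf_size = (size_t)vc.rows * vc.cols * 2;
    vc.screenbuf = malloc(vc.screenbuf_size);
    if (!vc.screenbuf)
        return -1;
    for (unsigned i = 0; i < vc.rows * vc.cols; i++)
        vc.screenbuf[i] = (unsigned short)(0x0700 | ('A' + i % 26));

    int rc = do_resize(&vc, 4, 16, hook);
    if (rc == 0 && out)
        *out = vc;
    else
        free(vc.screenbuf);
    return rc;
}

int main(void)
{
    struct vc vc;
    printf("re-entrant hook: rc=%d\n", run_resize_scenario(reentrant_hook, NULL));
    if (run_resize_scenario(plain_hook, &vc) == 0) {
        printf("plain hook: %ux%u, cell[0]=%#x\n", vc.rows, vc.cols, vc.screenbuf[0]);
        free(vc.screenbuf);
    }
    return 0;
}
```

With the re-entrant hook the outer frame copies four 16-byte rows out of a buffer that is now only 32 bytes long, and the third row trips the bounds check; with the plain hook the same resize completes and the old cells land at the start of each new 32-byte row. The real kernel had no such check, which is why KASAN, not a return code, is what caught it.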

Crashes (55):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2020/01/22 15:50 upstream d96d875ef5dd 8eda0b95 .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/07/30 17:37 upstream d3590ebf6f91 233283a1 .config console log report syz ci-upstream-kasan-gce-selinux-root
2020/07/28 09:51 upstream 92ed30191993 cb93dc6a .config console log report syz ci-upstream-kasan-gce-smack-root
2020/07/28 04:47 upstream 92ed30191993 cb93dc6a .config console log report syz ci-upstream-kasan-gce
2020/01/23 22:22 upstream 131701c697e8 3334d684 .config console log report syz ci-upstream-kasan-gce-root
2020/01/22 02:45 upstream d96d875ef5dd 8eda0b95 .config console log report syz ci-upstream-kasan-gce
2020/07/28 05:35 upstream 92ed30191993 cb93dc6a .config console log report syz ci-upstream-kasan-gce-386
2020/08/10 15:19 upstream 9420f1ce0186 70301872 .config console log report ci-upstream-kasan-gce-smack-root
2020/08/10 09:35 upstream 9420f1ce0186 70301872 .config console log report ci-upstream-kasan-gce-smack-root
2020/08/07 15:41 upstream d6efb3ac3e6c cb436c69 .config console log report ci-upstream-kasan-gce-smack-root
2020/08/06 08:01 upstream fffe3ae0ee84 0487ea6f .config console log report ci-upstream-kasan-gce-root
2020/08/04 20:30 upstream c0842fbc1b18 80a06902 .config console log report ci-upstream-kasan-gce-smack-root
2020/08/03 23:45 upstream bcf876870b95 196277c4 .config console log report ci-upstream-kasan-gce-selinux-root
2020/08/01 12:32 upstream 7dc6fd0f3b84 d895b3be .config console log report ci-upstream-kasan-gce-smack-root
2020/07/30 12:07 upstream d3590ebf6f91 233283a1 .config console log report ci-upstream-kasan-gce
2020/07/30 05:27 upstream d3590ebf6f91 233283a1 .config console log report ci-upstream-kasan-gce-smack-root
2020/07/29 07:44 upstream 6ba1b005ffc3 cb93dc6a .config console log report ci-upstream-kasan-gce
2020/07/28 13:20 upstream 92ed30191993 cb93dc6a .config console log report ci-upstream-kasan-gce-selinux-root
2020/07/28 10:19 upstream 92ed30191993 cb93dc6a .config console log report ci-upstream-kasan-gce-selinux-root
2020/07/28 06:27 upstream 92ed30191993 cb93dc6a .config console log report ci-upstream-kasan-gce-smack-root
2020/07/27 18:28 upstream 92ed30191993 cb93dc6a .config console log report ci-upstream-kasan-gce-selinux-root
2020/07/20 17:49 upstream 5714ee50bb43 4285ffa3 .config console log report ci-upstream-kasan-gce-selinux-root
2020/07/19 18:01 upstream f932d58abc38 9c812472 .config console log report ci-upstream-kasan-gce
2020/07/19 16:46 upstream f932d58abc38 9c812472 .config console log report ci-upstream-kasan-gce
2020/07/11 20:16 upstream a581387e415b 18d18b59 .config console log report ci-upstream-kasan-gce-smack-root
2020/07/11 19:16 upstream a581387e415b 18d18b59 .config console log report ci-upstream-kasan-gce-root
2020/07/09 12:43 upstream 0bddd227f3dc bc238812 .config console log report ci-upstream-kasan-gce-smack-root
2020/07/07 20:34 upstream 7cc2a8ea1048 51095195 .config console log report ci-upstream-kasan-gce-root
2020/07/07 20:14 upstream 7cc2a8ea1048 51095195 .config console log report ci-upstream-kasan-gce-root
2020/07/07 17:57 upstream 7cc2a8ea1048 51095195 .config console log report ci-upstream-kasan-gce-root
2020/07/06 19:21 upstream 7cc2a8ea1048 51095195 .config console log report ci-upstream-kasan-gce-selinux-root
2020/07/05 08:41 upstream 7cc2a8ea1048 51095195 .config console log report ci-upstream-kasan-gce-smack-root
2020/07/01 04:24 upstream 9ebcfadb0610 917afeaa .config console log report ci-upstream-kasan-gce-smack-root
2020/06/21 07:07 upstream 7ae77150d94d c655ec77 .config console log report ci-upstream-kasan-gce-root
2020/06/08 07:04 upstream 7ae77150d94d 7751efd0 .config console log report ci-upstream-kasan-gce-selinux-root
2020/06/05 11:12 upstream 435faf5c218a 2420d1bc .config console log report ci-upstream-kasan-gce-smack-root
2020/05/02 03:15 upstream 052c467cb587 bc734e7a .config console log report ci-upstream-kasan-gce-smack-root
2020/05/01 12:29 upstream c45e8bccecaf a4d01b80 .config console log report ci-upstream-kasan-gce-smack-root
2020/04/26 10:26 upstream b2768df24ec4 99b258dd .config console log report ci-upstream-kasan-gce-smack-root
2020/04/24 23:45 upstream b4f633221f0a 03d97a1b .config console log report ci-upstream-kasan-gce-selinux-root
2020/04/24 03:35 upstream c578ddb39e56 2e44d63e .config console log report ci-upstream-kasan-gce-smack-root
2020/04/24 00:57 upstream c578ddb39e56 2e44d63e .config console log report ci-upstream-kasan-gce-smack-root
2020/02/28 19:06 upstream f8788d86ab28 59b57593 .config console log report ci-upstream-kasan-gce-smack-root
2020/02/25 22:59 upstream f8788d86ab28 59b57593 .config console log report ci-upstream-kasan-gce-smack-root
2020/02/18 22:38 upstream b1da3acc781c 012fbc32 .config console log report ci-upstream-kasan-gce-selinux-root
2020/02/13 22:32 upstream 0bf999f9c5e7 c5ed587f .config console log report ci-upstream-kasan-gce-smack-root
2020/02/12 12:07 upstream 359c92c02bfa a75b198c .config console log report ci-upstream-kasan-gce-selinux-root
2020/02/11 14:07 upstream 0a679e13ea30 084454ae .config console log report ci-upstream-kasan-gce-smack-root
2020/01/24 23:30 upstream 6381b442836e 2e95ab33 .config console log report ci-upstream-kasan-gce-smack-root
2020/01/22 01:50 upstream d96d875ef5dd 8eda0b95 .config console log report ci-upstream-kasan-gce
2019/12/19 08:00 upstream 2187f215ebaa 79b211f7 .config console log report ci-upstream-kasan-gce
2020/08/02 01:14 linux-next 01830e6c042e d895b3be .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/27 04:24 linux-next 26027945c94a 51265195 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/07/01 22:45 linux-next aab2003999e7 39acb39d .config console log report ci-upstream-linux-next-kasan-gce-root