syzbot

KASAN: slab-out-of-bounds Read in bit_putcs

Status: upstream: reported C repro on 2019/12/03 12:47
Reported-by: syzbot+07e7f57313dc988967db@syzkaller.appspotmail.com
First crash: 1603d, last: 1068d
Fix bisection: the fix commit could be any of (bisect log):
  8c5ec4a731e1 vt: Fix character height handling with VT_RESIZEX
  9a71ed8da907 vgacon: Record video mode changes with VT_RESIZEX
  17d6c58c5fc5 tty: vt: always invoke vc->vc_sw->con_resize callback
  fd8f21c9d234 video: hgafb: fix potential NULL pointer dereference
  1dfd47b684c2 video: hgafb: correctly handle card detect failure during probe
  
Similar bugs (6)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: slab-out-of-bounds Read in bit_putcs C done error 343 1291d 1600d 0/26 auto-obsoleted due to no activity on 2022/09/25 19:49
linux-4.14 KASAN: slab-out-of-bounds Read in bit_putcs C error 95 590d 1602d 0/1 upstream: reported C repro on 2019/12/03 16:38
linux-4.14 KASAN: global-out-of-bounds Read in bit_putcs C error 241 588d 1598d 0/1 upstream: reported C repro on 2019/12/07 16:26
linux-6.1 BUG: unable to handle kernel paging request in bit_putcs C done 4 51d 246d 3/3 fixed on 2024/04/03 01:55
upstream general protection fault in bit_putcs fbdev C 5 48d 202d 0/26 upstream: reported C repro on 2023/10/04 08:45
linux-4.19 KASAN: global-out-of-bounds Read in bit_putcs C done 214 1064d 1601d 1/1 fixed on 2021/06/24 08:01
Fix bisection attempts (3)
Created Duration User Patch Repo Result
2021/06/20 20:09 5h38m bisect fix linux-4.19.y job log (5)
2021/05/04 19:00 23m bisect fix linux-4.19.y job log (0) log
2021/04/04 18:35 25m bisect fix linux-4.19.y job log (0) log

Sample crash report:
audit: type=1400 audit(1602976135.984:8): avc:  denied  { execmem } for  pid=6489 comm="syz-executor322" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
==================================================================
BUG: KASAN: slab-out-of-bounds in __fb_pad_aligned_buffer include/linux/fb.h:674 [inline]
BUG: KASAN: slab-out-of-bounds in bit_putcs_aligned drivers/video/fbdev/core/bitblit.c:96 [inline]
BUG: KASAN: slab-out-of-bounds in bit_putcs+0xbe2/0xd35 drivers/video/fbdev/core/bitblit.c:185
Read of size 1 at addr ffff8880898b123e by task syz-executor322/6489

CPU: 1 PID: 6489 Comm: syz-executor322 Not tainted 4.19.152-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x22c/0x33e lib/dump_stack.c:118
 print_address_description.cold+0x56/0x25c mm/kasan/report.c:256
 kasan_report_error.cold+0x66/0xb9 mm/kasan/report.c:354
 kasan_report mm/kasan/report.c:412 [inline]
 __asan_report_load1_noabort+0x88/0x90 mm/kasan/report.c:430
 __fb_pad_aligned_buffer include/linux/fb.h:674 [inline]
 bit_putcs_aligned drivers/video/fbdev/core/bitblit.c:96 [inline]
 bit_putcs+0xbe2/0xd35 drivers/video/fbdev/core/bitblit.c:185
 fbcon_putcs+0x389/0x5d0 drivers/video/fbdev/core/fbcon.c:1269
 con_flush drivers/tty/vt/vt.c:2559 [inline]
 do_con_write+0x671/0x1f40 drivers/tty/vt/vt.c:2809
 con_write+0x22/0xb0 drivers/tty/vt/vt.c:3145
 process_output_block drivers/tty/n_tty.c:593 [inline]
 n_tty_write+0x3c0/0xff0 drivers/tty/n_tty.c:2331
 do_tty_write drivers/tty/tty_io.c:960 [inline]
 tty_write+0x496/0x890 drivers/tty/tty_io.c:1044
 __vfs_write+0xf7/0x770 fs/read_write.c:485
 vfs_write+0x1f3/0x540 fs/read_write.c:549
 ksys_write+0x12b/0x2a0 fs/read_write.c:599
 do_syscall_64+0xf9/0x670 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4403c9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fff5d8fd448 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004403c9
RDX: 0000000000001006 RSI: 0000000020000180 RDI: 0000000000000006
RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 000000000000000d R11: 0000000000000246 R12: 0000000000401c30
R13: 0000000000401cc0 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 6471:
 __do_kmalloc_node mm/slab.c:3689 [inline]
 __kmalloc_node_track_caller+0x4c/0x70 mm/slab.c:3703
 __kmalloc_reserve net/core/skbuff.c:137 [inline]
 __alloc_skb+0xae/0x580 net/core/skbuff.c:205
 alloc_skb include/linux/skbuff.h:995 [inline]
 __tcp_send_ack+0xb3/0x610 net/ipv4/tcp_output.c:3619
 tcp_delack_timer_handler+0x339/0x760 net/ipv4/tcp_timer.c:303
 tcp_delack_timer+0x95/0x270 net/ipv4/tcp_timer.c:330
 call_timer_fn+0x177/0x760 kernel/time/timer.c:1338
 expire_timers+0x243/0x500 kernel/time/timer.c:1375
 __run_timers kernel/time/timer.c:1703 [inline]
 run_timer_softirq+0x259/0x730 kernel/time/timer.c:1716
 __do_softirq+0x27d/0xad2 kernel/softirq.c:292

Freed by task 0:
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcc/0x250 mm/slab.c:3822
 skb_free_head net/core/skbuff.c:554 [inline]
 skb_release_data+0x6ea/0x930 net/core/skbuff.c:574
 skb_release_all net/core/skbuff.c:631 [inline]
 __kfree_skb net/core/skbuff.c:645 [inline]
 consume_skb+0x113/0x3e0 net/core/skbuff.c:705
 __dev_kfree_skb_any+0x9c/0xd0 net/core/dev.c:2796
 dev_consume_skb_any include/linux/netdevice.h:3557 [inline]
 napi_consume_skb+0x4a8/0x650 net/core/skbuff.c:769
 free_old_xmit_skbs+0xdb/0x240 drivers/net/virtio_net.c:1379
 start_xmit+0x156/0x17c0 drivers/net/virtio_net.c:1575
 __netdev_start_xmit include/linux/netdevice.h:4333 [inline]
 netdev_start_xmit include/linux/netdevice.h:4347 [inline]
 xmit_one net/core/dev.c:3256 [inline]
 dev_hard_start_xmit+0x1a8/0x960 net/core/dev.c:3272
 sch_direct_xmit+0x2cf/0xf70 net/sched/sch_generic.c:332
 qdisc_restart net/sched/sch_generic.c:395 [inline]
 __qdisc_run+0x4fc/0x1680 net/sched/sch_generic.c:403
 qdisc_run include/net/pkt_sched.h:120 [inline]
 __dev_xmit_skb net/core/dev.c:3451 [inline]
 __dev_queue_xmit+0x21fe/0x2ec0 net/core/dev.c:3807
 neigh_hh_output include/net/neighbour.h:491 [inline]
 neigh_output include/net/neighbour.h:499 [inline]
 ip_finish_output2+0xc04/0x1640 net/ipv4/ip_output.c:230
 ip_finish_output+0x88e/0xd80 net/ipv4/ip_output.c:318
 NF_HOOK_COND include/linux/netfilter.h:278 [inline]
 ip_output+0x203/0x650 net/ipv4/ip_output.c:406
 dst_output include/net/dst.h:455 [inline]
 ip_local_out+0xaf/0x170 net/ipv4/ip_output.c:125
 __ip_queue_xmit+0x8a0/0x1bd0 net/ipv4/ip_output.c:506
 __tcp_transmit_skb+0x1c72/0x36c0 net/ipv4/tcp_output.c:1148
 tcp_transmit_skb net/ipv4/tcp_output.c:1164 [inline]
 tcp_write_xmit+0x839/0x5050 net/ipv4/tcp_output.c:2389
 __tcp_push_pending_frames+0xae/0x280 net/ipv4/tcp_output.c:2568
 tcp_push_pending_frames include/net/tcp.h:1772 [inline]
 tcp_data_snd_check net/ipv4/tcp_input.c:5179 [inline]
 tcp_rcv_established+0x1359/0x1d10 net/ipv4/tcp_input.c:5588
 tcp_v4_do_rcv+0x5d6/0x870 net/ipv4/tcp_ipv4.c:1544
 tcp_v4_rcv+0x2c1d/0x3bd0 net/ipv4/tcp_ipv4.c:1829
 ip_local_deliver_finish+0x4cb/0xc80 net/ipv4/ip_input.c:215
 NF_HOOK include/linux/netfilter.h:289 [inline]
 ip_local_deliver+0x188/0x560 net/ipv4/ip_input.c:256
 dst_input include/net/dst.h:461 [inline]
 ip_rcv_finish+0x1ca/0x2e0 net/ipv4/ip_input.c:414
 NF_HOOK include/linux/netfilter.h:289 [inline]
 ip_rcv+0xca/0x420 net/ipv4/ip_input.c:524
 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:4954
 __netif_receive_skb+0x27/0x1c0 net/core/dev.c:5066
 netif_receive_skb_internal+0x110/0x450 net/core/dev.c:5156
 napi_skb_finish net/core/dev.c:5600 [inline]
 napi_gro_receive+0x303/0x460 net/core/dev.c:5631
 receive_buf+0x1045/0x6250 drivers/net/virtio_net.c:1072
 virtnet_receive drivers/net/virtio_net.c:1336 [inline]
 virtnet_poll+0x52f/0xda0 drivers/net/virtio_net.c:1441
 napi_poll net/core/dev.c:6272 [inline]
 net_rx_action+0x4e5/0x10d0 net/core/dev.c:6338
 __do_softirq+0x27d/0xad2 kernel/softirq.c:292

The buggy address belongs to the object at ffff8880898b0dc0
 which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 126 bytes to the right of
 1024-byte region [ffff8880898b0dc0, ffff8880898b11c0)
The buggy address belongs to the page:
page:ffffea0002262c00 count:1 mapcount:0 mapping:ffff88812c3f6ac0 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffffea0002931388 ffffea0002267b08 ffff88812c3f6ac0
raw: 0000000000000000 ffff8880898b0040 0000000100000007 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880898b1100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880898b1180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8880898b1200: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
                                        ^
 ffff8880898b1280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880898b1300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
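
Reading the report: the faulting access is the one-byte copy inside __fb_pad_aligned_buffer (include/linux/fb.h:674), reached from bit_putcs_aligned while fbcon draws a single glyph, which is why KASAN reports a "Read of size 1". The source of that copy is the console font bitmap, and the number of bytes read per glyph is the glyph's byte pitch times the console's recorded character height. Two things a practitioner should not misread here. First, the "Allocated by" and "Freed by" stacks describe the nearest slab object KASAN could attach the address to, a freed kmalloc-1024 skb buffer whose region ends at ffff8880898b11c0; the access lands 126 bytes to the right of it, in redzone (shadow byte fc), so the TCP and virtio_net frames are the neighbour's history, not the owner of the buffer being overrun. Second, the fix-bisection candidates are all about how the console records character-height changes made through VT_RESIZEX, consistent with a glyph copy whose height no longer matches the font data it reads.

The C program below is an added illustration, not kernel code and not the syzbot reproducer. It models the padded glyph copy with a loop of the same shape as the kernel's inline helper, beside a checked caller that refuses a (glyph index, height) pair whose cell would extend past the end of the font buffer. The struct font type, put_glyph_checked(), glyph_read_end() and the 256-glyph 8x8 sample bitmap are constructed for the example and exist nowhere in the kernel.

```c
/* Added illustration, not kernel code and not the syzbot reproducer.
 * Models the glyph copy that bit_putcs_aligned() feeds into
 * __fb_pad_aligned_buffer() and the bounds check a caller needs when the
 * console's recorded character height can disagree with the font data. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Byte-by-byte padded copy: 'height' rows of 's_pitch' bytes from src,
 * each row laid out at 'd_pitch' bytes in dst. Same shape as the kernel's
 * inline helper: it trusts its arguments and reads exactly
 * s_pitch * height bytes from src, one byte at a time. */
static void pad_aligned_buffer(uint8_t *dst, uint32_t d_pitch,
                               const uint8_t *src, uint32_t s_pitch,
                               uint32_t height)
{
    d_pitch -= s_pitch;
    for (uint32_t i = height; i--; ) {
        for (uint32_t j = 0; j < s_pitch; j++)
            *dst++ = *src++;
        dst += d_pitch;
    }
}

/* Hypothetical font descriptor: the bitmap plus the size it was allocated with. */
struct font {
    const uint8_t *data;
    size_t size;          /* bytes actually backing 'data' */
    uint32_t width_bytes; /* source pitch: bytes per glyph row */
    uint32_t charcount;
};

/* Exclusive end offset in the font buffer of the copy for glyph 'idx'
 * when the caller believes each glyph is 'height' rows tall. */
static size_t glyph_read_end(uint32_t idx, uint32_t s_pitch, uint32_t height)
{
    return ((size_t)idx + 1) * s_pitch * height;
}

/* Copy one glyph into 'dst' only if the whole cell lies inside the font
 * buffer. Returns 0 on success, -1 if the (index, height) pair would read
 * past the end of the data, i.e. the condition behind the report's
 * out-of-bounds one-byte read. */
static int put_glyph_checked(const struct font *f, uint32_t idx,
                             uint32_t height, uint8_t *dst, uint32_t d_pitch)
{
    if (idx >= f->charcount || d_pitch < f->width_bytes)
        return -1;
    if (glyph_read_end(idx, f->width_bytes, height) > f->size)
        return -1;
    pad_aligned_buffer(dst, d_pitch,
                       f->data + (size_t)idx * f->width_bytes * height,
                       f->width_bytes, height);
    return 0;
}

/* Constructed sample font: 256 glyphs, 8 pixels wide (1 byte pitch), 8 rows. */
#define FONT_GLYPHS 256u
#define FONT_PITCH 1u
#define FONT_ROWS 8u
static uint8_t sample_bitmap[FONT_GLYPHS * FONT_PITCH * FONT_ROWS];

static struct font make_sample_font(void)
{
    for (size_t i = 0; i < sizeof(sample_bitmap); i++)
        sample_bitmap[i] = (uint8_t)i; /* recognisable pattern: byte == offset & 0xff */
    struct font f = { sample_bitmap, sizeof(sample_bitmap), FONT_PITCH, FONT_GLYPHS };
    return f;
}

/* Copies glyph 'idx' with a 4-byte destination pitch and the given height,
 * then returns the dst byte at 'row'; -1 if the checked copy refused. */
static int copied_row_byte(uint32_t idx, uint32_t height, uint32_t row)
{
    struct font f = make_sample_font();
    uint8_t dst[4 * 32] = { 0 };
    if (put_glyph_checked(&f, idx, height, dst, 4) != 0)
        return -1;
    return dst[row * 4];
}

int main(void)
{
    struct font f = make_sample_font();
    uint8_t dst[4 * 32];

    /* Height matches the font: every glyph, including the last, is in bounds. */
    printf("glyph 255, height 8: %s\n",
           put_glyph_checked(&f, 255, FONT_ROWS, dst, 4) == 0 ? "ok" : "refused");

    /* Height doubled without a font change, as a stale recorded character
     * height would do: glyph 255 would end at byte 4096 of a 2048-byte
     * buffer, so the checked path refuses instead of reading past it. */
    printf("glyph 255, height 16 would read up to byte %zu of %zu: %s\n",
           glyph_read_end(255, FONT_PITCH, 16), f.size,
           put_glyph_checked(&f, 255, 16, dst, 4) == 0 ? "ok" : "refused");
    return 0;
}
```

The unchecked copy loop is deliberately left as it is: it has no way of knowing the buffer size, so the check belongs where the height is accepted and recorded, which is the area the listed fix candidates touch. In a KASAN build the unchecked variant of the second call would produce exactly the kind of report shown above, attributed to whatever slab object happens to sit after the font data.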

Crashes (138):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2020/10/17 23:10 linux-4.19.y ad326970d25c fea47c01 .config console log report syz C ci2-linux-4-19
2020/07/12 10:40 linux-4.19.y dce0f88600e4 115e1930 .config console log report syz C ci2-linux-4-19
2020/04/14 17:44 linux-4.19.y 6dd0e32665e5 3f3c5574 .config console log report syz C ci2-linux-4-19
2019/12/08 09:46 linux-4.19.y fb683b5e3f53 1508f453 .config console log report syz C ci2-linux-4-19
2019/12/03 11:46 linux-4.19.y 174651bdf802 ab342da3 .config console log report syz C ci2-linux-4-19
2021/05/21 06:53 linux-4.19.y 3c8c23092588 3c7fef33 .config console log report info ci2-linux-4-19 KASAN: slab-out-of-bounds Read in bit_putcs
2021/05/07 22:25 linux-4.19.y 3c8c23092588 bc5434be .config console log report info ci2-linux-4-19 KASAN: slab-out-of-bounds Read in bit_putcs
2021/03/05 18:22 linux-4.19.y dfb571610ba3 4a024a9b .config console log report info ci2-linux-4-19 KASAN: slab-out-of-bounds Read in bit_putcs
2021/02/04 09:41 linux-4.19.y 811218eceeaa 624dad51 .config console log report info ci2-linux-4-19 KASAN: slab-out-of-bounds Read in bit_putcs
2021/01/21 12:53 linux-4.19.y 43d555d83c3f d4f4eca5 .config console log report info ci2-linux-4-19 KASAN: slab-out-of-bounds Read in bit_putcs
2021/01/04 21:06 linux-4.19.y 3207316b3bee 2a28ff1f .config console log report info ci2-linux-4-19
2020/12/17 21:24 linux-4.19.y 13d2ce42de8c 04201c06 .config console log report info ci2-linux-4-19
2020/11/30 00:09 linux-4.19.y 0c88e405c97e a0092f9d .config console log report info ci2-linux-4-19
2020/11/25 20:41 linux-4.19.y 0c88e405c97e 3f581b43 .config console log report info ci2-linux-4-19
2020/11/03 22:35 linux-4.19.y f5d8eef067ac cba33199 .config console log report info ci2-linux-4-19
2020/11/03 11:51 linux-4.19.y f5d8eef067ac cba33199 .config console log report info ci2-linux-4-19
2020/10/21 03:07 linux-4.19.y ad326970d25c ff4a3345 .config console log report info ci2-linux-4-19
2020/10/09 12:44 linux-4.19.y a1b977b49b66 fa79ed2a .config console log report info ci2-linux-4-19
2020/10/03 00:42 linux-4.19.y b09c34517e1a 062c9832 .config console log report info ci2-linux-4-19
2020/09/16 21:16 linux-4.19.y a87f96283793 77507d02 .config console log report info ci2-linux-4-19
2020/09/16 17:38 linux-4.19.y a87f96283793 77507d02 .config console log report info ci2-linux-4-19
2020/09/08 20:54 linux-4.19.y c37da90efff5 abf9ba4f .config console log report ci2-linux-4-19
2020/08/31 06:39 linux-4.19.y f6d5cb9e2c06 d5a3ae1f .config console log report ci2-linux-4-19
2020/08/22 19:51 linux-4.19.y d18b78abc0c6 6436ce4b .config console log report ci2-linux-4-19
2020/08/15 20:51 linux-4.19.y c14d30dc9987 5ce13532 .config console log report ci2-linux-4-19
2020/08/14 00:16 linux-4.19.y c14d30dc9987 54ce1ed6 .config console log report ci2-linux-4-19
2020/08/12 23:54 linux-4.19.y c14d30dc9987 bc15f7db .config console log report ci2-linux-4-19
2020/08/11 03:07 linux-4.19.y 961f830af065 d3694ffb .config console log report ci2-linux-4-19
2020/08/05 16:49 linux-4.19.y c076c79e03c6 b7129355 .config console log report ci2-linux-4-19
2020/07/22 02:43 linux-4.19.y 17a87580a885 21f1765e .config console log report ci2-linux-4-19
2020/07/19 20:25 linux-4.19.y 17a87580a885 9c812472 .config console log report ci2-linux-4-19
2020/07/16 12:49 linux-4.19.y 17a87580a885 b090c643 .config console log report ci2-linux-4-19
2020/07/15 22:22 linux-4.19.y dce0f88600e4 ada108d0 .config console log report ci2-linux-4-19
2020/07/07 19:20 linux-4.19.y 399849e4654e 08fc4ef1 .config console log report ci2-linux-4-19
2020/07/05 12:39 linux-4.19.y 399849e4654e 22f87567 .config console log report ci2-linux-4-19
2020/07/04 17:34 linux-4.19.y 399849e4654e 4f739670 .config console log report ci2-linux-4-19
2020/07/01 11:12 linux-4.19.y 399849e4654e 090d8f7b .config console log report ci2-linux-4-19
2020/07/01 08:03 linux-4.19.y a39e75458e1c c0383ebe .config console log report ci2-linux-4-19
2020/06/27 09:30 linux-4.19.y a39e75458e1c 032b4239 .config console log report ci2-linux-4-19
2020/06/27 05:39 linux-4.19.y a39e75458e1c ffec44b5 .config console log report ci2-linux-4-19
2020/06/26 12:02 linux-4.19.y a39e75458e1c b202c7a8 .config console log report ci2-linux-4-19
2020/06/24 18:50 linux-4.19.y b3a99fd385fa 41694dbf .config console log report ci2-linux-4-19
2020/06/24 16:03 linux-4.19.y b3a99fd385fa 41694dbf .config console log report ci2-linux-4-19
2020/06/24 09:23 linux-4.19.y b3a99fd385fa bbad15ae .config console log report ci2-linux-4-19
2020/06/22 17:06 linux-4.19.y b3a99fd385fa 1afe1535 .config console log report ci2-linux-4-19
2020/06/21 15:12 linux-4.19.y 3fc898571b97 4f2acff9 .config console log report ci2-linux-4-19
2020/06/19 15:04 linux-4.19.y 3fc898571b97 123cf502 .config console log report ci2-linux-4-19
2020/06/18 16:37 linux-4.19.y 3fc898571b97 3ea11d3f .config console log report ci2-linux-4-19
2020/06/13 22:34 linux-4.19.y 3fc898571b97 dbce178a .config console log report ci2-linux-4-19
2020/06/12 17:31 linux-4.19.y 3fc898571b97 3036d6fd .config console log report ci2-linux-4-19
2020/06/08 16:00 linux-4.19.y 106fa147d3da 7604bb03 .config console log report ci2-linux-4-19
2020/06/06 14:10 linux-4.19.y 4707d8e57273 e6b89e4e .config console log report ci2-linux-4-19
2020/06/05 13:53 linux-4.19.y 4707d8e57273 d36418e9 .config console log report ci2-linux-4-19