syzbot


KASAN: global-out-of-bounds Read in soft_cursor

Status: upstream: reported C repro on 2019/12/16 00:09
Reported-by: syzbot+c97c8c03d2388fbba687@syzkaller.appspotmail.com
First crash: 1565d, last: 566d
Fix bisection: failed (error log, bisect log)
  
Similar bugs (7)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 KASAN: global-out-of-bounds Read in soft_cursor C done 22 1039d 1506d 1/1 fixed on 2021/06/24 08:01
upstream KASAN: global-out-of-bounds Read in soft_cursor fbdev 11 1343d 1568d 0/26 auto-closed as invalid on 2020/11/22 03:01
linux-5.15 KASAN: null-ptr-deref Read in soft_cursor origin:lts-only syz error 1 305d 306d 0/3 upstream: reported syz repro on 2023/05/28 00:20
linux-4.14 KASAN: use-after-free Read in soft_cursor C inconclusive 7 1065d 1576d 0/1 upstream: reported C repro on 2019/12/04 13:11
linux-4.19 KASAN: slab-out-of-bounds Read in soft_cursor (2) C done 8 1041d 1163d 1/1 fixed on 2021/06/23 17:43
upstream general protection fault in soft_cursor fbdev C 3 307d 307d 22/26 fixed on 2023/07/01 16:05
linux-4.14 KASAN: slab-out-of-bounds Read in soft_cursor C unreliable 57 1046d 1577d 0/1 upstream: reported C repro on 2019/12/03 14:54
Fix bisection attempts (20)
Created Duration User Patch Repo Result
2022/10/13 02:24 0m bisect fix linux-4.14.y error job log (0)
2022/09/10 04:56 23m bisect fix linux-4.14.y job log (0) log
2022/08/11 04:30 25m bisect fix linux-4.14.y job log (0) log
2022/07/12 04:10 19m bisect fix linux-4.14.y job log (0) log
2022/06/12 03:47 23m bisect fix linux-4.14.y job log (0) log
2022/05/13 03:19 27m bisect fix linux-4.14.y job log (0) log
2022/04/13 02:52 26m bisect fix linux-4.14.y job log (0) log
2022/03/14 00:27 26m bisect fix linux-4.14.y job log (0) log
2022/02/11 13:40 25m bisect fix linux-4.14.y job log (0) log
2022/01/12 13:10 26m bisect fix linux-4.14.y job log (0) log
2021/12/13 12:45 24m bisect fix linux-4.14.y job log (0) log
2021/11/13 11:39 23m bisect fix linux-4.14.y job log (0) log
2021/10/14 11:11 28m bisect fix linux-4.14.y job log (0) log
2021/09/14 10:42 28m bisect fix linux-4.14.y job log (0) log
2021/08/15 10:17 25m bisect fix linux-4.14.y job log (0) log
2021/07/16 09:50 27m bisect fix linux-4.14.y job log (0) log
2021/06/16 09:21 21m bisect fix linux-4.14.y job log (0) log
2021/04/24 03:59 29m bisect fix linux-4.14.y job log (0) log
2021/03/25 03:10 20m bisect fix linux-4.14.y job log (0) log
2021/02/04 05:03 1m bisect fix linux-4.14.y error job log (0)

Sample crash report:
==================================================================
BUG: KASAN: global-out-of-bounds in memcpy include/linux/string.h:372 [inline]
BUG: KASAN: global-out-of-bounds in soft_cursor+0x442/0xa50 drivers/video/fbdev/core/softcursor.c:70
Read of size 32 at addr ffffffff87cf4cd0 by task syz-executor768/7988

CPU: 1 PID: 7988 Comm: syz-executor768 Not tainted 4.14.210-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x283 lib/dump_stack.c:58
 print_address_description.cold+0x5/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x194 mm/kasan/report.c:351
 kasan_report+0x6f/0x7b mm/kasan/report.c:409
 memcpy+0x20/0x50 mm/kasan/kasan.c:302
 memcpy include/linux/string.h:372 [inline]
 soft_cursor+0x442/0xa50 drivers/video/fbdev/core/softcursor.c:70
 bit_cursor+0xf7a/0x1580 drivers/video/fbdev/core/bitblit.c:377
 fbcon_cursor+0x480/0x640 drivers/video/fbdev/core/fbcon.c:1287
 hide_cursor+0x7a/0x2a0 drivers/tty/vt/vt.c:590
 update_region+0xc9/0x110 drivers/tty/vt/vt.c:390
 vcs_write+0x3b9/0xb40 drivers/tty/vt/vc_screen.c:549
 __vfs_write+0xe4/0x630 fs/read_write.c:480
 vfs_write+0x17f/0x4d0 fs/read_write.c:544
 SYSC_write fs/read_write.c:590 [inline]
 SyS_write+0xf2/0x210 fs/read_write.c:582
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x440389
RSP: 002b:00007ffd141f0528 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440389
RDX: 0000000000000121 RSI: 00000000200000c0 RDI: 0000000000000004
RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000401bf0
R13: 0000000000401c80 R14: 0000000000000000 R15: 0000000000000000

The buggy address belongs to the variable:
 oid_index+0x850/0x9a0

Memory state around the buggy address:
 ffffffff87cf4b80: fa fa fa fa 04 fa fa fa fa fa fa fa 05 fa fa fa
 ffffffff87cf4c00: fa fa fa fa 01 fa fa fa fa fa fa fa 00 00 02 fa
>ffffffff87cf4c80: fa fa fa fa 00 00 00 fa fa fa fa fa 00 00 00 00
                                                 ^
 ffffffff87cf4d00: 00 01 fa fa fa fa fa fa 00 00 00 00 01 fa fa fa
 ffffffff87cf4d80: fa fa fa fa 00 00 00 05 fa fa fa fa 00 00 00 00
==================================================================

Crashes (19):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/12/08 02:47 linux-4.14.y c196b3a9c83a 51a9082e .config console log report syz C ci2-linux-4-14
2021/05/17 08:59 linux-4.14.y 7d7d1c0ab3eb a2eb125d .config console log report info ci2-linux-4-14 KASAN: global-out-of-bounds Read in soft_cursor
2021/05/13 04:54 linux-4.14.y 7d7d1c0ab3eb ed7d41c5 .config console log report info ci2-linux-4-14 KASAN: global-out-of-bounds Read in soft_cursor
2021/04/26 10:25 linux-4.14.y cf256fbcbe34 e60b7df1 .config console log report info ci2-linux-4-14 KASAN: global-out-of-bounds Read in soft_cursor
2021/04/25 14:43 linux-4.14.y cf256fbcbe34 36c88236 .config console log report info ci2-linux-4-14 KASAN: global-out-of-bounds Read in soft_cursor
2021/02/23 02:58 linux-4.14.y 29c52025152b fcc6d71b .config console log report info ci2-linux-4-14 KASAN: global-out-of-bounds Read in soft_cursor
2021/02/08 12:35 linux-4.14.y 2c8a3fceddf0 2ce644fc .config console log report info ci2-linux-4-14 KASAN: global-out-of-bounds Read in soft_cursor
2021/01/05 05:02 linux-4.14.y 1752938529c6 2a28ff1f .config console log report info ci2-linux-4-14
2020/12/19 02:29 linux-4.14.y 3f2ecb86cb90 04201c06 .config console log report info ci2-linux-4-14
2020/11/02 21:00 linux-4.14.y 2b7915014161 7f344fa6 .config console log report info ci2-linux-4-14
2020/08/19 06:19 linux-4.14.y 14b58326976d e1c29030 .config console log report ci2-linux-4-14
2020/07/07 15:10 linux-4.14.y b850307b279c 42723355 .config console log report ci2-linux-4-14
2020/06/18 09:42 linux-4.14.y b850307b279c d45a4d69 .config console log report ci2-linux-4-14
2020/06/18 09:20 linux-4.14.y b850307b279c d45a4d69 .config console log report ci2-linux-4-14
2020/05/02 11:41 linux-4.14.y 050272a0423e 58da4c35 .config console log report ci2-linux-4-14
2020/03/08 00:37 linux-4.14.y 78d697fc93f9 2e9971bb .config console log report ci2-linux-4-14
2020/01/17 02:09 linux-4.14.y c04fc6fa5c96 3de7aabb .config console log report ci2-linux-4-14
2020/01/08 17:28 linux-4.14.y 84f5ad468100 ddc3e859 .config console log report ci2-linux-4-14
2019/12/16 00:08 linux-4.14.y a844dc4c5442 eef6e580 .config console log report ci2-linux-4-14
* Struck through repros no longer work on HEAD.