syzbot

 sign-in | mailing list | source | docs
🐞 Open [949] 🐞 Fixed [4019] 🐞 Invalid [8929] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes

KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer (2)

Status: upstream: reported C repro on 2021/09/05 20:22
Reported-by: syzbot+272ce7abd8e49c0ddf42@syzkaller.appspotmail.com
First crash: 388d, last: 34d

Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: INFO: task hung in vivid_stop_generating_vid_cap (log)
Repro: C syz .config
similar bugs (3):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer 1 983d 983d 0/24 auto-closed as invalid on 2020/05/17 19:44
linux-4.19 BUG: unable to handle kernel paging request in tpg_fill_plane_buffer (2) syz error 7 27d 422d 0/1 upstream: reported syz repro on 2021/08/02 00:51
linux-4.14 BUG: unable to handle kernel paging request in tpg_fill_plane_buffer (2) 1 256d 256d 0/1 auto-closed as invalid on 2022/05/15 07:48

Sample crash report:
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in memcpy include/linux/fortify-string.h:191 [inline]
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2545 [inline]
BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1325/0x38e0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2626
Write of size 128 at addr ffffc9000dbe2fe0 by task vivid-001-vid-c/14838

CPU: 0 PID: 14838 Comm: vivid-001-vid-c Not tainted 5.14.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105
 print_address_description.constprop.0.cold+0xf/0x309 mm/kasan/report.c:256
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
 memcpy+0x39/0x60 mm/kasan/shadow.c:66
 memcpy include/linux/fortify-string.h:191 [inline]
 tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2545 [inline]
 tpg_fill_plane_buffer+0x1325/0x38e0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2626
 vivid_fillbuff+0x1ac1/0x3f00 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:469
 vivid_thread_vid_cap_tick+0x88b/0x2360 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:729
 vivid_thread_vid_cap+0x5d2/0xaf0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:868
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295


Memory state around the buggy address:
 ffffc9000dbe2f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc9000dbe2f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc9000dbe3000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                   ^
 ffffc9000dbe3080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc9000dbe3100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================

Fix bisection attempts:
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce 2022/07/26 06:02 upstream e0dccc3b76fb d236a457 .config log report syz C
ci-upstream-kasan-gce 2022/06/26 02:44 upstream 0840a7914caa d236a457 .config log report syz C
ci-upstream-kasan-gce 2022/05/24 05:05 upstream 143a6252e1b8 d236a457 .config log report syz C
ci-upstream-kasan-gce 2022/01/25 08:14 upstream a08b41ab9e2e d236a457 .config log report syz C
ci-upstream-kasan-gce 2021/12/26 07:37 upstream 438645193e59 d236a457 .config log report syz C
ci-upstream-kasan-gce 2021/11/26 04:28 upstream a4849f6000e2 d236a457 .config log report syz C
ci-upstream-kasan-gce 2021/10/04 23:43 upstream f6274b06e326 d236a457 .config log report syz C
* Struck through repros no longer work on HEAD.
Crashes (10):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce 2021/09/04 23:21 upstream f1583cb1be35 d236a457 .config log report syz C KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
ci-upstream-kasan-gce-root 2022/08/24 23:36 upstream c40e8341e3b3 514514f6 .config log report info KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
ci-upstream-kasan-gce-root 2022/04/07 20:33 upstream 3e732ebf7316 c6ff3e05 .config log report info KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
ci-upstream-kasan-gce-selinux-root 2022/03/14 20:27 upstream 09688c0166e7 9e8eaa75 .config log report info KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
ci-upstream-kasan-gce-root 2022/02/27 13:16 upstream 2293be58d6a1 45a13a73 .config log report info KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
ci-upstream-kasan-gce 2022/02/15 14:13 upstream d567f5db412e 8b9ca619 .config log report info KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
ci-upstream-kasan-gce 2021/10/27 04:06 upstream 3906fe9bb7f1 d50eb50a .config log report info KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
ci-upstream-kasan-gce 2021/10/22 06:44 upstream 2f111a6fd5b5 55f90bc6 .config log report info KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
ci-upstream-kasan-gce-root 2021/10/18 03:13 upstream d999ade1cc86 0c5d9412 .config log report info KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
ci-upstream-linux-next-kasan-gce-root 2022/04/24 04:44 linux-next f1244c81da13 131df97d .config log report info KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
* Struck through repros no longer work on HEAD.