From: syzbot <syzbot+b38b1ef6edf0c74a8d97@syzkaller.appspotmail.com>
To: b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch,
dri-devel@lists.freedesktop.org, george.kennedy@oracle.com,
gregkh@linuxfoundation.org, jirislaby@kernel.org,
linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org,
natechancellor@gmail.com, syzkaller-bugs@googlegroups.com
Subject: KASAN: global-out-of-bounds Read in fbcon_resize
Date: Wed, 19 Aug 2020 22:35:15 -0700 [thread overview]
Message-ID: <00000000000024be1505ad487cbb@google.com> (raw)
Hello,
syzbot found the following issue on:
HEAD commit: 8eb858df Add linux-next specific files for 20200819
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1158a00e900000
kernel config: https://syzkaller.appspot.com/x/.config?x=cd187ef624ef7f02
dashboard link: https://syzkaller.appspot.com/bug?extid=b38b1ef6edf0c74a8d97
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=146a5589900000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=165aa636900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b38b1ef6edf0c74a8d97@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: global-out-of-bounds in fbcon_resize+0x781/0x810 drivers/video/fbdev/core/fbcon.c:2206
Read of size 4 at addr ffffffff8896d418 by task syz-executor732/6868
CPU: 0 PID: 6868 Comm: syz-executor732 Not tainted 5.9.0-rc1-next-20200819-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x18f/0x20d lib/dump_stack.c:118
print_address_description.constprop.0.cold+0x5/0x497 mm/kasan/report.c:383
__kasan_report mm/kasan/report.c:513 [inline]
kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
fbcon_resize+0x781/0x810 drivers/video/fbdev/core/fbcon.c:2206
resize_screen drivers/tty/vt/vt.c:1175 [inline]
vc_do_resize+0x535/0x1150 drivers/tty/vt/vt.c:1246
vt_ioctl+0x11d2/0x2cc0 drivers/tty/vt/vt_ioctl.c:1025
tty_ioctl+0x1019/0x15f0 drivers/tty/tty_io.c:2656
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl fs/ioctl.c:739 [inline]
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x440329
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffc8ff997d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440329
RDX: 0000000020000040 RSI: 0000000000005609 RDI: 0000000000000004
RBP: 00000000006ca018 R08: 000000000000000d R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b90
R13: 0000000000401c20 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the variable:
font_vga_8x16+0x58/0x60
Memory state around the buggy address:
ffffffff8896d300: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
ffffffff8896d380: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9
>ffffffff8896d400: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
^
ffffffff8896d480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffffff8896d500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
WARNING: multiple messages have this Message-ID (diff)
From: syzbot <syzbot+b38b1ef6edf0c74a8d97@syzkaller.appspotmail.com>
To: b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch,
dri-devel@lists.freedesktop.org, george.kennedy@oracle.com,
gregkh@linuxfoundation.org, jirislaby@kernel.org,
linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org,
natechancellor@gmail.com, syzkaller-bugs@googlegroups.com
Subject: KASAN: global-out-of-bounds Read in fbcon_resize
Date: Thu, 20 Aug 2020 05:35:15 +0000 [thread overview]
Message-ID: <00000000000024be1505ad487cbb@google.com> (raw)
Hello,
syzbot found the following issue on:
HEAD commit: 8eb858df Add linux-next specific files for 20200819
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x\x1158a00e900000
kernel config: https://syzkaller.appspot.com/x/.config?xÍ187ef624ef7f02
dashboard link: https://syzkaller.appspot.com/bug?extid³8b1ef6edf0c74a8d97
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x\x146a5589900000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x\x165aa636900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b38b1ef6edf0c74a8d97@syzkaller.appspotmail.com
=================================
BUG: KASAN: global-out-of-bounds in fbcon_resize+0x781/0x810 drivers/video/fbdev/core/fbcon.c:2206
Read of size 4 at addr ffffffff8896d418 by task syz-executor732/6868
CPU: 0 PID: 6868 Comm: syz-executor732 Not tainted 5.9.0-rc1-next-20200819-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x18f/0x20d lib/dump_stack.c:118
print_address_description.constprop.0.cold+0x5/0x497 mm/kasan/report.c:383
__kasan_report mm/kasan/report.c:513 [inline]
kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
fbcon_resize+0x781/0x810 drivers/video/fbdev/core/fbcon.c:2206
resize_screen drivers/tty/vt/vt.c:1175 [inline]
vc_do_resize+0x535/0x1150 drivers/tty/vt/vt.c:1246
vt_ioctl+0x11d2/0x2cc0 drivers/tty/vt/vt_ioctl.c:1025
tty_ioctl+0x1019/0x15f0 drivers/tty/tty_io.c:2656
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl fs/ioctl.c:739 [inline]
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x440329
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffc8ff997d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440329
RDX: 0000000020000040 RSI: 0000000000005609 RDI: 0000000000000004
RBP: 00000000006ca018 R08: 000000000000000d R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b90
R13: 0000000000401c20 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the variable:
font_vga_8x16+0x58/0x60
Memory state around the buggy address:
ffffffff8896d300: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
ffffffff8896d380: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9
>ffffffff8896d400: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
^
ffffffff8896d480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffffff8896d500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
WARNING: multiple messages have this Message-ID (diff)
From: syzbot <syzbot+b38b1ef6edf0c74a8d97@syzkaller.appspotmail.com>
To: b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch,
dri-devel@lists.freedesktop.org, george.kennedy@oracle.com,
gregkh@linuxfoundation.org, jirislaby@kernel.org,
linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org,
natechancellor@gmail.com, syzkaller-bugs@googlegroups.com
Subject: KASAN: global-out-of-bounds Read in fbcon_resize
Date: Wed, 19 Aug 2020 22:35:15 -0700 [thread overview]
Message-ID: <00000000000024be1505ad487cbb@google.com> (raw)
Hello,
syzbot found the following issue on:
HEAD commit: 8eb858df Add linux-next specific files for 20200819
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1158a00e900000
kernel config: https://syzkaller.appspot.com/x/.config?x=cd187ef624ef7f02
dashboard link: https://syzkaller.appspot.com/bug?extid=b38b1ef6edf0c74a8d97
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=146a5589900000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=165aa636900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b38b1ef6edf0c74a8d97@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: global-out-of-bounds in fbcon_resize+0x781/0x810 drivers/video/fbdev/core/fbcon.c:2206
Read of size 4 at addr ffffffff8896d418 by task syz-executor732/6868
CPU: 0 PID: 6868 Comm: syz-executor732 Not tainted 5.9.0-rc1-next-20200819-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x18f/0x20d lib/dump_stack.c:118
print_address_description.constprop.0.cold+0x5/0x497 mm/kasan/report.c:383
__kasan_report mm/kasan/report.c:513 [inline]
kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
fbcon_resize+0x781/0x810 drivers/video/fbdev/core/fbcon.c:2206
resize_screen drivers/tty/vt/vt.c:1175 [inline]
vc_do_resize+0x535/0x1150 drivers/tty/vt/vt.c:1246
vt_ioctl+0x11d2/0x2cc0 drivers/tty/vt/vt_ioctl.c:1025
tty_ioctl+0x1019/0x15f0 drivers/tty/tty_io.c:2656
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl fs/ioctl.c:739 [inline]
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x440329
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffc8ff997d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440329
RDX: 0000000020000040 RSI: 0000000000005609 RDI: 0000000000000004
RBP: 00000000006ca018 R08: 000000000000000d R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b90
R13: 0000000000401c20 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the variable:
font_vga_8x16+0x58/0x60
Memory state around the buggy address:
ffffffff8896d300: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
ffffffff8896d380: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9
>ffffffff8896d400: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
^
ffffffff8896d480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffffff8896d500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
next reply other threads:[~2020-08-20 5:35 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-20 5:35 syzbot [this message]
2020-08-20 5:35 ` KASAN: global-out-of-bounds Read in fbcon_resize syzbot
2020-08-20 5:35 ` syzbot
2020-09-10 22:57 ` [PATCH] fbcon: Fix user font detection test at fbcon_resize() Tetsuo Handa
2020-09-10 22:57 ` Tetsuo Handa
2020-09-10 22:57 ` Tetsuo Handa
2020-09-16 0:01 ` Tetsuo Handa
2020-09-16 0:01 ` Tetsuo Handa
2020-09-16 0:01 ` Tetsuo Handa
2020-09-16 7:44 ` Daniel Vetter
2020-09-16 7:44 ` Daniel Vetter
2020-09-16 7:44 ` Daniel Vetter
2020-09-16 8:26 ` Greg KH
2020-09-16 8:26 ` Greg KH
2020-09-16 8:26 ` Greg KH
2020-09-16 10:06 ` Tetsuo Handa
2020-09-16 10:06 ` Tetsuo Handa
2020-09-16 10:06 ` Tetsuo Handa
2020-09-16 12:35 ` Greg KH
2020-09-16 12:35 ` Greg KH
2020-09-16 12:35 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=00000000000024be1505ad487cbb@google.com \
--to=syzbot+b38b1ef6edf0c74a8d97@syzkaller.appspotmail.com \
--cc=b.zolnierkie@samsung.com \
--cc=daniel.vetter@ffwll.ch \
--cc=dri-devel@lists.freedesktop.org \
--cc=george.kennedy@oracle.com \
--cc=gregkh@linuxfoundation.org \
--cc=jirislaby@kernel.org \
--cc=linux-fbdev@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=natechancellor@gmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.