From: syzbot <syzbot+14b0e8f3fd1612e35350@syzkaller.appspotmail.com>
To: khalid.masum.92@gmail.com, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] KASAN: vmalloc-out-of-bounds Write in imageblit (2)
Date: Sat, 30 Jul 2022 08:39:14 -0700
Message-ID: <000000000000a81b9205e5079176@google.com>
In-Reply-To: <20220730114547.5790-1-khalid.masum.92@gmail.com>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: vmalloc-out-of-bounds Write in imageblit

==================================================================
BUG: KASAN: vmalloc-out-of-bounds in fast_imageblit drivers/video/fbdev/core/sysimgblt.c:257 [inline]
BUG: KASAN: vmalloc-out-of-bounds in sys_imageblit+0x1ed0/0x2240 drivers/video/fbdev/core/sysimgblt.c:323
Write of size 4 at addr ffffc90004411000 by task syz-executor.5/4188

CPU: 1 PID: 4188 Comm: syz-executor.5 Not tainted 5.19.0-rc8-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0xf/0x495 mm/kasan/report.c:313
 print_report mm/kasan/report.c:429 [inline]
 kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
 fast_imageblit drivers/video/fbdev/core/sysimgblt.c:257 [inline]
 sys_imageblit+0x1ed0/0x2240 drivers/video/fbdev/core/sysimgblt.c:323
 drm_fb_helper_sys_imageblit drivers/gpu/drm/drm_fb_helper.c:825 [inline]
 drm_fbdev_fb_imageblit+0x15c/0x350 drivers/gpu/drm/drm_fb_helper.c:2328
 bit_putcs_unaligned drivers/video/fbdev/core/bitblit.c:139 [inline]
 bit_putcs+0x6e1/0xd20 drivers/video/fbdev/core/bitblit.c:188
 fbcon_putcs+0x314/0x3e0 drivers/video/fbdev/core/fbcon.c:1285
 do_update_region+0x399/0x630 drivers/tty/vt/vt.c:676
 redraw_screen+0x61f/0x740 drivers/tty/vt/vt.c:1035
 fbcon_do_set_font+0x5eb/0x6f0 drivers/video/fbdev/core/fbcon.c:2435
 fbcon_set_font+0x89d/0xab0 drivers/video/fbdev/core/fbcon.c:2522
 con_font_set drivers/tty/vt/vt.c:4666 [inline]
 con_font_op+0x73a/0xc90 drivers/tty/vt/vt.c:4710
 vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline]
 vt_ioctl+0x1efa/0x2b20 drivers/tty/vt/vt_ioctl.c:752
 tty_ioctl+0xbbd/0x15e0 drivers/tty/tty_io.c:2778
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:870 [inline]
 __se_sys_ioctl fs/ioctl.c:856 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:856
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fb2a0689109
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb2a1830168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fb2a079bf60 RCX: 00007fb2a0689109
RDX: 0000000020000040 RSI: 0000000000004b72 RDI: 0000000000000004
RBP: 00007fb2a18301d0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffca595479f R14: 00007fb2a1830300 R15: 0000000000022000
 </TASK>

The buggy address belongs to the virtual mapping at
 [ffffc90004111000, ffffc90004412000) created by:
 drm_gem_shmem_vmap_locked drivers/gpu/drm/drm_gem_shmem_helper.c:319 [inline]
 drm_gem_shmem_vmap+0x3d7/0x5a0 drivers/gpu/drm/drm_gem_shmem_helper.c:366

Memory state around the buggy address:
 ffffc90004410f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90004410f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc90004411000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                   ^
 ffffc90004411080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90004411100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================


Tested on:

commit:         e0dccc3b Linux 5.19-rc8
git tree:       https://github.com/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=13963ed2080000
kernel config:  https://syzkaller.appspot.com/x/.config?x=26034e6fe0075dad
dashboard link: https://syzkaller.appspot.com/bug?extid=14b0e8f3fd1612e35350
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch:          https://syzkaller.appspot.com/x/patch.diff?x=14d7b5da080000
