* KASAN: slab-out-of-bounds Read in fbcon_get_font
@ 2019-12-03 22:25 ` syzbot
0 siblings, 0 replies; 53+ messages in thread
From: syzbot @ 2019-12-03 22:25 UTC (permalink / raw)
To: b.zolnierkie, daniel.thompson, daniel.vetter, dri-devel, ghalat,
linux-fbdev, linux-kernel, maarten.lankhorst, sam,
syzkaller-bugs
Hello,
syzbot found the following crash on:
HEAD commit: 76bb8b05 Merge tag 'kbuild-v5.5' of git://git.kernel.org/p..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10bfe282e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=dd226651cb0f364b
dashboard link: https://syzkaller.appspot.com/bug?extid=4455ca3b3291de891abc
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11181edae00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=105cbb7ae00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+4455ca3b3291de891abc@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:380 [inline]
BUG: KASAN: slab-out-of-bounds in fbcon_get_font+0x2b2/0x5e0
drivers/video/fbdev/core/fbcon.c:2465
Read of size 16 at addr ffff888094b0aa10 by task syz-executor414/9999
CPU: 0 PID: 9999 Comm: syz-executor414 Not tainted 5.4.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
__kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
kasan_report+0x12/0x20 mm/kasan/common.c:638
check_memory_region_inline mm/kasan/generic.c:185 [inline]
check_memory_region+0x134/0x1a0 mm/kasan/generic.c:192
memcpy+0x24/0x50 mm/kasan/common.c:124
memcpy include/linux/string.h:380 [inline]
fbcon_get_font+0x2b2/0x5e0 drivers/video/fbdev/core/fbcon.c:2465
con_font_get drivers/tty/vt/vt.c:4446 [inline]
con_font_op+0x20b/0x1250 drivers/tty/vt/vt.c:4605
vt_ioctl+0x181a/0x26d0 drivers/tty/vt/vt_ioctl.c:965
tty_ioctl+0xa37/0x14f0 drivers/tty/tty_io.c:2658
vfs_ioctl fs/ioctl.c:47 [inline]
file_ioctl fs/ioctl.c:545 [inline]
do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
__do_sys_ioctl fs/ioctl.c:756 [inline]
__se_sys_ioctl fs/ioctl.c:754 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4444d9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 7b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fff6f4393b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fff6f4393c0 RCX: 00000000004444d9
RDX: 0000000020000440 RSI: 0000000000004b72 RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000400da0
R10: 00007fff6f438f00 R11: 0000000000000246 R12: 00000000004021e0
R13: 0000000000402270 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 9999:
save_stack+0x23/0x90 mm/kasan/common.c:71
set_track mm/kasan/common.c:79 [inline]
__kasan_kmalloc mm/kasan/common.c:512 [inline]
__kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:485
kasan_kmalloc+0x9/0x10 mm/kasan/common.c:526
__do_kmalloc mm/slab.c:3656 [inline]
__kmalloc+0x163/0x770 mm/slab.c:3665
kmalloc include/linux/slab.h:561 [inline]
fbcon_set_font+0x32d/0x860 drivers/video/fbdev/core/fbcon.c:2663
con_font_set drivers/tty/vt/vt.c:4538 [inline]
con_font_op+0xe18/0x1250 drivers/tty/vt/vt.c:4603
vt_ioctl+0xd2e/0x26d0 drivers/tty/vt/vt_ioctl.c:913
tty_ioctl+0xa37/0x14f0 drivers/tty/tty_io.c:2658
vfs_ioctl fs/ioctl.c:47 [inline]
file_ioctl fs/ioctl.c:545 [inline]
do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
__do_sys_ioctl fs/ioctl.c:756 [inline]
__se_sys_ioctl fs/ioctl.c:754 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 9771:
save_stack+0x23/0x90 mm/kasan/common.c:71
set_track mm/kasan/common.c:79 [inline]
kasan_set_free_info mm/kasan/common.c:334 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/common.c:473
kasan_slab_free+0xe/0x10 mm/kasan/common.c:482
__cache_free mm/slab.c:3426 [inline]
kfree+0x10a/0x2c0 mm/slab.c:3757
tomoyo_init_log+0x15c1/0x2070 security/tomoyo/audit.c:294
tomoyo_supervisor+0x33f/0xef0 security/tomoyo/common.c:2095
tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
tomoyo_env_perm+0x18e/0x210 security/tomoyo/environ.c:63
tomoyo_environ security/tomoyo/domain.c:670 [inline]
tomoyo_find_next_domain+0x1354/0x1f6c security/tomoyo/domain.c:876
tomoyo_bprm_check_security security/tomoyo/tomoyo.c:107 [inline]
tomoyo_bprm_check_security+0x124/0x1a0 security/tomoyo/tomoyo.c:97
security_bprm_check+0x63/0xb0 security/security.c:784
search_binary_handler+0x71/0x570 fs/exec.c:1645
exec_binprm fs/exec.c:1701 [inline]
__do_execve_file.isra.0+0x1329/0x22b0 fs/exec.c:1821
do_execveat_common fs/exec.c:1867 [inline]
do_execve fs/exec.c:1884 [inline]
__do_sys_execve fs/exec.c:1960 [inline]
__se_sys_execve fs/exec.c:1955 [inline]
__x64_sys_execve+0x8f/0xc0 fs/exec.c:1955
do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff888094b0a000
which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 2576 bytes inside of
4096-byte region [ffff888094b0a000, ffff888094b0b000)
The buggy address belongs to the page:
page:ffffea000252c280 refcount:1 mapcount:0 mapping:ffff8880aa402000
index:0x0 compound_mapcount: 0
raw: 00fffe0000010200 ffffea0002a3ae08 ffffea0002a6aa88 ffff8880aa402000
raw: 0000000000000000 ffff888094b0a000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888094b0a900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888094b0a980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff888094b0aa00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff888094b0aa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888094b0ab00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
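The "Memory state around the buggy address" block at the end of the report decodes as follows. This is an added triage helper, not code from syzbot, the kernel or anyone in this thread; it embeds a constructed copy of the report's shadow rows and the addresses the report quotes, and takes the shadow-byte meanings from the kernel's mm/kasan/kasan.h.

```python
"""Decode the 'Memory state around the buggy address' block of a KASAN report
and check the reported access against it.

Added triage helper, not code from syzbot, the kernel or this thread. The
shadow rows and addresses are a constructed copy of those in the report
above; shadow-byte meanings follow mm/kasan/kasan.h (5.4, generic KASAN).
"""
import re

SHADOW_GRANULE = 8  # one shadow byte describes 8 bytes of memory

# 0x00 = all 8 bytes addressable, 0x01..0x07 = only the first N bytes are;
# everything else is a poison value (names from mm/kasan/kasan.h in 5.4).
POISON_NAMES = {0xfa: "global redzone", 0xfb: "freed kmalloc object",
                0xfc: "kmalloc redzone", 0xfe: "page redzone", 0xff: "free page"}

# Constructed copy of the report's rows ('>' marks the row with the bad access).
SAMPLE_REPORT = """\
Memory state around the buggy address:
 ffff888094b0a900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888094b0a980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff888094b0aa00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                    ^
 ffff888094b0aa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888094b0ab00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""
ACCESS_ADDR = 0xffff888094b0aa10   # "Read of size 16 at addr ..." in the report
ACCESS_SIZE = 16
OBJECT_START = 0xffff888094b0a000  # start of the kmalloc-4k slot per the report

ROW_RE = re.compile(r"^>?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$")


def parse_shadow(report):
    """Map each 8-byte granule start address to its shadow byte."""
    shadow = {}
    for line in report.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header line, '^' marker or unrelated text
        row = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            shadow[row + i * SHADOW_GRANULE] = int(tok, 16)
    return shadow


def describe(value):
    """Human-readable meaning of one shadow byte."""
    if value == 0:
        return "addressable"
    if 1 <= value <= 7:
        return "partial granule (%d bytes addressable)" % value
    return POISON_NAMES.get(value, "poison 0x%02x" % value)


def byte_addressable(shadow, addr):
    """True if the byte at addr may be touched; KeyError if the dump lacks it."""
    granule = addr & ~(SHADOW_GRANULE - 1)
    value = shadow[granule]
    if 1 <= value <= 7:
        return (addr - granule) < value
    return value == 0


def check_access(shadow, addr, size):
    """Return (ok, first_bad_address, shadow_value) for a size-byte access."""
    for a in range(addr, addr + size):
        if not byte_addressable(shadow, a):
            return False, a, shadow[a & ~(SHADOW_GRANULE - 1)]
    return True, None, None


def allocation_end(shadow, start):
    """From a granule-aligned start inside the dump, return the address of the
    first non-addressable byte (where the live allocation ends), or None if
    the dump runs out before any poison is seen."""
    a = start
    while a in shadow:
        value = shadow[a]
        if 1 <= value <= 7:
            return a + value
        if value != 0:
            return a
        a += SHADOW_GRANULE
    return None


if __name__ == "__main__":
    shadow = parse_shadow(SAMPLE_REPORT)
    ok, bad, value = check_access(shadow, ACCESS_ADDR, ACCESS_SIZE)
    end = allocation_end(shadow, min(shadow))
    print("access ok: %s, first bad byte %#x is %s" % (ok, bad, describe(value)))
    print("read starts %d bytes into the 4k slot and %d bytes past the end of"
          " the live allocation at %#x" % (ACCESS_ADDR - OBJECT_START,
                                          ACCESS_ADDR - end, end))
```

Run stand-alone it shows the 16-byte read beginning exactly where the live allocation ends, 2576 bytes into the kmalloc-4k slot, with the shadow byte there marked as kmalloc redzone rather than as a freed object.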
* Re: KASAN: slab-out-of-bounds Read in fbcon_get_font
2019-12-03 22:25 ` syzbot
@ 2019-12-03 22:37 ` Daniel Vetter
0 siblings, 0 replies; 53+ messages in thread
From: Daniel Vetter @ 2019-12-03 22:37 UTC (permalink / raw)
To: syzbot, Kentaro Takeda, Tetsuo Handa, James Morris, Serge E. Hallyn,
linux-security-module
Cc: Bartlomiej Zolnierkiewicz, Daniel Thompson, dri-devel, ghalat,
Linux Fbdev development list, Linux Kernel Mailing List, Maarten Lankhorst,
Sam Ravnborg, syzkaller-bugs
On Tue, Dec 3, 2019 at 11:25 PM syzbot
<syzbot+4455ca3b3291de891abc@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 76bb8b05 Merge tag 'kbuild-v5.5' of git://git.kernel.org/p..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10bfe282e00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=dd226651cb0f364b
> dashboard link: https://syzkaller.appspot.com/bug?extid=4455ca3b3291de891abc
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11181edae00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=105cbb7ae00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+4455ca3b3291de891abc@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:380 [inline]
> BUG: KASAN: slab-out-of-bounds in fbcon_get_font+0x2b2/0x5e0
> drivers/video/fbdev/core/fbcon.c:2465
> Read of size 16 at addr ffff888094b0aa10 by task syz-executor414/9999

So fbcon allocates some memory, security/tomoyo goes around and frees it,
fbcon goes boom because the memory is gone. I'm kinda leaning towards "not
an fbcon bug". Adding relevant security folks and mailing lists.

But from a very quick look in tomoyo it looks more like "machine on fire,
random corruption all over". No idea what's going on here.
-Daniel

>
> CPU: 0 PID: 9999 Comm: syz-executor414 Not tainted 5.4.0-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x197/0x210 lib/dump_stack.c:118
> print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
> __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
> kasan_report+0x12/0x20 mm/kasan/common.c:638
> check_memory_region_inline mm/kasan/generic.c:185 [inline]
> check_memory_region+0x134/0x1a0 mm/kasan/generic.c:192
> memcpy+0x24/0x50 mm/kasan/common.c:124
> memcpy include/linux/string.h:380 [inline]
> fbcon_get_font+0x2b2/0x5e0 drivers/video/fbdev/core/fbcon.c:2465
> con_font_get drivers/tty/vt/vt.c:4446 [inline]
> con_font_op+0x20b/0x1250 drivers/tty/vt/vt.c:4605
> vt_ioctl+0x181a/0x26d0 drivers/tty/vt/vt_ioctl.c:965
> tty_ioctl+0xa37/0x14f0 drivers/tty/tty_io.c:2658
> vfs_ioctl fs/ioctl.c:47 [inline]
> file_ioctl fs/ioctl.c:545 [inline]
> do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
> ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
> __do_sys_ioctl fs/ioctl.c:756 [inline]
> __se_sys_ioctl fs/ioctl.c:754 [inline]
> __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
> do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x4444d9
> Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> ff 0f 83 7b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:00007fff6f4393b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> RAX: ffffffffffffffda RBX: 00007fff6f4393c0 RCX: 00000000004444d9
> RDX: 0000000020000440 RSI: 0000000000004b72 RDI: 0000000000000005
> RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000400da0
> R10: 00007fff6f438f00 R11: 0000000000000246 R12: 00000000004021e0
> R13: 0000000000402270 R14: 0000000000000000 R15: 0000000000000000
>
> Allocated by task 9999:
> save_stack+0x23/0x90 mm/kasan/common.c:71
> set_track mm/kasan/common.c:79 [inline]
> __kasan_kmalloc mm/kasan/common.c:512 [inline]
> __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:485
> kasan_kmalloc+0x9/0x10 mm/kasan/common.c:526
> __do_kmalloc mm/slab.c:3656 [inline]
> __kmalloc+0x163/0x770 mm/slab.c:3665
> kmalloc include/linux/slab.h:561 [inline]
> fbcon_set_font+0x32d/0x860 drivers/video/fbdev/core/fbcon.c:2663
> con_font_set drivers/tty/vt/vt.c:4538 [inline]
> con_font_op+0xe18/0x1250 drivers/tty/vt/vt.c:4603
> vt_ioctl+0xd2e/0x26d0 drivers/tty/vt/vt_ioctl.c:913
> tty_ioctl+0xa37/0x14f0 drivers/tty/tty_io.c:2658
> vfs_ioctl fs/ioctl.c:47 [inline]
> file_ioctl fs/ioctl.c:545 [inline]
> do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
> ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
> __do_sys_ioctl fs/ioctl.c:756 [inline]
> __se_sys_ioctl fs/ioctl.c:754 [inline]
> __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
> do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> Freed by task 9771:
> save_stack+0x23/0x90 mm/kasan/common.c:71
> set_track mm/kasan/common.c:79 [inline]
> kasan_set_free_info mm/kasan/common.c:334 [inline]
> __kasan_slab_free+0x102/0x150 mm/kasan/common.c:473
> kasan_slab_free+0xe/0x10 mm/kasan/common.c:482
> __cache_free mm/slab.c:3426 [inline]
> kfree+0x10a/0x2c0 mm/slab.c:3757
> tomoyo_init_log+0x15c1/0x2070 security/tomoyo/audit.c:294
> tomoyo_supervisor+0x33f/0xef0 security/tomoyo/common.c:2095
> tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
> tomoyo_env_perm+0x18e/0x210 security/tomoyo/environ.c:63
> tomoyo_environ security/tomoyo/domain.c:670 [inline]
> tomoyo_find_next_domain+0x1354/0x1f6c security/tomoyo/domain.c:876
> tomoyo_bprm_check_security security/tomoyo/tomoyo.c:107 [inline]
> tomoyo_bprm_check_security+0x124/0x1a0 security/tomoyo/tomoyo.c:97
> security_bprm_check+0x63/0xb0 security/security.c:784
> search_binary_handler+0x71/0x570 fs/exec.c:1645
> exec_binprm fs/exec.c:1701 [inline]
> __do_execve_file.isra.0+0x1329/0x22b0 fs/exec.c:1821
> do_execveat_common fs/exec.c:1867 [inline]
> do_execve fs/exec.c:1884 [inline]
> __do_sys_execve fs/exec.c:1960 [inline]
> __se_sys_execve fs/exec.c:1955 [inline]
> __x64_sys_execve+0x8f/0xc0 fs/exec.c:1955
> do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> The buggy address belongs to the object at ffff888094b0a000
> which belongs to the cache kmalloc-4k of size 4096
> The buggy address is located 2576 bytes inside of
> 4096-byte region [ffff888094b0a000, ffff888094b0b000)
> The buggy address belongs to the page:
> page:ffffea000252c280 refcount:1 mapcount:0 mapping:ffff8880aa402000
> index:0x0 compound_mapcount: 0
> raw: 00fffe0000010200 ffffea0002a3ae08 ffffea0002a6aa88 ffff8880aa402000
> raw: 0000000000000000 ffff888094b0a000 0000000100000001 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
> ffff888094b0a900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff888094b0a980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > ffff888094b0aa00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ^
> ffff888094b0aa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff888094b0ab00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ==================================================================
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches

--
Daniel Vetter
Software Engineer, Intel Corporation
+41 (0) 79 365 57 48 - http://blog.ffwll.ch
> __do_execve_file.isra.0+0x1329/0x22b0 fs/exec.c:1821 > do_execveat_common fs/exec.c:1867 [inline] > do_execve fs/exec.c:1884 [inline] > __do_sys_execve fs/exec.c:1960 [inline] > __se_sys_execve fs/exec.c:1955 [inline] > __x64_sys_execve+0x8f/0xc0 fs/exec.c:1955 > do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 > entry_SYSCALL_64_after_hwframe+0x49/0xbe > > The buggy address belongs to the object at ffff888094b0a000 > which belongs to the cache kmalloc-4k of size 4096 > The buggy address is located 2576 bytes inside of > 4096-byte region [ffff888094b0a000, ffff888094b0b000) > The buggy address belongs to the page: > page:ffffea000252c280 refcount:1 mapcount:0 mapping:ffff8880aa402000 > index:0x0 compound_mapcount: 0 > raw: 00fffe0000010200 ffffea0002a3ae08 ffffea0002a6aa88 ffff8880aa402000 > raw: 0000000000000000 ffff888094b0a000 0000000100000001 0000000000000000 > page dumped because: kasan: bad access detected > > Memory state around the buggy address: > ffff888094b0a900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > ffff888094b0a980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > > ffff888094b0aa00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc > ^ > ffff888094b0aa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > ffff888094b0ab00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > ================================================================== > > > --- > This bug is generated by a bot. It may contain errors. > See https://goo.gl/tpsmEJ for more information about syzbot. > syzbot engineers can be reached at syzkaller@googlegroups.com. > > syzbot will keep track of this bug report. See: > https://goo.gl/tpsmEJ#status for how to communicate with syzbot. 
> syzbot can test patches for this bug, for details see: > https://goo.gl/tpsmEJ#testing-patches -- Daniel Vetter Software Engineer, Intel Corporation +41 (0) 79 365 57 48 - http://blog.ffwll.ch _______________________________________________ dri-devel mailing list dri-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/dri-devel ^ permalink raw reply [flat|nested] 53+ messages in thread
* Re: KASAN: slab-out-of-bounds Read in fbcon_get_font
  2019-12-03 22:37 ` Daniel Vetter
@ 2019-12-04  6:33 ` Dmitry Vyukov
From: Dmitry Vyukov @ 2019-12-04 6:33 UTC
To: Daniel Vetter, kasan-dev, Andrey Ryabinin
Cc: syzbot, Kentaro Takeda, Tetsuo Handa, James Morris, Serge E. Hallyn, linux-security-module, Bartlomiej Zolnierkiewicz, Daniel Thompson, dri-devel, ghalat, Linux Fbdev development list, Linux Kernel Mailing List, Maarten Lankhorst, Sam Ravnborg, syzkaller-bugs

On Tue, Dec 3, 2019 at 11:37 PM Daniel Vetter <daniel.vetter@ffwll.ch> wrote:
>
> On Tue, Dec 3, 2019 at 11:25 PM syzbot
> <syzbot+4455ca3b3291de891abc@syzkaller.appspotmail.com> wrote:
> >
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:    76bb8b05 Merge tag 'kbuild-v5.5' of git://git.kernel.org/p..
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=10bfe282e00000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=dd226651cb0f364b
> > dashboard link: https://syzkaller.appspot.com/bug?extid=4455ca3b3291de891abc
> > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11181edae00000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=105cbb7ae00000
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+4455ca3b3291de891abc@syzkaller.appspotmail.com
> >
> > ==================================================================
> > BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:380 [inline]
> > BUG: KASAN: slab-out-of-bounds in fbcon_get_font+0x2b2/0x5e0
> > drivers/video/fbdev/core/fbcon.c:2465
> > Read of size 16 at addr ffff888094b0aa10 by task syz-executor414/9999
>
> So fbcon allocates some memory, security/tomoyo goes around and frees
> it, fbcon goes boom because the memory is gone. I'm kinda leaning
> towards "not an fbcon bug". Adding relevant security folks and mailing
> lists.
>
> But from a very quick look in tomoyo it looks more like "machine on
> fire, random corruption all over". No idea what's going on here.

Hi Daniel,

This is an out-of-bounds access, not use-after-free.

I don't know why we print the free stack at all (maybe +Andrey knows),
but that's what KASAN did from day one. I filed
https://bugzilla.kernel.org/show_bug.cgi?id=198425 which I think is a
good idea, I will add your confusion as a data point :)

Re this bug, free stack is irrelevant, I guess it's when the heap block
was freed before it was reallocated by console. So it's plain
out-of-bounds in fbcon_get_font, which looks sane and consistent to me
and reproducible on top.

> > CPU: 0 PID: 9999 Comm: syz-executor414 Not tainted 5.4.0-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > Call Trace:
> >  __dump_stack lib/dump_stack.c:77 [inline]
> >  dump_stack+0x197/0x210 lib/dump_stack.c:118
> >  print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
> >  __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
> >  kasan_report+0x12/0x20 mm/kasan/common.c:638
> >  check_memory_region_inline mm/kasan/generic.c:185 [inline]
> >  check_memory_region+0x134/0x1a0 mm/kasan/generic.c:192
> >  memcpy+0x24/0x50 mm/kasan/common.c:124
> >  memcpy include/linux/string.h:380 [inline]
> >  fbcon_get_font+0x2b2/0x5e0 drivers/video/fbdev/core/fbcon.c:2465
> >  con_font_get drivers/tty/vt/vt.c:4446 [inline]
> >  con_font_op+0x20b/0x1250 drivers/tty/vt/vt.c:4605
> >  vt_ioctl+0x181a/0x26d0 drivers/tty/vt/vt_ioctl.c:965
> >  tty_ioctl+0xa37/0x14f0 drivers/tty/tty_io.c:2658
> >  vfs_ioctl fs/ioctl.c:47 [inline]
> >  file_ioctl fs/ioctl.c:545 [inline]
> >  do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
> >  ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
> >  __do_sys_ioctl fs/ioctl.c:756 [inline]
> >  __se_sys_ioctl fs/ioctl.c:754 [inline]
> >  __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
> >  do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
> >  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > RIP: 0033:0x4444d9
> > Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7
> > 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> > ff 0f 83 7b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> > RSP: 002b:00007fff6f4393b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> > RAX: ffffffffffffffda RBX: 00007fff6f4393c0 RCX: 00000000004444d9
> > RDX: 0000000020000440 RSI: 0000000000004b72 RDI: 0000000000000005
> > RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000400da0
> > R10: 00007fff6f438f00 R11: 0000000000000246 R12: 00000000004021e0
> > R13: 0000000000402270 R14: 0000000000000000 R15: 0000000000000000
> >
> > Allocated by task 9999:
> >  save_stack+0x23/0x90 mm/kasan/common.c:71
> >  set_track mm/kasan/common.c:79 [inline]
> >  __kasan_kmalloc mm/kasan/common.c:512 [inline]
> >  __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:485
> >  kasan_kmalloc+0x9/0x10 mm/kasan/common.c:526
> >  __do_kmalloc mm/slab.c:3656 [inline]
> >  __kmalloc+0x163/0x770 mm/slab.c:3665
> >  kmalloc include/linux/slab.h:561 [inline]
> >  fbcon_set_font+0x32d/0x860 drivers/video/fbdev/core/fbcon.c:2663
> >  con_font_set drivers/tty/vt/vt.c:4538 [inline]
> >  con_font_op+0xe18/0x1250 drivers/tty/vt/vt.c:4603
> >  vt_ioctl+0xd2e/0x26d0 drivers/tty/vt/vt_ioctl.c:913
> >  tty_ioctl+0xa37/0x14f0 drivers/tty/tty_io.c:2658
> >  vfs_ioctl fs/ioctl.c:47 [inline]
> >  file_ioctl fs/ioctl.c:545 [inline]
> >  do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
> >  ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
> >  __do_sys_ioctl fs/ioctl.c:756 [inline]
> >  __se_sys_ioctl fs/ioctl.c:754 [inline]
> >  __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
> >  do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
> >  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> >
> > Freed by task 9771:
> >  save_stack+0x23/0x90 mm/kasan/common.c:71
> >  set_track mm/kasan/common.c:79 [inline]
> >  kasan_set_free_info mm/kasan/common.c:334 [inline]
> >  __kasan_slab_free+0x102/0x150 mm/kasan/common.c:473
> >  kasan_slab_free+0xe/0x10 mm/kasan/common.c:482
> >  __cache_free mm/slab.c:3426 [inline]
> >  kfree+0x10a/0x2c0 mm/slab.c:3757
> >  tomoyo_init_log+0x15c1/0x2070 security/tomoyo/audit.c:294
> >  tomoyo_supervisor+0x33f/0xef0 security/tomoyo/common.c:2095
> >  tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
> >  tomoyo_env_perm+0x18e/0x210 security/tomoyo/environ.c:63
> >  tomoyo_environ security/tomoyo/domain.c:670 [inline]
> >  tomoyo_find_next_domain+0x1354/0x1f6c security/tomoyo/domain.c:876
> >  tomoyo_bprm_check_security security/tomoyo/tomoyo.c:107 [inline]
> >  tomoyo_bprm_check_security+0x124/0x1a0 security/tomoyo/tomoyo.c:97
> >  security_bprm_check+0x63/0xb0 security/security.c:784
> >  search_binary_handler+0x71/0x570 fs/exec.c:1645
> >  exec_binprm fs/exec.c:1701 [inline]
> >  __do_execve_file.isra.0+0x1329/0x22b0 fs/exec.c:1821
> >  do_execveat_common fs/exec.c:1867 [inline]
> >  do_execve fs/exec.c:1884 [inline]
> >  __do_sys_execve fs/exec.c:1960 [inline]
> >  __se_sys_execve fs/exec.c:1955 [inline]
> >  __x64_sys_execve+0x8f/0xc0 fs/exec.c:1955
> >  do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
> >  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> >
> > The buggy address belongs to the object at ffff888094b0a000
> >  which belongs to the cache kmalloc-4k of size 4096
> > The buggy address is located 2576 bytes inside of
> >  4096-byte region [ffff888094b0a000, ffff888094b0b000)
> > The buggy address belongs to the page:
> > page:ffffea000252c280 refcount:1 mapcount:0 mapping:ffff8880aa402000
> > index:0x0 compound_mapcount: 0
> > raw: 00fffe0000010200 ffffea0002a3ae08 ffffea0002a6aa88 ffff8880aa402000
> > raw: 0000000000000000 ffff888094b0a000 0000000100000001 0000000000000000
> > page dumped because: kasan: bad access detected
> >
> > Memory state around the buggy address:
> >  ffff888094b0a900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> >  ffff888094b0a980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > >ffff888094b0aa00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> >                          ^
> >  ffff888094b0aa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> >  ffff888094b0ab00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> > ==================================================================
> >
> >
> > ---
> > This bug is generated by a bot. It may contain errors.
> > See https://goo.gl/tpsmEJ for more information about syzbot.
> > syzbot engineers can be reached at syzkaller@googlegroups.com.
> >
> > syzbot will keep track of this bug report. See:
> > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> > syzbot can test patches for this bug, for details see:
> > https://goo.gl/tpsmEJ#testing-patches
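Dmitry's point above (KASAN picks the report type from the shadow byte at the faulting address, so the "Freed by" stack is incidental) can be checked against the quoted dump. The following is an added example, not code from this thread or from the kernel; it parses the "Memory state" rows quoted above and assumes the generic KASAN layout of one shadow byte per 8 bytes of memory and the 5.4-era poison values 0xfc (kmalloc redzone) and 0xfb (freed kmalloc object).

```c
/* Added example, not code from this thread or from the kernel: decode the
 * "Memory state around the buggy address" rows quoted above. Assumes generic
 * KASAN: one shadow byte per 8 bytes of memory, 16 shadow bytes per printed
 * row, and the 5.4-era kasan.h poisons 0xfc (kmalloc redzone), 0xfb (freed). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SHADOW_SCALE     8                  /* memory bytes per shadow byte */
#define ROW_SHADOW_BYTES 16                 /* shadow bytes per report row */
#define KASAN_KMALLOC_REDZONE 0xFC          /* reported as "slab-out-of-bounds" */
#define KASAN_KMALLOC_FREE    0xFB          /* reported as "use-after-free" */

/* Rows copied from the quoted report ('>' quoting and the '^' marker row
 * stripped). Each label is the memory address the 16 shadow bytes describe. */
static const char *const report_rows[] = {
    "ffff888094b0a900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
    "ffff888094b0a980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
    "ffff888094b0aa00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
    "ffff888094b0aa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
    "ffff888094b0ab00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
};

/* Parse "addr: b0 b1 ... b15"; 0 on success, -1 on a malformed row. */
static int parse_row(const char *row, uint64_t *base, uint8_t shadow[ROW_SHADOW_BYTES])
{
    char *end;
    *base = strtoull(row, &end, 16);
    if (end == row || *end != ':')
        return -1;
    const char *p = end + 1;
    for (int i = 0; i < ROW_SHADOW_BYTES; i++, p = end) {
        unsigned long v = strtoul(p, &end, 16);
        if (end == p || v > 0xff)
            return -1;
        shadow[i] = (uint8_t)v;
    }
    return 0;
}

/* Shadow byte describing memory address addr, or -1 if no row covers it. */
static int shadow_at(uint64_t addr)
{
    uint64_t base;
    uint8_t shadow[ROW_SHADOW_BYTES];
    for (size_t r = 0; r < sizeof report_rows / sizeof *report_rows; r++) {
        if (parse_row(report_rows[r], &base, shadow) != 0)
            return -1;
        if (addr >= base && addr < base + SHADOW_SCALE * ROW_SHADOW_BYTES)
            return shadow[(addr - base) / SHADOW_SCALE];
    }
    return -1;
}

/* First poisoned shadow byte hit by an access of size bytes at addr (0: all
 * live, -1: outside the dumped rows). KASAN names the report after this byte,
 * which is why the "Freed by" stack plays no part in the bug type. */
static int first_bad_shadow(uint64_t addr, size_t size)
{
    for (uint64_t a = addr; a < addr + size; a++) {
        int s = shadow_at(a);
        if (s == 0)
            continue;                           /* whole 8-byte granule live */
        if (s > 0 && s < SHADOW_SCALE && (int)(a % SHADOW_SCALE) < s)
            continue;                           /* inside a partially live granule */
        return s;
    }
    return 0;
}

static const char *bug_type(int shadow)
{
    switch (shadow) {
    case KASAN_KMALLOC_REDZONE: return "slab-out-of-bounds";
    case KASAN_KMALLOC_FREE:    return "use-after-free";
    case 0:                     return "addressable";
    default:                    return "other";
    }
}

/* Walk from start until the shadow stops being live: for a live kmalloc object
 * that is the end of the size actually requested, which the "4096-byte region"
 * line (the slab slot size) does not tell you. */
static uint64_t addressable_end(uint64_t start)
{
    uint64_t a = start & ~(uint64_t)(SHADOW_SCALE - 1);
    int s;
    while ((s = shadow_at(a)) == 0)
        a += SHADOW_SCALE;
    return (s > 0 && s < SHADOW_SCALE) ? a + (uint64_t)s : a;
}

int main(void)
{
    const uint64_t fault = 0xffff888094b0aa10ULL, object = 0xffff888094b0a000ULL;
    int s = first_bad_shadow(fault, 16);                   /* "Read of size 16 at addr" */
    uint64_t end = addressable_end(0xffff888094b0a900ULL); /* from the first dumped row */
    printf("shadow 0x%02x -> %s; object live for %llu bytes, read starts at offset %llu\n",
           s, bug_type(s), (unsigned long long)(end - object), (unsigned long long)(fault - object));
    return 0;
}
```

On the quoted rows it classifies the fault as slab-out-of-bounds and finds the live part of the object ending exactly at the faulting address: the 16-byte read begins at offset 2576, the first byte past what was actually allocated, while the 4096-byte region in the report is only the kmalloc-4k slot size.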
mm/kasan/common.c:473 > > kasan_slab_free+0xe/0x10 mm/kasan/common.c:482 > > __cache_free mm/slab.c:3426 [inline] > > kfree+0x10a/0x2c0 mm/slab.c:3757 > > tomoyo_init_log+0x15c1/0x2070 security/tomoyo/audit.c:294 > > tomoyo_supervisor+0x33f/0xef0 security/tomoyo/common.c:2095 > > tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline] > > tomoyo_env_perm+0x18e/0x210 security/tomoyo/environ.c:63 > > tomoyo_environ security/tomoyo/domain.c:670 [inline] > > tomoyo_find_next_domain+0x1354/0x1f6c security/tomoyo/domain.c:876 > > tomoyo_bprm_check_security security/tomoyo/tomoyo.c:107 [inline] > > tomoyo_bprm_check_security+0x124/0x1a0 security/tomoyo/tomoyo.c:97 > > security_bprm_check+0x63/0xb0 security/security.c:784 > > search_binary_handler+0x71/0x570 fs/exec.c:1645 > > exec_binprm fs/exec.c:1701 [inline] > > __do_execve_file.isra.0+0x1329/0x22b0 fs/exec.c:1821 > > do_execveat_common fs/exec.c:1867 [inline] > > do_execve fs/exec.c:1884 [inline] > > __do_sys_execve fs/exec.c:1960 [inline] > > __se_sys_execve fs/exec.c:1955 [inline] > > __x64_sys_execve+0x8f/0xc0 fs/exec.c:1955 > > do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 > > entry_SYSCALL_64_after_hwframe+0x49/0xbe > > > > The buggy address belongs to the object at ffff888094b0a000 > > which belongs to the cache kmalloc-4k of size 4096 > > The buggy address is located 2576 bytes inside of > > 4096-byte region [ffff888094b0a000, ffff888094b0b000) > > The buggy address belongs to the page: > > page:ffffea000252c280 refcount:1 mapcount:0 mapping:ffff8880aa402000 > > index:0x0 compound_mapcount: 0 > > raw: 00fffe0000010200 ffffea0002a3ae08 ffffea0002a6aa88 ffff8880aa402000 > > raw: 0000000000000000 ffff888094b0a000 0000000100000001 0000000000000000 > > page dumped because: kasan: bad access detected > > > > Memory state around the buggy address: > > ffff888094b0a900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > > ffff888094b0a980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > > > ffff888094b0aa00: 
00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc > > ^ > > ffff888094b0aa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > > ffff888094b0ab00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > > ================================================================== > > > > > > --- > > This bug is generated by a bot. It may contain errors. > > See https://goo.gl/tpsmEJ for more information about syzbot. > > syzbot engineers can be reached at syzkaller@googlegroups.com. > > > > syzbot will keep track of this bug report. See: > > https://goo.gl/tpsmEJ#status for how to communicate with syzbot. > > syzbot can test patches for this bug, for details see: > > https://goo.gl/tpsmEJ#testing-patches ^ permalink raw reply [flat|nested] 53+ messages in thread
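The exchange above turns on how to read the shadow dump at the bottom of a KASAN report, so here is an added example (not code from the thread, from syzbot or from the kernel) that decodes it the way Dmitry does. Generic KASAN keeps one shadow byte per 8-byte granule, and the values defined in mm/kasan/kasan.h separate the cases that got conflated: 00 is fully accessible, 01..07 means only the first N bytes of the granule are valid, fc is the kmalloc redzone past a still-live object, fb is a freed object. The five "Memory state" rows, the 16-byte read at ffff888094b0aa10 and the object base ffff888094b0a000 are copied from the report; the function names, the struct diag result (kind of poison hit, bytes of the access that are poisoned, where live data ends, and the allocation size that implies) and the partial-granule handling are the example's own. It goes beyond this one report in handling partial granules and the fb case, so the same code tells a use-after-free report apart.

```c
#include <stdint.h>
#include <stdlib.h>
/* Generic-KASAN shadow encoding (mm/kasan/kasan.h), one shadow byte per 8-byte granule:
 * 00 = all 8 bytes accessible, 01..07 = only the first N bytes accessible, fc = kmalloc
 * redzone (object still live, access ran off its end), fb = freed object (use-after-free). */
enum { GRANULE = 8, SHADOW_PER_ROW = 16, KMALLOC_REDZONE = 0xFC, KMALLOC_FREE = 0xFB, N_ROWS = 5 };
enum kasan_kind { KIND_ACCESSIBLE, KIND_PARTIAL, KIND_OOB_REDZONE, KIND_UAF, KIND_OTHER_POISON };
struct shadow_row { uint64_t base; uint8_t sh[SHADOW_PER_ROW]; };
struct diag { enum kasan_kind kind; size_t poisoned_bytes; uint64_t live_end, inferred_alloc_size; };

/* Parse one dump row such as ">ffff888094b0aa00: 00 00 fc fc ... fc" (16 shadow bytes). */
static int parse_shadow_row(const char *line, struct shadow_row *row)
{
    char *end;
    line += (*line == '>');                      /* KASAN marks the faulting row with '>' */
    row->base = strtoull(line, &end, 16);
    if (end == line || *end++ != ':')
        return -1;
    for (int i = 0; i < SHADOW_PER_ROW; i++) {   /* strtoul skips the separating blanks */
        const char *p = end;
        unsigned long v = strtoul(p, &end, 16);
        if (end == p || v > 0xff)
            return -1;
        row->sh[i] = (uint8_t)v;
    }
    return 0;
}

/* Shadow byte covering addr, or -1 if the dump does not include it. */
static int shadow_at(const struct shadow_row *rows, size_t n, uint64_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= rows[i].base && addr - rows[i].base < SHADOW_PER_ROW * GRANULE)
            return rows[i].sh[(addr - rows[i].base) / GRANULE];
    return -1;
}

static enum kasan_kind classify(uint8_t sh)
{
    if (sh == 0)               return KIND_ACCESSIBLE;
    if (sh < GRANULE)          return KIND_PARTIAL;
    if (sh == KMALLOC_REDZONE) return KIND_OOB_REDZONE;
    return sh == KMALLOC_FREE ? KIND_UAF : KIND_OTHER_POISON;
}

/* Walk back from the first bad byte over poisoned granules to where the live data ends. */
static uint64_t find_live_end(const struct shadow_row *rows, size_t n, uint64_t bad)
{
    uint64_t g = bad & ~(uint64_t)(GRANULE - 1);
    int sh = shadow_at(rows, n, g);
    if (sh > 0 && sh < GRANULE)
        return g + (uint64_t)sh;                 /* bad byte is the tail of a partial granule */
    for (int prev; (prev = shadow_at(rows, n, g - GRANULE)) > 0; g -= GRANULE)
        if (prev < GRANULE)
            return g - GRANULE + (uint64_t)prev; /* partial granule right below the poison */
    return g;                                    /* live granule below, or the dump ends here */
}

static int diagnose(const struct shadow_row *rows, size_t n, uint64_t access_addr,
                    size_t access_size, uint64_t obj_base, struct diag *d)
{
    uint64_t first_bad = 0;
    *d = (struct diag){ .kind = KIND_ACCESSIBLE };
    for (size_t i = 0; i < access_size; i++) {
        uint64_t a = access_addr + i;
        int sh = shadow_at(rows, n, a);
        if (sh < 0)
            return -1;                           /* dump does not cover the whole access */
        /* poisoned: fully poisoned granule, or past the N valid bytes of a partial one */
        if ((sh >= GRANULE || (sh > 0 && a % GRANULE >= (uint64_t)sh)) && d->poisoned_bytes++ == 0)
            first_bad = a;
    }
    if (d->poisoned_bytes == 0)
        return 0;
    int sh = shadow_at(rows, n, first_bad);
    if (sh > 0 && sh < GRANULE)                  /* tail of a partial granule: the poison code */
        sh = shadow_at(rows, n, (first_bad | (GRANULE - 1)) + 1); /* is the next granule's */
    d->kind = sh < 0 ? KIND_OTHER_POISON : classify((uint8_t)sh);
    d->live_end = find_live_end(rows, n, first_bad);
    d->inferred_alloc_size = d->live_end - obj_base;
    return 0;
}

/* Constructed input, copied from the report above (the "^" pointer line dropped), checked
 * against its "Read of size 16 at addr ffff888094b0aa10" and "object at ffff888094b0a000". */
static const char *report_rows[N_ROWS] = {
    "ffff888094b0a900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
    "ffff888094b0a980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
    ">ffff888094b0aa00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
    "ffff888094b0aa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
    "ffff888094b0ab00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
};

static int diagnose_fbcon_report(struct diag *d)
{
    struct shadow_row rows[N_ROWS];
    for (size_t i = 0; i < N_ROWS; i++)
        if (parse_shadow_row(report_rows[i], &rows[i]) != 0)
            return -1;
    return diagnose(rows, N_ROWS, 0xffff888094b0aa10ULL, 16, 0xffff888094b0a000ULL, d);
}
```

diagnose_fbcon_report() fills the struct with kind == KIND_OOB_REDZONE, poisoned_bytes == 16, live_end == 0xffff888094b0aa10 and inferred_alloc_size == 2576: the shadow under the caret is fc, not fb, so the object is live and the memcpy runs off its end; the live data stops exactly at the faulting address, so the kmalloc was 0xa10 = 2576 bytes carved from a kmalloc-4k slot, which is why the report says the address lies "2576 bytes inside of" the 4096-byte region. The "Freed by" stack describes an earlier tenant of that slot, as Dmitry says. In a genuine use-after-free the bytes under the caret would read fb and classify() would return KIND_UAF, and then the free stack is the one to read.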
* Re: KASAN: slab-out-of-bounds Read in fbcon_get_font 2019-12-04 6:33 ` Dmitry Vyukov (?) @ 2019-12-04 9:15 ` Daniel Vetter -1 siblings, 0 replies; 53+ messages in thread From: Daniel Vetter @ 2019-12-04 9:15 UTC (permalink / raw) To: Dmitry Vyukov Cc: kasan-dev, Andrey Ryabinin, syzbot, Kentaro Takeda, Tetsuo Handa, James Morris, Serge E. Hallyn, linux-security-module, Bartlomiej Zolnierkiewicz, Daniel Thompson, dri-devel, ghalat, Linux Fbdev development list, Linux Kernel Mailing List, Maarten Lankhorst, Sam Ravnborg, syzkaller-bugs On Wed, Dec 4, 2019 at 7:33 AM Dmitry Vyukov <dvyukov@google.com> wrote: > > On Tue, Dec 3, 2019 at 11:37 PM Daniel Vetter <daniel.vetter@ffwll.ch> wrote: > > > > On Tue, Dec 3, 2019 at 11:25 PM syzbot > > <syzbot+4455ca3b3291de891abc@syzkaller.appspotmail.com> wrote: > > > > > > Hello, > > > > > > syzbot found the following crash on: > > > > > > HEAD commit: 76bb8b05 Merge tag 'kbuild-v5.5' of git://git.kernel.org/p.. > > > git tree: upstream > > > console output: https://syzkaller.appspot.com/x/log.txt?x=10bfe282e00000 > > > kernel config: https://syzkaller.appspot.com/x/.config?x=dd226651cb0f364b > > > dashboard link: https://syzkaller.appspot.com/bug?extid=4455ca3b3291de891abc > > > compiler: gcc (GCC) 9.0.0 20181231 (experimental) > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11181edae00000 > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=105cbb7ae00000 > > > > > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > > > Reported-by: syzbot+4455ca3b3291de891abc@syzkaller.appspotmail.com > > > > > > ================================================================== > > > BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:380 [inline] > > > BUG: KASAN: slab-out-of-bounds in fbcon_get_font+0x2b2/0x5e0 > > > drivers/video/fbdev/core/fbcon.c:2465 > > > Read of size 16 at addr ffff888094b0aa10 by task syz-executor414/9999 > > > > So fbcon allocates some memory, 
security/tomoyo goes around and frees > > it, fbcon goes boom because the memory is gone. I'm kinda leaning > > towards "not an fbcon bug". Adding relevant security folks and mailing > > lists. > > > > But from a very quick look in tomoyo it looks more like "machine on > > fire, random corruption all over". No idea what's going on here. > > Hi Daniel, > > This is an out-of-bounds access, not use-after-free. > I don't know why we print the free stack at all (maybe +Andrey knows), > but that's what KASAN did from day one. I filed > https://bugzilla.kernel.org/show_bug.cgi?id=198425 which I think is a > good idea, I will add your confusion as a data point :) > Re this bug, free stack is irrelevant, I guess it's when the heap > block was freed before it was reallocated by console. So it's plain > out-of-bounds in fbcon_get_font, which looks sane and consistent to me > and reproducible on top. Ugh, that's indeed very confusing, thanks for explaining. -Daniel > > > > > CPU: 0 PID: 9999 Comm: syz-executor414 Not tainted 5.4.0-syzkaller #0 > > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS > > > Google 01/01/2011 > > > Call Trace: > > > __dump_stack lib/dump_stack.c:77 [inline] > > > dump_stack+0x197/0x210 lib/dump_stack.c:118 > > > print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374 > > > __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506 > > > kasan_report+0x12/0x20 mm/kasan/common.c:638 > > > check_memory_region_inline mm/kasan/generic.c:185 [inline] > > > check_memory_region+0x134/0x1a0 mm/kasan/generic.c:192 > > > memcpy+0x24/0x50 mm/kasan/common.c:124 > > > memcpy include/linux/string.h:380 [inline] > > > fbcon_get_font+0x2b2/0x5e0 drivers/video/fbdev/core/fbcon.c:2465 > > > con_font_get drivers/tty/vt/vt.c:4446 [inline] > > > con_font_op+0x20b/0x1250 drivers/tty/vt/vt.c:4605 > > > vt_ioctl+0x181a/0x26d0 drivers/tty/vt/vt_ioctl.c:965 > > > tty_ioctl+0xa37/0x14f0 drivers/tty/tty_io.c:2658 > > > vfs_ioctl
fs/ioctl.c:47 [inline] > > > file_ioctl fs/ioctl.c:545 [inline] > > > do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732 > > > ksys_ioctl+0xab/0xd0 fs/ioctl.c:749 > > > __do_sys_ioctl fs/ioctl.c:756 [inline] > > > __se_sys_ioctl fs/ioctl.c:754 [inline] > > > __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754 > > > do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 > > > entry_SYSCALL_64_after_hwframe+0x49/0xbe > > > RIP: 0033:0x4444d9 > > > Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 > > > 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff > > > ff 0f 83 7b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 > > > RSP: 002b:00007fff6f4393b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 > > > RAX: ffffffffffffffda RBX: 00007fff6f4393c0 RCX: 00000000004444d9 > > > RDX: 0000000020000440 RSI: 0000000000004b72 RDI: 0000000000000005 > > > RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000400da0 > > > R10: 00007fff6f438f00 R11: 0000000000000246 R12: 00000000004021e0 > > > R13: 0000000000402270 R14: 0000000000000000 R15: 0000000000000000 > > > > > > Allocated by task 9999: > > > save_stack+0x23/0x90 mm/kasan/common.c:71 > > > set_track mm/kasan/common.c:79 [inline] > > > __kasan_kmalloc mm/kasan/common.c:512 [inline] > > > __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:485 > > > kasan_kmalloc+0x9/0x10 mm/kasan/common.c:526 > > > __do_kmalloc mm/slab.c:3656 [inline] > > > __kmalloc+0x163/0x770 mm/slab.c:3665 > > > kmalloc include/linux/slab.h:561 [inline] > > > fbcon_set_font+0x32d/0x860 drivers/video/fbdev/core/fbcon.c:2663 > > > con_font_set drivers/tty/vt/vt.c:4538 [inline] > > > con_font_op+0xe18/0x1250 drivers/tty/vt/vt.c:4603 > > > vt_ioctl+0xd2e/0x26d0 drivers/tty/vt/vt_ioctl.c:913 > > > tty_ioctl+0xa37/0x14f0 drivers/tty/tty_io.c:2658 > > > vfs_ioctl fs/ioctl.c:47 [inline] > > > file_ioctl fs/ioctl.c:545 [inline] > > > do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732 > > > ksys_ioctl+0xab/0xd0 fs/ioctl.c:749 > > > __do_sys_ioctl 
fs/ioctl.c:756 [inline] > > > __se_sys_ioctl fs/ioctl.c:754 [inline] > > > __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754 > > > do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 > > > entry_SYSCALL_64_after_hwframe+0x49/0xbe > > > > > > Freed by task 9771: > > > save_stack+0x23/0x90 mm/kasan/common.c:71 > > > set_track mm/kasan/common.c:79 [inline] > > > kasan_set_free_info mm/kasan/common.c:334 [inline] > > > __kasan_slab_free+0x102/0x150 mm/kasan/common.c:473 > > > kasan_slab_free+0xe/0x10 mm/kasan/common.c:482 > > > __cache_free mm/slab.c:3426 [inline] > > > kfree+0x10a/0x2c0 mm/slab.c:3757 > > > tomoyo_init_log+0x15c1/0x2070 security/tomoyo/audit.c:294 > > > tomoyo_supervisor+0x33f/0xef0 security/tomoyo/common.c:2095 > > > tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline] > > > tomoyo_env_perm+0x18e/0x210 security/tomoyo/environ.c:63 > > > tomoyo_environ security/tomoyo/domain.c:670 [inline] > > > tomoyo_find_next_domain+0x1354/0x1f6c security/tomoyo/domain.c:876 > > > tomoyo_bprm_check_security security/tomoyo/tomoyo.c:107 [inline] > > > tomoyo_bprm_check_security+0x124/0x1a0 security/tomoyo/tomoyo.c:97 > > > security_bprm_check+0x63/0xb0 security/security.c:784 > > > search_binary_handler+0x71/0x570 fs/exec.c:1645 > > > exec_binprm fs/exec.c:1701 [inline] > > > __do_execve_file.isra.0+0x1329/0x22b0 fs/exec.c:1821 > > > do_execveat_common fs/exec.c:1867 [inline] > > > do_execve fs/exec.c:1884 [inline] > > > __do_sys_execve fs/exec.c:1960 [inline] > > > __se_sys_execve fs/exec.c:1955 [inline] > > > __x64_sys_execve+0x8f/0xc0 fs/exec.c:1955 > > > do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 > > > entry_SYSCALL_64_after_hwframe+0x49/0xbe > > > > > > The buggy address belongs to the object at ffff888094b0a000 > > > which belongs to the cache kmalloc-4k of size 4096 > > > The buggy address is located 2576 bytes inside of > > > 4096-byte region [ffff888094b0a000, ffff888094b0b000) > > > The buggy address belongs to the page: > > > page:ffffea000252c280 
refcount:1 mapcount:0 mapping:ffff8880aa402000 > > > index:0x0 compound_mapcount: 0 > > > raw: 00fffe0000010200 ffffea0002a3ae08 ffffea0002a6aa88 ffff8880aa402000 > > > raw: 0000000000000000 ffff888094b0a000 0000000100000001 0000000000000000 > > > page dumped because: kasan: bad access detected > > > > > > Memory state around the buggy address: > > > ffff888094b0a900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > > > ffff888094b0a980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > > > > ffff888094b0aa00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc > > > ^ > > > ffff888094b0aa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > > > ffff888094b0ab00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > > > ================================================================== > > > > > > > > > --- > > > This bug is generated by a bot. It may contain errors. > > > See https://goo.gl/tpsmEJ for more information about syzbot. > > > syzbot engineers can be reached at syzkaller@googlegroups.com. > > > > > > syzbot will keep track of this bug report. See: > > > https://goo.gl/tpsmEJ#status for how to communicate with syzbot. > > > syzbot can test patches for this bug, for details see: > > > https://goo.gl/tpsmEJ#testing-patches -- Daniel Vetter Software Engineer, Intel Corporation +41 (0) 79 365 57 48 - http://blog.ffwll.ch ^ permalink raw reply [flat|nested] 53+ messages in thread
* Re: KASAN: slab-out-of-bounds Read in fbcon_get_font
  2019-12-04  6:33     ` Dmitry Vyukov
  (?)
@ 2019-12-04 20:49     ` Andrey Ryabinin
  -1 siblings, 0 replies; 53+ messages in thread
From: Andrey Ryabinin @ 2019-12-04 20:49 UTC (permalink / raw)
  To: Dmitry Vyukov, Daniel Vetter, kasan-dev
  Cc: syzbot, Kentaro Takeda, Tetsuo Handa, James Morris, Serge E. Hallyn,
	linux-security-module, Bartlomiej Zolnierkiewicz, Daniel Thompson,
	dri-devel, ghalat, Linux Fbdev development list,
	Linux Kernel Mailing List, Maarten Lankhorst, Sam Ravnborg,
	syzkaller-bugs

On 12/4/19 9:33 AM, Dmitry Vyukov wrote:
> On Tue, Dec 3, 2019 at 11:37 PM Daniel Vetter <daniel.vetter@ffwll.ch> wrote:
>>
>> On Tue, Dec 3, 2019 at 11:25 PM syzbot
>> <syzbot+4455ca3b3291de891abc@syzkaller.appspotmail.com> wrote:
>>>
>>> Hello,
>>>
>>> syzbot found the following crash on:
>>>
>>> HEAD commit:    76bb8b05 Merge tag 'kbuild-v5.5' of git://git.kernel.org/p..
>>> git tree:       upstream
>>> console output: https://syzkaller.appspot.com/x/log.txt?x=10bfe282e00000
>>> kernel config:  https://syzkaller.appspot.com/x/.config?x=dd226651cb0f364b
>>> dashboard link: https://syzkaller.appspot.com/bug?extid=4455ca3b3291de891abc
>>> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
>>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11181edae00000
>>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=105cbb7ae00000
>>>
>>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>>> Reported-by: syzbot+4455ca3b3291de891abc@syzkaller.appspotmail.com
>>>
>>> ==================================================================
>>> BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:380 [inline]
>>> BUG: KASAN: slab-out-of-bounds in fbcon_get_font+0x2b2/0x5e0
>>> drivers/video/fbdev/core/fbcon.c:2465
>>> Read of size 16 at addr ffff888094b0aa10 by task syz-executor414/9999
>>
>> So fbcon allocates some memory, security/tomoyo goes around and frees
>> it, fbcon goes boom because the memory is gone. I'm kinda leaning
>> towards "not an fbcon bug". Adding relevant security folks and mailing
>> lists.
>>
>> But from a very quick look in tomoyo it looks more like "machine on
>> fire, random corruption all over". No idea what's going on here.
>
> Hi Daniel,
>
> This is an out-of-bounds access, not use-after-free.
> I don't know why we print the free stack at all (maybe +Andrey knows),
> but that's what KASAN did from day one. I filed
> https://bugzilla.kernel.org/show_bug.cgi?id=198425 which I think is a
> good idea, I will add your confusion as a data point :)

Because we have that information (free stack) and it is usually better to
provide all the information we have rather than hide it. You never know
what information might be needed to fix the bug. Free memory might be
reused, and what we report as OOB might be a UAF; the free stack could be
useful in such a case.

^ permalink raw reply	[flat|nested] 53+ messages in thread
* Re: KASAN: slab-out-of-bounds Read in fbcon_get_font
  2019-12-03 22:25 ` syzbot
  (?)
@ 2019-12-04 21:41 ` syzbot
  -1 siblings, 0 replies; 53+ messages in thread
From: syzbot @ 2019-12-04 21:41 UTC (permalink / raw)
  To: aryabinin, b.zolnierkie, daniel.thompson, daniel.vetter, dri-devel,
	dvyukov, ghalat, gleb, gwshan, hpa, jmorris, kasan-dev, kvm,
	linux-fbdev, linux-kernel, linux-security-module, maarten.lankhorst,
	mingo, mpe, pbonzini, penguin-kernel, ruscur, sam, serge, stewart,
	syzkaller-bugs, takedakn, tglx, x86

syzbot has bisected this bug to:

commit 2de50e9674fc4ca3c6174b04477f69eb26b4ee31
Author: Russell Currey <ruscur@russell.cc>
Date:   Mon Feb 8 04:08:20 2016 +0000

    powerpc/powernv: Remove support for p5ioc2

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=127a042ae00000
start commit:   76bb8b05 Merge tag 'kbuild-v5.5' of git://git.kernel.org/p..
git tree:       upstream
final crash:    https://syzkaller.appspot.com/x/report.txt?x=117a042ae00000
console output: https://syzkaller.appspot.com/x/log.txt?x=167a042ae00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=dd226651cb0f364b
dashboard link: https://syzkaller.appspot.com/bug?extid=4455ca3b3291de891abc
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11181edae00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=105cbb7ae00000

Reported-by: syzbot+4455ca3b3291de891abc@syzkaller.appspotmail.com
Fixes: 2de50e9674fc ("powerpc/powernv: Remove support for p5ioc2")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

^ permalink raw reply	[flat|nested] 53+ messages in thread
* Re: KASAN: slab-out-of-bounds Read in fbcon_get_font 2019-12-04 21:41 ` syzbot @ 2019-12-05 1:59 ` Tetsuo Handa -1 siblings, 0 replies; 53+ messages in thread From: Tetsuo Handa @ 2019-12-05 1:59 UTC (permalink / raw) To: Bartlomiej Zolnierkiewicz, Daniel Vetter, Maarten Lankhorst, Sam Ravnborg, Grzegorz Halat Cc: syzbot, aryabinin, daniel.thompson, dri-devel, dvyukov, gleb, gwshan, hpa, jmorris, kasan-dev, kvm, linux-fbdev, linux-kernel, linux-security-module, mingo, mpe, pbonzini, ruscur, serge, stewart, syzkaller-bugs, takedakn, tglx, x86 Hello. syzbot is reporting that memory allocation size at fbcon_set_font() is too small because font's height is rounded up from 10 to 16 after memory allocation. ---------- diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c index c9235a2f42f8..68fe66e435d3 100644 --- a/drivers/video/fbdev/core/fbcon.c +++ b/drivers/video/fbdev/core/fbcon.c @@ -2461,6 +2461,7 @@ static int fbcon_get_font(struct vc_data *vc, struct console_font *font) if (font->width <= 8) { j = vc->vc_font.height; + printk("ksize(fontdata)=%lu font->charcount=%d vc->vc_font.height=%d font->width=%u\n", ksize(fontdata), font->charcount, j, font->width); for (i = 0; i < font->charcount; i++) { memcpy(data, fontdata, j); memset(data + j, 0, 32 - j); 
@@ -2661,6 +2662,8 @@ static int fbcon_set_font(struct vc_data *vc, struct console_font *font, size = h * pitch * charcount; new_data = kmalloc(FONT_EXTRA_WORDS * sizeof(int) + size, GFP_USER); + if (new_data) + printk("ksize(new_data)=%lu h=%u pitch=%u charcount=%u font->width=%u\n", ksize(new_data), h, pitch, charcount, font->width); if (!new_data) return -ENOMEM; ---------- Normal usage: [ 27.305293] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8 [ 27.328527] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8 [ 27.362551] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8 [ 27.385084] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8 [ 27.387653] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8 [ 27.417562] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8 [ 27.437808] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8 [ 27.440738] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8 [ 27.461157] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8 [ 27.495346] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8 [ 27.607372] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8 [ 27.655674] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8 [ 27.675310] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8 [ 27.702193] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8 syzbot's testcase: [ 115.784893] ksize(new_data)=4096 h=10 pitch=1 charcount=256 font->width=8 [ 115.790269] ksize(fontdata)=4096 font->charcount=256 vc->vc_font.height=16 font->width=8 ^ permalink raw reply related [flat|nested] 53+ messages in thread
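Review bot: In the fbcon_get_font hunk the copy length j is taken from vc->vc_font.height and fontdata also advances by j, so the loop reads vc_font.height * charcount bytes no matter how many bytes per glyph the buffer was actually filled with; the debug line confirms the mismatch (vc_font.height=16 against a region allocated for h=10), and a lasting fix has to tie the copy length to the height the font was stored with rather than to the console's current height. Small format nit in the added printk: ksize() returns size_t, so `%zu` is the right specifier instead of `%lu`, and font->charcount is unsigned, so `%u` rather than `%d`.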
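Review bot: In the fbcon_set_font hunk `size = h * pitch * charcount` is evaluated with the caller's h before the height is rounded up, so the kmalloc() is undersized whenever that rounding happens afterwards; the two log lines make this explicit (h=10 at allocation, vc_font.height=16 at read-back), which puts the first byte past the requested allocation at FONT_EXTRA_WORDS * sizeof(int) + 10 * 256 = 2576, the offset the KASAN report gives. The allocation should be derived from the height the console will actually use, or the mismatch rejected before fbcon_get_font() can observe it. Minor: the added `if (new_data)` guard duplicates the `if (!new_data) return -ENOMEM;` directly below it; placing the printk after that check avoids the second test.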
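A user-space model of the size mismatch Tetsuo describes, added here as an example (it is neither kernel code nor his debug patch): it repeats the kmalloc() size arithmetic of fbcon_set_font() and the copy loop of fbcon_get_font(), reports the offset of the first out-of-bounds read instead of performing it, and shows an illustrative bounds check that is not the upstream fix. FONT_EXTRA_WORDS is the kernel's value (4); the struct, function and remaining macro names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FONT_EXTRA_WORDS 4  /* header ints in front of the glyph data, as in fbcon */
#define GLYPH_STRIDE 32     /* console_font data carries 32 bytes per glyph */
#define CHARCOUNT 256       /* charcount in syzbot's test case and in normal use */

/* Model (hypothetical names) of the buffer fbcon_set_font() allocates. */
struct font_buf {
	unsigned char *base;    /* start of the allocation, what kmalloc() returned */
	unsigned char *data;    /* base + header: the fontdata that fbcon_get_font() reads */
	size_t alloc_size;      /* bytes requested from kmalloc() */
	size_t data_size;       /* h * pitch * charcount, the size the glyphs were stored with */
	unsigned int charcount;
};

/* Same arithmetic as the kmalloc() size in fbcon_set_font(): driven by the requested h. */
size_t font_alloc_size(unsigned int h, unsigned int pitch, unsigned int charcount)
{
	return FONT_EXTRA_WORDS * sizeof(int) + (size_t)h * pitch * charcount;
}

static struct font_buf *model_set_font(unsigned int h, unsigned int pitch, unsigned int charcount)
{
	struct font_buf *fb = calloc(1, sizeof(*fb));
	if (!fb)
		return NULL;
	fb->alloc_size = font_alloc_size(h, pitch, charcount);
	fb->data_size = (size_t)h * pitch * charcount;
	fb->charcount = charcount;
	fb->base = calloc(1, fb->alloc_size);
	if (!fb->base) {
		free(fb);
		return NULL;
	}
	fb->data = fb->base + FONT_EXTRA_WORDS * sizeof(int);
	return fb;
}

static void model_free_font(struct font_buf *fb)
{
	if (fb)
		free(fb->base);
	free(fb);
}

/*
 * The width <= 8 loop of fbcon_get_font(): copy vc_height bytes per glyph, zero-pad
 * to 32, advance the source by vc_height. Unlike the kernel it checks every read:
 * -1 means every read stayed inside the allocation; otherwise it returns the offset,
 * from the start of the allocation, of the first byte the real loop would read out
 * of bounds (the "N bytes inside of" figure KASAN prints) and stops there.
 */
static long model_get_font(const struct font_buf *fb, unsigned int vc_height, unsigned char *out)
{
	const unsigned char *src = fb->data;
	const unsigned char *end = fb->base + fb->alloc_size;
	unsigned int j = vc_height;
	if (j > GLYPH_STRIDE)
		return -2;	/* such a glyph cannot be padded to 32 bytes; reject it */
	for (unsigned int i = 0; i < fb->charcount; i++) {
		if ((size_t)(end - src) < j)	/* src never passes end, so the bad byte is end */
			return (long)fb->alloc_size;
		memcpy(out, src, j);
		memset(out + j, 0, GLYPH_STRIDE - j);
		out += GLYPH_STRIDE;
		src += j;
	}
	return -1;
}

/*
 * Illustrative hardened form (an added check, not the upstream fix): recover the
 * per-glyph size the buffer was stored with (pitch is 1 for width <= 8) and refuse
 * the copy when the console's current height is larger. Returns 0 ok, -1 refused.
 */
static int model_get_font_checked(const struct font_buf *fb, unsigned int vc_height, unsigned char *out)
{
	size_t stored_h = fb->charcount ? fb->data_size / fb->charcount : 0;
	if (vc_height > stored_h || vc_height > GLYPH_STRIDE)
		return -1;
	return model_get_font(fb, vc_height, out) == -1 ? 0 : -1;
}

/* Store a font with height h, then read it back as the console would at vc_height. */
long demo_get_font(unsigned int h, unsigned int vc_height, int checked)
{
	unsigned char out[CHARCOUNT * GLYPH_STRIDE];
	struct font_buf *fb = model_set_font(h, 1, CHARCOUNT);
	long r;
	if (!fb)
		return -3;
	r = checked ? model_get_font_checked(fb, vc_height, out) : model_get_font(fb, vc_height, out);
	model_free_font(fb);
	return r;
}

int main(void)
{
	/* syzbot's case: stored with h=10, read back after the height became 16 */
	printf("h=10: alloc %zu bytes, first OOB read at offset %ld, checked read %ld\n",
	       font_alloc_size(10, 1, CHARCOUNT), demo_get_font(10, 16, 0), demo_get_font(10, 16, 1));
	/* normal use: stored with h=16 and read back at 16 */
	printf("h=16: alloc %zu bytes, OOB offset %ld\n", font_alloc_size(16, 1, CHARCOUNT), demo_get_font(16, 16, 0));
	return 0;
}
```

For h=10 the model reports the first bad read at offset 2576, the same "2576 bytes inside of" figure as the KASAN report above, and the checked variant refuses that read while accepting the matching h=10 and h=16 cases.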
* Re: KASAN: slab-out-of-bounds Read in fbcon_get_font
  2019-12-04 21:41 ` syzbot
  (?)
@ 2019-12-05 10:13 ` Paolo Bonzini
  -1 siblings, 0 replies; 53+ messages in thread
From: Paolo Bonzini @ 2019-12-05 10:13 UTC (permalink / raw)
  To: syzbot, aryabinin, b.zolnierkie, daniel.thompson, daniel.vetter,
	dri-devel, dvyukov, ghalat, gleb, gwshan, hpa, jmorris, kasan-dev,
	kvm, linux-fbdev, linux-kernel, linux-security-module,
	maarten.lankhorst, mingo, mpe, penguin-kernel, ruscur, sam, serge,
	stewart, syzkaller-bugs, takedakn, tglx, x86

On 04/12/19 22:41, syzbot wrote:
> syzbot has bisected this bug to:
>
> commit 2de50e9674fc4ca3c6174b04477f69eb26b4ee31
> Author: Russell Currey <ruscur@russell.cc>
> Date:   Mon Feb 8 04:08:20 2016 +0000
>
>     powerpc/powernv: Remove support for p5ioc2
>
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=127a042ae00000
> start commit:   76bb8b05 Merge tag 'kbuild-v5.5' of
> git://git.kernel.org/p..
> git tree:       upstream
> final crash:    https://syzkaller.appspot.com/x/report.txt?x=117a042ae00000
> console output: https://syzkaller.appspot.com/x/log.txt?x=167a042ae00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=dd226651cb0f364b
> dashboard link:
> https://syzkaller.appspot.com/bug?extid=4455ca3b3291de891abc
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11181edae00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=105cbb7ae00000
>
> Reported-by: syzbot+4455ca3b3291de891abc@syzkaller.appspotmail.com
> Fixes: 2de50e9674fc ("powerpc/powernv: Remove support for p5ioc2")
>
> For information about bisection process see:
> https://goo.gl/tpsmEJ#bisection
>

Why is everybody being CC'd, even if the bug has nothing to do with the
person's subsystem?

Thanks,

Paolo

^ permalink raw reply	[flat|nested] 53+ messages in thread
* Re: KASAN: slab-out-of-bounds Read in fbcon_get_font
  2019-12-05 10:13 ` Paolo Bonzini
  (?)
@ 2019-12-05 10:16 ` Dmitry Vyukov
  -1 siblings, 0 replies; 53+ messages in thread
From: Dmitry Vyukov @ 2019-12-05 10:16 UTC (permalink / raw)
  To: Paolo Bonzini
  Cc: syzbot, Andrey Ryabinin, Bartlomiej Zolnierkiewicz, Daniel Thompson,
	Daniel Vetter, DRI, ghalat, Gleb Natapov, gwshan, H. Peter Anvin,
	James Morris, kasan-dev, KVM list, Linux Fbdev development list, LKML,
	linux-security-module, Maarten Lankhorst, Ingo Molnar,
	Michael Ellerman, Tetsuo Handa, Russell Currey, Sam Ravnborg,
	Serge E. Hallyn, stewart, syzkaller-bugs, Kentaro Takeda,
	Thomas Gleixner, the arch/x86 maintainers

On Thu, Dec 5, 2019 at 11:13 AM Paolo Bonzini <pbonzini@redhat.com> wrote:
>
> On 04/12/19 22:41, syzbot wrote:
> > syzbot has bisected this bug to:
> >
> > commit 2de50e9674fc4ca3c6174b04477f69eb26b4ee31
> > Author: Russell Currey <ruscur@russell.cc>
> > Date:   Mon Feb 8 04:08:20 2016 +0000
> >
> >     powerpc/powernv: Remove support for p5ioc2
> >
> > bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=127a042ae00000
> > start commit:   76bb8b05 Merge tag 'kbuild-v5.5' of
> > git://git.kernel.org/p..
> > git tree:       upstream
> > final crash:    https://syzkaller.appspot.com/x/report.txt?x=117a042ae00000
> > console output: https://syzkaller.appspot.com/x/log.txt?x=167a042ae00000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=dd226651cb0f364b
> > dashboard link:
> > https://syzkaller.appspot.com/bug?extid=4455ca3b3291de891abc
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11181edae00000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=105cbb7ae00000
> >
> > Reported-by: syzbot+4455ca3b3291de891abc@syzkaller.appspotmail.com
> > Fixes: 2de50e9674fc ("powerpc/powernv: Remove support for p5ioc2")
> >
> > For information about bisection process see:
> > https://goo.gl/tpsmEJ#bisection
> >
>
> Why is everybody being CC'd, even if the bug has nothing to do with the
> person's subsystem?

The To list should be the intersection of 2 groups of emails: the result of
get_maintainers.pl on the file identified as the culprit in the crash
message + emails extracted from the bisected-to commit.

^ permalink raw reply	[flat|nested] 53+ messages in thread
* Re: KASAN: slab-out-of-bounds Read in fbcon_get_font
@ 2019-12-05 10:22 ` Paolo Bonzini
From: Paolo Bonzini @ 2019-12-05 10:22 UTC
To: Dmitry Vyukov
Cc: syzbot, Andrey Ryabinin, Bartlomiej Zolnierkiewicz, Daniel Thompson, Daniel Vetter, DRI, ghalat, Gleb Natapov, gwshan, H. Peter Anvin, James Morris, kasan-dev, KVM list, Linux Fbdev development list, LKML, linux-security-module, Maarten Lankhorst, Ingo Molnar, Michael Ellerman, Tetsuo Handa, Russell Currey, Sam Ravnborg, Serge E. Hallyn, stewart, syzkaller-bugs, Kentaro Takeda, Thomas Gleixner, the arch/x86 maintainers

On 05/12/19 11:16, Dmitry Vyukov wrote:
> On Thu, Dec 5, 2019 at 11:13 AM Paolo Bonzini <pbonzini@redhat.com> wrote:
>>
>> On 04/12/19 22:41, syzbot wrote:
>>> syzbot has bisected this bug to:
>>>
>>> commit 2de50e9674fc4ca3c6174b04477f69eb26b4ee31
>>> Author: Russell Currey <ruscur@russell.cc>
>>> Date: Mon Feb 8 04:08:20 2016 +0000
>>>
>>> powerpc/powernv: Remove support for p5ioc2
>>>
>>> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=127a042ae00000
>>> start commit: 76bb8b05 Merge tag 'kbuild-v5.5' of
>>> git://git.kernel.org/p..
>>> git tree: upstream
>>> final crash: https://syzkaller.appspot.com/x/report.txt?x=117a042ae00000
>>> console output: https://syzkaller.appspot.com/x/log.txt?x=167a042ae00000
>>> kernel config: https://syzkaller.appspot.com/x/.config?x=dd226651cb0f364b
>>> dashboard link: https://syzkaller.appspot.com/bug?extid=4455ca3b3291de891abc
>>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11181edae00000
>>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=105cbb7ae00000
>>>
>>> Reported-by: syzbot+4455ca3b3291de891abc@syzkaller.appspotmail.com
>>> Fixes: 2de50e9674fc ("powerpc/powernv: Remove support for p5ioc2")
>>>
>>> For information about bisection process see:
>>> https://goo.gl/tpsmEJ#bisection
>>>
>>
>> Why is everybody being CC'd, even if the bug has nothing to do with the
>> person's subsystem?
>
> The To list should be intersection of 2 groups of emails: result of
> get_maintainers.pl on the file identified as culprit in the crash
> message + emails extracted from the bisected to commit.

Ah, and because the machine is a KVM guest, kvm_wait appears in a lot of
backtrace and I get to share syzkaller's joy every time. :)

This bisect result is bogus, though Tetsuo found the bug anyway.
Perhaps you can exclude commits that only touch architectures other than
x86?

Paolo
* Re: KASAN: slab-out-of-bounds Read in fbcon_get_font
@ 2019-12-05 10:31 ` Dmitry Vyukov
From: Dmitry Vyukov @ 2019-12-05 10:31 UTC
To: Paolo Bonzini
Cc: syzbot, Andrey Ryabinin, Bartlomiej Zolnierkiewicz, Daniel Thompson, Daniel Vetter, DRI, ghalat, Gleb Natapov, gwshan, H. Peter Anvin, James Morris, kasan-dev, KVM list, Linux Fbdev development list, LKML, linux-security-module, Maarten Lankhorst, Ingo Molnar, Michael Ellerman, Tetsuo Handa, Russell Currey, Sam Ravnborg, Serge E. Hallyn, stewart, syzkaller-bugs, Kentaro Takeda, Thomas Gleixner, the arch/x86 maintainers

On Thu, Dec 5, 2019 at 11:22 AM Paolo Bonzini <pbonzini@redhat.com> wrote:
>
> On 05/12/19 11:16, Dmitry Vyukov wrote:
> > On Thu, Dec 5, 2019 at 11:13 AM Paolo Bonzini <pbonzini@redhat.com> wrote:
> >>
> >> On 04/12/19 22:41, syzbot wrote:
> >>> syzbot has bisected this bug to:
> >>>
> >>> commit 2de50e9674fc4ca3c6174b04477f69eb26b4ee31
> >>> Author: Russell Currey <ruscur@russell.cc>
> >>> Date: Mon Feb 8 04:08:20 2016 +0000
> >>>
> >>> powerpc/powernv: Remove support for p5ioc2
> >>>
> >>> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=127a042ae00000
> >>> start commit: 76bb8b05 Merge tag 'kbuild-v5.5' of
> >>> git://git.kernel.org/p..
> >>> git tree: upstream
> >>> final crash: https://syzkaller.appspot.com/x/report.txt?x=117a042ae00000
> >>> console output: https://syzkaller.appspot.com/x/log.txt?x=167a042ae00000
> >>> kernel config: https://syzkaller.appspot.com/x/.config?x=dd226651cb0f364b
> >>> dashboard link: https://syzkaller.appspot.com/bug?extid=4455ca3b3291de891abc
> >>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11181edae00000
> >>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=105cbb7ae00000
> >>>
> >>> Reported-by: syzbot+4455ca3b3291de891abc@syzkaller.appspotmail.com
> >>> Fixes: 2de50e9674fc ("powerpc/powernv: Remove support for p5ioc2")
> >>>
> >>> For information about bisection process see:
> >>> https://goo.gl/tpsmEJ#bisection
> >>>
> >>
> >> Why is everybody being CC'd, even if the bug has nothing to do with the
> >> person's subsystem?
> >
> > The To list should be intersection of 2 groups of emails: result of
> > get_maintainers.pl on the file identified as culprit in the crash
> > message + emails extracted from the bisected to commit.
>
> Ah, and because the machine is a KVM guest, kvm_wait appears in a lot of
> backtrace and I get to share syzkaller's joy every time. :)

I don't see any mention of "kvm" in the crash report. And it's only 1
file, not all of them, in this case I would expect it to be
drivers/video/fbdev/core/fbcon.c. So it should be something different.

> This bisect result is bogus, though Tetsuo found the bug anyway.
> Perhaps you can exclude commits that only touch architectures other than
> x86?

We do this. It works sometimes.
But sometimes it hits non-deterministic kernel build bugs:
https://github.com/google/syzkaller/issues/1271#issuecomment-559093018
And in this case it hit some git bisect weirdness which I can't explain yet:
https://github.com/google/syzkaller/issues/1527
* Re: KASAN: slab-out-of-bounds Read in fbcon_get_font
@ 2019-12-05 10:53 ` Paolo Bonzini
From: Paolo Bonzini @ 2019-12-05 10:53 UTC
To: Dmitry Vyukov
Cc: syzbot, Andrey Ryabinin, Bartlomiej Zolnierkiewicz, Daniel Thompson, Daniel Vetter, DRI, ghalat, Gleb Natapov, gwshan, H. Peter Anvin, James Morris, kasan-dev, KVM list, Linux Fbdev development list, LKML, linux-security-module, Maarten Lankhorst, Ingo Molnar, Michael Ellerman, Tetsuo Handa, Russell Currey, Sam Ravnborg, Serge E. Hallyn, stewart, syzkaller-bugs, Kentaro Takeda, Thomas Gleixner, the arch/x86 maintainers

On 05/12/19 11:31, Dmitry Vyukov wrote:
>> Ah, and because the machine is a KVM guest, kvm_wait appears in a lot of
>> backtrace and I get to share syzkaller's joy every time. :)
> I don't see any mention of "kvm" in the crash report.

It's there in the stack trace, not sure if this is what triggered my Cc:

[<ffffffff810c7c3a>] kvm_wait+0xca/0xe0 arch/x86/kernel/kvm.c:612

Paolo
* Re: KASAN: slab-out-of-bounds Read in fbcon_get_font
@ 2019-12-05 11:27 ` Dmitry Vyukov
From: Dmitry Vyukov @ 2019-12-05 11:27 UTC
To: Paolo Bonzini
Cc: syzbot, Andrey Ryabinin, Bartlomiej Zolnierkiewicz, Daniel Thompson, Daniel Vetter, DRI, ghalat, Gleb Natapov, gwshan, H. Peter Anvin, James Morris, kasan-dev, KVM list, Linux Fbdev development list, LKML, linux-security-module, Maarten Lankhorst, Ingo Molnar, Michael Ellerman, Tetsuo Handa, Russell Currey, Sam Ravnborg, Serge E. Hallyn, stewart, syzkaller-bugs, Kentaro Takeda, Thomas Gleixner, the arch/x86 maintainers

On Thu, Dec 5, 2019 at 11:53 AM Paolo Bonzini <pbonzini@redhat.com> wrote:
>
> On 05/12/19 11:31, Dmitry Vyukov wrote:
> >> Ah, and because the machine is a KVM guest, kvm_wait appears in a lot of
> >> backtrace and I get to share syzkaller's joy every time. :)
> > I don't see any mention of "kvm" in the crash report.
>
> It's there in the stack trace, not sure if this is what triggered my Cc:
>
> [<ffffffff810c7c3a>] kvm_wait+0xca/0xe0 arch/x86/kernel/kvm.c:612
>
> Paolo

Oh, you mean the final bisection crash. Indeed it contains a kvm frame
and it turns out to be a bug in syzkaller code that indeed
misattributed it to kvm instead of netfilter.
Should be fixed now, you may read the commit message for details:
https://github.com/google/syzkaller/commit/4fb74474cf0af2126be3a8989d770c3947ae9478

Overall this "making sense out of kernel output" task is the ultimate
insanity, you may skim through this file to get a taste of the amount of
hardcoding and special corner cases that need to be handled:
https://github.com/google/syzkaller/blob/master/pkg/report/linux.go
And this is never done, such "exception from exception corner case"
things pop up every week. There is always something to shuffle and
tune. It only keeps functioning due to 500+ test cases for all
possible insane kernel outputs:
https://github.com/google/syzkaller/tree/master/pkg/report/testdata/linux/report
https://github.com/google/syzkaller/tree/master/pkg/report/testdata/linux/guilty

So thanks for persisting and questioning! We are getting better with
each new test.
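The "file identified as culprit" step that Dmitry describes earlier in the thread, together with the frame-skipping that went wrong here (a kvm_wait frame from the guest's paravirt code sitting on top of the trace), as an added example in Go, the language syzkaller itself is written in. This is not syzkaller's code: its real parser and tables are in pkg/report/linux.go, linked above, and this is a deliberately reduced version of the same idea. It also carries Paolo's suggestion of skipping bisection commits that only touch a foreign architecture. The skip list, both sample reports, the `nf_placeholder` frame with its `net/netfilter/placeholder.c` path, and the powerpc path handed to the filter are all constructed for illustration; only the kvm_wait frame is the one quoted in the thread.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

type Frame struct { // one symbolized line of a kernel stack trace
	Func, File string
	Line       int
}

// frameRe accepts "func+0xOFF/0xLEN path/file.c:LINE", optionally with a
// leading "[<addr>]" or without the offset part (frames marked [inline]).
var frameRe = regexp.MustCompile(
	`^\s*(?:\[<[0-9a-f]+>\]\s*)?([A-Za-z_][A-Za-z0-9_.]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+(\S+\.[chS]):([0-9]+)`)

// Files whose frames are reporting, sanitizer or paravirt machinery, never the
// buggy code. Constructed short list; syzkaller's real tables live in pkg/report/linux.go.
var skipFilePrefixes = []string{
	"lib/dump_stack.c",
	"mm/kasan/",
	"include/linux/string.h", // memcpy/memset wrappers
	"arch/x86/kernel/kvm.c",  // kvm_wait: paravirt spinlock wait in a KVM guest
}

// ParseCallTrace returns the frames after "Call Trace:" up to the blank line
// that ends the section; the allocation/free stacks come after it.
func ParseCallTrace(report string) []Frame {
	var frames []Frame
	inTrace := false
	for _, line := range strings.Split(report, "\n") {
		t := strings.TrimSpace(line)
		if strings.HasPrefix(t, "Call Trace:") {
			inTrace = true
		} else if !inTrace {
			continue
		} else if t == "" {
			break
		} else if m := frameRe.FindStringSubmatch(line); m != nil {
			n, _ := strconv.Atoi(m[3]) // group 3 matched [0-9]+, so no error
			frames = append(frames, Frame{m[1], m[2], n})
		}
	}
	return frames
}

// GuiltyFrame picks the innermost frame that is not on the skip list; its
// file is what get_maintainers.pl is then run on to build the To list.
func GuiltyFrame(report string) (Frame, bool) {
next:
	for _, f := range ParseCallTrace(report) {
		for _, p := range skipFilePrefixes {
			if strings.HasPrefix(f.File, p) {
				continue next
			}
		}
		return f, true
	}
	return Frame{}, false
}

// TouchesOnlyForeignArch is true when every path a commit touches is under
// arch/ but none under arch/<target>/, so bisection can skip the commit.
func TouchesOnlyForeignArch(paths []string, target string) bool {
	for _, p := range paths {
		if !strings.HasPrefix(p, "arch/") || strings.HasPrefix(p, "arch/"+target+"/") {
			return false
		}
	}
	return len(paths) > 0 // an empty list proves nothing, never skip on it
}

// Constructed sample reports: offsets, line numbers and the netfilter path are
// placeholders; the kmalloc frame after the blank line is the allocation stack.
const kasanReport = `BUG: KASAN: slab-out-of-bounds in fbcon_get_font
Call Trace:
 kasan_report+0x12/0x20 mm/kasan/common.c:638
 memcpy include/linux/string.h:380 [inline]
 fbcon_get_font+0x10/0x20 drivers/video/fbdev/core/fbcon.c:100
 fb_ioctl+0x10/0x20 drivers/video/fbdev/core/fbmem.c:200

 kmalloc include/linux/slab.h:1 [inline]
`

const kvmReport = `Call Trace:
 [<ffffffff810c7c3a>] kvm_wait+0xca/0xe0 arch/x86/kernel/kvm.c:612
 [<ffffffff81000000>] nf_placeholder+0x10/0x20 net/netfilter/placeholder.c:10
`

func main() {
	f, _ := GuiltyFrame(kasanReport)
	g, _ := GuiltyFrame(kvmReport)
	fmt.Printf("%s:%d\n%s:%d\n", f.File, f.Line, g.File, g.Line)
	fmt.Println(TouchesOnlyForeignArch([]string{"arch/powerpc/platforms/powernv/pci.c"}, "x86"))
}
```

Running it prints the fbcon and netfilter files as the guilty ones and `true` for the powerpc-only path list. A skip list keyed on file prefixes is exactly the kind of hardcoding Dmitry describes: the kvm_wait rule exists only because the fuzzing VMs run under KVM, and a frame that is noise in one report can be the real culprit in another (a bug in arch/x86/kernel/kvm.c itself would be misattributed by this list), which is why the real parser is backed by hundreds of regression reports rather than by the rules alone.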
* Re: KASAN: slab-out-of-bounds Read in fbcon_get_font
@ 2019-12-05 11:29 ` Paolo Bonzini
From: Paolo Bonzini @ 2019-12-05 11:29 UTC
To: Dmitry Vyukov
Cc: syzbot, Andrey Ryabinin, Bartlomiej Zolnierkiewicz, Daniel Thompson, Daniel Vetter, DRI, ghalat, Gleb Natapov, gwshan, H. Peter Anvin, James Morris, kasan-dev, KVM list, Linux Fbdev development list, LKML, linux-security-module, Maarten Lankhorst, Ingo Molnar, Michael Ellerman, Tetsuo Handa, Russell Currey, Sam Ravnborg, Serge E. Hallyn, stewart, syzkaller-bugs, Kentaro Takeda, Thomas Gleixner, the arch/x86 maintainers

On 05/12/19 12:27, Dmitry Vyukov wrote:
> Oh, you mean the final bisection crash. Indeed it contains a kvm frame
> and it turns out to be a bug in syzkaller code that indeed
> misattributed it to kvm instead of netfilter.
> Should be fixed now, you may read the commit message for details:
> https://github.com/google/syzkaller/commit/4fb74474cf0af2126be3a8989d770c3947ae9478
>
> Overall this "making sense out of kernel output" task is the ultimate
> insanity, you may skim through this file to get a taste of amount of
> hardcoding and special corner cases that need to be handled:
> https://github.com/google/syzkaller/blob/master/pkg/report/linux.go
> And this is never done, such "exception from exception corner case"
> things pop up every week. There is always something to shuffle and
> tune. It only keeps functioning due to 500+ test cases for all
> possible insane kernel outputs:
> https://github.com/google/syzkaller/tree/master/pkg/report/testdata/linux/report
> https://github.com/google/syzkaller/tree/master/pkg/report/testdata/linux/guilty
>
> So thanks for persisting and questioning! We are getting better with
> each new test.

Thanks to you! I "complain" because I know you're so responsive. :)

Paolo
* Re: KASAN: slab-out-of-bounds Read in fbcon_get_font
  2019-12-05 10:22 ` Paolo Bonzini
@ 2019-12-05 10:41 ` Tetsuo Handa
From: Tetsuo Handa @ 2019-12-05 10:41 UTC
To: Paolo Bonzini, Dmitry Vyukov
Cc: syzbot, Andrey Ryabinin, Bartlomiej Zolnierkiewicz, Daniel Thompson,
Daniel Vetter, DRI, ghalat, Gleb Natapov, gwshan, H. Peter Anvin,
James Morris, kasan-dev, KVM list, Linux Fbdev development list, LKML,
linux-security-module, Maarten Lankhorst, Ingo Molnar, Michael Ellerman,
Russell Currey, Sam Ravnborg, Serge E. Hallyn, stewart, syzkaller-bugs,
Kentaro Takeda, Thomas Gleixner, the arch/x86 maintainers

On 2019/12/05 19:22, Paolo Bonzini wrote:
> Ah, and because the machine is a KVM guest, kvm_wait appears in a lot of
> backtrace and I get to share syzkaller's joy every time. :)
>
> This bisect result is bogus, though Tetsuo found the bug anyway.
> Perhaps you can exclude commits that only touch architectures other than
> x86?
>

It would be nice if coverage functionality can extract filenames in the source
code and supply the list of filenames as arguments for bisect operation.

Also, (unrelated but) it would be nice if we can have "make yes2modconfig"
target which converts CONFIG_FOO=y to CONFIG_FOO=m if FOO is tristate.
syzbot is testing kernel configs close to "make allyesconfig" but I want to
save kernel rebuild time by disabling unrelated functionality when manually
"debug printk()ing" kernels.
* Re: KASAN: slab-out-of-bounds Read in fbcon_get_font
  2019-12-05 10:41 ` Tetsuo Handa
@ 2019-12-05 11:35 ` Dmitry Vyukov
From: Dmitry Vyukov @ 2019-12-05 11:35 UTC
To: Tetsuo Handa
Cc: Paolo Bonzini, syzbot, Andrey Ryabinin, Bartlomiej Zolnierkiewicz,
Daniel Thompson, Daniel Vetter, DRI, ghalat, Gleb Natapov, gwshan,
H. Peter Anvin, James Morris, kasan-dev, KVM list,
Linux Fbdev development list, LKML, linux-security-module,
Maarten Lankhorst, Ingo Molnar, Michael Ellerman, Russell Currey,
Sam Ravnborg, Serge E. Hallyn, stewart, syzkaller-bugs, Kentaro Takeda,
Thomas Gleixner, the arch/x86 maintainers

On Thu, Dec 5, 2019 at 11:41 AM Tetsuo Handa
<penguin-kernel@i-love.sakura.ne.jp> wrote:
>
> On 2019/12/05 19:22, Paolo Bonzini wrote:
> > Ah, and because the machine is a KVM guest, kvm_wait appears in a lot of
> > backtrace and I get to share syzkaller's joy every time. :)
> >
> > This bisect result is bogus, though Tetsuo found the bug anyway.
> > Perhaps you can exclude commits that only touch architectures other than
> > x86?
> >
>
> It would be nice if coverage functionality can extract filenames in the source
> code and supply the list of filenames as arguments for bisect operation.

What are the criteria for file name extraction? What will bisect
operation do with the set of files?

If you have a feature/improvement request, please file it at:
https://github.com/google/syzkaller/issues/new
* Re: KASAN: slab-out-of-bounds Read in fbcon_get_font
  2019-12-05 10:41 ` Tetsuo Handa
@ 2019-12-05 11:36 ` Dmitry Vyukov
From: Dmitry Vyukov @ 2019-12-05 11:36 UTC
To: Tetsuo Handa
Cc: Paolo Bonzini, syzbot, Andrey Ryabinin, Bartlomiej Zolnierkiewicz,
Daniel Thompson, Daniel Vetter, DRI, ghalat, Gleb Natapov, gwshan,
H. Peter Anvin, James Morris, kasan-dev, KVM list,
Linux Fbdev development list, LKML, linux-security-module,
Maarten Lankhorst, Ingo Molnar, Michael Ellerman, Russell Currey,
Sam Ravnborg, Serge E. Hallyn, stewart, syzkaller-bugs, Kentaro Takeda,
Thomas Gleixner, the arch/x86 maintainers

On Thu, Dec 5, 2019 at 11:41 AM Tetsuo Handa
<penguin-kernel@i-love.sakura.ne.jp> wrote:
>
> On 2019/12/05 19:22, Paolo Bonzini wrote:
> > Ah, and because the machine is a KVM guest, kvm_wait appears in a lot of
> > backtrace and I get to share syzkaller's joy every time. :)
> >
> > This bisect result is bogus, though Tetsuo found the bug anyway.
> > Perhaps you can exclude commits that only touch architectures other than
> > x86?
> >
>
> It would be nice if coverage functionality can extract filenames in the source
> code and supply the list of filenames as arguments for bisect operation.
>
> Also, (unrelated but) it would be nice if we can have "make yes2modconfig"
> target which converts CONFIG_FOO=y to CONFIG_FOO=m if FOO is tristate.
> syzbot is testing kernel configs close to "make allyesconfig" but I want to
> save kernel rebuild time by disabling unrelated functionality when manually
> "debug printk()ing" kernels.

I thought that maybe sed "s#=y#=m#g" && make olddefconfig will do, but
unfortunately, it turns off non-tristate configs...

$ egrep "CONFIG_MEMORY_HOTPLUG|CONFIG_TCP_CONG_DCTCP" .config
CONFIG_MEMORY_HOTPLUG=y
CONFIG_TCP_CONG_DCTCP=y
# sed -i "s/CONFIG_MEMORY_HOTPLUG=y/CONFIG_MEMORY_HOTPLUG=m/g" .config
# sed -i "s/CONFIG_TCP_CONG_DCTCP=y/CONFIG_TCP_CONG_DCTCP=m/g" .config
# egrep "CONFIG_MEMORY_HOTPLUG|CONFIG_TCP_CONG_DCTCP" .config
CONFIG_MEMORY_HOTPLUG=m
CONFIG_TCP_CONG_DCTCP=m
# make olddefconfig
# egrep "CONFIG_MEMORY_HOTPLUG|CONFIG_TCP_CONG_DCTCP" .config
# CONFIG_MEMORY_HOTPLUG is not set
CONFIG_TCP_CONG_DCTCP=m
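An added example, not code from the thread or from the kernel build system: the "yes2modconfig" conversion Tetsuo asks for, done the way Dmitry's transcript shows it has to be, by reading the symbol types out of Kconfig and rewriting only tristate symbols, so a bool such as CONFIG_MEMORY_HOTPLUG is left for olddefconfig to keep. The Kconfig fragment and .config lines are constructed, and the function names are mine.

```python
# Added example: convert CONFIG_FOO=y to CONFIG_FOO=m only where FOO is a
# tristate Kconfig symbol, so bool options are not dropped by olddefconfig.
import re

# "config FOO" or "menuconfig FOO" opens a symbol definition.
SYMBOL_RE = re.compile(r"^\s*(?:menu)?config\s+([A-Za-z0-9_]+)\s*$")
# First type line inside the definition; def_bool/def_tristate imply a type.
TYPE_RE = re.compile(r"^\s*(bool|tristate|string|int|hex|def_bool|def_tristate)\b")
# An enabled built-in option in .config.
ENABLED_RE = re.compile(r"^CONFIG_([A-Za-z0-9_]+)=y$")


def kconfig_types(kconfig_text):
    """Map symbol name -> type ("bool", "tristate", ...) from Kconfig text.

    Help text, "depends on", "default" and "select" lines are skipped.
    If a symbol is defined more than once, the first type line wins.
    """
    types = {}
    current = None
    for line in kconfig_text.splitlines():
        m = SYMBOL_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None or current in types:
            continue
        t = TYPE_RE.match(line)
        if t:
            kind = t.group(1)
            types[current] = kind[4:] if kind.startswith("def_") else kind
    return types


def yes2mod(config_text, types):
    """Rewrite =y to =m for tristate symbols only.

    Returns (new_config_text, symbols_changed).  Bool symbols and symbols
    with no known type are left as they are, so olddefconfig keeps them.
    """
    out, changed = [], []
    for line in config_text.splitlines():
        m = ENABLED_RE.match(line)
        if m and types.get(m.group(1)) == "tristate":
            out.append("CONFIG_%s=m" % m.group(1))
            changed.append(m.group(1))
        else:
            out.append(line)
    return "\n".join(out) + "\n", changed


# Constructed Kconfig fragment: symbol names from the thread, types as in the
# kernel (MEMORY_HOTPLUG and KASAN are bool; TCP_CONG_DCTCP and FB tristate).
SAMPLE_KCONFIG = """\
config MEMORY_HOTPLUG
	bool "Allow for memory hot-add"
	depends on SPARSEMEM

config TCP_CONG_DCTCP
	tristate "DataCenter TCP (DCTCP)"
	default n

config KASAN
	bool "KASAN: runtime memory debugger"

config FB
	tristate "Support for frame buffer devices"
"""

# Constructed .config lines, as an allyesconfig-style build has them.
SAMPLE_CONFIG = """\
CONFIG_MEMORY_HOTPLUG=y
CONFIG_TCP_CONG_DCTCP=y
CONFIG_KASAN=y
CONFIG_FB=y
# CONFIG_FB_FOO is not set
"""


def demo():
    """Run the conversion on the constructed samples."""
    return yes2mod(SAMPLE_CONFIG, kconfig_types(SAMPLE_KCONFIG))
```

On a real tree, feed kconfig_types() the concatenated contents of every Kconfig file (for example via `find . -name 'Kconfig*'`) before running yes2mod() on the .config. Newer kernels ship this conversion as a Kconfig target (`make yes2modconfig`).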
* Re: KASAN: slab-out-of-bounds Read in fbcon_get_font
  2019-12-05 10:16 ` Dmitry Vyukov
@ 2019-12-05 10:30 ` Tetsuo Handa
From: Tetsuo Handa @ 2019-12-05 10:30 UTC
To: Dmitry Vyukov, Paolo Bonzini
Cc: syzbot, Andrey Ryabinin, Bartlomiej Zolnierkiewicz, Daniel Thompson,
Daniel Vetter, DRI, ghalat, Gleb Natapov, gwshan, H. Peter Anvin,
James Morris, kasan-dev, KVM list, Linux Fbdev development list, LKML,
linux-security-module, Maarten Lankhorst, Ingo Molnar, Michael Ellerman,
Russell Currey, Sam Ravnborg, Serge E. Hallyn, stewart, syzkaller-bugs,
Kentaro Takeda, Thomas Gleixner, the arch/x86 maintainers

On 2019/12/05 19:16, Dmitry Vyukov wrote:
> On Thu, Dec 5, 2019 at 11:13 AM Paolo Bonzini <pbonzini@redhat.com> wrote:
>>
>> On 04/12/19 22:41, syzbot wrote:
>>> syzbot has bisected this bug to:
>>>
>>> commit 2de50e9674fc4ca3c6174b04477f69eb26b4ee31
>>> Author: Russell Currey <ruscur@russell.cc>
>>> Date:   Mon Feb 8 04:08:20 2016 +0000
>>>
>>>     powerpc/powernv: Remove support for p5ioc2
>>>
>>> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=127a042ae00000
>>> start commit:   76bb8b05 Merge tag 'kbuild-v5.5' of git://git.kernel.org/p..
>>> git tree:       upstream
>>> final crash:    https://syzkaller.appspot.com/x/report.txt?x=117a042ae00000
>>> console output: https://syzkaller.appspot.com/x/log.txt?x=167a042ae00000
>>> kernel config:  https://syzkaller.appspot.com/x/.config?x=dd226651cb0f364b
>>> dashboard link: https://syzkaller.appspot.com/bug?extid=4455ca3b3291de891abc
>>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11181edae00000
>>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=105cbb7ae00000
>>>
>>> Reported-by: syzbot+4455ca3b3291de891abc@syzkaller.appspotmail.com
>>> Fixes: 2de50e9674fc ("powerpc/powernv: Remove support for p5ioc2")
>>>
>>> For information about bisection process see:
>>> https://goo.gl/tpsmEJ#bisection
>>>
>>
>> Why is everybody being CC'd, even if the bug has nothing to do with the
>> person's subsystem?
>
> The To list should be intersection of 2 groups of emails: result of
> get_maintainers.pl on the file identified as culprit in the crash
> message + emails extracted from the bisected to commit.
>

There is "#syz uncc" command but it is too hard to utilize?