From: Dmitry Vyukov
Date: Thu, 5 Dec 2019 12:27:35 +0100
Subject: Re: KASAN: slab-out-of-bounds Read in fbcon_get_font
To: Paolo Bonzini
Cc: syzbot, Andrey Ryabinin, Bartlomiej Zolnierkiewicz, Daniel Thompson, Daniel Vetter, DRI, ghalat@redhat.com, Gleb Natapov, gwshan@linux.vnet.ibm.com, "H. Peter Anvin", James Morris, kasan-dev, KVM list, Linux Fbdev development list, LKML, linux-security-module, Maarten Lankhorst, Ingo Molnar, Michael Ellerman, Tetsuo Handa, Russell Currey, Sam Ravnborg, "Serge E. Hallyn", stewart@linux.vnet.ibm.com, syzkaller-bugs, Kentaro Takeda, Thomas Gleixner, "the arch/x86 maintainers"

On Thu, Dec 5, 2019 at 11:53 AM Paolo Bonzini wrote:
>
> On 05/12/19 11:31, Dmitry Vyukov wrote:
> >> Ah, and because the machine is a KVM guest, kvm_wait appears in a lot of
> >> backtraces and I get to share syzkaller's joy every time. :)
> >
> > I don't see any mention of "kvm" in the crash report.
>
> It's there in the stack trace, not sure if this is what triggered my Cc:
>
> [] kvm_wait+0xca/0xe0 arch/x86/kernel/kvm.c:612
>
> Paolo

Oh, you mean the final bisection crash. Indeed it contains a kvm frame and it turns out to be a bug in syzkaller code that indeed misattributed it to kvm instead of netfilter. Should be fixed now, you may read the commit message for details:
https://github.com/google/syzkaller/commit/4fb74474cf0af2126be3a8989d770c3947ae9478

Overall this "making sense out of kernel output" task is the ultimate insanity, you may skim through this file to get a taste of the amount of hardcoding and special corner cases that need to be handled:
https://github.com/google/syzkaller/blob/master/pkg/report/linux.go

And this is never done, such "exception from exception corner case" things pop up every week. There is always something to shuffle and tune. It only keeps functioning due to 500+ test cases for all possible insane kernel outputs:
https://github.com/google/syzkaller/tree/master/pkg/report/testdata/linux/report
https://github.com/google/syzkaller/tree/master/pkg/report/testdata/linux/guilty

So thanks for persisting and questioning! We are getting better with each new test.
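The misattribution discussed above (a kvm_wait frame from the paravirt spinlock path on a KVM guest being taken as the crash site instead of the netfilter frame further down) can be shown with a simplified guilty-frame selector. This is an added example, not syzkaller's own pkg/report code; the ignore list is an assumption, and the sample trace is constructed apart from the kvm_wait line quoted in the thread.

```go
package main

import (
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample trace: the kvm_wait frame sits above the real netfilter frame.
const SampleTrace = ` dump_stack+0x1d8/0x2f8 lib/dump_stack.c:118
 kasan_report+0x12/0x20 mm/kasan/report.c:524
 [<ffffffff81051234>] kvm_wait+0xca/0xe0 arch/x86/kernel/kvm.c:612
 __pv_queued_spin_lock_slowpath+0x5a4/0xb00 kernel/locking/qspinlock_paravirt.h:58
 _raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:175
 nf_tables_newtable+0x4c1/0x9a0 net/netfilter/nf_tables_api.c:1010
 nfnetlink_rcv_msg+0x5ee/0x8e0 net/netfilter/nfnetlink.c:229`

// Frame is one parsed stack-trace line.
type Frame struct{ Func, File string; Line int }

// frameRe matches "[<addr>] func+0xoff/0xsize path/file.c:NNN"; the address is optional.
var frameRe = regexp.MustCompile(`^\s*(?:\[<[0-9a-fx]*>\]\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+\s+(\S+):(\d+)`)

// ignoreRe (assumed list): report machinery and the paravirt spinlock slow path
// (kvm_wait on KVM guests) show up in almost every trace, so they are never guilty.
var ignoreRe = regexp.MustCompile(`^(dump_stack|kasan_\w+|__asan_\w+|kvm_wait|__pv_queued_spin_lock_slowpath|_raw_spin_\w+)$`)

// ParseFrames returns frames innermost-first, skipping lines that are not frames.
func ParseFrames(trace string) []Frame {
	var out []Frame
	for _, ln := range strings.Split(trace, "\n") {
		if m := frameRe.FindStringSubmatch(ln); m != nil {
			n, _ := strconv.Atoi(m[3])
			out = append(out, Frame{m[1], m[2], n})
		}
	}
	return out
}

// GuiltyFrame is the innermost frame not on the ignore list.
func GuiltyFrame(trace string) (Frame, bool) {
	for _, f := range ParseFrames(trace) {
		if !ignoreRe.MatchString(f.Func) {
			return f, true
		}
	}
	return Frame{}, false
}
```

Without the kvm_wait and spinlock entries in the ignore list the selector would stop at arch/x86/kernel/kvm.c, which is the kind of misattribution the thread describes.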