Re: KASAN: slab-out-of-bounds Write in vgacon_scroll

Re: KASAN: slab-out-of-bounds Write in vgacon_scroll

[Petr Mladek]

On Tue 2020-01-28 18:23:46, anon anon wrote:
> Dear Linux kernel developers,
> 
> I found the crash "KASAN: slab-out-of-bounds Write in vgacon_scroll"
> when running syzkaller, hope it's unknown:
> 
> Linux version: Linux v4.17-rc4 (75bc37fefc44)
> Branch: master
> 
> This crash still exists on the latest linux kernel Linux v5.5-rc6.
> Please get C repo and crash log generated by syzkaller, as well as the
> .config I used for linux kernel from the attachment. Thanks.

The out-of-bound access seems to be in vgacon_scroll() and thus
in vgacon code.

Unfortunately, most people in CC are printk-guys. They were mentioned
by ./scripts/get_maintainer.pl -f drivers/video/console/vgacon.c
just because the very last comment (tree wide pr_warning() clean up).

Bartolomej seems to be the only relevant name.

Bartolomej,

are you going to look at it? Or should we add more people or some list
(dri-devel@lists.freedesktop.org or linux-fbdev@vger.kernel.org) into CC?

Thanks,
Petr

Re: KASAN: slab-out-of-bounds Write in vgacon_scroll

[Bartlomiej Zolnierkiewicz]

On 1/28/20 1:49 PM, Petr Mladek wrote:
> On Tue 2020-01-28 18:23:46, anon anon wrote:
>> Dear Linux kernel developers,
>>
>> I found the crash "KASAN: slab-out-of-bounds Write in vgacon_scroll"
>> when running syzkaller, hope it's unknown:
>>
>> Linux version: Linux v4.17-rc4 (75bc37fefc44)
>> Branch: master
>>
>> This crash still exists on the latest linux kernel Linux v5.5-rc6.
>> Please get C repo and crash log generated by syzkaller, as well as the
>> .config I used for linux kernel from the attachment. Thanks.
> 
> The out-of-bound access seems to be in vgacon_scroll() and thus
> in vgacon code.
> 
> Unfortunately, most people in CC are printk-guys. They were mentioned
> by ./scripts/get_maintainer.pl -f drivers/video/console/vgacon.c
> just because the very last comment (tree wide pr_warning() clean up).
> 
> Bartolomej seems to be the only relevant name.
> 
> Bartolomej,
> 
> are you going to look at it? Or should we add more people or some list

Help is welcomed as I'm not going to look at it in the foreseeable future
(I'm busy enough with other things).

> (dri-devel@lists.freedesktop.org or linux-fbdev@vger.kernel.org) into CC?

Added to Cc:, thanks.

> Thanks,
> Petr

Best regards,
--
Bartlomiej Zolnierkiewicz
Samsung R&D Institute Poland
Samsung Electronics

Re: KASAN: slab-out-of-bounds Write in vgacon_scroll

[Sergey Senozhatsky]

On (20/01/28 15:58), Bartlomiej Zolnierkiewicz wrote:
[..]
> 
> Help is welcomed as I'm not going to look at it in the foreseeable future
> (I'm busy enough with other things).
> 
> > (dri-devel@lists.freedesktop.org or linux-fbdev@vger.kernel.org) into CC?
> 
> Added to Cc:, thanks.

Hmm. There is something strange about it. I use vga console quite
often, and scrolling happens all the time, yet I can't get the same
out-of-bounds report (nor have I ever seen it in the past), even with
the reproducer. Is it supposed to be executed as it is, or are there
any preconditions? Any chance that something that runs prior to that
reproducer somehow impacts the system? Just asking.

	-ss

Re: KASAN: slab-out-of-bounds Write in vgacon_scroll

[Sergey Senozhatsky]

On (20/01/29 23:15), Sergey Senozhatsky wrote:
> Date: Wed, 29 Jan 2020 23:15:17 +0900
> From: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
> To: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
> Cc: Petr Mladek <pmladek@suse.com>, anon anon <742991625abc@gmail.com>,
>  wangkefeng.wang@huawei.com, sergey.senozhatsky@gmail.com,
>  syzkaller@googlegroups.com, linux-kernel@vger.kernel.org,
>  dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org
> Subject: Re: KASAN: slab-out-of-bounds Write in vgacon_scroll
> Message-ID: <20200129141517.GA13721@jagdpanzerIV.localdomain>
> 
> On (20/01/28 15:58), Bartlomiej Zolnierkiewicz wrote:
> [..]
> > 
> > Help is welcomed as I'm not going to look at it in the foreseeable future
> > (I'm busy enough with other things).
> > 
> > > (dri-devel@lists.freedesktop.org or linux-fbdev@vger.kernel.org) into CC?
> > 
> > Added to Cc:, thanks.
> 
> Hmm. There is something strange about it. I use vga console quite
> often, and scrolling happens all the time, yet I can't get the same
> out-of-bounds report (nor have I ever seen it in the past), even with
> the reproducer. Is it supposed to be executed as it is, or are there
> any preconditions? Any chance that something that runs prior to that
> reproducer somehow impacts the system? Just asking.

These questions were addressed to anon anon (742991625abc@gmail.com),
not to Bartlomiej.

	-ss

Re: KASAN: slab-out-of-bounds Write in vgacon_scroll

[Sergey Senozhatsky]

Cc-ing Dmitry and Tetsuo

Original Message-id: CAA=061EoW8AmjUrBLsJy5nTDz-1jeArLeB+z6HJuyZud0zZXug@mail.gmail.com

On (20/01/29 23:17), Sergey Senozhatsky wrote:
> > Hmm. There is something strange about it. I use vga console quite
> > often, and scrolling happens all the time, yet I can't get the same
> > out-of-bounds report (nor have I ever seen it in the past), even with
> > the reproducer. Is it supposed to be executed as it is, or are there
> > any preconditions? Any chance that something that runs prior to that
> > reproducer somehow impacts the system? Just asking.
> 
> These questions were addressed to anon anon (742991625abc@gmail.com),
> not to Bartlomiej.

Could this be GCC_PLUGIN related?

	-ss

Re: KASAN: slab-out-of-bounds Write in vgacon_scroll

[Dmitry Vyukov]

On Wed, Jan 29, 2020 at 3:40 PM Sergey Senozhatsky
<sergey.senozhatsky@gmail.com> wrote:
>
> Cc-ing Dmitry and Tetsuo
>
> Original Message-id: CAA=061EoW8AmjUrBLsJy5nTDz-1jeArLeB+z6HJuyZud0zZXug@mail.gmail.com
>
> On (20/01/29 23:17), Sergey Senozhatsky wrote:
> > > Hmm. There is something strange about it. I use vga console quite
> > > often, and scrolling happens all the time, yet I can't get the same
> > > out-of-bounds report (nor have I ever seen it in the past), even with
> > > the reproducer. Is it supposed to be executed as it is, or are there
> > > any preconditions? Any chance that something that runs prior to that
> > > reproducer somehow impacts the system? Just asking.
> >
> > These questions were addressed to anon anon (742991625abc@gmail.com),
> > not to Bartlomiej.
>
> Could this be GCC_PLUGIN related?

syzkaller repros are meant to be self-contained, but they don't
capture the image and VM setup (or actual hardware). I suspect it may
have something to do with these bugs.
syzbot has reported a bunch of similar bugs in one of our internal kernels:

KASAN: slab-out-of-bounds Read in vgacon_scroll
KASAN: slab-out-of-bounds Read in vgacon_invert_region
KASAN: use-after-free Write in vgacon_scroll
KASAN: use-after-free Read in vgacon_scroll
KASAN: use-after-free Read in vgacon_invert_region
BUG: unable to handle kernel paging request in vgacon_scroll

But none on upstream kernels. That may be some difference in config?
I actually don't know what affects these things. When I tried to get
at least some coverage of that code in syzkaller I just understood
that relations between all these
tty/pty/ptmx/vt/pt/ldisc/vcs/vcsu/fb/con/dri/drm/etc are complex to
say the least...

Re: KASAN: slab-out-of-bounds Write in vgacon_scroll

[Dmitry Vyukov]

On Wed, Jan 29, 2020 at 3:59 PM Dmitry Vyukov <dvyukov@google.com> wrote:
>
> On Wed, Jan 29, 2020 at 3:40 PM Sergey Senozhatsky
> <sergey.senozhatsky@gmail.com> wrote:
> >
> > Cc-ing Dmitry and Tetsuo
> >
> > Original Message-id: CAA=061EoW8AmjUrBLsJy5nTDz-1jeArLeB+z6HJuyZud0zZXug@mail.gmail.com
> >
> > On (20/01/29 23:17), Sergey Senozhatsky wrote:
> > > > Hmm. There is something strange about it. I use vga console quite
> > > > often, and scrolling happens all the time, yet I can't get the same
> > > > out-of-bounds report (nor have I ever seen it in the past), even with
> > > > the reproducer. Is it supposed to be executed as it is, or are there
> > > > any preconditions? Any chance that something that runs prior to that
> > > > reproducer somehow impacts the system? Just asking.
> > >
> > > These questions were addressed to anon anon (742991625abc@gmail.com),
> > > not to Bartlomiej.
> >
> > Could this be GCC_PLUGIN related?
>
> syzkaller repros are meant to be self-contained, but they don't
> capture the image and VM setup (or actual hardware). I suspect it may
> have something to do with these bugs.
> syzbot has reported a bunch of similar bugs in one of our internal kernels:
>
> KASAN: slab-out-of-bounds Read in vgacon_scroll
> KASAN: slab-out-of-bounds Read in vgacon_invert_region
> KASAN: use-after-free Write in vgacon_scroll
> KASAN: use-after-free Read in vgacon_scroll
> KASAN: use-after-free Read in vgacon_invert_region
> BUG: unable to handle kernel paging request in vgacon_scroll
>
> But none on upstream kernels. That may be some difference in config?
> I actually don't know what affects these things. When I tried to get
> at least some coverage of that code in syzkaller I just understood
> that relations between all these
> tty/pty/ptmx/vt/pt/ldisc/vcs/vcsu/fb/con/dri/drm/etc are complex to
> say the least...


It would also be good to figure out how we can cover this on syzbot/upstream.

Our upstream config is:

$ grep VGA upstream-kasan.config
CONFIG_VGA_ARB=y
CONFIG_VGA_ARB_MAX_GPUS=16
# CONFIG_VGA_SWITCHEROO is not set
CONFIG_FB_VGA16=y
CONFIG_VGASTATE=y
CONFIG_VGA_CONSOLE=y
CONFIG_VGACON_SOFT_SCROLLBACK=y
CONFIG_VGACON_SOFT_SCROLLBACK_SIZE=64
# CONFIG_VGACON_SOFT_SCROLLBACK_PERSISTENT_ENABLE_BY_DEFAULT is not set
CONFIG_LOGO_LINUX_VGA16=y
# CONFIG_USB_SISUSBVGA is not set
# CONFIG_VFIO_PCI_VGA is not set

where anon's is:
CONFIG_VGA_ARB=y
CONFIG_VGA_ARB_MAX_GPUS=16
# CONFIG_VGA_SWITCHEROO is not set
# CONFIG_FB_VGA16 is not set
CONFIG_VGA_CONSOLE=y
CONFIG_VGACON_SOFT_SCROLLBACK=y
CONFIG_VGACON_SOFT_SCROLLBACK_SIZE=64
# CONFIG_VGACON_SOFT_SCROLLBACK_PERSISTENT_ENABLE_BY_DEFAULT is not set
# CONFIG_LOGO_LINUX_VGA16 is not set
# CONFIG_USB_SISUSBVGA is not set

And the one on which are catching the bugs in vgacon on internal kernel is:
CONFIG_VGA_ARB=y
CONFIG_VGA_ARB_MAX_GPUS=16
# CONFIG_VGA_SWITCHEROO is not set
# CONFIG_VGASTATE is not set
CONFIG_VGA_CONSOLE=y
# CONFIG_VGACON_SOFT_SCROLLBACK is not set
# CONFIG_USB_SISUSBVGA is not set
# CONFIG_VFIO_PCI_VGA is not set


May it be related to CONFIG_VGASTATE?

Re: KASAN: slab-out-of-bounds Write in vgacon_scroll

[Tetsuo Handa]

A fbcon bug found that allocation size was wrong.
  https://groups.google.com/d/msg/syzkaller-bugs/TVGAFDeUKJo/uchTlvbFAQAJ
You can try adding printk() for examining values because you have reproducers.