BUG: KASAN: vmalloc-out-of-bounds Write in imageblit

Juefei Pu juefei.pu at email.ucr.edu
Sat Aug 24 22:38:03 UTC 2024


Hello,
We found the following issue using syzkaller on Linux v6.10.
In `fast_imageblit`, there is an out-of-bounds memory access when
executing `*dst++ = colortab[(*src >> 7) & bit_mask];`

Although Syzbot has found a similar bug
(https://syzkaller.appspot.com/bug?extid=3d3864c27a5e770e7654), the
bug we discovered can be triggered on Linux v6.10. Meanwhile, Syzbot
failed to trigger the crash for 396 days. Thus, it looks like this is
a new bug.

Unfortunately, syzkaller failed to generate a reproducer.
But at least we have the report:

==================================================================
BUG: KASAN: vmalloc-out-of-bounds in fast_imageblit
drivers/video/fbdev/core/sysimgblt.c:257 [inline]
BUG: KASAN: vmalloc-out-of-bounds in sys_imageblit+0x1c22/0x2600
drivers/video/fbdev/core/sysimgblt.c:326
Write of size 4 at addr ffffc90002ad9190 by task syz.0.802/17876

CPU: 0 PID: 17876 Comm: syz.0.802 Not tainted 6.10.0 #13
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x23d/0x360 lib/dump_stack.c:114
 print_address_description+0x77/0x360 mm/kasan/report.c:377
 print_report+0xfd/0x210 mm/kasan/report.c:488
 kasan_report+0x13f/0x170 mm/kasan/report.c:601
 fast_imageblit drivers/video/fbdev/core/sysimgblt.c:257 [inline]
 sys_imageblit+0x1c22/0x2600 drivers/video/fbdev/core/sysimgblt.c:326
 drm_fbdev_generic_defio_imageblit+0x2a/0xf0
drivers/gpu/drm/drm_fbdev_generic.c:37
 bit_putcs+0x18a3/0x1d90
 fbcon_putcs+0x34f/0x520 drivers/video/fbdev/core/fbcon.c:1288
 con_putc drivers/tty/vt/vt.c:302 [inline]
 complement_pos+0x3f4/0xa70 drivers/tty/vt/vt.c:757
 highlight_pointer drivers/tty/vt/selection.c:63 [inline]
 clear_selection+0x17/0x70 drivers/tty/vt/selection.c:85
 hide_cursor+0x80/0x480 drivers/tty/vt/vt.c:844
 redraw_screen+0x1d7/0xe70 drivers/tty/vt/vt.c:948
 fbcon_blank+0x61f/0xae0 drivers/video/fbdev/core/fbcon.c:2231
 do_unblank_screen+0x294/0x760 drivers/tty/vt/vt.c:4563
 unblank_screen drivers/tty/vt/vt.c:4582 [inline]
 tioclinux+0x186/0x4c0 drivers/tty/vt/vt.c:3357
 vt_ioctl+0x9d4/0x2060 drivers/tty/vt/vt_ioctl.c:761
 tty_ioctl+0x906/0xdb0 drivers/tty/tty_io.c:2803
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xfe/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x7e/0x150 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x67/0x6f
RIP: 0033:0x7f77eff809b9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f77f0e57038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f77f0145f80 RCX: 00007f77eff809b9
RDX: 0000000020000580 RSI: 000000000000541c RDI: 0000000000000018
RBP: 00007f77efff4f70 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f77f0145f80 R15: 00007ffd3ddd4628
 </TASK>

Memory state around the buggy address:
 ffffc90002ad9080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90002ad9100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffffc90002ad9180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                         ^
 ffffc90002ad9200: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90002ad9280: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================
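To make the failure mode in the report concrete, below is an added userspace model of the expanding blit that the post describes (the `*dst++ = colortab[...]` loop), with the destination bounds check that a vmalloc'd screen buffer needs before the loop starts writing. This is example code written for this page, not the kernel's `fast_imageblit`/`sys_imageblit` and not code from the reporter; the `fb_model`/`img_model` structs, the 32-bpp pixel format, the screen size and the glyph data are all constructed assumptions. It shows the pattern that has to hold: the last pixel of the last row must land inside the buffer, and no row may run past its scanline, or the pointer-increment loop silently writes past the end.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption: NOT the kernel's code) of a 1-bpp to 32-bpp
 * expanding blit in the style of fast_imageblit: each source bit selects a
 * colour from a two-entry table and is stored as one u32 at *dst++. */
struct fb_model {
    uint32_t *base;     /* start of the screen buffer (vmalloc'd in the kernel) */
    size_t    len;      /* buffer size in bytes */
    size_t    line_len; /* bytes per scanline */
};

struct img_model {
    const uint8_t *data;    /* 1-bpp bitmap, each row padded to a byte boundary */
    unsigned width, height; /* in pixels */
    unsigned dx, dy;        /* destination position in pixels */
};

/* Returns the number of pixels written, or -1 if the blit would leave the
 * buffer or wrap into the next scanline. The check runs before any store. */
long blit_checked(struct fb_model *fb, const struct img_model *img,
                  uint32_t fg, uint32_t bg)
{
    const uint32_t colortab[2] = { bg, fg };
    size_t pixels_per_line = fb->line_len / sizeof(uint32_t);
    size_t src_stride = (img->width + 7) / 8;
    long written = 0;

    if (img->height == 0 || img->width == 0)
        return -1;
    /* A row must not run past the scanline it starts on. */
    if ((size_t)img->dx + img->width > pixels_per_line)
        return -1;
    /* The byte just past the last pixel of the last row must be <= len. */
    size_t last_off = ((size_t)img->dy + img->height - 1) * fb->line_len
                    + ((size_t)img->dx + img->width) * sizeof(uint32_t);
    if (last_off > fb->len)
        return -1;

    for (unsigned y = 0; y < img->height; y++) {
        uint32_t *dst = (uint32_t *)((uint8_t *)fb->base
                                     + (size_t)(img->dy + y) * fb->line_len)
                        + img->dx;
        const uint8_t *src = img->data + (size_t)y * src_stride;
        for (unsigned x = 0; x < img->width; x++) {
            /* MSB-first bit extraction, the "(*src >> 7) & mask" idea. */
            unsigned bit = (src[x / 8] >> (7 - (x % 8))) & 1;
            *dst++ = colortab[bit];
            written++;
        }
    }
    return written;
}

/* Constructed scenario: a 16x4-pixel, 32-bpp screen buffer and an 8x2 glyph
 * whose rows are 0xF0 (four foreground pixels, then four background). */
#define SCR_W 16
#define SCR_H 4
static uint32_t screen[SCR_W * SCR_H];
static const uint8_t glyph[2] = { 0xF0, 0xF0 };

static long blit_glyph_at(unsigned dx, unsigned dy)
{
    struct fb_model fb = { screen, sizeof(screen), SCR_W * sizeof(uint32_t) };
    struct img_model img = { glyph, 8, 2, dx, dy };
    memset(screen, 0, sizeof(screen));
    return blit_checked(&fb, &img, 0x00FFFFFFu, 0x0u);
}

/* Glyph at (8,2) covers rows 2..3, columns 8..15: exactly fits, 16 pixels. */
long demo_fits(void) { return blit_glyph_at(8, 2); }
/* Glyph at (8,3) would write row 4, past the end of the buffer: rejected. */
long demo_overrun_rows(void) { return blit_glyph_at(8, 3); }
/* Glyph at (9,2) would wrap into the next scanline: rejected. */
long demo_overrun_cols(void) { return blit_glyph_at(9, 2); }
/* After demo_fits, pixel (8,2) is foreground and pixel (12,2) is background. */
int demo_pixels_ok(void)
{
    if (demo_fits() != 16)
        return 0;
    return screen[2 * SCR_W + 8] == 0x00FFFFFFu && screen[2 * SCR_W + 12] == 0;
}

int main(void)
{
    printf("fits=%ld overrun_rows=%ld overrun_cols=%ld pixels_ok=%d\n",
           demo_fits(), demo_overrun_rows(), demo_overrun_cols(),
           demo_pixels_ok());
    return 0;
}
```

The point of the model is where the check sits: it is computed once from the image geometry and the buffer size before the inner loop runs, because the loop itself only advances `dst` and never compares it against the buffer end. A console redraw that blits glyphs with a geometry the screen buffer no longer matches (the report's path goes through `redraw_screen` and `fbcon_putcs`) is exactly the situation in which such a precheck would have turned an out-of-bounds write into an error return.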