On 1/28/20 1:49 PM, Petr Mladek wrote:
On Tue 2020-01-28 18:23:46, anon anon wrote:
Dear Linux kernel developers,
I found the crash "KASAN: slab-out-of-bounds Write in vgacon_scroll" when running syzkaller, hope it's unknown:
Linux version: Linux v4.17-rc4 (75bc37fefc44) Branch: master
This crash still exists on the latest Linux kernel, v5.5-rc6. Please find the C repro and crash log generated by syzkaller, as well as the .config I used for the kernel, in the attachment. Thanks.
The out-of-bound access seems to be in vgacon_scroll() and thus in vgacon code.
Unfortunately, most people in CC are printk guys. They were listed by ./scripts/get_maintainer.pl -f drivers/video/console/vgacon.c just because of the very last commit (tree-wide pr_warning() clean-up).
Bartlomiej seems to be the only relevant name.
Bartlomiej,
are you going to look at it?
Help is welcomed as I'm not going to look at it in the foreseeable future (I'm busy enough with other things).
Or should we add more people or some list (dri-devel@lists.freedesktop.org or linux-fbdev@vger.kernel.org) into CC?
Added to Cc:, thanks.
Thanks, Petr
Best regards,
--
Bartlomiej Zolnierkiewicz
Samsung R&D Institute Poland
Samsung Electronics
On (20/01/28 15:58), Bartlomiej Zolnierkiewicz wrote: [..]
Help is welcomed as I'm not going to look at it in the foreseeable future (I'm busy enough with other things).
(dri-devel@lists.freedesktop.org or linux-fbdev@vger.kernel.org) into CC?
Added to Cc:, thanks.
Hmm. There is something strange about it. I use vga console quite often, and scrolling happens all the time, yet I can't get the same out-of-bounds report (nor have I ever seen it in the past), even with the reproducer. Is it supposed to be executed as it is, or are there any preconditions? Any chance that something that runs prior to that reproducer somehow impacts the system? Just asking.
-ss
On (20/01/29 23:15), Sergey Senozhatsky wrote:
Date: Wed, 29 Jan 2020 23:15:17 +0900
From: Sergey Senozhatsky sergey.senozhatsky@gmail.com
To: Bartlomiej Zolnierkiewicz b.zolnierkie@samsung.com
Cc: Petr Mladek pmladek@suse.com, anon anon 742991625abc@gmail.com, wangkefeng.wang@huawei.com, sergey.senozhatsky@gmail.com, syzkaller@googlegroups.com, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org
Subject: Re: KASAN: slab-out-of-bounds Write in vgacon_scroll
Message-ID: 20200129141517.GA13721@jagdpanzerIV.localdomain
On (20/01/28 15:58), Bartlomiej Zolnierkiewicz wrote: [..]
Help is welcomed as I'm not going to look at it in the foreseeable future (I'm busy enough with other things).
(dri-devel@lists.freedesktop.org or linux-fbdev@vger.kernel.org) into CC?
Added to Cc:, thanks.
Hmm. There is something strange about it. I use vga console quite often, and scrolling happens all the time, yet I can't get the same out-of-bounds report (nor have I ever seen it in the past), even with the reproducer. Is it supposed to be executed as it is, or are there any preconditions? Any chance that something that runs prior to that reproducer somehow impacts the system? Just asking.
These questions were addressed to anon anon (742991625abc@gmail.com), not to Bartlomiej.
-ss
Cc-ing Dmitry and Tetsuo
Original Message-id: CAA=061EoW8AmjUrBLsJy5nTDz-1jeArLeB+z6HJuyZud0zZXug@mail.gmail.com
On (20/01/29 23:17), Sergey Senozhatsky wrote:
Hmm. There is something strange about it. I use vga console quite often, and scrolling happens all the time, yet I can't get the same out-of-bounds report (nor have I ever seen it in the past), even with the reproducer. Is it supposed to be executed as it is, or are there any preconditions? Any chance that something that runs prior to that reproducer somehow impacts the system? Just asking.
These questions were addressed to anon anon (742991625abc@gmail.com), not to Bartlomiej.
Could this be GCC_PLUGIN related?
-ss
On Wed, Jan 29, 2020 at 3:40 PM Sergey Senozhatsky sergey.senozhatsky@gmail.com wrote:
Cc-ing Dmitry and Tetsuo
Original Message-id: CAA=061EoW8AmjUrBLsJy5nTDz-1jeArLeB+z6HJuyZud0zZXug@mail.gmail.com
On (20/01/29 23:17), Sergey Senozhatsky wrote:
Hmm. There is something strange about it. I use vga console quite often, and scrolling happens all the time, yet I can't get the same out-of-bounds report (nor have I ever seen it in the past), even with the reproducer. Is it supposed to be executed as it is, or are there any preconditions? Any chance that something that runs prior to that reproducer somehow impacts the system? Just asking.
These questions were addressed to anon anon (742991625abc@gmail.com), not to Bartlomiej.
Could this be GCC_PLUGIN related?
syzkaller repros are meant to be self-contained, but they don't capture the image and VM setup (or actual hardware). I suspect it may have something to do with these bugs. syzbot has reported a bunch of similar bugs in one of our internal kernels:
KASAN: slab-out-of-bounds Read in vgacon_scroll
KASAN: slab-out-of-bounds Read in vgacon_invert_region
KASAN: use-after-free Write in vgacon_scroll
KASAN: use-after-free Read in vgacon_scroll
KASAN: use-after-free Read in vgacon_invert_region
BUG: unable to handle kernel paging request in vgacon_scroll
But none on upstream kernels. That may be some difference in config? I actually don't know what affects these things. When I tried to get at least some coverage of that code in syzkaller I just understood that relations between all these tty/pty/ptmx/vt/pt/ldisc/vcs/vcsu/fb/con/dri/drm/etc are complex to say the least...
On Wed, Jan 29, 2020 at 3:59 PM Dmitry Vyukov dvyukov@google.com wrote:
On Wed, Jan 29, 2020 at 3:40 PM Sergey Senozhatsky sergey.senozhatsky@gmail.com wrote:
Cc-ing Dmitry and Tetsuo
Original Message-id: CAA=061EoW8AmjUrBLsJy5nTDz-1jeArLeB+z6HJuyZud0zZXug@mail.gmail.com
On (20/01/29 23:17), Sergey Senozhatsky wrote:
Hmm. There is something strange about it. I use vga console quite often, and scrolling happens all the time, yet I can't get the same out-of-bounds report (nor have I ever seen it in the past), even with the reproducer. Is it supposed to be executed as it is, or are there any preconditions? Any chance that something that runs prior to that reproducer somehow impacts the system? Just asking.
These questions were addressed to anon anon (742991625abc@gmail.com), not to Bartlomiej.
Could this be GCC_PLUGIN related?
syzkaller repros are meant to be self-contained, but they don't capture the image and VM setup (or actual hardware). I suspect it may have something to do with these bugs. syzbot has reported a bunch of similar bugs in one of our internal kernels:
KASAN: slab-out-of-bounds Read in vgacon_scroll
KASAN: slab-out-of-bounds Read in vgacon_invert_region
KASAN: use-after-free Write in vgacon_scroll
KASAN: use-after-free Read in vgacon_scroll
KASAN: use-after-free Read in vgacon_invert_region
BUG: unable to handle kernel paging request in vgacon_scroll
But none on upstream kernels. That may be some difference in config? I actually don't know what affects these things. When I tried to get at least some coverage of that code in syzkaller I just understood that relations between all these tty/pty/ptmx/vt/pt/ldisc/vcs/vcsu/fb/con/dri/drm/etc are complex to say the least...
It would also be good to figure out how we can cover this on syzbot/upstream.
Our upstream config is:
$ grep VGA upstream-kasan.config
CONFIG_VGA_ARB=y
CONFIG_VGA_ARB_MAX_GPUS=16
# CONFIG_VGA_SWITCHEROO is not set
CONFIG_FB_VGA16=y
CONFIG_VGASTATE=y
CONFIG_VGA_CONSOLE=y
CONFIG_VGACON_SOFT_SCROLLBACK=y
CONFIG_VGACON_SOFT_SCROLLBACK_SIZE=64
# CONFIG_VGACON_SOFT_SCROLLBACK_PERSISTENT_ENABLE_BY_DEFAULT is not set
CONFIG_LOGO_LINUX_VGA16=y
# CONFIG_USB_SISUSBVGA is not set
# CONFIG_VFIO_PCI_VGA is not set
where anon's is:
CONFIG_VGA_ARB=y
CONFIG_VGA_ARB_MAX_GPUS=16
# CONFIG_VGA_SWITCHEROO is not set
# CONFIG_FB_VGA16 is not set
CONFIG_VGA_CONSOLE=y
CONFIG_VGACON_SOFT_SCROLLBACK=y
CONFIG_VGACON_SOFT_SCROLLBACK_SIZE=64
# CONFIG_VGACON_SOFT_SCROLLBACK_PERSISTENT_ENABLE_BY_DEFAULT is not set
# CONFIG_LOGO_LINUX_VGA16 is not set
# CONFIG_USB_SISUSBVGA is not set
And the one on which we are catching the bugs in vgacon on the internal kernel is:
CONFIG_VGA_ARB=y
CONFIG_VGA_ARB_MAX_GPUS=16
# CONFIG_VGA_SWITCHEROO is not set
# CONFIG_VGASTATE is not set
CONFIG_VGA_CONSOLE=y
# CONFIG_VGACON_SOFT_SCROLLBACK is not set
# CONFIG_USB_SISUSBVGA is not set
# CONFIG_VFIO_PCI_VGA is not set
May it be related to CONFIG_VGASTATE?
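The comparison above is done by eye over three grep dumps, which is where "# CONFIG_X is not set" lines are easy to miss. The script below is an added example, not part of the thread or of syzkaller: it normalises the unset form to CONFIG_X=n so both files line up, and prints only the options whose values differ, marking options absent from one file explicitly. The two sample .config fragments are constructed from the VGA options quoted in this message (the upstream syzbot one and the reporter's); file names and the VGA pattern are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): diff one option family between two
# kernel .config files, treating "# CONFIG_X is not set" as CONFIG_X=n.

normalize_config() {
    # $1: .config path; $2: regex matched against the option name (e.g. VGA)
    # Output: CONFIG_NAME=value, one per line, sorted, with unset options as =n
    grep -E "^(# )?CONFIG_[A-Z0-9_]*$2" "$1" \
        | sed -E 's/^# (CONFIG_[A-Z0-9_]+) is not set$/\1=n/' \
        | LC_ALL=C sort
}

config_diff() {
    # $1, $2: .config paths; $3: option-name regex
    # Output: "CONFIG_NAME value_in_1 value_in_2" for every option that differs;
    # an option present in only one file shows "(absent)" for the other.
    ta=$(mktemp); tb=$(mktemp)
    normalize_config "$1" "$3" > "$ta"
    normalize_config "$2" "$3" > "$tb"
    awk -F= '
        FILENAME == ARGV[1] { first[$1] = $2; next }
        { second[$1] = $2 }
        END {
            for (k in first)  if (!(k in second)) second[k] = "(absent)"
            for (k in second) if (!(k in first))  first[k]  = "(absent)"
            for (k in first)  if (first[k] != second[k]) print k, first[k], second[k]
        }' "$ta" "$tb" | LC_ALL=C sort
    rm -f "$ta" "$tb"
}

write_sample_configs() {
    # $1: directory. Writes two constructed fragments holding the VGA options
    # quoted in the thread: syzbot's upstream config and the reporter's.
    cat > "$1/upstream.config" <<'EOF'
CONFIG_VGA_ARB=y
CONFIG_VGA_ARB_MAX_GPUS=16
# CONFIG_VGA_SWITCHEROO is not set
CONFIG_FB_VGA16=y
CONFIG_VGASTATE=y
CONFIG_VGA_CONSOLE=y
CONFIG_VGACON_SOFT_SCROLLBACK=y
CONFIG_VGACON_SOFT_SCROLLBACK_SIZE=64
# CONFIG_VGACON_SOFT_SCROLLBACK_PERSISTENT_ENABLE_BY_DEFAULT is not set
CONFIG_LOGO_LINUX_VGA16=y
# CONFIG_USB_SISUSBVGA is not set
# CONFIG_VFIO_PCI_VGA is not set
EOF
    cat > "$1/reporter.config" <<'EOF'
CONFIG_VGA_ARB=y
CONFIG_VGA_ARB_MAX_GPUS=16
# CONFIG_VGA_SWITCHEROO is not set
# CONFIG_FB_VGA16 is not set
CONFIG_VGA_CONSOLE=y
CONFIG_VGACON_SOFT_SCROLLBACK=y
CONFIG_VGACON_SOFT_SCROLLBACK_SIZE=64
# CONFIG_VGACON_SOFT_SCROLLBACK_PERSISTENT_ENABLE_BY_DEFAULT is not set
# CONFIG_LOGO_LINUX_VGA16 is not set
# CONFIG_USB_SISUSBVGA is not set
EOF
}

# Demo run over the constructed samples.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
config_diff "$demo_dir/upstream.config" "$demo_dir/reporter.config" VGA
rm -rf "$demo_dir"
```

On the two fragments above this reports CONFIG_FB_VGA16 and CONFIG_LOGO_LINUX_VGA16 as y versus n, and CONFIG_VGASTATE and CONFIG_VFIO_PCI_VGA as set upstream but absent from the reporter's fragment. Pointing it at two full .config files with a pattern such as 'VGA|FB_|VT' gives the same view for the whole console stack rather than the VGA options alone.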
An fbcon bug was found where the allocation size was wrong. https://groups.google.com/d/msg/syzkaller-bugs/TVGAFDeUKJo/uchTlvbFAQAJ You can try adding printk() to examine the values, since you have reproducers.