lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <000000000000a91c14057a28a4ae@google.com>
Date:   Thu, 08 Nov 2018 07:11:03 -0800
From:   syzbot <syzbot+ccf0a61ed12f2a7313ee@...kaller.appspotmail.com>
To:     bwinther@...co.com, hverkuil@...all.nl, keescook@...omium.org,
        linux-kernel@...r.kernel.org, linux-media@...r.kernel.org,
        mchehab@...nel.org, syzkaller-bugs@...glegroups.com
Subject: KASAN: global-out-of-bounds Read in tpg_print_str_4

Hello,

syzbot found the following crash on:

HEAD commit:    85758777c2a2 Merge tag 'hwmon-for-v4.20-rc2' of git://git...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=157af45d400000
kernel config:  https://syzkaller.appspot.com/x/.config?x=8f559fee2fc3375a
dashboard link: https://syzkaller.appspot.com/bug?extid=ccf0a61ed12f2a7313ee
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
userspace arch: i386

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+ccf0a61ed12f2a7313ee@...kaller.appspotmail.com

==================================================================
BUG: KASAN: global-out-of-bounds in tpg_print_str_4+0xbc9/0xd70  
drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:1820
Read of size 1 at addr ffffffff88631c50 by task vivid-000-vid-c/7282

CPU: 0 PID: 7282 Comm: vivid-000-vid-c Not tainted 4.20.0-rc1+ #228
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x244/0x39d lib/dump_stack.c:113
  print_address_description.cold.7+0x58/0x1ff mm/kasan/report.c:256
  kasan_report_error mm/kasan/report.c:354 [inline]
  kasan_report.cold.8+0x242/0x309 mm/kasan/report.c:412
  __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
  tpg_print_str_4+0xbc9/0xd70  
drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:1820
  tpg_gen_text+0x4ba/0x540 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:1874
  vivid_fillbuff+0x3ff7/0x68e0  
drivers/media/platform/vivid/vivid-kthread-cap.c:532
  vivid_thread_vid_cap_tick  
drivers/media/platform/vivid/vivid-kthread-cap.c:709 [inline]
  vivid_thread_vid_cap+0xbc1/0x2650  
drivers/media/platform/vivid/vivid-kthread-cap.c:813
  kthread+0x35a/0x440 kernel/kthread.c:246
  ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

The buggy address belongs to the variable:
  font_vga_8x16+0x50/0x60

Memory state around the buggy address:
  ffffffff88631b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffffffff88631b80: 00 00 00 00 fa fa fa fa 00 fa fa fa fa fa fa fa
> ffffffff88631c00: 00 00 00 00 00 fa fa fa fa fa fa fa 00 00 00 00
                                                  ^
  ffffffff88631c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffffffff88631d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with  
syzbot.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ