lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Tue, 13 Nov 2018 06:12:04 -0800
From:   syzbot <syzbot+ccf0a61ed12f2a7313ee@...kaller.appspotmail.com>
To:     bwinther@...co.com, hverkuil@...all.nl, keescook@...omium.org,
        linux-kernel@...r.kernel.org, linux-media@...r.kernel.org,
        mchehab@...nel.org, syzkaller-bugs@...glegroups.com
Subject: Re: KASAN: global-out-of-bounds Read in tpg_print_str_4

syzbot has found a reproducer for the following crash on:

HEAD commit:    ccda4af0f4b9 Linux 4.20-rc2
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1779cb0b400000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4a0a89f12ca9b0f5
dashboard link: https://syzkaller.appspot.com/bug?extid=ccf0a61ed12f2a7313ee
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
userspace arch: i386
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=126f0ed5400000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15ed6c25400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+ccf0a61ed12f2a7313ee@...kaller.appspotmail.com

==================================================================
BUG: KASAN: global-out-of-bounds in tpg_print_str_4+0xbc9/0xd70  
drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:1820
Read of size 1 at addr ffffffff88632850 by task vivid-000-vid-c/5989

CPU: 0 PID: 5989 Comm: vivid-000-vid-c Not tainted 4.20.0-rc2+ #236
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x244/0x39d lib/dump_stack.c:113
  print_address_description.cold.7+0x58/0x1ff mm/kasan/report.c:256
  kasan_report_error mm/kasan/report.c:354 [inline]
  kasan_report.cold.8+0x242/0x309 mm/kasan/report.c:412
  __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
  tpg_print_str_4+0xbc9/0xd70  
drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:1820
  tpg_gen_text+0x4ba/0x540 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:1874
  vivid_fillbuff+0x3ff7/0x68e0  
drivers/media/platform/vivid/vivid-kthread-cap.c:532
  vivid_thread_vid_cap_tick  
drivers/media/platform/vivid/vivid-kthread-cap.c:709 [inline]
  vivid_thread_vid_cap+0xbc1/0x2650  
drivers/media/platform/vivid/vivid-kthread-cap.c:813
  kthread+0x35a/0x440 kernel/kthread.c:246
  ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

The buggy address belongs to the variable:
  font_vga_8x16+0x50/0x60

Memory state around the buggy address:
  ffffffff88632700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffffffff88632780: 00 00 00 00 fa fa fa fa 00 fa fa fa fa fa fa fa
> ffffffff88632800: 00 00 00 00 00 fa fa fa fa fa fa fa 00 00 00 00
                                                  ^
  ffffffff88632880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffffffff88632900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ