BUG: KASAN: vmalloc-out-of-bounds Write in imageblit
From: Juefei Pu
Date: Sat Aug 24 2024 - 18:39:32 EST
Hello,
We found the following issue using syzkaller on Linux v6.10.
In `fast_imageblit`, there is an out-of-bounds memory access when
executing `*dst++ = colortab[(*src >> 7) & bit_mask];`.
Although Syzbot has found a similar bug
(https://syzkaller.appspot.com/bug?extid=3d3864c27a5e770e7654), the
bug we discovered can be triggered on Linux v6.10. Meanwhile, Syzbot
failed to trigger the crash for 396 days. Thus, it looks like this is
a new bug.
Unfortunately, syzkaller failed to generate a reproducer.
But at least we have the report:
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in fast_imageblit drivers/video/fbdev/core/sysimgblt.c:257 [inline]
BUG: KASAN: vmalloc-out-of-bounds in sys_imageblit+0x1c22/0x2600 drivers/video/fbdev/core/sysimgblt.c:326
Write of size 4 at addr ffffc90002ad9190 by task syz.0.802/17876
CPU: 0 PID: 17876 Comm: syz.0.802 Not tainted 6.10.0 #13
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x23d/0x360 lib/dump_stack.c:114
print_address_description+0x77/0x360 mm/kasan/report.c:377
print_report+0xfd/0x210 mm/kasan/report.c:488
kasan_report+0x13f/0x170 mm/kasan/report.c:601
fast_imageblit drivers/video/fbdev/core/sysimgblt.c:257 [inline]
sys_imageblit+0x1c22/0x2600 drivers/video/fbdev/core/sysimgblt.c:326
drm_fbdev_generic_defio_imageblit+0x2a/0xf0 drivers/gpu/drm/drm_fbdev_generic.c:37
bit_putcs+0x18a3/0x1d90
fbcon_putcs+0x34f/0x520 drivers/video/fbdev/core/fbcon.c:1288
con_putc drivers/tty/vt/vt.c:302 [inline]
complement_pos+0x3f4/0xa70 drivers/tty/vt/vt.c:757
highlight_pointer drivers/tty/vt/selection.c:63 [inline]
clear_selection+0x17/0x70 drivers/tty/vt/selection.c:85
hide_cursor+0x80/0x480 drivers/tty/vt/vt.c:844
redraw_screen+0x1d7/0xe70 drivers/tty/vt/vt.c:948
fbcon_blank+0x61f/0xae0 drivers/video/fbdev/core/fbcon.c:2231
do_unblank_screen+0x294/0x760 drivers/tty/vt/vt.c:4563
unblank_screen drivers/tty/vt/vt.c:4582 [inline]
tioclinux+0x186/0x4c0 drivers/tty/vt/vt.c:3357
vt_ioctl+0x9d4/0x2060 drivers/tty/vt/vt_ioctl.c:761
tty_ioctl+0x906/0xdb0 drivers/tty/tty_io.c:2803
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xfe/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x7e/0x150 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x67/0x6f
RIP: 0033:0x7f77eff809b9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f77f0e57038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f77f0145f80 RCX: 00007f77eff809b9
RDX: 0000000020000580 RSI: 000000000000541c RDI: 0000000000000018
RBP: 00007f77efff4f70 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f77f0145f80 R15: 00007ffd3ddd4628
</TASK>
Memory state around the buggy address:
ffffc90002ad9080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc90002ad9100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffffc90002ad9180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
^
ffffc90002ad9200: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc90002ad9280: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================