Bug 2216874

| Field | Value |
|---|---|
| Summary | BUG: KASAN: global-out-of-bounds in nct6775_core module in kernel 6.3.8 |
| Product | Fedora |
| Reporter | Andrew <travneff> |
| Component | kernel |
| Assignee | Kernel Maintainer List <kernel-maint> |
| Status | CLOSED EOL |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified |
| Docs Contact | |
| Priority | unspecified |
| Version | 38 |
| CC | acaringi, adscvr, airlied, alciregi, bskeggs, hdegoede, hpa, jarodwilson, josef, kernel-maint, lgoncalv, linville, masami256, mchehab, ptalbert, steved, travneff |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | --- |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2024-05-28 13:13:07 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Attachments | |
Description (Andrew, 2023-06-22 23:53:29 UTC)
6.3.12-200.fc38.x86_64+debug still affected:

```
BUG: KASAN: global-out-of-bounds in nct6775_update_device+0x352f/0x3700 [nct6775_core]
Read of size 1 at addr ffffffffc1128e86 by task sensors/1322

CPU: 7 PID: 1322 Comm: sensors Not tainted 6.3.12-200.fc38.x86_64+debug #1
Hardware name: ASUS System Product Name/TUF GAMING B550M-PLUS, BIOS 2423 08/10/2021
Call Trace:
 <TASK>
 dump_stack_lvl+0x76/0xd0
 print_report+0xcf/0x670
 ? nct6775_update_device+0x352f/0x3700 [nct6775_core]
 ? nct6775_update_device+0x352f/0x3700 [nct6775_core]
 kasan_report+0xa8/0xe0
 ? nct6775_update_device+0x352f/0x3700 [nct6775_core]
 nct6775_update_device+0x352f/0x3700 [nct6775_core]
 ? lock_acquire+0x1a4/0x4f0
 ? __pfx_nct6775_update_device+0x10/0x10 [nct6775_core]
 show_temp_label+0x1c/0x130 [nct6775_core]
 dev_attr_show+0x43/0xc0
 ? sysfs_file_ops+0x11b/0x170
 sysfs_kf_seq_show+0x1f1/0x3b0
 seq_read_iter+0x40d/0x11c0
 ? fsnotify_perm.part.0+0x146/0x4e0
 vfs_read+0x5c0/0x860
 ? __pfx_vfs_read+0x10/0x10
 ? __pfx___do_sys_newfstatat+0x10/0x10
 ? __fget_light+0x51/0x230
 ksys_read+0x10a/0x1e0
 ? __pfx_ksys_read+0x10/0x10
 ? syscall_enter_from_user_mode+0x26/0x90
 do_syscall_64+0x5d/0x90
 ? do_syscall_64+0x6c/0x90
 ? lockdep_hardirqs_on+0x81/0x110
 ? do_syscall_64+0x6c/0x90
 ? do_syscall_64+0x6c/0x90
 ? do_syscall_64+0x6c/0x90
 ? lockdep_hardirqs_on+0x81/0x110
 ? do_syscall_64+0x6c/0x90
 ? lockdep_hardirqs_on+0x81/0x110
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7f7add6b30c1
Code: d5 fe ff ff 55 48 8d 3d 15 47 0a 00 48 89 e5 e8 b5 18 02 00 0f 1f 44 00 00 f3 0f 1e fa 80 3d 1d b5 0d 00 00 74 13 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 4f c3 66 0f 1f 44 00 00 55 48 89 e5 48 83 ec
RSP: 002b:00007ffc93ea5428 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000055e1eb22f2c0 RCX: 00007f7add6b30c1
RDX: 0000000000001000 RSI: 00007ffc93ea54f0 RDI: 0000000000000003
RBP: 00007ffc93ea5480 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000003 R11: 0000000000000246 R12: 00007ffc93ea54f0
R13: 0000000000001000 R14: 0000000000000a68 R15: 00007f7add782d60
 </TASK>

The buggy address belongs to the variable:
 NCT6776_REG_PWM_MODE+0x6/0xffffffffffffa180 [nct6775_core]

Memory state around the buggy address:
 ffffffffc1128d80: 00 04 f9 f9 f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9
 ffffffffc1128e00: 00 06 f9 f9 f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9
>ffffffffc1128e80: 06 f9 f9 f9 f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9
                   ^
 ffffffffc1128f00: 00 00 00 00 f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9
 ffffffffc1128f80: 00 00 00 00 f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9
==================================================================
Disabling lock debugging due to kernel taint
```
Might be related somehow: bug# 2223090 bug# 2212779

Still present on 6.4.15-200.fc38.x86_64+debug :

```
==================================================================
BUG: KASAN: global-out-of-bounds in nct6775_update_device+0x352f/0x3700 [nct6775_core]
Read of size 1 at addr ffffffffc16a8e86 by task sensors/1322

CPU: 6 PID: 1322 Comm: sensors Not tainted 6.4.15-200.fc38.x86_64+debug #1
Hardware name: ASUS System Product Name/TUF GAMING B550M-PLUS, BIOS 2423 08/10/2021
Call Trace:
 <TASK>
 dump_stack_lvl+0x76/0xd0
 print_report+0xcf/0x670
 ? nct6775_update_device+0x352f/0x3700 [nct6775_core]
 ? nct6775_update_device+0x352f/0x3700 [nct6775_core]
 kasan_report+0xa8/0xe0
 ? nct6775_update_device+0x352f/0x3700 [nct6775_core]
 nct6775_update_device+0x352f/0x3700 [nct6775_core]
 ? __pfx_nct6775_update_device+0x10/0x10 [nct6775_core]
 show_temp_label+0x1c/0x130 [nct6775_core]
 dev_attr_show+0x43/0xc0
 ? sysfs_file_ops+0x11b/0x170
 sysfs_kf_seq_show+0x1f1/0x3b0
 seq_read_iter+0x40d/0x11c0
 ? fsnotify_perm.part.0+0x146/0x4e0
 vfs_read+0x44e/0x850
 ? __pfx_vfs_read+0x10/0x10
 ? __fget_light+0x51/0x230
 ksys_read+0x10a/0x1e0
 ? __pfx_ksys_read+0x10/0x10
 ? syscall_enter_from_user_mode+0x26/0x90
 do_syscall_64+0x5d/0x90
 ? do_syscall_64+0x6c/0x90
 ? do_syscall_64+0x6c/0x90
 ? lockdep_hardirqs_on+0x81/0x110
 ? do_syscall_64+0x6c/0x90
 ? do_syscall_64+0x6c/0x90
 ? do_syscall_64+0x6c/0x90
 ? do_syscall_64+0x6c/0x90
 ? lockdep_hardirqs_on+0x81/0x110
 ? do_syscall_64+0x6c/0x90
 ? asm_exc_page_fault+0x26/0x30
 ? lockdep_hardirqs_on+0x81/0x110
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7f8ae701b0c1
Code: d5 fe ff ff 55 48 8d 3d 15 47 0a 00 48 89 e5 e8 b5 18 02 00 0f 1f 44 00 00 f3 0f 1e fa 80 3d 1d b5 0d 00 00 74 13 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 4f c3 66 0f 1f 44 00 00 55 48 89 e5 48 83 ec
RSP: 002b:00007ffe91b1a688 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000055f2ced342c0 RCX: 00007f8ae701b0c1
RDX: 0000000000001000 RSI: 00007ffe91b1a750 RDI: 0000000000000003
RBP: 00007ffe91b1a6e0 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000003 R11: 0000000000000246 R12: 00007ffe91b1a750
R13: 0000000000001000 R14: 0000000000000a68 R15: 00007f8ae70ead60
 </TASK>

The buggy address belongs to the variable:
 NCT6776_REG_PWM_MODE+0x6/0xfffffffffff69180 [nct6775_core]

Memory state around the buggy address:
 ffffffffc16a8d80: 00 04 f9 f9 f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9
 ffffffffc16a8e00: 00 06 f9 f9 f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9
>ffffffffc16a8e80: 06 f9 f9 f9 f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9
                   ^
 ffffffffc16a8f00: 00 00 00 00 f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9
 ffffffffc16a8f80: 00 00 00 00 f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9
==================================================================
Disabling lock debugging due to kernel taint
```
Fedora Linux 38 entered end-of-life (EOL) status on 2024-05-21. Fedora Linux 38 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora Linux please feel free to reopen this bug against that version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see the version field. If you are unable to reopen this bug, please file a new report against an active release. Thank you for reporting this bug and we are sorry it could not be fixed.