Bug 2216874
| Summary: | BUG: KASAN: global-out-of-bounds in nct6775_core module in kernel 6.3.8 | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Andrew <travneff> |
| Component: | kernel | Assignee: | Kernel Maintainer List <kernel-maint> |
| Status: | NEW --- | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 38 | CC: | acaringi, adscvr, airlied, alciregi, bskeggs, hdegoede, hpa, jarodwilson, josef, kernel-maint, lgoncalv, linville, masami256, mchehab, ptalbert, steved, travneff |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | --- |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |
Description

Andrew 2023-06-22 23:53:29 UTC
6.3.12-200.fc38.x86_64+debug still affected:
```
BUG: KASAN: global-out-of-bounds in nct6775_update_device+0x352f/0x3700 [nct6775_core]
Read of size 1 at addr ffffffffc1128e86 by task sensors/1322

CPU: 7 PID: 1322 Comm: sensors Not tainted 6.3.12-200.fc38.x86_64+debug #1
Hardware name: ASUS System Product Name/TUF GAMING B550M-PLUS, BIOS 2423 08/10/2021
Call Trace:
 <TASK>
 dump_stack_lvl+0x76/0xd0
 print_report+0xcf/0x670
 ? nct6775_update_device+0x352f/0x3700 [nct6775_core]
 ? nct6775_update_device+0x352f/0x3700 [nct6775_core]
 kasan_report+0xa8/0xe0
 ? nct6775_update_device+0x352f/0x3700 [nct6775_core]
 nct6775_update_device+0x352f/0x3700 [nct6775_core]
 ? lock_acquire+0x1a4/0x4f0
 ? __pfx_nct6775_update_device+0x10/0x10 [nct6775_core]
 show_temp_label+0x1c/0x130 [nct6775_core]
 dev_attr_show+0x43/0xc0
 ? sysfs_file_ops+0x11b/0x170
 sysfs_kf_seq_show+0x1f1/0x3b0
 seq_read_iter+0x40d/0x11c0
 ? fsnotify_perm.part.0+0x146/0x4e0
 vfs_read+0x5c0/0x860
 ? __pfx_vfs_read+0x10/0x10
 ? __pfx___do_sys_newfstatat+0x10/0x10
 ? __fget_light+0x51/0x230
 ksys_read+0x10a/0x1e0
 ? __pfx_ksys_read+0x10/0x10
 ? syscall_enter_from_user_mode+0x26/0x90
 do_syscall_64+0x5d/0x90
 ? do_syscall_64+0x6c/0x90
 ? lockdep_hardirqs_on+0x81/0x110
 ? do_syscall_64+0x6c/0x90
 ? do_syscall_64+0x6c/0x90
 ? do_syscall_64+0x6c/0x90
 ? lockdep_hardirqs_on+0x81/0x110
 ? do_syscall_64+0x6c/0x90
 ? lockdep_hardirqs_on+0x81/0x110
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7f7add6b30c1
Code: d5 fe ff ff 55 48 8d 3d 15 47 0a 00 48 89 e5 e8 b5 18 02 00 0f 1f 44 00 00 f3 0f 1e fa 80 3d 1d b5 0d 00 00 74 13 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 4f c3 66 0f 1f 44 00 00 55 48 89 e5 48 83 ec
RSP: 002b:00007ffc93ea5428 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000055e1eb22f2c0 RCX: 00007f7add6b30c1
RDX: 0000000000001000 RSI: 00007ffc93ea54f0 RDI: 0000000000000003
RBP: 00007ffc93ea5480 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000003 R11: 0000000000000246 R12: 00007ffc93ea54f0
R13: 0000000000001000 R14: 0000000000000a68 R15: 00007f7add782d60
 </TASK>

The buggy address belongs to the variable:
 NCT6776_REG_PWM_MODE+0x6/0xffffffffffffa180 [nct6775_core]

Memory state around the buggy address:
 ffffffffc1128d80: 00 04 f9 f9 f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9
 ffffffffc1128e00: 00 06 f9 f9 f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9
>ffffffffc1128e80: 06 f9 f9 f9 f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9
                   ^
 ffffffffc1128f00: 00 00 00 00 f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9
 ffffffffc1128f80: 00 00 00 00 f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9
==================================================================
Disabling lock debugging due to kernel taint
```
Might be related somehow: bug# 2223090 bug# 2212779