Did some simple debugging on fbterm just now, and I found out that
the kernel oopses when fbterm is running `Screen::move()`
(<https://github.com/sfzhi/fbterm/blob/master/src/screen.cpp#L146>).
The most suspicious function inside is setupOffset(), which calls an
ioctl(), setting yoffset:
```cpp
void FbDev::setupOffset()
{
	// pan the visible area down to the current scroll offset
	vinfo.yoffset = mOffsetCur;
	ioctl(fbdev_fd, FBIOPAN_DISPLAY, &vinfo);
}
```
And the "yoffset" may be used in `src_ptr` as `par->fb_y` in
vmw_fb_dirty_flush():
```c
	if (w && h) {
		dst_ptr = (u8 *)virtual +
			(dst_y1 * par->set_fb->pitches[0] + dst_x1 * cpp);
		src_ptr = (u8 *)par->vmalloc +
			((dst_y1 + par->fb_y) * info->fix.line_length +
			 (dst_x1 + par->fb_x) * cpp);

		while (h-- > 0) {
			memcpy(dst_ptr, src_ptr, w*cpp);
			dst_ptr += par->set_fb->pitches[0];
			src_ptr += info->fix.line_length;
		}
		// ...
```
(so it is an out-of-bounds read for real?)
On 1/25/23 18:18, Keyu Tao wrote:
Source: linux
Severity: normal
X-Debbugs-Cc: taok...@outlook.com
Dear Maintainer,
It seems that fbterm triggers an out-of-bounds memory write (memcpy) when vmwgfx
loads.
Dmesg oops message:
[ 214.780971] BUG: unable to handle page fault for address: ffffae3dc1171000
[ 214.781348] #PF: supervisor write access in kernel mode
[ 214.781691] #PF: error_code(0x0002) - not-present page
[ 214.782130] PGD 1000067 P4D 1000067 PUD 11b3067 PMD 2427067 PTE 0
[ 214.782610] Oops: 0002 [#1] SMP PTI
[ 214.783069] CPU: 0 PID: 372 Comm: kworker/0:4 Kdump: loaded Not tainted 5.10.0-21-amd64 #1 Debian 5.10.162-1
[ 214.783902] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/22/2020
[ 214.784694] Workqueue: events vmw_fb_dirty_flush [vmwgfx]
[ 214.785153] RIP: 0010:memcpy_orig+0x29/0x123
[ 214.785765] Code: 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe 7c 35 48 83 ea 20 48 83 ea 20 4c 8b 06 4c 8b 4e 08 4c 8b 56 10 4c 8b 5e 18 48 8d 76 20 <4c> 89 07 4c 89 4f 08 4c 89 57 10 4c 89 5f 18 48 8d 7f 20 73 d4 83
[ 214.787323] RSP: 0018:ffffae3dc0807e00 EFLAGS: 00010202
[ 214.787721] RAX: ffffae3dc1170c00 RBX: ffff9f70f41c9000 RCX: 0000000000000c80
[ 214.788147] RDX: 0000000000000840 RSI: ffffae3dc0e93a20 RDI: ffffae3dc1171000
[ 214.788553] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 214.788983] R10: 0000000000000000 R11: 0000000000000000 R12: ffffae3dc0e93600
[ 214.789386] R13: ffff9f70f41c94e8 R14: ffff9f70e2c56400 R15: 0000000000000c80
[ 214.790137] FS: 0000000000000000(0000) GS:ffff9f7111800000(0000) knlGS:0000000000000000
[ 214.790680] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 214.791290] CR2: ffffae3dc1171000 CR3: 000000002360a003 CR4: 00000000003706f0
[ 214.791729] Call Trace:
[ 214.792302] vmw_fb_dirty_flush+0x247/0x350 [vmwgfx]
[ 214.792777] process_one_work+0x1b3/0x350
[ 214.793187] worker_thread+0x53/0x3e0
[ 214.793626] ? process_one_work+0x350/0x350
[ 214.794045] kthread+0x118/0x140
[ 214.794448] ? __kthread_bind_mask+0x60/0x60
[ 214.794871] ret_from_fork+0x1f/0x30
[ 214.795260] Modules linked in: xt_conntrack xt_MASQUERADE
nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo xt_addrtype iptable_filter
iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter
bridge stp llc intel_rapl_msr intel_rapl_common intel_pmc_core kvm_intel kvm
irqbypass rapl overlay vmw_balloon btusb btrtl btbcm joydev btintel pcspkr
serio_raw bluetooth snd_ens1371 snd_ac97_codec ac97_bus gameport snd_rawmidi
snd_seq_device jitterentropy_rng snd_pcm snd_timer drbg ansi_cprng snd
ecdh_generic rfkill soundcore ecc sg vsock_loopback
vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock vmw_vmci ac
evdev binfmt_misc parport_pc ppdev nfsd configfs fuse lp parport auth_rpcgss
nfs_acl lockd grace sunrpc ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2
btrfs blake2b_generic raid10 raid456 async_raid6_recov async_memcpy async_pq
async_xor async_tx xor raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath
linear md_mod dm_mirror dm_region_hash dm_log dm_mod
[ 214.795316] hid_generic usbhid hid sd_mod t10_pi crc_t10dif
crct10dif_generic crct10dif_pclmul crct10dif_common crc32_pclmul crc32c_intel
sr_mod cdrom ghash_clmulni_intel ata_generic vmwgfx aesni_intel xhci_pci libaes
crypto_simd ttm cryptd ata_piix glue_helper drm_kms_helper cec xhci_hcd
ehci_pci drm uhci_hcd mptspi mptscsih ehci_hcd mptbase libata psmouse
scsi_transport_spi usbcore e1000 usb_common scsi_mod i2c_piix4 button
[ 214.803260] CR2: ffffae3dc1171000
[ 214.803722] ---[ end trace d0b2266ea0877554 ]---
[ 214.804283] RIP: 0010:memcpy_orig+0x29/0x123
[ 214.804727] Code: 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe 7c 35 48 83 ea 20 48 83 ea 20 4c 8b 06 4c 8b 4e 08 4c 8b 56 10 4c 8b 5e 18 48 8d 76 20 <4c> 89 07 4c 89 4f 08 4c 89 57 10 4c 89 5f 18 48 8d 7f 20 73 d4 83
[ 214.806126] RSP: 0018:ffffae3dc0807e00 EFLAGS: 00010202
[ 214.806585] RAX: ffffae3dc1170c00 RBX: ffff9f70f41c9000 RCX: 0000000000000c80
[ 214.807069] RDX: 0000000000000840 RSI: ffffae3dc0e93a20 RDI: ffffae3dc1171000
[ 214.807549] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 214.808025] R10: 0000000000000000 R11: 0000000000000000 R12: ffffae3dc0e93600
[ 214.808658] R13: ffff9f70f41c94e8 R14: ffff9f70e2c56400 R15: 0000000000000c80
[ 214.809137] FS: 0000000000000000(0000) GS:ffff9f7111800000(0000) knlGS:0000000000000000
[ 214.809596] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 214.810078] CR2: ffffae3dc1171000 CR3: 000000002360a003 CR4: 00000000003706f0
How to reproduce:
1. sudo apt install fbterm
2. Switch to TTY (such as tty1), and run fbterm by users with read and write
permission to /dev/fb0
3. Run fbterm, and hold Enter for a few seconds (to make it scroll)
4. Oops!
-- System Information:
Debian Release: 11.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-21-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_DIE
Locale: LANG=en_US.UTF-8, LC_CTYPE=zh_CN.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
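To make the address arithmetic in the quoted vmw_fb_dirty_flush() snippet concrete, here is an added example (not kernel or fbterm code) that models the source and destination offsets the row loop computes and adds the two checks a driver would want: that the dirty rectangle stays inside both buffers once the pan offset (fb_y, set via FBIOPAN_DISPLAY yoffset) is applied, and that a requested yoffset fits the virtual height. The struct, buffer sizes and pixel values are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the fields the quoted snippet reads; not the kernel's layout. */
struct fb_model {
	size_t line_length;   /* info->fix.line_length: bytes per row of the shadow buffer */
	size_t src_size;      /* bytes in par->vmalloc (the shadow buffer) */
	size_t dst_pitch;     /* par->set_fb->pitches[0]: bytes per row of the target */
	size_t dst_size;      /* bytes in the mapped target buffer */
	unsigned cpp;         /* bytes per pixel */
	unsigned fb_x, fb_y;  /* pan offset applied to the source address */
};

/* Check the requested pan against the virtual height (the rule fbdev uses:
 * the visible window must fit below yoffset). */
bool pan_offset_valid(unsigned yoffset, unsigned yres, unsigned yres_virtual)
{
	if (yres > yres_virtual)
		return false;
	return yoffset <= yres_virtual - yres;
}

/* True when every byte the row loop would touch lies inside both buffers.
 * Last byte touched = start of the last row + w*cpp, mirroring the memcpy loop. */
bool dirty_rect_in_bounds(const struct fb_model *m,
			  unsigned dst_x1, unsigned dst_y1, unsigned w, unsigned h)
{
	if (w == 0 || h == 0)
		return true;  /* the snippet copies nothing in that case */
	size_t dst_end = (size_t)(dst_y1 + h - 1) * m->dst_pitch
		       + (size_t)(dst_x1 + w) * m->cpp;
	size_t src_end = (size_t)(dst_y1 + m->fb_y + h - 1) * m->line_length
		       + (size_t)(dst_x1 + m->fb_x + w) * m->cpp;
	return dst_end <= m->dst_size && src_end <= m->src_size;
}

int main(void)
{
	/* Constructed 800x600, 32bpp screen whose shadow buffer holds exactly one screen. */
	struct fb_model m = { 3200, 3200 * 600, 3200, 3200 * 600, 4, 0, 0 };
	for (unsigned y = 0; y <= 2; y++) {
		m.fb_y = y;
		printf("fb_y=%u full-screen flush in bounds: %s, pan valid: %s\n", y,
		       dirty_rect_in_bounds(&m, 0, 0, 800, 600) ? "yes" : "no",
		       pan_offset_valid(y, 600, 600) ? "yes" : "no");
	}
	return 0;
}
```

With a shadow buffer sized for a single screen, any non-zero pan makes the full-screen flush read past the end of the source, which is exactly the situation a scroll in fbterm (yoffset = mOffsetCur) creates.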