Public bug reported:

The package linux-modules-extra-5.19.0-29-generic has a kernel module named vivid.ko for artificial v4l streams.

When I modprobe the vivid.ko module, an invalid operation is detected by ASAN, and the creation of the /dev/video0 device file fails.

The offending call is v4l_querymenu.
The offending operation is shift-out-of-bounds.

I tried this in a virtual machine of lunar (23.04), where the modprobe succeeded. But it fails on the real machine, running kinetic (22.10).

This is a kernel bug.

```
[ 6028.277644] vivid-000: using single planar format API
[ 6028.278261] Registered IR keymap rc-cec
[ 6028.278304] rc rc0: vivid-000-vid-cap0 as /devices/platform/vivid.0/rc/rc0
[ 6028.278329] input: vivid-000-vid-cap0 as /devices/platform/vivid.0/rc/rc0/input34
[ 6028.278395] vivid-000: CEC adapter cec0 registered for HDMI input 0
[ 6028.278420] vivid-000: V4L2 capture device registered as video3
[ 6028.278422] Registered IR keymap rc-cec
[ 6028.278433] rc rc1: vivid-000-vid-out0 as /devices/platform/vivid.0/rc/rc1
[ 6028.278451] input: vivid-000-vid-out0 as /devices/platform/vivid.0/rc/rc1/input35
[ 6028.278491] vivid-000: CEC adapter cec1 registered for HDMI output 0
[ 6028.278512] vivid-000: V4L2 output device registered as video4
[ 6028.278531] vivid-000: V4L2 capture device registered as vbi0, supports raw and sliced VBI
[ 6028.278550] vivid-000: V4L2 output device registered as vbi1, supports raw and sliced VBI
[ 6028.278571] vivid-000: V4L2 capture device registered as swradio0
[ 6028.278590] vivid-000: V4L2 receiver device registered as radio0
[ 6028.278609] vivid-000: V4L2 transmitter device registered as radio1
[ 6028.278628] vivid-000: V4L2 metadata capture device registered as video5
[ 6028.278649] vivid-000: V4L2 metadata output device registered as video6
[ 6028.278669] vivid-000: V4L2 touch capture device registered as v4l-touch0
[ 6028.302648] ================================================================================
[ 6028.302651] UBSAN: shift-out-of-bounds in /build/linux-qLbdtO/linux-5.19.0/drivers/media/v4l2-core/v4l2-ctrls-api.c:1102:35
[ 6028.302652] shift exponent 64 is too large for 64-bit type 'long long unsigned int'
[ 6028.302654] CPU: 4 PID: 2138 Comm: pipewire Not tainted 5.19.0-29-generic #30-Ubuntu
[ 6028.302656] Hardware name: ASUS System Product Name/PRIME Z690M-PLUS D4, BIOS 1008 01/13/2022
[ 6028.302656] Call Trace:
[ 6028.302657]  <TASK>
[ 6028.302659]  show_stack+0x4e/0x61
[ 6028.302663]  dump_stack_lvl+0x4a/0x6f
[ 6028.302665]  dump_stack+0x10/0x18
[ 6028.302666]  ubsan_epilogue+0x9/0x43
[ 6028.302668]  __ubsan_handle_shift_out_of_bounds.cold+0x61/0xef
[ 6028.302669]  ? mutex_lock+0x12/0x50
[ 6028.302673]  v4l2_querymenu.cold+0x24/0x39 [videodev]
[ 6028.302681]  v4l_querymenu+0x81/0xa0 [videodev]
[ 6028.302686]  __video_do_ioctl+0x1e7/0x590 [videodev]
[ 6028.302691]  video_usercopy+0x14b/0x730 [videodev]
[ 6028.302696]  ? video_get_user.constprop.0+0x1d0/0x1d0 [videodev]
[ 6028.302700]  video_ioctl2+0x15/0x30 [videodev]
[ 6028.302705]  v4l2_ioctl+0x69/0xb0 [videodev]
[ 6028.302709]  __x64_sys_ioctl+0x9d/0xe0
[ 6028.302711]  do_syscall_64+0x58/0x90
[ 6028.302712]  ? do_syscall_64+0x67/0x90
[ 6028.302712]  ? do_syscall_64+0x67/0x90
[ 6028.302713]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 6028.302715] RIP: 0033:0x7f8631712d8f
[ 6028.302717] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 18 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 6028.302717] RSP: 002b:00007ffd35484ed0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 6028.302719] RAX: ffffffffffffffda RBX: 0000000000000400 RCX: 00007f8631712d8f
[ 6028.302720] RDX: 00007ffd35485050 RSI: ffffffffc02c5625 RDI: 0000000000000032
[ 6028.302720] RBP: 000000000000000b R08: 0000000000000a58 R09: 000000000000000b
[ 6028.302721] R10: 000000080000000c R11: 0000000000000246 R12: 00007ffd35485058
[ 6028.302721] R13: 00007ffd35485050 R14: 000055959cc26a48 R15: 0000000000000032
[ 6028.302723]  </TASK>
[ 6028.302724] ================================================================================
```

ProblemType: Bug
DistroRelease: Ubuntu 22.10
Package: linux-modules-extra-5.19.0-29-generic 5.19.0-29.30
ProcVersionSignature: Ubuntu 5.19.0-29.30-generic 5.19.17
Uname: Linux 5.19.0-29-generic x86_64
ApportVersion: 2.23.1-0ubuntu3
Architecture: amd64
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC1: stolk 2160 F.... wireplumber
 /dev/snd/controlC0: stolk 2160 F.... wireplumber
 /dev/snd/seq: stolk 2138 F.... pipewire
CRDA: N/A
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Tue Jan 17 10:12:44 2023
Dependencies:
 linux-modules-5.19.0-29-generic 5.19.0-29.30
 wireless-regdb 2022.06.06-0ubuntu1
InstallationDate: Installed on 2022-08-26 (144 days ago)
InstallationMedia: Ubuntu 22.10 "Kinetic Kudu" - Alpha amd64 (20220825)
MachineType: ASUS System Product Name
ProcFB: 0 i915drmfb
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-5.19.0-29-generic root=/dev/mapper/vgubuntu-root ro quiet splash intel_pstate=passive eisa_bus.disable_dev=1,2,3,4,5,6,7,8 vt.handoff=7
RelatedPackageVersions:
 linux-restricted-modules-5.19.0-29-generic N/A
 linux-backports-modules-5.19.0-29-generic N/A
 linux-firmware 20220923.gitf09bebf3-0ubuntu1.3
RfKill:
SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 01/13/2022
dmi.bios.release: 10.8
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: 1008
dmi.board.asset.tag: Default string
dmi.board.name: PRIME Z690M-PLUS D4
dmi.board.vendor: ASUSTeK COMPUTER INC.
dmi.board.version: Rev 1.xx
dmi.chassis.asset.tag: Default string
dmi.chassis.type: 3
dmi.chassis.vendor: Default string
dmi.chassis.version: Default string
dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr1008:bd01/13/2022:br10.8:svnASUS:pnSystemProductName:pvrSystemVersion:rvnASUSTeKCOMPUTERINC.:rnPRIMEZ690M-PLUSD4:rvrRev1.xx:cvnDefaultstring:ct3:cvrDefaultstring:skuSKU:
dmi.product.family: To be filled by O.E.M.
dmi.product.name: System Product Name
dmi.product.sku: SKU
dmi.product.version: System Version
dmi.sys.vendor: ASUS

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: Confirmed

** Tags: amd64 apport-bug kinetic wayland-session

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2003111

Title:
  ASAN catches bug in v4l kernel module.
Status in linux package in Ubuntu:
  Confirmed
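A triage helper for reports like the one above, added here as an example and not part of the original bug report or of any Ubuntu or kernel tooling: it extracts the UBSAN check name, source location, triggering process and the first stack frames below the sanitizer runtime from dmesg text. The sample is an excerpt of the log quoted in the report; the function name `parse_ubsan` and its field names are this example's own.

```python
import re

# Excerpt of the kernel log quoted in the bug report (not the full trace).
SAMPLE = """\
[ 6028.302648] ================================================================================
[ 6028.302651] UBSAN: shift-out-of-bounds in /build/linux-qLbdtO/linux-5.19.0/drivers/media/v4l2-core/v4l2-ctrls-api.c:1102:35
[ 6028.302652] shift exponent 64 is too large for 64-bit type 'long long unsigned int'
[ 6028.302654] CPU: 4 PID: 2138 Comm: pipewire Not tainted 5.19.0-29-generic #30-Ubuntu
[ 6028.302656] Call Trace:
[ 6028.302659]  show_stack+0x4e/0x61
[ 6028.302668]  __ubsan_handle_shift_out_of_bounds.cold+0x61/0xef
[ 6028.302669]  ? mutex_lock+0x12/0x50
[ 6028.302673]  v4l2_querymenu.cold+0x24/0x39 [videodev]
[ 6028.302681]  v4l_querymenu+0x81/0xa0 [videodev]
[ 6028.302724] ================================================================================
"""

STAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")
HEAD = re.compile(r"^UBSAN: (?P<kind>\S+) in (?P<file>\S+?):(?P<line>\d+):(?P<col>\d+)$")
TASK = re.compile(r"PID: (?P<pid>\d+) Comm: (?P<comm>\S+)")
# Anchored at line start, so unreliable "? symbol" frames are skipped.
FRAME = re.compile(r"^(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(?P<mod>\w+)\])?$")
# Frames of the stack dumper / sanitizer runtime, not of the faulting code.
REPORTING = ("show_stack", "dump_stack", "ubsan_epilogue", "__ubsan_handle_")


def parse_ubsan(log):
    """Return one dict per UBSAN report found in dmesg-style text."""
    reports, cur = [], None
    for raw in log.splitlines():
        line = STAMP.sub("", raw).strip()
        m = HEAD.match(line)
        if m:
            cur = {**m.groupdict(), "detail": None, "pid": None, "comm": None, "frames": []}
            reports.append(cur)
        elif cur is None:
            continue
        elif line and set(line) == {"="}:      # closing ==== delimiter
            cur = None
        elif cur["detail"] is None:            # line right after the header
            cur["detail"] = line
        elif (t := TASK.search(line)):
            cur["pid"], cur["comm"] = int(t["pid"]), t["comm"]
        elif (f := FRAME.match(line)) and not f["sym"].startswith(REPORTING):
            # Drop compiler suffixes such as ".cold" from the symbol name.
            cur["frames"].append((f["sym"].split(".")[0], f["mod"]))
    return reports
```
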