
Bug#1029602: vmwgfx: kernel oops when using fbterm in vmware



Did some simple debugging on fbterm just now, and I found out that the kernel oopses when fbterm runs `Screen::move()` (<https://github.com/sfzhi/fbterm/blob/master/src/screen.cpp#L146>)

The most suspicious function inside is setupOffset(), which calls an ioctl(), setting yoffset:

```cpp
void FbDev::setupOffset()
{
	// mOffsetCur is the row fbterm has scrolled to; it is handed to the
	// driver unchanged as the pan offset.
	vinfo.yoffset = mOffsetCur;
	ioctl(fbdev_fd, FBIOPAN_DISPLAY, &vinfo);
}
```

And the "yoffset" may be used in `src_ptr` as `par->fb_y` in vmw_fb_dirty_flush():

```c
if (w && h) {
	dst_ptr = (u8 *)virtual  +
		(dst_y1 * par->set_fb->pitches[0] + dst_x1 * cpp);
	/* par->fb_y is the yoffset stored by the pan ioctl; nothing here
	 * checks that (dst_y1 + par->fb_y + h) rows still fit the buffer. */
	src_ptr = (u8 *)par->vmalloc +
		((dst_y1 + par->fb_y) * info->fix.line_length +
			(dst_x1 + par->fb_x) * cpp);

	while (h-- > 0) {
		memcpy(dst_ptr, src_ptr, w*cpp);
		dst_ptr += par->set_fb->pitches[0];
		src_ptr += info->fix.line_length;
	}

// ...
```

(so it is an out-of-bounds read for real?)

On 1/25/23 18:18, Keyu Tao wrote:
Source: linux
Severity: normal
X-Debbugs-Cc: taoky99@outlook.com

Dear Maintainer,

It seems that fbterm triggers an out-of-bounds memory write (memcpy) when vmwgfx loads.

Dmesg oops message:

[  214.780971] BUG: unable to handle page fault for address: ffffae3dc1171000
[  214.781348] #PF: supervisor write access in kernel mode
[  214.781691] #PF: error_code(0x0002) - not-present page
[  214.782130] PGD 1000067 P4D 1000067 PUD 11b3067 PMD 2427067 PTE 0
[  214.782610] Oops: 0002 [#1] SMP PTI
[  214.783069] CPU: 0 PID: 372 Comm: kworker/0:4 Kdump: loaded Not tainted 5.10.0-21-amd64 #1 Debian 5.10.162-1
[  214.783902] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/22/2020
[  214.784694] Workqueue: events vmw_fb_dirty_flush [vmwgfx]
[  214.785153] RIP: 0010:memcpy_orig+0x29/0x123
[  214.785765] Code: 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe 7c 35 48 83 ea 20 48 83 ea 20 4c 8b 06 4c 8b 4e 08 4c 8b 56 10 4c 8b 5e 18 48 8d 76 20 <4c> 89 07 4c 89 4f 08 4c 89 57 10 4c 89 5f 18 48 8d 7f 20 73 d4 83
[  214.787323] RSP: 0018:ffffae3dc0807e00 EFLAGS: 00010202
[  214.787721] RAX: ffffae3dc1170c00 RBX: ffff9f70f41c9000 RCX: 0000000000000c80
[  214.788147] RDX: 0000000000000840 RSI: ffffae3dc0e93a20 RDI: ffffae3dc1171000
[  214.788553] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[  214.788983] R10: 0000000000000000 R11: 0000000000000000 R12: ffffae3dc0e93600
[  214.789386] R13: ffff9f70f41c94e8 R14: ffff9f70e2c56400 R15: 0000000000000c80
[  214.790137] FS:  0000000000000000(0000) GS:ffff9f7111800000(0000) knlGS:0000000000000000
[  214.790680] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  214.791290] CR2: ffffae3dc1171000 CR3: 000000002360a003 CR4: 00000000003706f0
[  214.791729] Call Trace:
[  214.792302]  vmw_fb_dirty_flush+0x247/0x350 [vmwgfx]
[  214.792777]  process_one_work+0x1b3/0x350
[  214.793187]  worker_thread+0x53/0x3e0
[  214.793626]  ? process_one_work+0x350/0x350
[  214.794045]  kthread+0x118/0x140
[  214.794448]  ? __kthread_bind_mask+0x60/0x60
[  214.794871]  ret_from_fork+0x1f/0x30
[  214.795260] Modules linked in: xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo xt_addrtype iptable_filter iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter bridge stp llc intel_rapl_msr intel_rapl_common intel_pmc_core kvm_intel kvm irqbypass rapl overlay vmw_balloon btusb btrtl btbcm joydev btintel pcspkr serio_raw bluetooth snd_ens1371 snd_ac97_codec ac97_bus gameport snd_rawmidi snd_seq_device jitterentropy_rng snd_pcm snd_timer drbg ansi_cprng snd ecdh_generic rfkill soundcore ecc sg vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock vmw_vmci ac evdev binfmt_misc parport_pc ppdev nfsd configfs fuse lp parport auth_rpcgss nfs_acl lockd grace sunrpc ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 btrfs blake2b_generic raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath linear md_mod dm_mirror dm_region_hash dm_log dm_mod
[  214.795316]  hid_generic usbhid hid sd_mod t10_pi crc_t10dif crct10dif_generic crct10dif_pclmul crct10dif_common crc32_pclmul crc32c_intel sr_mod cdrom ghash_clmulni_intel ata_generic vmwgfx aesni_intel xhci_pci libaes crypto_simd ttm cryptd ata_piix glue_helper drm_kms_helper cec xhci_hcd ehci_pci drm uhci_hcd mptspi mptscsih ehci_hcd mptbase libata psmouse scsi_transport_spi usbcore e1000 usb_common scsi_mod i2c_piix4 button
[  214.803260] CR2: ffffae3dc1171000
[  214.803722] ---[ end trace d0b2266ea0877554 ]---
[  214.804283] RIP: 0010:memcpy_orig+0x29/0x123
[  214.804727] Code: 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe 7c 35 48 83 ea 20 48 83 ea 20 4c 8b 06 4c 8b 4e 08 4c 8b 56 10 4c 8b 5e 18 48 8d 76 20 <4c> 89 07 4c 89 4f 08 4c 89 57 10 4c 89 5f 18 48 8d 7f 20 73 d4 83
[  214.806126] RSP: 0018:ffffae3dc0807e00 EFLAGS: 00010202
[  214.806585] RAX: ffffae3dc1170c00 RBX: ffff9f70f41c9000 RCX: 0000000000000c80
[  214.807069] RDX: 0000000000000840 RSI: ffffae3dc0e93a20 RDI: ffffae3dc1171000
[  214.807549] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[  214.808025] R10: 0000000000000000 R11: 0000000000000000 R12: ffffae3dc0e93600
[  214.808658] R13: ffff9f70f41c94e8 R14: ffff9f70e2c56400 R15: 0000000000000c80
[  214.809137] FS:  0000000000000000(0000) GS:ffff9f7111800000(0000) knlGS:0000000000000000
[  214.809596] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  214.810078] CR2: ffffae3dc1171000 CR3: 000000002360a003 CR4: 00000000003706f0

How to reproduce:

1. sudo apt install fbterm
2. Switch to a TTY (such as tty1) as a user with read and write permission on /dev/fb0
3. Run fbterm, and hold Enter for a few seconds (to make it scroll)
4. Oops!


-- System Information:
Debian Release: 11.6
   APT prefers stable-updates
   APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-21-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_DIE
Locale: LANG=en_US.UTF-8, LC_CTYPE=zh_CN.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
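The flush loop quoted at the top of this reply trusts the pan offset that FBIOPAN_DISPLAY stored in `par->fb_y` and copies `h` rows without verifying that either the source (the vmalloc'd shadow buffer) or the destination stays inside its buffer. As an added example, not code from fbterm, the vmwgfx driver or anyone in this thread, here is a user-space model of that loop with the bounds check a hardened version needs; `struct fb_copy`, `rect_in_bounds`, `flush_rect_checked` and `demo_flush` are constructed names and the buffer geometry in `demo_flush` is made up.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the fields the flush uses, not the driver's struct. */
struct fb_copy {
    size_t src_size, src_pitch;  /* shadow (vmalloc) bytes, info->fix.line_length */
    size_t dst_size, dst_pitch;  /* mapped bytes, par->set_fb->pitches[0] */
    unsigned cpp, fb_x, fb_y;    /* bytes per pixel; pan offsets from FBIOPAN_DISPLAY */
};

/* True only if every byte of an h-by-w pixel rectangle at (x, y) lies inside a
 * buffer of `size` bytes; overflow-checked so huge offsets cannot wrap around. */
static bool rect_in_bounds(size_t size, size_t pitch, unsigned cpp,
                           size_t x, size_t y, size_t w, size_t h)
{
    size_t row_end, last_row, end;
    if (w == 0 || h == 0) return true;
    if (__builtin_mul_overflow(x + w, cpp, &row_end) || row_end > pitch) return false;
    if (__builtin_mul_overflow(y + h - 1, pitch, &last_row)) return false;
    return !__builtin_add_overflow(last_row, row_end, &end) && end <= size;
}

/* The flush loop from vmw_fb_dirty_flush with both ranges checked first:
 * returns 0 after copying, -1 if the rectangle would leave either buffer. */
static int flush_rect_checked(const struct fb_copy *c, uint8_t *dst, const uint8_t *src,
                              unsigned x1, unsigned y1, unsigned w, unsigned h)
{
    size_t sx = (size_t)x1 + c->fb_x, sy = (size_t)y1 + c->fb_y;
    if (!rect_in_bounds(c->dst_size, c->dst_pitch, c->cpp, x1, y1, w, h) ||
        !rect_in_bounds(c->src_size, c->src_pitch, c->cpp, sx, sy, w, h))
        return -1;
    uint8_t *d = dst + y1 * c->dst_pitch + x1 * c->cpp;
    const uint8_t *s = src + sy * c->src_pitch + sx * c->cpp;
    for (; h > 0; h--, d += c->dst_pitch, s += c->src_pitch)
        memcpy(d, s, (size_t)w * c->cpp);
    return 0;
}

/* Constructed scenario: 8x4 pixels at 32bpp on both sides, `fb_y` under test.
 * Returns flush_rect_checked's result, or -2 if a copy missed the last byte. */
int demo_flush(unsigned fb_y)
{
    static uint8_t shadow[4 * 32], mapped[4 * 32];
    struct fb_copy c = { sizeof shadow, 32, sizeof mapped, 32, 4, 0, fb_y };
    memset(shadow, 0xAB, sizeof shadow);
    memset(mapped, 0, sizeof mapped);
    int rc = flush_rect_checked(&c, mapped, shadow, 0, 0, 8, 4);
    return (rc == 0 && mapped[sizeof mapped - 1] != 0xAB) ? -2 : rc;
}
```

With `fb_y` at 0 the full-screen flush fits and is copied; with `fb_y` at 1 the source rectangle would start one row down and run one row past the shadow buffer, which the unchecked loop would simply read through, so the checked version refuses the copy.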
