ASAN catches bug in v4l kernel module.

Bug #2003111 reported by Bram Stolk
Affects: linux (Ubuntu) | Status: Confirmed | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

The package linux-modules-extra-5.19.0-29-generic has a kernel module named vivid.ko for artificial v4l streams.

When I modprobe the vivid.ko module, an invalid operation is detected by ASAN, and the creation of the /dev/video0 device file fails.

The offending call is v4l_querymenu

The offending operation is shift-out-of-bounds

I tried this in a virtual machine of lunar (23.04), where the modprobe succeeded. But it fails on the real machine, running kinetic (22.10).

This is a kernel bug.

```
[ 6028.277644] vivid-000: using single planar format API
[ 6028.278261] Registered IR keymap rc-cec
[ 6028.278304] rc rc0: vivid-000-vid-cap0 as /devices/platform/vivid.0/rc/rc0
[ 6028.278329] input: vivid-000-vid-cap0 as /devices/platform/vivid.0/rc/rc0/input34
[ 6028.278395] vivid-000: CEC adapter cec0 registered for HDMI input 0
[ 6028.278420] vivid-000: V4L2 capture device registered as video3
[ 6028.278422] Registered IR keymap rc-cec
[ 6028.278433] rc rc1: vivid-000-vid-out0 as /devices/platform/vivid.0/rc/rc1
[ 6028.278451] input: vivid-000-vid-out0 as /devices/platform/vivid.0/rc/rc1/input35
[ 6028.278491] vivid-000: CEC adapter cec1 registered for HDMI output 0
[ 6028.278512] vivid-000: V4L2 output device registered as video4
[ 6028.278531] vivid-000: V4L2 capture device registered as vbi0, supports raw and sliced VBI
[ 6028.278550] vivid-000: V4L2 output device registered as vbi1, supports raw and sliced VBI
[ 6028.278571] vivid-000: V4L2 capture device registered as swradio0
[ 6028.278590] vivid-000: V4L2 receiver device registered as radio0
[ 6028.278609] vivid-000: V4L2 transmitter device registered as radio1
[ 6028.278628] vivid-000: V4L2 metadata capture device registered as video5
[ 6028.278649] vivid-000: V4L2 metadata output device registered as video6
[ 6028.278669] vivid-000: V4L2 touch capture device registered as v4l-touch0
[ 6028.302648] ================================================================================
[ 6028.302651] UBSAN: shift-out-of-bounds in /build/linux-qLbdtO/linux-5.19.0/drivers/media/v4l2-core/v4l2-ctrls-api.c:1102:35
[ 6028.302652] shift exponent 64 is too large for 64-bit type 'long long unsigned int'
[ 6028.302654] CPU: 4 PID: 2138 Comm: pipewire Not tainted 5.19.0-29-generic #30-Ubuntu
[ 6028.302656] Hardware name: ASUS System Product Name/PRIME Z690M-PLUS D4, BIOS 1008 01/13/2022
[ 6028.302656] Call Trace:
[ 6028.302657] <TASK>
[ 6028.302659] show_stack+0x4e/0x61
[ 6028.302663] dump_stack_lvl+0x4a/0x6f
[ 6028.302665] dump_stack+0x10/0x18
[ 6028.302666] ubsan_epilogue+0x9/0x43
[ 6028.302668] __ubsan_handle_shift_out_of_bounds.cold+0x61/0xef
[ 6028.302669] ? mutex_lock+0x12/0x50
[ 6028.302673] v4l2_querymenu.cold+0x24/0x39 [videodev]
[ 6028.302681] v4l_querymenu+0x81/0xa0 [videodev]
[ 6028.302686] __video_do_ioctl+0x1e7/0x590 [videodev]
[ 6028.302691] video_usercopy+0x14b/0x730 [videodev]
[ 6028.302696] ? video_get_user.constprop.0+0x1d0/0x1d0 [videodev]
[ 6028.302700] video_ioctl2+0x15/0x30 [videodev]
[ 6028.302705] v4l2_ioctl+0x69/0xb0 [videodev]
[ 6028.302709] __x64_sys_ioctl+0x9d/0xe0
[ 6028.302711] do_syscall_64+0x58/0x90
[ 6028.302712] ? do_syscall_64+0x67/0x90
[ 6028.302712] ? do_syscall_64+0x67/0x90
[ 6028.302713] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 6028.302715] RIP: 0033:0x7f8631712d8f
[ 6028.302717] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 18 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 6028.302717] RSP: 002b:00007ffd35484ed0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 6028.302719] RAX: ffffffffffffffda RBX: 0000000000000400 RCX: 00007f8631712d8f
[ 6028.302720] RDX: 00007ffd35485050 RSI: ffffffffc02c5625 RDI: 0000000000000032
[ 6028.302720] RBP: 000000000000000b R08: 0000000000000a58 R09: 000000000000000b
[ 6028.302721] R10: 000000080000000c R11: 0000000000000246 R12: 00007ffd35485058
[ 6028.302721] R13: 00007ffd35485050 R14: 000055959cc26a48 R15: 0000000000000032
[ 6028.302723] </TASK>
[ 6028.302724] ================================================================================
```

ProblemType: Bug
DistroRelease: Ubuntu 22.10
Package: linux-modules-extra-5.19.0-29-generic 5.19.0-29.30
ProcVersionSignature: Ubuntu 5.19.0-29.30-generic 5.19.17
Uname: Linux 5.19.0-29-generic x86_64
ApportVersion: 2.23.1-0ubuntu3
Architecture: amd64
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC1: stolk 2160 F.... wireplumber
 /dev/snd/controlC0: stolk 2160 F.... wireplumber
 /dev/snd/seq: stolk 2138 F.... pipewire
CRDA: N/A
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Tue Jan 17 10:12:44 2023
Dependencies:
 linux-modules-5.19.0-29-generic 5.19.0-29.30
 wireless-regdb 2022.06.06-0ubuntu1
InstallationDate: Installed on 2022-08-26 (144 days ago)
InstallationMedia: Ubuntu 22.10 "Kinetic Kudu" - Alpha amd64 (20220825)
MachineType: ASUS System Product Name
ProcFB: 0 i915drmfb
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-5.19.0-29-generic root=/dev/mapper/vgubuntu-root ro quiet splash intel_pstate=passive eisa_bus.disable_dev=1,2,3,4,5,6,7,8 vt.handoff=7
RelatedPackageVersions:
 linux-restricted-modules-5.19.0-29-generic N/A
 linux-backports-modules-5.19.0-29-generic N/A
 linux-firmware 20220923.gitf09bebf3-0ubuntu1.3
RfKill:

SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 01/13/2022
dmi.bios.release: 10.8
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: 1008
dmi.board.asset.tag: Default string
dmi.board.name: PRIME Z690M-PLUS D4
dmi.board.vendor: ASUSTeK COMPUTER INC.
dmi.board.version: Rev 1.xx
dmi.chassis.asset.tag: Default string
dmi.chassis.type: 3
dmi.chassis.vendor: Default string
dmi.chassis.version: Default string
dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr1008:bd01/13/2022:br10.8:svnASUS:pnSystemProductName:pvrSystemVersion:rvnASUSTeKCOMPUTERINC.:rnPRIMEZ690M-PLUSD4:rvrRev1.xx:cvnDefaultstring:ct3:cvrDefaultstring:skuSKU:
dmi.product.family: To be filled by O.E.M.
dmi.product.name: System Product Name
dmi.product.sku: SKU
dmi.product.version: System Version
dmi.sys.vendor: ASUS
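Two things in the trace above are worth pulling out for anyone triaging this. First, the report is from UBSAN (the kernel's undefined-behaviour sanitizer), not ASAN: line 1102 of v4l2-ctrls-api.c shifts a 64-bit value by an exponent of 64, which C leaves undefined. Second, the register dump tells you which ioctl got there: RSI is 0xc02c5625, which decodes as _IOWR('V', 37, 44 bytes), i.e. VIDIOC_QUERYMENU, called by pipewire (fd in RDI) while it enumerates menu items of the vivid controls. The C below is an added example, not code from the bug report or from the kernel: the page does not show the kernel expression itself, so the model of a u64 menu_skip_mask tested with (1ULL << index) and the field names around it are assumptions that mirror the v4l2 control pattern, and the guarded variant is one reasonable hardening rather than a claim about the upstream fix. The control with 70 menu entries is constructed for the demonstration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Added example, not kernel code. Models the pattern behind the UBSAN
 * report: a 64-bit menu skip mask tested with (1ULL << index), where
 * index arrives from user space via VIDIOC_QUERYMENU. Struct and field
 * names are assumptions chosen to read like v4l2 control code.
 */

#define SKIP_MASK_BITS 64u          /* width of the u64 skip mask */

struct menu_ctrl {
    uint32_t minimum;               /* lowest valid menu index */
    uint32_t maximum;               /* highest valid menu index */
    uint64_t menu_skip_mask;        /* bit i set => menu item i is hidden */
};

/* Shape of the unguarded test. Shifting a 64-bit value by 64 or more is
 * undefined behaviour in C; UBSAN reports exactly this ("shift exponent 64
 * is too large for 64-bit type"). Only ever call this with index < 64. */
static bool item_skipped_unguarded(const struct menu_ctrl *c, uint32_t index)
{
    return (c->menu_skip_mask & (1ULL << index)) != 0;
}

/* Guarded variant: a 64-bit mask can only describe indices 0..63, so any
 * larger index cannot have been marked as skipped. One reasonable
 * hardening; not a statement about what upstream did. */
static bool item_skipped_guarded(const struct menu_ctrl *c, uint32_t index)
{
    if (index >= SKIP_MASK_BITS)
        return false;
    return (c->menu_skip_mask & (1ULL << index)) != 0;
}

/* Return values modelled on querymenu: 0 = item reported,
 * -22 (EINVAL) = out of range or skipped. 'guarded' selects the variant. */
static int querymenu(const struct menu_ctrl *c, uint32_t index, bool guarded)
{
    if (index < c->minimum || index > c->maximum)
        return -22;
    bool skipped = guarded ? item_skipped_guarded(c, index)
                           : item_skipped_unguarded(c, index);
    return skipped ? -22 : 0;
}

/* Count the indices in [minimum, maximum] that would reach the undefined
 * shift under the unguarded test, without executing it. A user-space
 * enumerator (pipewire in the trace) walks every index of every menu
 * control, so any control with more than 64 entries hits this. */
static unsigned count_ub_indices(const struct menu_ctrl *c)
{
    unsigned n = 0;
    for (uint64_t i = c->minimum; i <= c->maximum; i++)
        if (i >= SKIP_MASK_BITS)
            n++;
    return n;
}

/* Decode a Linux ioctl request number (x86 layout: dir:2 size:14 type:8
 * nr:8). Used to read the RSI value from the register dump in the trace. */
struct ioctl_fields { unsigned dir, size, type, nr; };

static struct ioctl_fields decode_ioctl(uint32_t req)
{
    struct ioctl_fields f;
    f.nr   = req & 0xff;
    f.type = (req >> 8) & 0xff;
    f.size = (req >> 16) & 0x3fff;
    f.dir  = (req >> 30) & 0x3;
    return f;
}

int main(void)
{
    /* Constructed control: 70 menu entries, items 1 and 5 hidden. */
    struct menu_ctrl c = { .minimum = 0, .maximum = 69,
                           .menu_skip_mask = (1ULL << 1) | (1ULL << 5) };

    printf("index 5  guarded: %d, unguarded: %d\n",
           querymenu(&c, 5, true), querymenu(&c, 5, false));
    printf("index 64 guarded: %d (unguarded would be undefined)\n",
           querymenu(&c, 64, true));
    printf("indices that reach the undefined shift: %u\n", count_ub_indices(&c));

    /* RSI from the trace, truncated to 32 bits */
    struct ioctl_fields f = decode_ioctl(0xc02c5625u);
    printf("ioctl type '%c' nr %u size %u dir %u\n", f.type, f.nr, f.size, f.dir);
    return 0;
}
```

The decode is the quick way to confirm, from a trace alone, which V4L2 request a userspace daemon issued: type 'V', nr 37 and a 44-byte argument match the VIDIOC_QUERYMENU definition (_IOWR('V', 37, struct v4l2_querymenu)). The guarded/unguarded split shows why the bug is reachable from an unprivileged video client: the index is caller-controlled, so any control whose maximum is 64 or higher walks straight into the undefined shift.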

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Status changed to Confirmed

This change was made by a bot.

Changed in linux (Ubuntu):
status: New → Confirmed
Bram Stolk (b-stolk) wrote :

lunar running on VM, kernel version 5.19.0-21-generic is not affected.

kinetic running on HW, kernel version 5.19.0-29-generic is affected.
