syzbot


KASAN: global-out-of-bounds Read in fbcon_get_font

Status: fixed on 2020/11/10 07:26
Reported-by: syzbot+31388007bce57db44c24@syzkaller.appspotmail.com
Fix commit: 43198a5b1c42 fbcon: Fix global-out-of-bounds read in fbcon_get_font()
First crash: 1815d, last: 1503d
Fix bisection: fixed by (bisect log):
commit 43198a5b1c42e3d8aadc6524a73bb3aa3666cd43
Author: Peilin Ye <yepeilin.cs@gmail.com>
Date: Thu Sep 24 13:43:48 2020 +0000

  fbcon: Fix global-out-of-bounds read in fbcon_get_font()

Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: global-out-of-bounds Read in fbcon_get_font fbdev C inconclusive inconclusive 41 1511d 1808d 15/28 fixed on 2020/11/16 12:12
linux-4.14 KASAN: global-out-of-bounds Read in fbcon_get_font C done 42 1499d 1815d 1/1 fixed on 2020/11/13 22:55
Fix bisection attempts (2)
Created Duration User Patch Repo Result
2020/11/08 20:05 3h43m bisect fix linux-4.19.y OK (1) job log
2020/09/17 02:33 23m bisect fix linux-4.19.y OK (0) job log log

Sample crash report:
audit: type=1400 audit(1577900454.396:35): avc:  denied  { map } for  pid=7719 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: type=1400 audit(1577900465.766:36): avc:  denied  { map } for  pid=7731 comm="syz-executor364" path="/root/syz-executor364662320" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: global-out-of-bounds in memcpy include/linux/string.h:348 [inline]
BUG: KASAN: global-out-of-bounds in fbcon_get_font+0x2b2/0x5e0 drivers/video/fbdev/core/fbcon.c:2443
Read of size 32 at addr ffffffff87ecb9e0 by task syz-executor364/7733

CPU: 0 PID: 7733 Comm: syz-executor364 Not tainted 4.19.92-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 print_address_description.cold+0x5/0x20d mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report mm/kasan/report.c:412 [inline]
 kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
 memcpy+0x24/0x50 mm/kasan/kasan.c:302
 memcpy include/linux/string.h:348 [inline]
 fbcon_get_font+0x2b2/0x5e0 drivers/video/fbdev/core/fbcon.c:2443
 con_font_get drivers/tty/vt/vt.c:4400 [inline]
 con_font_op+0x20b/0x1250 drivers/tty/vt/vt.c:4559
 vt_ioctl+0xd2e/0x2530 drivers/tty/vt/vt_ioctl.c:913
 tty_ioctl+0x7f3/0x1510 drivers/tty/tty_io.c:2669
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:501 [inline]
 do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:688
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:705
 __do_sys_ioctl fs/ioctl.c:712 [inline]
 __se_sys_ioctl fs/ioctl.c:710 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:710
 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4459b9
Code: e8 fc b8 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 8b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fa968113db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000006dac58 RCX: 00000000004459b9
RDX: 0000000020000200 RSI: 0000000000004b60 RDI: 0000000000000007
RBP: 00000000006dac50 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac5c
R13: 00007ffece8c78ff R14: 00007fa9681149c0 R15: 20c49ba5e353f7cf

The buggy address belongs to the variable:
 fontdata_8x16+0x1000/0x1120

Memory state around the buggy address:
 ffffffff87ecb880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffff87ecb900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffff87ecb980: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
                                                       ^
 ffffffff87ecba00: 06 fa fa fa fa fa fa fa 05 fa fa fa fa fa fa fa
 ffffffff87ecba80: 06 fa fa fa fa fa fa fa 00 00 03 fa fa fa fa fa
==================================================================

Crashes (47):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2020/01/01 17:43 linux-4.19.y c7ecf3e3a71c 25a0186e .config console log report syz C ci2-linux-4-19
2019/12/03 07:39 linux-4.19.y 174651bdf802 ab342da3 .config console log report syz C ci2-linux-4-19
2019/12/09 23:48 linux-4.19.y fb683b5e3f53 b31eda3d .config console log report syz ci2-linux-4-19
2020/10/09 20:05 linux-4.19.y a1b977b49b66 fa79ed2a .config console log report info ci2-linux-4-19
2020/10/05 20:47 linux-4.19.y b09c34517e1a 1880b4a9 .config console log report info ci2-linux-4-19
2020/08/18 02:17 linux-4.19.y c14d30dc9987 5ce13532 .config console log report ci2-linux-4-19
2020/08/16 02:14 linux-4.19.y c14d30dc9987 5ce13532 .config console log report ci2-linux-4-19
2020/08/14 04:30 linux-4.19.y c14d30dc9987 54ce1ed6 .config console log report ci2-linux-4-19
2020/08/12 21:25 linux-4.19.y c14d30dc9987 0d7bd2e0 .config console log report ci2-linux-4-19
2020/07/20 19:40 linux-4.19.y 17a87580a885 8caeeeb7 .config console log report ci2-linux-4-19
2020/07/20 19:31 linux-4.19.y 17a87580a885 8caeeeb7 .config console log report ci2-linux-4-19
2020/07/19 07:46 linux-4.19.y 17a87580a885 9c812472 .config console log report ci2-linux-4-19
2020/07/15 18:06 linux-4.19.y dce0f88600e4 ada108d0 .config console log report ci2-linux-4-19
2020/07/15 11:29 linux-4.19.y dce0f88600e4 ada108d0 .config console log report ci2-linux-4-19
2020/07/11 00:18 linux-4.19.y dce0f88600e4 18d18b59 .config console log report ci2-linux-4-19
2020/07/10 06:04 linux-4.19.y dce0f88600e4 edf162e8 .config console log report ci2-linux-4-19
2020/07/03 17:52 linux-4.19.y 399849e4654e 6e569755 .config console log report ci2-linux-4-19
2020/06/21 06:08 linux-4.19.y 3fc898571b97 c655ec77 .config console log report ci2-linux-4-19
2020/06/20 09:13 linux-4.19.y 3fc898571b97 c655ec77 .config console log report ci2-linux-4-19
2020/06/12 15:07 linux-4.19.y 3fc898571b97 819b58b0 .config console log report ci2-linux-4-19
2020/06/12 11:57 linux-4.19.y 3fc898571b97 819b58b0 .config console log report ci2-linux-4-19
2020/06/08 16:37 linux-4.19.y 106fa147d3da 7604bb03 .config console log report ci2-linux-4-19
2020/06/07 04:23 linux-4.19.y 4707d8e57273 e6b89e4e .config console log report ci2-linux-4-19
2020/05/24 23:20 linux-4.19.y 1bab61d3e8cd ce7ca010 .config console log report ci2-linux-4-19
2020/05/24 03:08 linux-4.19.y 1bab61d3e8cd 96c92ad3 .config console log report ci2-linux-4-19
2020/05/15 21:20 linux-4.19.y 258f0cf7ac3b d7f9fffa .config console log report ci2-linux-4-19
2020/05/08 00:24 linux-4.19.y 84920cc7fbe1 6c70a1c2 .config console log report ci2-linux-4-19
2020/05/01 15:59 linux-4.19.y 765675379b62 143a10e9 .config console log report ci2-linux-4-19
2020/05/01 07:14 linux-4.19.y 765675379b62 3698959a .config console log report ci2-linux-4-19
2020/04/30 12:44 linux-4.19.y 765675379b62 3698959a .config console log report ci2-linux-4-19
2020/04/30 01:07 linux-4.19.y 765675379b62 2dd552a5 .config console log report ci2-linux-4-19
2020/04/29 13:25 linux-4.19.y 7edd66cf6167 ba2806db .config console log report ci2-linux-4-19
2020/04/25 15:37 linux-4.19.y 7edd66cf6167 a113ba38 .config console log report ci2-linux-4-19
2020/04/25 01:25 linux-4.19.y 7edd66cf6167 03d97a1b .config console log report ci2-linux-4-19
2020/04/12 14:06 linux-4.19.y dda0e2920330 36b0b050 .config console log report ci2-linux-4-19
2020/03/31 02:55 linux-4.19.y 54b4fa6d3955 c8d1cc20 .config console log report ci2-linux-4-19
2020/03/24 05:35 linux-4.19.y 14cfdbd39e31 33e14df3 .config console log report ci2-linux-4-19
2020/03/22 14:18 linux-4.19.y 14cfdbd39e31 78267cec .config console log report ci2-linux-4-19
2020/03/18 09:18 linux-4.19.y 93556fb211fa 97bc55ce .config console log report ci2-linux-4-19
2020/03/12 13:51 linux-4.19.y 569209711609 d850e9d0 .config console log report ci2-linux-4-19
2020/02/18 22:05 linux-4.19.y 9b15f7fae677 012fbc32 .config console log report ci2-linux-4-19
2020/01/30 03:58 linux-4.19.y 7cdefde351b6 5ed23f9a .config console log report ci2-linux-4-19
2020/01/14 12:54 linux-4.19.y dcd888983542 32881205 .config console log report ci2-linux-4-19
2020/01/04 23:09 linux-4.19.y 3d40d7117e35 68256974 .config console log report ci2-linux-4-19
2019/12/22 19:56 linux-4.19.y 672481c2deff 8b967267 .config console log report ci2-linux-4-19
2019/12/22 17:16 linux-4.19.y 672481c2deff 8b967267 .config console log report ci2-linux-4-19
2019/12/10 18:37 linux-4.19.y fb683b5e3f53 4b83c8fb .config console log report ci2-linux-4-19
* Struck through repros no longer work on HEAD.