KASAN: global-out-of-bounds Read in fbcon_get

KASAN: global-out-of-bounds Read in fbcon_get_font
Status: fixed on 2020/11/16 12:12
Reported-by: syzbot+29d4ed7f3bdedf2aa2fd@syzkaller.appspotmail.com
Fix commit: 5af08640 fbcon: Fix global-out-of-bounds read in fbcon_get_font()
First crash: 515d, last: 217d

Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: KASAN: global-out-of-bounds Read in fbcon_get_font (log)
Repro: syz .config

Fix bisection: the fix commit could be any of (bisect log):
4557ac6b344b powerpc/64s/exception: Fix 0x1500 interrupt handler crash
997c4431f04d Merge tag 'powerpc-5.8-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux

similar bugs (2):
Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
linux-4.19	KASAN: global-out-of-bounds Read in fbcon_get_font	C		done	47	210d	521d	1/1	fixed on 2020/11/10 07:26
linux-4.14	KASAN: global-out-of-bounds Read in fbcon_get_font	C		done	42	205d	521d	1/1	fixed on 2020/11/13 22:55

Patch testing requests:
Created	Duration	User	Patch	Repo	Result
2020/09/23 14:42	18m	yepeilin.cs@gmail.com	patch	upstream	OK
2020/09/23 12:12	9m	yepeilin.cs@gmail.com		upstream	report log
2020/09/23 10:11	3m	yepeilin.cs@gmail.com	patch	upstream	error
2020/09/17 03:52	17m	yepeilin.cs@gmail.com	patch	upstream	OK
2020/09/16 16:47	17m	yepeilin.cs@gmail.com	patch	upstream	report log
2020/08/07 06:27	17m	yepeilin.cs@gmail.com	patch	upstream	OK

Sample crash report:

==================================================================
BUG: KASAN: global-out-of-bounds in memcpy include/linux/string.h:381 [inline]
BUG: KASAN: global-out-of-bounds in fbcon_get_font+0x28d/0x5b0 drivers/video/fbdev/core/fbcon.c:2474
Read of size 31 at addr ffffffff88752f7c by task syz-executor214/7018

CPU: 1 PID: 7018 Comm: syz-executor214 Not tainted 5.7.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x188/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0x5/0x315 mm/kasan/report.c:382
 __kasan_report.cold+0x35/0x4d mm/kasan/report.c:511
 kasan_report+0x33/0x50 mm/kasan/common.c:625
 check_memory_region_inline mm/kasan/generic.c:187 [inline]
 check_memory_region+0x141/0x190 mm/kasan/generic.c:193
 memcpy+0x20/0x60 mm/kasan/common.c:106
 memcpy include/linux/string.h:381 [inline]
 fbcon_get_font+0x28d/0x5b0 drivers/video/fbdev/core/fbcon.c:2474
 con_font_get drivers/tty/vt/vt.c:4479 [inline]
 con_font_op+0x1f7/0x1160 drivers/tty/vt/vt.c:4638
 do_fontx_ioctl drivers/tty/vt/vt_ioctl.c:273 [inline]
 vt_ioctl+0x1d31/0x26b0 drivers/tty/vt/vt_ioctl.c:945
 tty_ioctl+0xedc/0x1440 drivers/tty/tty_io.c:2656
 vfs_ioctl fs/ioctl.c:47 [inline]
 ksys_ioctl+0x11a/0x180 fs/ioctl.c:771
 __do_sys_ioctl fs/ioctl.c:780 [inline]
 __se_sys_ioctl fs/ioctl.c:778 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:778
 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x441289
Code: e8 3c ad 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffe191069a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441289
RDX: 0000000020000000 RSI: 0000000000004b6b RDI: 0000000000000003
RBP: 000000000000e23a R08: 000000000000000d R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004020b0
R13: 0000000000402140 R14: 0000000000000000 R15: 0000000000000000

The buggy address belongs to the variable:
 fontdata_8x16+0xffc/0x1120

Memory state around the buggy address:
 ffffffff88752e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffff88752f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffff88752f80: fa fa fa fa 06 fa fa fa fa fa fa fa 05 fa fa fa
                   ^
 ffffffff88753000: fa fa fa fa 06 fa fa fa fa fa fa fa 00 00 03 fa
 ffffffff88753080: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (41):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info
ci-upstream-kasan-gce-root	2020/05/11 17:30	upstream	2ef96a5b	f8f57555	.config	log	report	syz	C
ci-upstream-kasan-gce-selinux-root	2020/04/24 19:46	upstream	b4f63322	03d97a1b	.config	log	report	syz	C
ci-upstream-kasan-gce-root	2020/01/01 17:50	upstream	738d2902	25a0186e	.config	log	report	syz	C
ci-upstream-kasan-gce-selinux-root	2020/01/01 17:39	upstream	738d2902	25a0186e	.config	log	report	syz	C
ci-upstream-linux-next-kasan-gce-root	2020/05/11 15:53	linux-next	ac935d22	f8f57555	.config	log	report	syz	C
ci-upstream-linux-next-kasan-gce-root	2020/01/08 03:51	linux-next	26467385	6738e0b3	.config	log	report	syz	C
ci-upstream-kasan-gce-selinux-root	2019/12/10 16:44	upstream	6794862a	5a5826a1	.config	log	report	syz
ci-upstream-kasan-gce-root	2019/12/10 10:29	upstream	6794862a	4b83c8fb	.config	log	report	syz
ci-upstream-linux-next-kasan-gce-root	2019/12/22 16:40	linux-next	7ddd09fc	8b967267	.config	log	report	syz
ci-upstream-linux-next-kasan-gce-root	2019/12/09 23:33	linux-next	6cf8298d	b31eda3d	.config	log	report	syz
ci-upstream-kasan-gce-root	2020/10/02 04:20	upstream	fcadab74	9602ddf4	.config	log	report			info
ci-upstream-kasan-gce-root	2020/08/12 23:20	upstream	fb893de3	bc15f7db	.config	log	report
ci-upstream-kasan-gce-root	2020/08/12 12:16	upstream	c636eef2	bb3e5fe6	.config	log	report
ci-upstream-kasan-gce-selinux-root	2020/08/10 08:36	upstream	9420f1ce	70301872	.config	log	report
ci-upstream-kasan-gce-root	2020/08/06 04:18	upstream	fffe3ae0	0487ea6f	.config	log	report
ci-upstream-kasan-gce-root	2020/08/02 11:52	upstream	ac3a0c84	63a73341	.config	log	report
ci-upstream-kasan-gce-root	2020/07/25 10:28	upstream	68845a55	1f7cc1ca	.config	log	report
ci-upstream-kasan-gce-root	2020/07/21 11:30	upstream	4fa640dc	d88894e6	.config	log	report
ci-upstream-kasan-gce-root	2020/07/20 19:24	upstream	5714ee50	4285ffa3	.config	log	report
ci-upstream-kasan-gce-root	2020/07/17 05:58	upstream	f8456690	54b3c45e	.config	log	report
ci-upstream-kasan-gce-root	2020/06/21 07:56	upstream	7ae77150	c655ec77	.config	log	report
ci-upstream-kasan-gce-selinux-root	2020/05/23 19:53	upstream	44456565	9682898d	.config	log	report
ci-upstream-kasan-gce-root	2020/04/29 13:53	upstream	96c9a780	496a08ae	.config	log	report
ci-upstream-kasan-gce-root	2020/04/27 22:52	upstream	51184ae3	0ce7569e	.config	log	report
ci-upstream-kasan-gce-selinux-root	2020/02/04 15:59	upstream	322bf2d3	93e5e335	.config	log	report
ci-upstream-kasan-gce-root	2020/01/31 22:23	upstream	ccaaaf6f	c30117b2	.config	log	report
ci-upstream-kasan-gce-selinux-root	2020/01/30 03:50	upstream	b3a60822	5ed23f9a	.config	log	report
ci-upstream-kasan-gce-selinux-root	2020/01/15 13:56	upstream	95e20af9	fa12bd3c	.config	log	report
ci-upstream-kasan-gce-selinux-root	2020/01/13 06:23	upstream	040a3c33	53faa9fe	.config	log	report
ci-qemu-upstream	2020/01/13 03:43	upstream	040a3c33	53faa9fe	.config	log	report
ci-upstream-kasan-gce-root	2020/01/12 22:00	upstream	6327edce	31290a45	.config	log	report
ci-upstream-kasan-gce-root	2020/01/12 13:32	upstream	6327edce	31290a45	.config	log	report
ci-upstream-kasan-gce-root	2020/01/10 00:34	upstream	b07f636f	4de4e9f0	.config	log	report
ci-upstream-kasan-gce-root	2019/12/13 13:27	upstream	ae4b064e	08003f64	.config	log	report
ci-upstream-linux-next-kasan-gce-root	2020/07/12 06:52	linux-next	d31958b3	115e1930	.config	log	report
ci-upstream-linux-next-kasan-gce-root	2020/06/11 00:59	linux-next	e7b08814	a6f7998d	.config	log	report
ci-upstream-linux-next-kasan-gce-root	2020/04/27 19:22	linux-next	ac935d22	0ce7569e	.config	log	report
ci-upstream-linux-next-kasan-gce-root	2020/04/17 00:47	linux-next	ac935d22	c743fcb3	.config	log	report
ci-upstream-linux-next-kasan-gce-root	2020/03/18 10:46	linux-next	770fbb32	97bc55ce	.config	log	report
ci-upstream-linux-next-kasan-gce-root	2020/03/02 01:44	linux-next	c99b17ac	c88c7b75	.config	log	report
ci-upstream-linux-next-kasan-gce-root	2020/02/18 13:00	linux-next	c25a951c	1ce142dc	.config	log	report