KASAN: global-out-of-bounds Read in fbcon_get

KASAN: global-out-of-bounds Read in fbcon_get_font
Status: upstream: reported C repro on 2019/12/10 04:35
Reported-by: syzbot+29d4ed7f3bdedf2aa2fd@syzkaller.appspotmail.com
First crash: 171d, last: 5d08h

Cause bisection: the bug happens on the oldest tested release
Crash: KASAN: global-out-of-bounds Read in fbcon_get_font (log)
Repro: syz .config

similar bugs (2):
Kernel	Title	Repro	Bisected	Count	Last	Reported	Patched	Status
linux-4.19	KASAN: global-out-of-bounds Read in fbcon_get_font	C		27	4d05h	177d	0/1	upstream: reported C repro on 2019/12/03 08:40
linux-4.14	KASAN: global-out-of-bounds Read in fbcon_get_font	C		19	2d22h	177d	0/1	upstream: reported C repro on 2019/12/03 13:04

Sample crash report:

==================================================================
BUG: KASAN: global-out-of-bounds in memcpy include/linux/string.h:381 [inline]
BUG: KASAN: global-out-of-bounds in fbcon_get_font+0x28d/0x5b0 drivers/video/fbdev/core/fbcon.c:2474
Read of size 31 at addr ffffffff88752f7c by task syz-executor214/7018

CPU: 1 PID: 7018 Comm: syz-executor214 Not tainted 5.7.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x188/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0x5/0x315 mm/kasan/report.c:382
 __kasan_report.cold+0x35/0x4d mm/kasan/report.c:511
 kasan_report+0x33/0x50 mm/kasan/common.c:625
 check_memory_region_inline mm/kasan/generic.c:187 [inline]
 check_memory_region+0x141/0x190 mm/kasan/generic.c:193
 memcpy+0x20/0x60 mm/kasan/common.c:106
 memcpy include/linux/string.h:381 [inline]
 fbcon_get_font+0x28d/0x5b0 drivers/video/fbdev/core/fbcon.c:2474
 con_font_get drivers/tty/vt/vt.c:4479 [inline]
 con_font_op+0x1f7/0x1160 drivers/tty/vt/vt.c:4638
 do_fontx_ioctl drivers/tty/vt/vt_ioctl.c:273 [inline]
 vt_ioctl+0x1d31/0x26b0 drivers/tty/vt/vt_ioctl.c:945
 tty_ioctl+0xedc/0x1440 drivers/tty/tty_io.c:2656
 vfs_ioctl fs/ioctl.c:47 [inline]
 ksys_ioctl+0x11a/0x180 fs/ioctl.c:771
 __do_sys_ioctl fs/ioctl.c:780 [inline]
 __se_sys_ioctl fs/ioctl.c:778 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:778
 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x441289
Code: e8 3c ad 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffe191069a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441289
RDX: 0000000020000000 RSI: 0000000000004b6b RDI: 0000000000000003
RBP: 000000000000e23a R08: 000000000000000d R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004020b0
R13: 0000000000402140 R14: 0000000000000000 R15: 0000000000000000

The buggy address belongs to the variable:
 fontdata_8x16+0xffc/0x1120

Memory state around the buggy address:
 ffffffff88752e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffff88752f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffff88752f80: fa fa fa fa 06 fa fa fa fa fa fa fa 05 fa fa fa
                   ^
 ffffffff88753000: fa fa fa fa 06 fa fa fa fa fa fa fa 00 00 03 fa
 ffffffff88753080: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (28):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	Maintainers
ci-upstream-kasan-gce-root	2020/05/11 17:30	upstream	2ef96a5b	f8f57555	.config	log	report	syz	C	b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-kasan-gce-selinux-root	2020/04/24 19:46	upstream	b4f63322	03d97a1b	.config	log	report	syz	C	b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-kasan-gce-root	2020/01/01 17:50	upstream	738d2902	25a0186e	.config	log	report	syz	C	b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-kasan-gce-selinux-root	2020/01/01 17:39	upstream	738d2902	25a0186e	.config	log	report	syz	C	b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-linux-next-kasan-gce-root	2020/05/11 15:53	linux-next	ac935d22	f8f57555	.config	log	report	syz	C	b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-linux-next-kasan-gce-root	2020/01/08 03:51	linux-next	26467385	6738e0b3	.config	log	report	syz	C	b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-kasan-gce-selinux-root	2019/12/10 16:44	upstream	6794862a	5a5826a1	.config	log	report	syz		b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-kasan-gce-root	2019/12/10 10:29	upstream	6794862a	4b83c8fb	.config	log	report	syz		b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, ghalat@redhat.com, gregkh@linuxfoundation.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-linux-next-kasan-gce-root	2019/12/22 16:40	linux-next	7ddd09fc	8b967267	.config	log	report	syz		b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-linux-next-kasan-gce-root	2019/12/09 23:33	linux-next	6cf8298d	b31eda3d	.config	log	report	syz		b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, ghalat@redhat.com, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-kasan-gce-selinux-root	2020/05/23 19:53	upstream	44456565	9682898d	.config	log	report			b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-kasan-gce-root	2020/04/29 13:53	upstream	96c9a780	496a08ae	.config	log	report			b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-kasan-gce-root	2020/04/27 22:52	upstream	51184ae3	0ce7569e	.config	log	report			b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-kasan-gce-selinux-root	2020/02/04 15:59	upstream	322bf2d3	93e5e335	.config	log	report			b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-kasan-gce-root	2020/01/31 22:23	upstream	ccaaaf6f	c30117b2	.config	log	report			b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-kasan-gce-selinux-root	2020/01/30 03:50	upstream	b3a60822	5ed23f9a	.config	log	report			b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-kasan-gce-selinux-root	2020/01/15 13:56	upstream	95e20af9	fa12bd3c	.config	log	report			b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-kasan-gce-selinux-root	2020/01/13 06:23	upstream	040a3c33	53faa9fe	.config	log	report			b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-qemu-upstream	2020/01/13 03:43	upstream	040a3c33	53faa9fe	.config	log	report			b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-kasan-gce-root	2020/01/12 22:00	upstream	6327edce	31290a45	.config	log	report			b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-kasan-gce-root	2020/01/12 13:32	upstream	6327edce	31290a45	.config	log	report			b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-kasan-gce-root	2020/01/10 00:34	upstream	b07f636f	4de4e9f0	.config	log	report			b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-kasan-gce-root	2019/12/13 13:27	upstream	ae4b064e	08003f64	.config	log	report			b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-linux-next-kasan-gce-root	2020/04/27 19:22	linux-next	ac935d22	0ce7569e	.config	log	report			b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-linux-next-kasan-gce-root	2020/04/17 00:47	linux-next	ac935d22	c743fcb3	.config	log	report			b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-linux-next-kasan-gce-root	2020/03/18 10:46	linux-next	770fbb32	97bc55ce	.config	log	report			b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-linux-next-kasan-gce-root	2020/03/02 01:44	linux-next	c99b17ac	c88c7b75	.config	log	report			b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-linux-next-kasan-gce-root	2020/02/18 13:00	linux-next	c25a951c	1ce142dc	.config	log	report			b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org