syzbot


KASAN: global-out-of-bounds Read in fbcon_get_font

Status: fixed on 2020/11/16 12:12
Reported-by: syzbot+29d4ed7f3bdedf2aa2fd@syzkaller.appspotmail.com
Fix commit: 5af08640795b fbcon: Fix global-out-of-bounds read in fbcon_get_font()
First crash: 1026d, last: 729d

Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: KASAN: global-out-of-bounds Read in fbcon_get_font (log)
Repro: syz .config

Fix bisection: the fix commit could be any of (bisect log):
  4557ac6b344b powerpc/64s/exception: Fix 0x1500 interrupt handler crash
  997c4431f04d Merge tag 'powerpc-5.8-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux
similar bugs (2):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 KASAN: global-out-of-bounds Read in fbcon_get_font C done 47 721d 1032d 1/1 fixed on 2020/11/10 07:26
linux-4.14 KASAN: global-out-of-bounds Read in fbcon_get_font C done 42 716d 1032d 1/1 fixed on 2020/11/13 22:55
Patch testing requests:
Created Duration User Patch Repo Result
2020/09/23 14:42 18m yepeilin.cs@gmail.com patch upstream OK
2020/09/23 12:12 9m yepeilin.cs@gmail.com upstream report log
2020/09/23 10:11 3m yepeilin.cs@gmail.com patch upstream error
2020/09/17 03:52 17m yepeilin.cs@gmail.com patch upstream OK
2020/09/16 16:47 17m yepeilin.cs@gmail.com patch upstream report log
2020/08/07 06:27 17m yepeilin.cs@gmail.com patch upstream OK

Sample crash report:
==================================================================
BUG: KASAN: global-out-of-bounds in memcpy include/linux/string.h:381 [inline]
BUG: KASAN: global-out-of-bounds in fbcon_get_font+0x28d/0x5b0 drivers/video/fbdev/core/fbcon.c:2474
Read of size 31 at addr ffffffff88752f7c by task syz-executor214/7018

CPU: 1 PID: 7018 Comm: syz-executor214 Not tainted 5.7.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x188/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0x5/0x315 mm/kasan/report.c:382
 __kasan_report.cold+0x35/0x4d mm/kasan/report.c:511
 kasan_report+0x33/0x50 mm/kasan/common.c:625
 check_memory_region_inline mm/kasan/generic.c:187 [inline]
 check_memory_region+0x141/0x190 mm/kasan/generic.c:193
 memcpy+0x20/0x60 mm/kasan/common.c:106
 memcpy include/linux/string.h:381 [inline]
 fbcon_get_font+0x28d/0x5b0 drivers/video/fbdev/core/fbcon.c:2474
 con_font_get drivers/tty/vt/vt.c:4479 [inline]
 con_font_op+0x1f7/0x1160 drivers/tty/vt/vt.c:4638
 do_fontx_ioctl drivers/tty/vt/vt_ioctl.c:273 [inline]
 vt_ioctl+0x1d31/0x26b0 drivers/tty/vt/vt_ioctl.c:945
 tty_ioctl+0xedc/0x1440 drivers/tty/tty_io.c:2656
 vfs_ioctl fs/ioctl.c:47 [inline]
 ksys_ioctl+0x11a/0x180 fs/ioctl.c:771
 __do_sys_ioctl fs/ioctl.c:780 [inline]
 __se_sys_ioctl fs/ioctl.c:778 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:778
 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x441289
Code: e8 3c ad 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffe191069a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441289
RDX: 0000000020000000 RSI: 0000000000004b6b RDI: 0000000000000003
RBP: 000000000000e23a R08: 000000000000000d R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004020b0
R13: 0000000000402140 R14: 0000000000000000 R15: 0000000000000000

The buggy address belongs to the variable:
 fontdata_8x16+0xffc/0x1120

Memory state around the buggy address:
 ffffffff88752e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffff88752f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffff88752f80: fa fa fa fa 06 fa fa fa fa fa fa fa 05 fa fa fa
                   ^
 ffffffff88753000: fa fa fa fa 06 fa fa fa fa fa fa fa 00 00 03 fa
 ffffffff88753080: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (41):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-root 2020/05/11 17:30 upstream 2ef96a5bb12b f8f57555 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2020/04/24 19:46 upstream b4f633221f0a 03d97a1b .config log report syz C
ci-upstream-kasan-gce-root 2020/01/01 17:50 upstream 738d2902773e 25a0186e .config log report syz C
ci-upstream-kasan-gce-selinux-root 2020/01/01 17:39 upstream 738d2902773e 25a0186e .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/05/11 15:53 linux-next ac935d227366 f8f57555 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/01/08 03:51 linux-next 264673852033 6738e0b3 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2019/12/10 16:44 upstream 6794862a16ef 5a5826a1 .config log report syz
ci-upstream-kasan-gce-root 2019/12/10 10:29 upstream 6794862a16ef 4b83c8fb .config log report syz
ci-upstream-linux-next-kasan-gce-root 2019/12/22 16:40 linux-next 7ddd09fc4b74 8b967267 .config log report syz
ci-upstream-linux-next-kasan-gce-root 2019/12/09 23:33 linux-next 6cf8298daad0 b31eda3d .config log report syz
ci-upstream-kasan-gce-root 2020/10/02 04:20 upstream fcadab740480 9602ddf4 .config log report info
ci-upstream-kasan-gce-root 2020/08/12 23:20 upstream fb893de323e2 bc15f7db .config log report
ci-upstream-kasan-gce-root 2020/08/12 12:16 upstream c636eef2ee36 bb3e5fe6 .config log report
ci-upstream-kasan-gce-selinux-root 2020/08/10 08:36 upstream 9420f1ce0186 70301872 .config log report
ci-upstream-kasan-gce-root 2020/08/06 04:18 upstream fffe3ae0ee84 0487ea6f .config log report
ci-upstream-kasan-gce-root 2020/08/02 11:52 upstream ac3a0c847296 63a73341 .config log report
ci-upstream-kasan-gce-root 2020/07/25 10:28 upstream 68845a55c31b 1f7cc1ca .config log report
ci-upstream-kasan-gce-root 2020/07/21 11:30 upstream 4fa640dc5230 d88894e6 .config log report
ci-upstream-kasan-gce-root 2020/07/20 19:24 upstream 5714ee50bb43 4285ffa3 .config log report
ci-upstream-kasan-gce-root 2020/07/17 05:58 upstream f8456690ba8e 54b3c45e .config log report
ci-upstream-kasan-gce-root 2020/06/21 07:56 upstream 7ae77150d94d c655ec77 .config log report
ci-upstream-kasan-gce-selinux-root 2020/05/23 19:53 upstream 444565650a5f 9682898d .config log report
ci-upstream-kasan-gce-root 2020/04/29 13:53 upstream 96c9a7802af7 496a08ae .config log report
ci-upstream-kasan-gce-root 2020/04/27 22:52 upstream 51184ae37e05 0ce7569e .config log report
ci-upstream-kasan-gce-selinux-root 2020/02/04 15:59 upstream 322bf2d3446a 93e5e335 .config log report
ci-upstream-kasan-gce-root 2020/01/31 22:23 upstream ccaaaf6fe5a5 c30117b2 .config log report
ci-upstream-kasan-gce-selinux-root 2020/01/30 03:50 upstream b3a608222336 5ed23f9a .config log report
ci-upstream-kasan-gce-selinux-root 2020/01/15 13:56 upstream 95e20af9fb9c fa12bd3c .config log report
ci-upstream-kasan-gce-selinux-root 2020/01/13 06:23 upstream 040a3c33623b 53faa9fe .config log report
ci-qemu-upstream 2020/01/13 03:43 upstream 040a3c33623b 53faa9fe .config log report
ci-upstream-kasan-gce-root 2020/01/12 22:00 upstream 6327edceb62b 31290a45 .config log report
ci-upstream-kasan-gce-root 2020/01/12 13:32 upstream 6327edceb62b 31290a45 .config log report
ci-upstream-kasan-gce-root 2020/01/10 00:34 upstream b07f636fca1c 4de4e9f0 .config log report
ci-upstream-kasan-gce-root 2019/12/13 13:27 upstream ae4b064e2a61 08003f64 .config log report
ci-upstream-linux-next-kasan-gce-root 2020/07/12 06:52 linux-next d31958b30ea3 115e1930 .config log report
ci-upstream-linux-next-kasan-gce-root 2020/06/11 00:59 linux-next e7b08814b16b a6f7998d .config log report
ci-upstream-linux-next-kasan-gce-root 2020/04/27 19:22 linux-next ac935d227366 0ce7569e .config log report
ci-upstream-linux-next-kasan-gce-root 2020/04/17 00:47 linux-next ac935d227366 c743fcb3 .config log report
ci-upstream-linux-next-kasan-gce-root 2020/03/18 10:46 linux-next 770fbb32d34e 97bc55ce .config log report
ci-upstream-linux-next-kasan-gce-root 2020/03/02 01:44 linux-next c99b17ac0399 c88c7b75 .config log report
ci-upstream-linux-next-kasan-gce-root 2020/02/18 13:00 linux-next c25a951c50dc 1ce142dc .config log report
* Struck through repros no longer work on HEAD.