KASAN: global-out-of-bounds Read in fbcon_get

KASAN: global-out-of-bounds Read in fbcon_get_font
Status: upstream: reported C repro on 2019/12/10 04:35
Reported-by: syzbot+29d4ed7f3bdedf2aa2fd@syzkaller.appspotmail.com
First crash: 69d, last: 12d

Cause bisection: the bug happens on the oldest tested release
Crash: KASAN: global-out-of-bounds Read in fbcon_get_font (log)
Repro: syz .config

similar bugs (2):
Kernel	Title	Repro	Bisected	Count	Last	Reported	Patched	Status
linux-4.19	KASAN: global-out-of-bounds Read in fbcon_get_font	C		9	18d	76d	0/1	upstream: reported C repro on 2019/12/03 08:40
linux-4.14	KASAN: global-out-of-bounds Read in fbcon_get_font	C		8	29d	75d	0/1	upstream: reported C repro on 2019/12/03 13:04

Sample crash report:

==================================================================
BUG: KASAN: global-out-of-bounds in memcpy include/linux/string.h:380 [inline]
BUG: KASAN: global-out-of-bounds in fbcon_get_font+0x2b2/0x5e0 drivers/video/fbdev/core/fbcon.c:2465
Read of size 32 at addr ffffffff88729e80 by task syz-executor135/9307

CPU: 1 PID: 9307 Comm: syz-executor135 Not tainted 5.5.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0x5/0x30b mm/kasan/report.c:374
 __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:639
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x134/0x1a0 mm/kasan/generic.c:192
 memcpy+0x24/0x50 mm/kasan/common.c:125
 memcpy include/linux/string.h:380 [inline]
 fbcon_get_font+0x2b2/0x5e0 drivers/video/fbdev/core/fbcon.c:2465
 con_font_get drivers/tty/vt/vt.c:4446 [inline]
 con_font_op+0x20b/0x1270 drivers/tty/vt/vt.c:4605
 vt_ioctl+0xd2e/0x26d0 drivers/tty/vt/vt_ioctl.c:913
 tty_ioctl+0xa37/0x14f0 drivers/tty/tty_io.c:2660
 vfs_ioctl fs/ioctl.c:47 [inline]
 file_ioctl fs/ioctl.c:545 [inline]
 do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
 __do_sys_ioctl fs/ioctl.c:756 [inline]
 __se_sys_ioctl fs/ioctl.c:754 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x446889
Code: e8 9c b4 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 0b 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fc70a887db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000006dbc48 RCX: 0000000000446889
RDX: 0000000020000200 RSI: 0000000000004b60 RDI: 0000000000000004
RBP: 00000000006dbc40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc4c
R13: 00007ffc8fee4ecf R14: 00007fc70a8889c0 R15: 20c49ba5e353f7cf

The buggy address belongs to the variable:
 fontdata_8x16+0x1000/0x1120

Memory state around the buggy address:
 ffffffff88729d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffff88729e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffff88729e80: fa fa fa fa 06 fa fa fa fa fa fa fa 05 fa fa fa
                   ^
 ffffffff88729f00: fa fa fa fa 06 fa fa fa fa fa fa fa 00 00 03 fa
 ffffffff88729f80: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (17):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	Maintainers
ci-upstream-kasan-gce-root	2020/01/01 17:50	upstream	738d2902	25a0186e	.config	log	report	syz	C	b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-kasan-gce-selinux-root	2020/01/01 17:39	upstream	738d2902	25a0186e	.config	log	report	syz	C	b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-linux-next-kasan-gce-root	2020/01/08 03:51	linux-next	26467385	6738e0b3	.config	log	report	syz	C	b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-kasan-gce-selinux-root	2019/12/10 16:44	upstream	6794862a	5a5826a1	.config	log	report	syz		b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-kasan-gce-root	2019/12/10 10:29	upstream	6794862a	4b83c8fb	.config	log	report	syz		b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, ghalat@redhat.com, gregkh@linuxfoundation.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-linux-next-kasan-gce-root	2019/12/22 16:40	linux-next	7ddd09fc	8b967267	.config	log	report	syz		b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-linux-next-kasan-gce-root	2019/12/09 23:33	linux-next	6cf8298d	b31eda3d	.config	log	report	syz		b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, ghalat@redhat.com, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-kasan-gce-selinux-root	2020/02/04 15:59	upstream	322bf2d3	93e5e335	.config	log	report			b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-kasan-gce-root	2020/01/31 22:23	upstream	ccaaaf6f	c30117b2	.config	log	report			b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-kasan-gce-selinux-root	2020/01/30 03:50	upstream	b3a60822	5ed23f9a	.config	log	report			b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-kasan-gce-selinux-root	2020/01/15 13:56	upstream	95e20af9	fa12bd3c	.config	log	report			b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-kasan-gce-selinux-root	2020/01/13 06:23	upstream	040a3c33	53faa9fe	.config	log	report			b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-qemu-upstream	2020/01/13 03:43	upstream	040a3c33	53faa9fe	.config	log	report			b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-kasan-gce-root	2020/01/12 22:00	upstream	6327edce	31290a45	.config	log	report			b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-kasan-gce-root	2020/01/12 13:32	upstream	6327edce	31290a45	.config	log	report			b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-kasan-gce-root	2020/01/10 00:34	upstream	b07f636f	4de4e9f0	.config	log	report			b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org
ci-upstream-kasan-gce-root	2019/12/13 13:27	upstream	ae4b064e	08003f64	.config	log	report			b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, sam@ravnborg.org