[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.104' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 35.748855] audit: type=1400 audit(1588043166.476:8): avc: denied { execmem } for pid=6335 comm="syz-executor193" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
executing program
[ 35.827047] ==================================================================
[ 35.827069] BUG: KASAN: global-out-of-bounds in fbcon_get_font+0x262/0x530
[ 35.827074] Read of size 31 at addr ffffffff86e6949c by task syz-executor193/6337
[ 35.827075]
[ 35.827080] CPU: 1 PID: 6337 Comm: syz-executor193 Not tainted 4.14.177-syzkaller #0
[ 35.827083] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.827085] Call Trace:
[ 35.827094] dump_stack+0x13e/0x194
[ 35.827100] ? fbcon_get_font+0x262/0x530
[ 35.827106] print_address_description.cold+0x5/0x1e2
[ 35.827111] ? fbcon_get_font+0x262/0x530
[ 35.827115] kasan_report.cold+0xa9/0x2ae
[ 35.827121] memcpy+0x20/0x50
[ 35.827125] fbcon_get_font+0x262/0x530
[ 35.827131] ? display_to_var+0x7b0/0x7b0
[ 35.827137] con_font_op+0x1c6/0xf70
[ 35.827143] ? con_write+0xc0/0xc0
[ 35.827153] ? __might_fault+0x177/0x1b0
[ 35.827159] vt_ioctl+0x16d2/0x1f20
[ 35.827165] ? _raw_spin_unlock_irqrestore+0x67/0xe0
[ 35.827169] ? complete_change_console+0x350/0x350
[ 35.827174] ? avc_ss_reset+0x100/0x100
[ 35.827180] ? find_held_lock+0x2d/0x110
[ 35.827188] ? lock_downgrade+0x6e0/0x6e0
[ 35.827193] ? __lru_cache_add+0x17b/0x250
[ 35.827198] ? tty_jobctrl_ioctl+0x3b/0xbf0
[ 35.827201] ? complete_change_console+0x350/0x350
[ 35.827207] tty_ioctl+0x6c5/0x1220
[ 35.827211] ? _raw_spin_unlock+0x29/0x40
[ 35.827215] ? tty_vhangup+0x30/0x30
[ 35.827226] ? tty_vhangup+0x30/0x30
[ 35.827233] do_vfs_ioctl+0x75a/0xfe0
[ 35.827239] ? selinux_file_mprotect+0x5c0/0x5c0
[ 35.827244] ? ioctl_preallocate+0x1a0/0x1a0
[ 35.827250] ? lock_downgrade+0x6e0/0x6e0
[ 35.827257] ? security_file_ioctl+0x76/0xb0
[ 35.827261] ? security_file_ioctl+0x83/0xb0
[ 35.827267] SyS_ioctl+0x7f/0xb0
[ 35.827270] ? do_vfs_ioctl+0xfe0/0xfe0
[ 35.827278] do_syscall_64+0x1d5/0x640
[ 35.827285] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 35.827289] RIP: 0033:0x441289
[ 35.827292] RSP: 002b:00007ffd9884c5f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 35.827297] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441289
[ 35.827300] RDX: 0000000020000000 RSI: 0000000000004b6b RDI: 0000000000000003
[ 35.827303] RBP: 0000000000008bd7 R08: 000000000000000d R09: 00000000004002c8
[ 35.827305] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004020b0
[ 35.827308] R13: 0000000000402140 R14: 0000000000000000 R15: 0000000000000000
[ 35.827315]
[ 35.827316] The buggy address belongs to the variable:
[ 35.827321] fontdata_8x16+0xffc/0x1120
[ 35.827322]
[ 35.827324] Memory state around the buggy address:
[ 35.827328] ffffffff86e69380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 35.827332] ffffffff86e69400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 35.827335] >ffffffff86e69480: 00 00 00 00 fa fa fa fa 06 fa fa fa fa fa fa fa
[ 35.827337] ^
[ 35.827340] ffffffff86e69500: 05 fa fa fa fa fa fa fa 06 fa fa fa fa fa fa fa
[ 35.827343] ffffffff86e69580: 00 00 03 fa fa fa fa fa 00 00 00 00 00 00 00 00
[ 35.827344] ==================================================================
[ 35.827346] Disabling lock debugging due to kernel taint
[ 35.827348] Kernel panic - not syncing: panic_on_warn set ...
[ 35.827348]
[ 35.827352] CPU: 1 PID: 6337 Comm: syz-executor193 Tainted: G B 4.14.177-syzkaller #0
[ 35.827354] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.827356] Call Trace:
[ 35.827360] dump_stack+0x13e/0x194
[ 35.827365] panic+0x1f9/0x42d
[ 35.827368] ? add_taint.cold+0x16/0x16
[ 35.827373] ? lock_downgrade+0x6e0/0x6e0
[ 35.827378] ? fbcon_get_font+0x262/0x530
[ 35.827381] kasan_end_report+0x43/0x49
[ 35.827385] kasan_report.cold+0x12f/0x2ae
[ 35.827389] memcpy+0x20/0x50
[ 35.827392] fbcon_get_font+0x262/0x530
[ 35.827397] ? display_to_var+0x7b0/0x7b0
[ 35.827400] con_font_op+0x1c6/0xf70
[ 35.827405] ? con_write+0xc0/0xc0
[ 35.827411] ? __might_fault+0x177/0x1b0
[ 35.827415] vt_ioctl+0x16d2/0x1f20
[ 35.827419] ? _raw_spin_unlock_irqrestore+0x67/0xe0
[ 35.827422] ? complete_change_console+0x350/0x350
[ 35.827425] ? avc_ss_reset+0x100/0x100
[ 35.827428] ? find_held_lock+0x2d/0x110
[ 35.827434] ? lock_downgrade+0x6e0/0x6e0
[ 35.827437] ? __lru_cache_add+0x17b/0x250
[ 35.827440] ? tty_jobctrl_ioctl+0x3b/0xbf0
[ 35.827443] ? complete_change_console+0x350/0x350
[ 35.827447] tty_ioctl+0x6c5/0x1220
[ 35.827451] ? _raw_spin_unlock+0x29/0x40
[ 35.827454] ? tty_vhangup+0x30/0x30
[ 35.827462] ? tty_vhangup+0x30/0x30
[ 35.827466] do_vfs_ioctl+0x75a/0xfe0
[ 35.827470] ? selinux_file_mprotect+0x5c0/0x5c0
[ 35.827474] ? ioctl_preallocate+0x1a0/0x1a0
[ 35.827479] ? lock_downgrade+0x6e0/0x6e0
[ 35.827483] ? security_file_ioctl+0x76/0xb0
[ 35.827487] ? security_file_ioctl+0x83/0xb0
[ 35.827491] SyS_ioctl+0x7f/0xb0
[ 35.827494] ? do_vfs_ioctl+0xfe0/0xfe0
[ 35.827499] do_syscall_64+0x1d5/0x640
[ 35.827504] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 35.827506] RIP: 0033:0x441289
[ 35.827508] RSP: 002b:00007ffd9884c5f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 35.827512] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441289
[ 35.827514] RDX: 0000000020000000 RSI: 0000000000004b6b RDI: 0000000000000003
[ 35.827516] RBP: 0000000000008bd7 R08: 000000000000000d R09: 00000000004002c8
[ 35.827518] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004020b0
[ 35.827520] R13: 0000000000402140 R14: 0000000000000000 R15: 0000000000000000
[ 35.829053] Kernel Offset: disabled
[ 36.363688] Rebooting in 86400 seconds..