[ ok ] Starting enhanced syslogd: rsyslogd.
[ 61.725368][ T27] audit: type=1800 audit(1576494982.267:25): pid=8822 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 61.745108][ T27] audit: type=1800 audit(1576494982.267:26): pid=8822 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 61.790857][ T27] audit: type=1800 audit(1576494982.277:27): pid=8822 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.108' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 73.801711][ T8975] ==================================================================
[ 73.801754][ T8975] BUG: KASAN: global-out-of-bounds in vga16fb_imageblit+0x1c8b/0x2200
[ 73.801761][ T8975] Read of size 2 at addr ffffffff88752218 by task syz-executor548/8975
[ 73.801763][ T8975]
[ 73.801774][ T8975] CPU: 0 PID: 8975 Comm: syz-executor548 Not tainted 5.5.0-rc1-next-20191213-syzkaller #0
[ 73.801779][ T8975] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.801783][ T8975] Call Trace:
[ 73.801794][ T8975]  dump_stack+0x197/0x210
[ 73.801803][ T8975]  ? vga16fb_imageblit+0x1c8b/0x2200
[ 73.801815][ T8975]  print_address_description.constprop.0.cold+0x5/0x30b
[ 73.801822][ T8975]  ? vga16fb_imageblit+0x1c8b/0x2200
[ 73.801830][ T8975]  ? vga16fb_imageblit+0x1c8b/0x2200
[ 73.801838][ T8975]  __kasan_report.cold+0x1b/0x41
[ 73.801848][ T8975]  ? vga16fb_imageblit+0x1c8b/0x2200
[ 73.801857][ T8975]  kasan_report+0x12/0x20
[ 73.801866][ T8975]  __asan_report_load2_noabort+0x14/0x20
[ 73.801875][ T8975]  vga16fb_imageblit+0x1c8b/0x2200
[ 73.801891][ T8975]  soft_cursor+0x4fb/0xa30
[ 73.801903][ T8975]  ? __lock_task_sighand+0x125/0x2f0
[ 73.801916][ T8975]  bit_cursor+0x12fc/0x1a60
[ 73.801929][ T8975]  ? bit_clear+0x530/0x530
[ 73.801937][ T8975]  ? find_held_lock+0x35/0x130
[ 73.801952][ T8975]  ? __sanitizer_cov_trace_switch+0x49/0x80
[ 73.801960][ T8975]  ? get_color+0x225/0x430
[ 73.801970][ T8975]  fbcon_cursor+0x487/0x660
[ 73.801977][ T8975]  ? bit_clear+0x530/0x530
[ 73.801989][ T8975]  hide_cursor+0x9d/0x2b0
[ 73.802001][ T8975]  redraw_screen+0x60b/0x7d0
[ 73.802012][ T8975]  ? respond_string+0x2c0/0x2c0
[ 73.802024][ T8975]  vc_do_resize+0x10c9/0x1460
[ 73.802032][ T8975]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 73.802050][ T8975]  ? vc_uniscr_alloc+0xd0/0xd0
[ 73.802064][ T8975]  vc_resize+0x4d/0x60
[ 73.802072][ T8975]  fbcon_modechanged+0x367/0x790
[ 73.802083][ T8975]  fbcon_update_vcs+0x42/0x50
[ 73.802092][ T8975]  fb_set_var+0xb32/0xdd0
[ 73.802102][ T8975]  ? fb_blank+0x1a0/0x1a0
[ 73.802110][ T8975]  ? lock_acquire+0x190/0x410
[ 73.802125][ T8975]  ? __mutex_lock+0x458/0x13c0
[ 73.802132][ T8975]  ? down+0x50/0x90
[ 73.802152][ T8975]  ? do_fb_ioctl+0x335/0x7d0
[ 73.802166][ T8975]  do_fb_ioctl+0x390/0x7d0
[ 73.802175][ T8975]  ? fb_mmap+0x520/0x520
[ 73.802185][ T8975]  ? tomoyo_path_number_perm+0x214/0x520
[ 73.802193][ T8975]  ? find_held_lock+0x35/0x130
[ 73.802202][ T8975]  ? tomoyo_path_number_perm+0x214/0x520
[ 73.802212][ T8975]  ? lock_downgrade+0x920/0x920
[ 73.802220][ T8975]  ? lockdep_hardirqs_on+0x421/0x5e0
[ 73.802231][ T8975]  ? tomoyo_path_number_perm+0x454/0x520
[ 73.802252][ T8975]  ? trace_hardirqs_on+0x67/0x240
[ 73.802264][ T8975]  fb_ioctl+0xe6/0x130
[ 73.802271][ T8975]  ? do_fb_ioctl+0x7d0/0x7d0
[ 73.802281][ T8975]  do_vfs_ioctl+0x977/0x14e0
[ 73.802292][ T8975]  ? compat_ioctl_preallocate+0x220/0x220
[ 73.802299][ T8975]  ? chown_common+0x5c0/0x5c0
[ 73.802309][ T8975]  ? __kasan_check_write+0x14/0x20
[ 73.802317][ T8975]  ? up_read+0x1cd/0x810
[ 73.802331][ T8975]  ? tomoyo_file_ioctl+0x23/0x30
[ 73.802340][ T8975]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 73.802348][ T8975]  ? security_file_ioctl+0x8d/0xc0
[ 73.802358][ T8975]  ksys_ioctl+0xab/0xd0
[ 73.802378][ T8975]  __x64_sys_ioctl+0x73/0xb0
[ 73.802392][ T8975]  do_syscall_64+0xfa/0x790
[ 73.802404][ T8975]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 73.802412][ T8975] RIP: 0033:0x440309
[ 73.802422][ T8975] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 73.802426][ T8975] RSP: 002b:00007ffc88e184e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 73.802434][ T8975] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440309
[ 73.802439][ T8975] RDX: 0000000020000100 RSI: 0000000000004601 RDI: 0000000000000003
[ 73.802444][ T8975] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 73.802448][ T8975] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b90
[ 73.802453][ T8975] R13: 0000000000401c20 R14: 0000000000000000 R15: 0000000000000000
[ 73.802463][ T8975]
[ 73.802466][ T8975] The buggy address belongs to the variable:
[ 73.802474][ T8975]  transl_h+0x38/0x40
[ 73.802476][ T8975]
[ 73.802478][ T8975] Memory state around the buggy address:
[ 73.802486][ T8975]  ffffffff88752100: 00 00 00 00 fa fa fa fa 00 00 00 00 00 fa fa fa
[ 73.802492][ T8975]  ffffffff88752180: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00
[ 73.802498][ T8975] >ffffffff88752200: fa fa fa fa 00 00 00 00 fa fa fa fa 00 01 fa fa
[ 73.802502][ T8975]                             ^
[ 73.802507][ T8975]  ffffffff88752280: fa fa fa fa 00 00 00 04 fa fa fa fa 00 00 04 fa
[ 73.802513][ T8975]  ffffffff88752300: fa fa fa fa 00 00 00 00 00 00 02 fa fa fa fa fa
[ 73.802516][ T8975] ==================================================================
[ 73.802520][ T8975] Disabling lock debugging due to kernel taint
[ 73.802524][ T8975] Kernel panic - not syncing: panic_on_warn set ...
[ 73.802533][ T8975] CPU: 0 PID: 8975 Comm: syz-executor548 Tainted: G B 5.5.0-rc1-next-20191213-syzkaller #0
[ 73.802537][ T8975] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.802539][ T8975] Call Trace:
[ 73.802545][ T8975]  dump_stack+0x197/0x210
[ 73.802554][ T8975]  panic+0x2e3/0x75c
[ 73.802561][ T8975]  ? add_taint.cold+0x16/0x16
[ 73.802574][ T8975]  ? trace_hardirqs_on+0x67/0x240
[ 73.802582][ T8975]  ? trace_hardirqs_on+0x5e/0x240
[ 73.802590][ T8975]  ? vga16fb_imageblit+0x1c8b/0x2200
[ 73.802597][ T8975]  end_report+0x47/0x4f
[ 73.802603][ T8975]  ? vga16fb_imageblit+0x1c8b/0x2200
[ 73.802610][ T8975]  __kasan_report.cold+0xe/0x41
[ 73.802618][ T8975]  ? vga16fb_imageblit+0x1c8b/0x2200
[ 73.802625][ T8975]  kasan_report+0x12/0x20
[ 73.802634][ T8975]  __asan_report_load2_noabort+0x14/0x20
[ 73.802641][ T8975]  vga16fb_imageblit+0x1c8b/0x2200
[ 73.802651][ T8975]  soft_cursor+0x4fb/0xa30
[ 73.802659][ T8975]  ? __lock_task_sighand+0x125/0x2f0
[ 73.802669][ T8975]  bit_cursor+0x12fc/0x1a60
[ 73.802678][ T8975]  ? bit_clear+0x530/0x530
[ 73.802684][ T8975]  ? find_held_lock+0x35/0x130
[ 73.802694][ T8975]  ? __sanitizer_cov_trace_switch+0x49/0x80
[ 73.802701][ T8975]  ? get_color+0x225/0x430
[ 73.802708][ T8975]  fbcon_cursor+0x487/0x660
[ 73.802715][ T8975]  ? bit_clear+0x530/0x530
[ 73.802723][ T8975]  hide_cursor+0x9d/0x2b0
[ 73.802732][ T8975]  redraw_screen+0x60b/0x7d0
[ 73.802741][ T8975]  ? respond_string+0x2c0/0x2c0
[ 73.802750][ T8975]  vc_do_resize+0x10c9/0x1460
[ 73.802759][ T8975]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 73.802772][ T8975]  ? vc_uniscr_alloc+0xd0/0xd0
[ 73.802781][ T8975]  vc_resize+0x4d/0x60
[ 73.802788][ T8975]  fbcon_modechanged+0x367/0x790
[ 73.802796][ T8975]  fbcon_update_vcs+0x42/0x50
[ 73.802804][ T8975]  fb_set_var+0xb32/0xdd0
[ 73.802812][ T8975]  ? fb_blank+0x1a0/0x1a0
[ 73.802818][ T8975]  ? lock_acquire+0x190/0x410
[ 73.802828][ T8975]  ? __mutex_lock+0x458/0x13c0
[ 73.802834][ T8975]  ? down+0x50/0x90
[ 73.802847][ T8975]  ? do_fb_ioctl+0x335/0x7d0
[ 73.802857][ T8975]  do_fb_ioctl+0x390/0x7d0
[ 73.802865][ T8975]  ? fb_mmap+0x520/0x520
[ 73.802872][ T8975]  ? tomoyo_path_number_perm+0x214/0x520
[ 73.802879][ T8975]  ? find_held_lock+0x35/0x130
[ 73.802886][ T8975]  ? tomoyo_path_number_perm+0x214/0x520
[ 73.802895][ T8975]  ? lock_downgrade+0x920/0x920
[ 73.802901][ T8975]  ? lockdep_hardirqs_on+0x421/0x5e0
[ 73.802910][ T8975]  ? tomoyo_path_number_perm+0x454/0x520
[ 73.802923][ T8975]  ? trace_hardirqs_on+0x67/0x240
[ 73.802932][ T8975]  fb_ioctl+0xe6/0x130
[ 73.802939][ T8975]  ? do_fb_ioctl+0x7d0/0x7d0
[ 73.802946][ T8975]  do_vfs_ioctl+0x977/0x14e0
[ 73.802954][ T8975]  ? compat_ioctl_preallocate+0x220/0x220
[ 73.802960][ T8975]  ? chown_common+0x5c0/0x5c0
[ 73.802968][ T8975]  ? __kasan_check_write+0x14/0x20
[ 73.802976][ T8975]  ? up_read+0x1cd/0x810
[ 73.802986][ T8975]  ? tomoyo_file_ioctl+0x23/0x30
[ 73.802994][ T8975]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 73.803000][ T8975]  ? security_file_ioctl+0x8d/0xc0
[ 73.803008][ T8975]  ksys_ioctl+0xab/0xd0
[ 73.803016][ T8975]  __x64_sys_ioctl+0x73/0xb0
[ 73.803024][ T8975]  do_syscall_64+0xfa/0x790
[ 73.803034][ T8975]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 73.803038][ T8975] RIP: 0033:0x440309
[ 73.803045][ T8975] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 73.803049][ T8975] RSP: 002b:00007ffc88e184e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 73.803055][ T8975] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440309
[ 73.803059][ T8975] RDX: 0000000020000100 RSI: 0000000000004601 RDI: 0000000000000003
[ 73.803063][ T8975] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 73.803067][ T8975] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b90
[ 73.803071][ T8975] R13: 0000000000401c20 R14: 0000000000000000 R15: 0000000000000000
[ 73.804665][ T8975] Kernel Offset: disabled
[ 74.706220][ T8975] Rebooting in 86400 seconds..