[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.168' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 64.727087][ T28] audit: type=1400 audit(1598863032.726:8): avc: denied { execmem } for pid=6821 comm="syz-executor863" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 64.804241][ T6821] ==================================================================
[ 64.804282][ T6821] BUG: KASAN: global-out-of-bounds in vga16fb_imageblit+0x1c36/0x2210
[ 64.804290][ T6821] Read of size 2 at addr ffffffff8899f5be by task syz-executor863/6821
[ 64.804292][ T6821]
[ 64.804302][ T6821] CPU: 0 PID: 6821 Comm: syz-executor863 Not tainted 5.9.0-rc2-syzkaller #0
[ 64.804307][ T6821] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 64.804310][ T6821] Call Trace:
[ 64.804321][ T6821] dump_stack+0x198/0x1fd
[ 64.804332][ T6821] ? vga16fb_imageblit+0x1c36/0x2210
[ 64.804339][ T6821] ? vga16fb_imageblit+0x1c36/0x2210
[ 64.804350][ T6821] print_address_description.constprop.0.cold+0x5/0x497
[ 64.804360][ T6821] ? vga16fb_imageblit+0x1c36/0x2210
[ 64.804370][ T6821] ? lockdep_hardirqs_off+0x96/0xd0
[ 64.804380][ T6821] ? vprintk_func+0x97/0x1a6
[ 64.804389][ T6821] ? vga16fb_imageblit+0x1c36/0x2210
[ 64.804397][ T6821] ? vga16fb_imageblit+0x1c36/0x2210
[ 64.804404][ T6821] kasan_report.cold+0x1f/0x37
[ 64.804416][ T6821] ? lock_downgrade+0x830/0x830
[ 64.804423][ T6821] ? vga16fb_imageblit+0x1c36/0x2210
[ 64.804433][ T6821] vga16fb_imageblit+0x1c36/0x2210
[ 64.804446][ T6821] ? fb_pad_aligned_buffer+0x14f/0x150
[ 64.804459][ T6821] soft_cursor+0x514/0xa30
[ 64.804475][ T6821] bit_cursor+0x1166/0x17d0
[ 64.804489][ T6821] ? kmalloc_array.constprop.0+0x20/0x20
[ 64.804504][ T6821] ? do_update_region+0x47c/0x630
[ 64.804514][ T6821] ? fb_get_color_depth+0x11a/0x240
[ 64.804524][ T6821] ? __sanitizer_cov_trace_switch+0x45/0x70
[ 64.804532][ T6821] ? get_color+0x20e/0x410
[ 64.804542][ T6821] fbcon_cursor+0x537/0x660
[ 64.804550][ T6821] ? kmalloc_array.constprop.0+0x20/0x20
[ 64.804558][ T6821] ? fbcon_set_palette+0x3a8/0x490
[ 64.804569][ T6821] set_cursor+0x1d2/0x240
[ 64.804578][ T6821] redraw_screen+0x4b9/0x770
[ 64.804586][ T6821] ? vga16fb_update_fix+0x4a0/0x4a0
[ 64.804595][ T6821] ? vc_init+0x430/0x430
[ 64.804606][ T6821] ? fbcon_set_palette+0x3a8/0x490
[ 64.804616][ T6821] fbcon_modechanged+0x575/0x710
[ 64.804628][ T6821] fbcon_update_vcs+0x3a/0x50
[ 64.804637][ T6821] do_fb_ioctl+0x62e/0x690
[ 64.804646][ T6821] ? fb_set_suspend+0x1a0/0x1a0
[ 64.804656][ T6821] ? tomoyo_execute_permission+0x470/0x470
[ 64.804672][ T6821] ? lock_is_held_type+0xbb/0xf0
[ 64.804685][ T6821] ? __sanitizer_cov_trace_switch+0x45/0x70
[ 64.804707][ T6821] ? do_vfs_ioctl+0x27d/0x1090
[ 64.804727][ T6821] ? __x64_sys_openat+0x13f/0x1f0
[ 64.804739][ T6821] fb_ioctl+0xdd/0x130
[ 64.804746][ T6821] ? do_fb_ioctl+0x690/0x690
[ 64.804755][ T6821] __x64_sys_ioctl+0x193/0x200
[ 64.804765][ T6821] do_syscall_64+0x2d/0x70
[ 64.804773][ T6821] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 64.804780][ T6821] RIP: 0033:0x4403d9
[ 64.804789][ T6821] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 64.804794][ T6821] RSP: 002b:00007ffeb15940b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 64.804803][ T6821] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004403d9
[ 64.804808][ T6821] RDX: 00000000200000c0 RSI: 0000000000004601 RDI: 0000000000000003
[ 64.804813][ T6821] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 64.804818][ T6821] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401be0
[ 64.804823][ T6821] R13: 0000000000401c70 R14: 0000000000000000 R15: 0000000000000000
[ 64.804835][ T6821]
[ 64.804838][ T6821] The buggy address belongs to the variable:
[ 64.804845][ T6821] transl_h+0x3e/0x40
[ 64.804848][ T6821]
[ 64.804850][ T6821] Memory state around the buggy address:
[ 64.804857][ T6821] ffffffff8899f480: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
[ 64.804864][ T6821] ffffffff8899f500: 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9
[ 64.804869][ T6821] >ffffffff8899f580: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
[ 64.804873][ T6821]                                         ^
[ 64.804878][ T6821] ffffffff8899f600: 00 01 f9 f9 f9 f9 f9 f9 00 00 00 04 f9 f9 f9 f9
[ 64.804884][ T6821] ffffffff8899f680: 00 00 04 f9 f9 f9 f9 f9 00 00 00 00 00 00 02 f9
[ 64.804887][ T6821] ==================================================================
[ 64.804890][ T6821] Disabling lock debugging due to kernel taint
[ 64.804894][ T6821] Kernel panic - not syncing: panic_on_warn set ...
[ 64.804902][ T6821] CPU: 0 PID: 6821 Comm: syz-executor863 Tainted: G B 5.9.0-rc2-syzkaller #0
[ 64.804905][ T6821] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 64.804907][ T6821] Call Trace:
[ 64.804913][ T6821] dump_stack+0x198/0x1fd
[ 64.804921][ T6821] ? vga16fb_imageblit+0x1b90/0x2210
[ 64.804928][ T6821] panic+0x347/0x7c0
[ 64.804935][ T6821] ? __warn_printk+0xf3/0xf3
[ 64.804944][ T6821] ? trace_hardirqs_on+0x55/0x220
[ 64.804952][ T6821] ? vga16fb_imageblit+0x1c36/0x2210
[ 64.804958][ T6821] ? vga16fb_imageblit+0x1c36/0x2210
[ 64.804964][ T6821] end_report+0x4d/0x53
[ 64.804970][ T6821] kasan_report.cold+0xd/0x37
[ 64.804977][ T6821] ? lock_downgrade+0x830/0x830
[ 64.804984][ T6821] ? vga16fb_imageblit+0x1c36/0x2210
[ 64.804991][ T6821] vga16fb_imageblit+0x1c36/0x2210
[ 64.804999][ T6821] ? fb_pad_aligned_buffer+0x14f/0x150
[ 64.805006][ T6821] soft_cursor+0x514/0xa30
[ 64.805015][ T6821] bit_cursor+0x1166/0x17d0
[ 64.805024][ T6821] ? kmalloc_array.constprop.0+0x20/0x20
[ 64.805050][ T6821] ? do_update_region+0x47c/0x630
[ 64.805058][ T6821] ? fb_get_color_depth+0x11a/0x240
[ 64.805065][ T6821] ? __sanitizer_cov_trace_switch+0x45/0x70
[ 64.805071][ T6821] ? get_color+0x20e/0x410
[ 64.805078][ T6821] fbcon_cursor+0x537/0x660
[ 64.805085][ T6821] ? kmalloc_array.constprop.0+0x20/0x20
[ 64.805092][ T6821] ? fbcon_set_palette+0x3a8/0x490
[ 64.805099][ T6821] set_cursor+0x1d2/0x240
[ 64.805107][ T6821] redraw_screen+0x4b9/0x770
[ 64.805113][ T6821] ? vga16fb_update_fix+0x4a0/0x4a0
[ 64.805120][ T6821] ? vc_init+0x430/0x430
[ 64.805128][ T6821] ? fbcon_set_palette+0x3a8/0x490
[ 64.805135][ T6821] fbcon_modechanged+0x575/0x710
[ 64.805143][ T6821] fbcon_update_vcs+0x3a/0x50
[ 64.805150][ T6821] do_fb_ioctl+0x62e/0x690
[ 64.805157][ T6821] ? fb_set_suspend+0x1a0/0x1a0
[ 64.805165][ T6821] ? tomoyo_execute_permission+0x470/0x470
[ 64.805180][ T6821] ? lock_is_held_type+0xbb/0xf0
[ 64.805188][ T6821] ? __sanitizer_cov_trace_switch+0x45/0x70
[ 64.805195][ T6821] ? do_vfs_ioctl+0x27d/0x1090
[ 64.805205][ T6821] ? __x64_sys_openat+0x13f/0x1f0
[ 64.805213][ T6821] fb_ioctl+0xdd/0x130
[ 64.805220][ T6821] ? do_fb_ioctl+0x690/0x690
[ 64.805227][ T6821] __x64_sys_ioctl+0x193/0x200
[ 64.805234][ T6821] do_syscall_64+0x2d/0x70
[ 64.805241][ T6821] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 64.805245][ T6821] RIP: 0033:0x4403d9
[ 64.805252][ T6821] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 64.805255][ T6821] RSP: 002b:00007ffeb15940b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 64.805262][ T6821] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004403d9
[ 64.805266][ T6821] RDX: 00000000200000c0 RSI: 0000000000004601 RDI: 0000000000000003
[ 64.805270][ T6821] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 64.805274][ T6821] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401be0
[ 64.805278][ T6821] R13: 0000000000401c70 R14: 0000000000000000 R15: 0000000000000000
[ 64.806469][ T6821] Kernel Offset: disabled
[ 65.532153][ T6821] Rebooting in 86400 seconds..