Warning: Permanently added '10.128.0.32' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 33.197108] audit: type=1400 audit(1599020069.121:8): avc: denied { execmem } for pid=6351 comm="syz-executor303" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 33.273152] ==================================================================
[ 33.273176] BUG: KASAN: global-out-of-bounds in vga16fb_imageblit+0x1be2/0x2140
[ 33.273180] Read of size 2 at addr ffffffff86e8da1e by task syz-executor303/6351
[ 33.273182]
[ 33.273188] CPU: 0 PID: 6351 Comm: syz-executor303 Not tainted 4.14.195-syzkaller #0
[ 33.273191] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.273193] Call Trace:
[ 33.273200]  dump_stack+0x1b2/0x283
[ 33.273210]  print_address_description.cold+0x5/0x1d3
[ 33.273216]  kasan_report_error.cold+0x8a/0x194
[ 33.273220]  ? vga16fb_imageblit+0x1be2/0x2140
[ 33.273224]  __asan_report_load2_noabort+0x68/0x70
[ 33.273229]  ? vga16fb_imageblit+0x1be2/0x2140
[ 33.273233]  vga16fb_imageblit+0x1be2/0x2140
[ 33.273242]  ? fb_pad_unaligned_buffer+0x2f/0x2e0
[ 33.273248]  soft_cursor+0x50a/0xa50
[ 33.273258]  ? trace_hardirqs_on_caller+0x3a8/0x580
[ 33.273263]  bit_cursor+0x1056/0x1620
[ 33.273270]  ? bit_update_start+0x1f0/0x1f0
[ 33.273279]  ? do_update_region+0x41d/0x5b0
[ 33.273283]  ? fb_get_color_depth+0x100/0x200
[ 33.273288]  ? get_color+0x1be/0x3a0
[ 33.273293]  fbcon_cursor+0x4b1/0x6a0
[ 33.273297]  ? bit_update_start+0x1f0/0x1f0
[ 33.273300]  ? add_softcursor+0x14/0x2d0
[ 33.273306]  set_cursor+0x189/0x1e0
[ 33.273310]  redraw_screen+0x57b/0x790
[ 33.273316]  ? con_shutdown+0x90/0x90
[ 33.273320]  ? fbcon_set_palette+0x466/0x580
[ 33.273326]  fbcon_modechanged+0x68a/0x980
[ 33.273332]  fbcon_event_notify+0x107/0x1760
[ 33.273340]  notifier_call_chain+0x108/0x1a0
[ 33.273347]  blocking_notifier_call_chain+0x79/0x90
[ 33.273352]  fb_set_var+0xac5/0xc90
[ 33.273358]  ? fb_set_suspend+0x110/0x110
[ 33.273362]  ? __lock_acquire+0x5fc/0x3f20
[ 33.273369]  ? lock_acquire+0x170/0x3f0
[ 33.273373]  ? do_fb_ioctl+0x2f1/0xa70
[ 33.273383]  ? _raw_spin_unlock_irq+0x24/0x80
[ 33.273392]  ? do_fb_ioctl+0x2e7/0xa70
[ 33.273399]  do_fb_ioctl+0x36d/0xa70
[ 33.273404]  ? register_framebuffer+0x8e0/0x8e0
[ 33.273412]  ? avc_has_extended_perms+0x6e4/0xbf0
[ 33.273418]  ? avc_ss_reset+0x100/0x100
[ 33.273422]  ? kasan_slab_free+0x12d/0x1a0
[ 33.273426]  ? kasan_slab_free+0xc3/0x1a0
[ 33.273430]  ? kmem_cache_free+0x7c/0x2b0
[ 33.273434]  ? putname+0xcd/0x110
[ 33.273437]  ? do_sys_open+0x203/0x410
[ 33.273442]  ? do_syscall_64+0x1d5/0x640
[ 33.273446]  ? entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 33.273451]  ? path_lookupat+0x780/0x780
[ 33.273457]  ? debug_check_no_obj_freed+0x2c0/0x674
[ 33.273470]  fb_ioctl+0xdd/0x130
[ 33.273473]  ? do_fb_ioctl+0xa70/0xa70
[ 33.273478]  do_vfs_ioctl+0x75a/0xff0
[ 33.273483]  ? selinux_inode_setxattr+0x730/0x730
[ 33.273488]  ? ioctl_preallocate+0x1a0/0x1a0
[ 33.273492]  ? kmem_cache_free+0x23a/0x2b0
[ 33.273497]  ? putname+0xcd/0x110
[ 33.273501]  ? do_sys_open+0x208/0x410
[ 33.273507]  ? security_file_ioctl+0x83/0xb0
[ 33.273513]  SyS_ioctl+0x7f/0xb0
[ 33.273517]  ? do_vfs_ioctl+0xff0/0xff0
[ 33.273522]  do_syscall_64+0x1d5/0x640
[ 33.273529]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 33.273533] RIP: 0033:0x4403d9
[ 33.273536] RSP: 002b:00007ffcc111aa98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 33.273541] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004403d9
[ 33.273543] RDX: 00000000200001c0 RSI: 0000000000004601 RDI: 0000000000000003
[ 33.273546] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 33.273548] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401be0
[ 33.273551] R13: 0000000000401c70 R14: 0000000000000000 R15: 0000000000000000
[ 33.273557]
[ 33.273559] The buggy address belongs to the variable:
[ 33.273563]  transl_h+0x3e/0x40
[ 33.273564]
[ 33.273566] Memory state around the buggy address:
[ 33.273571]  ffffffff86e8d900: 02 fa fa fa fa fa fa fa 00 00 00 00 00 fa fa fa
[ 33.273574]  ffffffff86e8d980: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00
[ 33.273577] >ffffffff86e8da00: fa fa fa fa 00 00 00 00 fa fa fa fa 00 01 fa fa
[ 33.273579]                             ^
[ 33.273582]  ffffffff86e8da80: fa fa fa fa 00 00 00 04 fa fa fa fa 00 00 04 fa
[ 33.273585]  ffffffff86e8db00: fa fa fa fa 00 00 00 00 00 00 02 fa fa fa fa fa
[ 33.273587] ==================================================================
[ 33.273588] Disabling lock debugging due to kernel taint
[ 33.273590] Kernel panic - not syncing: panic_on_warn set ...
[ 33.273590]
[ 33.273594] CPU: 0 PID: 6351 Comm: syz-executor303 Tainted: G B 4.14.195-syzkaller #0
[ 33.273596] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.273597] Call Trace:
[ 33.273607]  dump_stack+0x1b2/0x283
[ 33.273613]  panic+0x1f9/0x42d
[ 33.273617]  ? add_taint.cold+0x16/0x16
[ 33.273621]  ? lock_downgrade+0x740/0x740
[ 33.273627]  kasan_end_report+0x43/0x49
[ 33.273631]  kasan_report_error.cold+0xa7/0x194
[ 33.273634]  ? vga16fb_imageblit+0x1be2/0x2140
[ 33.273638]  __asan_report_load2_noabort+0x68/0x70
[ 33.273642]  ? vga16fb_imageblit+0x1be2/0x2140
[ 33.273646]  vga16fb_imageblit+0x1be2/0x2140
[ 33.273651]  ? fb_pad_unaligned_buffer+0x2f/0x2e0
[ 33.273656]  soft_cursor+0x50a/0xa50
[ 33.273661]  ? trace_hardirqs_on_caller+0x3a8/0x580
[ 33.273665]  bit_cursor+0x1056/0x1620
[ 33.273671]  ? bit_update_start+0x1f0/0x1f0
[ 33.273676]  ? do_update_region+0x41d/0x5b0
[ 33.273679]  ? fb_get_color_depth+0x100/0x200
[ 33.273683]  ? get_color+0x1be/0x3a0
[ 33.273687]  fbcon_cursor+0x4b1/0x6a0
[ 33.273690]  ? bit_update_start+0x1f0/0x1f0
[ 33.273694]  ? add_softcursor+0x14/0x2d0
[ 33.273698]  set_cursor+0x189/0x1e0
[ 33.273702]  redraw_screen+0x57b/0x790
[ 33.273707]  ? con_shutdown+0x90/0x90
[ 33.273710]  ? fbcon_set_palette+0x466/0x580
[ 33.273714]  fbcon_modechanged+0x68a/0x980
[ 33.273719]  fbcon_event_notify+0x107/0x1760
[ 33.273724]  notifier_call_chain+0x108/0x1a0
[ 33.273729]  blocking_notifier_call_chain+0x79/0x90
[ 33.273733]  fb_set_var+0xac5/0xc90
[ 33.273738]  ? fb_set_suspend+0x110/0x110
[ 33.273741]  ? __lock_acquire+0x5fc/0x3f20
[ 33.273747]  ? lock_acquire+0x170/0x3f0
[ 33.273750]  ? do_fb_ioctl+0x2f1/0xa70
[ 33.273756]  ? _raw_spin_unlock_irq+0x24/0x80
[ 33.273763]  ? do_fb_ioctl+0x2e7/0xa70
[ 33.273768]  do_fb_ioctl+0x36d/0xa70
[ 33.273772]  ? register_framebuffer+0x8e0/0x8e0
[ 33.273777]  ? avc_has_extended_perms+0x6e4/0xbf0
[ 33.273781]  ? avc_ss_reset+0x100/0x100
[ 33.273785]  ? kasan_slab_free+0x12d/0x1a0
[ 33.273789]  ? kasan_slab_free+0xc3/0x1a0
[ 33.273792]  ? kmem_cache_free+0x7c/0x2b0
[ 33.273795]  ? putname+0xcd/0x110
[ 33.273798]  ? do_sys_open+0x203/0x410
[ 33.273801]  ? do_syscall_64+0x1d5/0x640
[ 33.273805]  ? entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 33.273809]  ? path_lookupat+0x780/0x780
[ 33.273813]  ? debug_check_no_obj_freed+0x2c0/0x674
[ 33.273822]  fb_ioctl+0xdd/0x130
[ 33.273825]  ? do_fb_ioctl+0xa70/0xa70
[ 33.273829]  do_vfs_ioctl+0x75a/0xff0
[ 33.273833]  ? selinux_inode_setxattr+0x730/0x730
[ 33.273837]  ? ioctl_preallocate+0x1a0/0x1a0
[ 33.273841]  ? kmem_cache_free+0x23a/0x2b0
[ 33.273844]  ? putname+0xcd/0x110
[ 33.273847]  ? do_sys_open+0x208/0x410
[ 33.273852]  ? security_file_ioctl+0x83/0xb0
[ 33.273856]  SyS_ioctl+0x7f/0xb0
[ 33.273860]  ? do_vfs_ioctl+0xff0/0xff0
[ 33.273864]  do_syscall_64+0x1d5/0x640
[ 33.273870]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 33.273879] RIP: 0033:0x4403d9
[ 33.273880] RSP: 002b:00007ffcc111aa98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 33.273884] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004403d9
[ 33.273886] RDX: 00000000200001c0 RSI: 0000000000004601 RDI: 0000000000000003
[ 33.273888] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 33.273890] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401be0
[ 33.273892] R13: 0000000000401c70 R14: 0000000000000000 R15: 0000000000000000
[ 33.275386] Kernel Offset: disabled
[ 34.020218] Rebooting in 86400 seconds..