[ ok ] Starting enhanced syslogd: rsyslogd.
[ 68.821538][ T27] audit: type=1800 audit(1577900811.323:25): pid=9152 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 68.842569][ T27] audit: type=1800 audit(1577900811.323:26): pid=9152 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 68.899859][ T27] audit: type=1800 audit(1577900811.323:27): pid=9152 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.61' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [ 78.102424][ T9307] ==================================================================
[ 78.102461][ T9307] BUG: KASAN: global-out-of-bounds in fbcon_get_font+0x2b2/0x5e0
[ 78.102468][ T9307] Read of size 32 at addr ffffffff88729e80 by task syz-executor135/9307
[ 78.102470][ T9307]
[ 78.102480][ T9307] CPU: 1 PID: 9307 Comm: syz-executor135 Not tainted 5.5.0-rc4-syzkaller #0
[ 78.102485][ T9307] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 78.102488][ T9307] Call Trace:
[ 78.102499][ T9307] dump_stack+0x197/0x210
[ 78.102506][ T9307] ? fbcon_get_font+0x2b2/0x5e0
[ 78.102519][ T9307] print_address_description.constprop.0.cold+0x5/0x30b
[ 78.102526][ T9307] ? fbcon_get_font+0x2b2/0x5e0
[ 78.102532][ T9307] ? fbcon_get_font+0x2b2/0x5e0
[ 78.102541][ T9307] __kasan_report.cold+0x1b/0x41
[ 78.102549][ T9307] ? fbcon_get_font+0x2b2/0x5e0
[ 78.102558][ T9307] kasan_report+0x12/0x20
[ 78.102567][ T9307] check_memory_region+0x134/0x1a0
[ 78.102575][ T9307] memcpy+0x24/0x50
[ 78.102583][ T9307] fbcon_get_font+0x2b2/0x5e0
[ 78.102599][ T9307] ? display_to_var+0x7e0/0x7e0
[ 78.102609][ T9307] con_font_op+0x20b/0x1270
[ 78.102617][ T9307] ? mark_lock+0xc2/0x1220
[ 78.102625][ T9307] ? apparmor_cred_prepare+0x7b0/0x7b0
[ 78.102635][ T9307] ? con_write+0xd0/0xd0
[ 78.102645][ T9307] ? cap_capable+0x205/0x270
[ 78.102657][ T9307] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 78.102666][ T9307] ? security_capable+0x95/0xc0
[ 78.102677][ T9307] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 78.102686][ T9307] ? ns_capable_common+0x93/0x100
[ 78.102696][ T9307] vt_ioctl+0xd2e/0x26d0
[ 78.102705][ T9307] ? complete_change_console+0x3a0/0x3a0
[ 78.102712][ T9307] ? lock_downgrade+0x920/0x920
[ 78.102721][ T9307] ? rwlock_bug.part.0+0x90/0x90
[ 78.102731][ T9307] ? tomoyo_path_number_perm+0x214/0x520
[ 78.102739][ T9307] ? find_held_lock+0x35/0x130
[ 78.102749][ T9307] ? __sanitizer_cov_trace_switch+0x49/0x80
[ 78.102758][ T9307] ? tty_jobctrl_ioctl+0x50/0xd40
[ 78.102766][ T9307] ? complete_change_console+0x3a0/0x3a0
[ 78.102775][ T9307] tty_ioctl+0xa37/0x14f0
[ 78.102785][ T9307] ? tty_vhangup+0x30/0x30
[ 78.102793][ T9307] ? tomoyo_path_number_perm+0x454/0x520
[ 78.102803][ T9307] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 78.102811][ T9307] ? tomoyo_path_number_perm+0x25e/0x520
[ 78.102821][ T9307] ? tomoyo_execute_permission+0x4a0/0x4a0
[ 78.102839][ T9307] ? tty_vhangup+0x30/0x30
[ 78.102850][ T9307] do_vfs_ioctl+0x977/0x14e0
[ 78.102860][ T9307] ? compat_ioctl_preallocate+0x220/0x220
[ 78.102868][ T9307] ? __fget+0x37f/0x550
[ 78.102879][ T9307] ? ksys_dup3+0x3e0/0x3e0
[ 78.102891][ T9307] ? tomoyo_file_ioctl+0x23/0x30
[ 78.102900][ T9307] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 78.102907][ T9307] ? security_file_ioctl+0x8d/0xc0
[ 78.102919][ T9307] ksys_ioctl+0xab/0xd0
[ 78.102936][ T9307] __x64_sys_ioctl+0x73/0xb0
[ 78.102954][ T9307] do_syscall_64+0xfa/0x790
[ 78.102974][ T9307] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 78.102984][ T9307] RIP: 0033:0x446889
[ 78.102999][ T9307] Code: e8 9c b4 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 0b 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 78.103006][ T9307] RSP: 002b:00007fc70a887db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 78.103014][ T9307] RAX: ffffffffffffffda RBX: 00000000006dbc48 RCX: 0000000000446889
[ 78.103019][ T9307] RDX: 0000000020000200 RSI: 0000000000004b60 RDI: 0000000000000004
[ 78.103024][ T9307] RBP: 00000000006dbc40 R08: 0000000000000000 R09: 0000000000000000
[ 78.103028][ T9307] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc4c
[ 78.103033][ T9307] R13: 00007ffc8fee4ecf R14: 00007fc70a8889c0 R15: 20c49ba5e353f7cf
[ 78.103044][ T9307]
[ 78.103047][ T9307] The buggy address belongs to the variable:
[ 78.103055][ T9307] fontdata_8x16+0x1000/0x1120
[ 78.103057][ T9307]
[ 78.103060][ T9307] Memory state around the buggy address:
[ 78.103067][ T9307] ffffffff88729d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 78.103073][ T9307] ffffffff88729e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 78.103079][ T9307] >ffffffff88729e80: fa fa fa fa 06 fa fa fa fa fa fa fa 05 fa fa fa
[ 78.103083][ T9307] ^
[ 78.103089][ T9307] ffffffff88729f00: fa fa fa fa 06 fa fa fa fa fa fa fa 00 00 03 fa
[ 78.103095][ T9307] ffffffff88729f80: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
[ 78.103098][ T9307] ==================================================================
[ 78.103101][ T9307] Disabling lock debugging due to kernel taint
[ 78.103105][ T9307] Kernel panic - not syncing: panic_on_warn set ...
[ 78.103114][ T9307] CPU: 1 PID: 9307 Comm: syz-executor135 Tainted: G B 5.5.0-rc4-syzkaller #0
[ 78.103118][ T9307] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 78.103120][ T9307] Call Trace:
[ 78.103128][ T9307] dump_stack+0x197/0x210
[ 78.103137][ T9307] panic+0x2e3/0x75c
[ 78.103144][ T9307] ? add_taint.cold+0x16/0x16
[ 78.103156][ T9307] ? trace_hardirqs_on+0x67/0x240
[ 78.103163][ T9307] ? trace_hardirqs_on+0x5e/0x240
[ 78.103170][ T9307] ? fbcon_get_font+0x2b2/0x5e0
[ 78.103177][ T9307] end_report+0x47/0x4f
[ 78.103183][ T9307] ? fbcon_get_font+0x2b2/0x5e0
[ 78.103190][ T9307] __kasan_report.cold+0xe/0x41
[ 78.103197][ T9307] ? fbcon_get_font+0x2b2/0x5e0
[ 78.103204][ T9307] kasan_report+0x12/0x20
[ 78.103212][ T9307] check_memory_region+0x134/0x1a0
[ 78.103219][ T9307] memcpy+0x24/0x50
[ 78.103225][ T9307] fbcon_get_font+0x2b2/0x5e0
[ 78.103232][ T9307] ? display_to_var+0x7e0/0x7e0
[ 78.103240][ T9307] con_font_op+0x20b/0x1270
[ 78.103246][ T9307] ? mark_lock+0xc2/0x1220
[ 78.103253][ T9307] ? apparmor_cred_prepare+0x7b0/0x7b0
[ 78.103261][ T9307] ? con_write+0xd0/0xd0
[ 78.103268][ T9307] ? cap_capable+0x205/0x270
[ 78.103277][ T9307] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 78.103285][ T9307] ? security_capable+0x95/0xc0
[ 78.103294][ T9307] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 78.103301][ T9307] ? ns_capable_common+0x93/0x100
[ 78.103308][ T9307] vt_ioctl+0xd2e/0x26d0
[ 78.103315][ T9307] ? complete_change_console+0x3a0/0x3a0
[ 78.103321][ T9307] ? lock_downgrade+0x920/0x920
[ 78.103329][ T9307] ? rwlock_bug.part.0+0x90/0x90
[ 78.103337][ T9307] ? tomoyo_path_number_perm+0x214/0x520
[ 78.103343][ T9307] ? find_held_lock+0x35/0x130
[ 78.103351][ T9307] ? __sanitizer_cov_trace_switch+0x49/0x80
[ 78.103359][ T9307] ? tty_jobctrl_ioctl+0x50/0xd40
[ 78.103365][ T9307] ? complete_change_console+0x3a0/0x3a0
[ 78.103373][ T9307] tty_ioctl+0xa37/0x14f0
[ 78.103381][ T9307] ? tty_vhangup+0x30/0x30
[ 78.103388][ T9307] ? tomoyo_path_number_perm+0x454/0x520
[ 78.103397][ T9307] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 78.103404][ T9307] ? tomoyo_path_number_perm+0x25e/0x520
[ 78.103412][ T9307] ? tomoyo_execute_permission+0x4a0/0x4a0
[ 78.103424][ T9307] ? tty_vhangup+0x30/0x30
[ 78.103431][ T9307] do_vfs_ioctl+0x977/0x14e0
[ 78.103439][ T9307] ? compat_ioctl_preallocate+0x220/0x220
[ 78.103446][ T9307] ? __fget+0x37f/0x550
[ 78.103454][ T9307] ? ksys_dup3+0x3e0/0x3e0
[ 78.103463][ T9307] ? tomoyo_file_ioctl+0x23/0x30
[ 78.103471][ T9307] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 78.103478][ T9307] ? security_file_ioctl+0x8d/0xc0
[ 78.103485][ T9307] ksys_ioctl+0xab/0xd0
[ 78.103493][ T9307] __x64_sys_ioctl+0x73/0xb0
[ 78.103501][ T9307] do_syscall_64+0xfa/0x790
[ 78.103510][ T9307] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 78.103514][ T9307] RIP: 0033:0x446889
[ 78.103522][ T9307] Code: e8 9c b4 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 0b 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 78.103525][ T9307] RSP: 002b:00007fc70a887db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 78.103532][ T9307] RAX: ffffffffffffffda RBX: 00000000006dbc48 RCX: 0000000000446889
[ 78.103536][ T9307] RDX: 0000000020000200 RSI: 0000000000004b60 RDI: 0000000000000004
[ 78.103540][ T9307] RBP: 00000000006dbc40 R08: 0000000000000000 R09: 0000000000000000
[ 78.103544][ T9307] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc4c
[ 78.103548][ T9307] R13: 00007ffc8fee4ecf R14: 00007fc70a8889c0 R15: 20c49ba5e353f7cf
[ 78.104804][ T9307] Kernel Offset: disabled
[ 78.907845][ T9307] Rebooting in 86400 seconds..