================================================================== BUG: KASAN: global-out-of-bounds in memcpy include/linux/string.h:406 [inline] BUG: KASAN: global-out-of-bounds in soft_cursor+0x448/0xa20 drivers/video/fbdev/core/softcursor.c:70 Read of size 28 at addr ffffffff889625d4 by task syz-executor.0/24425 CPU: 0 PID: 24425 Comm: syz-executor.0 Not tainted 5.7.0-rc7-next-20200529-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x18f/0x20d lib/dump_stack.c:118 print_address_description.constprop.0.cold+0x5/0x413 mm/kasan/report.c:383 __kasan_report mm/kasan/report.c:513 [inline] kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530 check_memory_region_inline mm/kasan/generic.c:186 [inline] check_memory_region+0x141/0x190 mm/kasan/generic.c:192 memcpy+0x20/0x60 mm/kasan/common.c:105 memcpy include/linux/string.h:406 [inline] soft_cursor+0x448/0xa20 drivers/video/fbdev/core/softcursor.c:70 bit_cursor+0x11c8/0x1870 drivers/video/fbdev/core/bitblit.c:386 fbcon_cursor+0x477/0x650 drivers/video/fbdev/core/fbcon.c:1411 fbcon_scroll+0x22b/0x3620 drivers/video/fbdev/core/fbcon.c:1888 con_scroll+0x405/0x6a0 drivers/tty/vt/vt.c:637 lf+0x262/0x2b0 drivers/tty/vt/vt.c:1483 do_con_write.part.0+0x168c/0x1dc0 drivers/tty/vt/vt.c:2781 do_con_write drivers/tty/vt/vt.c:2593 [inline] con_write+0x41/0xe0 drivers/tty/vt/vt.c:3159 process_output_block drivers/tty/n_tty.c:595 [inline] n_tty_write+0x3f0/0xf90 drivers/tty/n_tty.c:2333 do_tty_write drivers/tty/tty_io.c:962 [inline] tty_write+0x495/0x800 drivers/tty/tty_io.c:1046 __vfs_write+0x76/0x100 fs/read_write.c:495 __kernel_write+0x11c/0x3a0 fs/read_write.c:516 write_pipe_buf+0x153/0x1e0 fs/splice.c:799 splice_from_pipe_feed fs/splice.c:502 [inline] __splice_from_pipe+0x3f3/0x7c0 fs/splice.c:626 splice_from_pipe+0xd9/0x140 fs/splice.c:661 default_file_splice_write fs/splice.c:811 [inline] do_splice_from fs/splice.c:847 [inline] do_splice_from+0xbc/0x110 fs/splice.c:842 direct_splice_actor+0xa3/0x110 fs/splice.c:1016 splice_direct_to_actor+0x38c/0x980 fs/splice.c:971 do_splice_direct+0x1b4/0x280 fs/splice.c:1059 do_sendfile+0x555/0xc50 fs/read_write.c:1521 __do_sys_sendfile64 fs/read_write.c:1582 [inline] __se_sys_sendfile64 fs/read_write.c:1568 [inline] __x64_sys_sendfile64+0x1cc/0x210 fs/read_write.c:1568 do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:359 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45ca69 Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f271aaa7c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 RAX: ffffffffffffffda RBX: 00000000004fcba0 RCX: 000000000045ca69 RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000003 RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000 R10: 0800000080004105 R11: 0000000000000246 R12: 00000000ffffffff R13: 00000000000008ed R14: 00000000004cbbd6 R15: 00007f271aaa86d4 The buggy address belongs to the variable: oid_index+0x5d4/0xa00 Memory state around the buggy address: ffffffff88962480: 00 00 00 04 fa fa fa fa 00 00 fa fa fa fa fa fa ffffffff88962500: 00 00 06 fa fa fa fa fa 00 06 fa fa fa fa fa fa >ffffffff88962580: 00 00 06 fa fa fa fa fa 00 00 01 fa fa fa fa fa ^ ffffffff88962600: 06 fa fa fa fa fa fa fa 05 fa fa fa fa fa fa fa ffffffff88962680: 00 00 00 00 fa fa fa fa 05 fa fa fa fa fa fa fa ==================================================================