================================================================== BUG: KASAN: global-out-of-bounds in memcpy include/linux/string.h:347 [inline] BUG: KASAN: global-out-of-bounds in soft_cursor+0x445/0xa40 drivers/video/fbdev/core/softcursor.c:70 Read of size 32 at addr ffffffff86c69880 by task syz-executor.2/19018 CPU: 1 PID: 19018 Comm: syz-executor.2 Not tainted 4.14.184-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x1b2/0x283 lib/dump_stack.c:58 print_address_description.cold+0x5/0x1dc mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report mm/kasan/report.c:409 [inline] kasan_report.cold+0xa9/0x2b9 mm/kasan/report.c:393 memcpy+0x20/0x50 mm/kasan/kasan.c:302 memcpy include/linux/string.h:347 [inline] soft_cursor+0x445/0xa40 drivers/video/fbdev/core/softcursor.c:70 bit_cursor+0x1072/0x1660 drivers/video/fbdev/core/bitblit.c:386 fbcon_cursor+0x4b1/0x690 drivers/video/fbdev/core/fbcon.c:1350 hide_cursor+0x7a/0x2a0 drivers/tty/vt/vt.c:590 redraw_screen+0x2a2/0x760 drivers/tty/vt/vt.c:680 fbcon_do_set_font+0x6bd/0x990 drivers/video/fbdev/core/fbcon.c:2564 fbcon_copy_font+0x125/0x190 drivers/video/fbdev/core/fbcon.c:2579 con_font_copy drivers/tty/vt/vt.c:4238 [inline] con_font_op+0x58b/0xf70 drivers/tty/vt/vt.c:4253 vt_ioctl+0x1376/0x1f20 drivers/tty/vt/vt_ioctl.c:980 tty_ioctl+0x6c9/0x1220 drivers/tty/tty_io.c:2661 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:500 [inline] do_vfs_ioctl+0x75a/0xfe0 fs/ioctl.c:684 SYSC_ioctl fs/ioctl.c:701 [inline] SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb RIP: 0033:0x45cb29 RSP: 002b:00007f6e93189c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00000000004e76c0 RCX: 000000000045cb29 RDX: 0000000020000040 RSI: 0000000000004b72 RDI: 0000000000000006 RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 000000000000037e R14: 00000000004c6212 R15: 00007f6e9318a6d4 The buggy address belongs to the variable: str__msr__trace_system_name+0x220/0x9a0 Memory state around the buggy address: ffffffff86c69780: fa fa fa fa 00 04 fa fa fa fa fa fa 00 02 fa fa ffffffff86c69800: fa fa fa fa 00 00 01 fa fa fa fa fa 04 fa fa fa >ffffffff86c69880: fa fa fa fa 00 00 00 00 06 fa fa fa fa fa fa fa ^ ffffffff86c69900: 00 00 00 fa fa fa fa fa 00 00 00 fa fa fa fa fa ffffffff86c69980: 00 00 00 03 fa fa fa fa 00 00 00 04 fa fa fa fa ==================================================================