================================================================== BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:348 [inline] BUG: KASAN: slab-out-of-bounds in soft_cursor+0x439/0xa30 drivers/video/fbdev/core/softcursor.c:70 Read of size 32 at addr ffff888063a01790 by task syz-executor.1/28907 CPU: 1 PID: 28907 Comm: syz-executor.1 Not tainted 4.19.105-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x197/0x210 lib/dump_stack.c:118 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report mm/kasan/report.c:412 [inline] kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396 check_memory_region_inline mm/kasan/kasan.c:260 [inline] check_memory_region+0x123/0x190 mm/kasan/kasan.c:267 memcpy+0x24/0x50 mm/kasan/kasan.c:302 memcpy include/linux/string.h:348 [inline] soft_cursor+0x439/0xa30 drivers/video/fbdev/core/softcursor.c:70 bit_cursor+0x12fc/0x1a60 drivers/video/fbdev/core/bitblit.c:386 fbcon_cursor+0x58a/0x7b0 drivers/video/fbdev/core/fbcon.c:1369 hide_cursor+0x9e/0x300 drivers/tty/vt/vt.c:895 redraw_screen+0x2ee/0x8e0 drivers/tty/vt/vt.c:988 vc_do_resize+0x118e/0x14a0 drivers/tty/vt/vt.c:1287 vc_resize+0x4d/0x60 drivers/tty/vt/vt.c:1307 vt_ioctl+0x1fe0/0x2530 drivers/tty/vt/vt_ioctl.c:887 tty_ioctl+0x7f3/0x1510 drivers/tty/tty_io.c:2669 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:501 [inline] do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:688 ksys_ioctl+0xab/0xd0 fs/ioctl.c:705 __do_sys_ioctl fs/ioctl.c:712 [inline] __se_sys_ioctl fs/ioctl.c:710 [inline] __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:710 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45c449 Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fccd8a25c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fccd8a266d4 RCX: 000000000045c449 RDX: 0000000020000080 RSI: 000000000000560a RDI: 0000000000000003 RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 000000000000066b R14: 00000000004c8fe0 R15: 000000000076bf2c Allocated by task 27768: save_stack+0x45/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] kasan_kmalloc mm/kasan/kasan.c:553 [inline] kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531 __do_kmalloc mm/slab.c:3727 [inline] __kmalloc+0x15d/0x750 mm/slab.c:3736 kmalloc include/linux/slab.h:520 [inline] load_elf_phdrs+0x157/0x200 fs/binfmt_elf.c:441 load_elf_binary+0x321/0x53a0 fs/binfmt_elf.c:737 search_binary_handler fs/exec.c:1653 [inline] search_binary_handler+0x179/0x570 fs/exec.c:1631 exec_binprm fs/exec.c:1695 [inline] __do_execve_file.isra.0+0x11fa/0x2110 fs/exec.c:1819 do_execveat_common fs/exec.c:1866 [inline] do_execve fs/exec.c:1883 [inline] __do_sys_execve fs/exec.c:1964 [inline] __se_sys_execve fs/exec.c:1959 [inline] __x64_sys_execve+0x8f/0xc0 fs/exec.c:1959 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 27768: save_stack+0x45/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528 __cache_free mm/slab.c:3503 [inline] kfree+0xcf/0x220 mm/slab.c:3822 load_elf_binary+0x24aa/0x53a0 fs/binfmt_elf.c:1118 search_binary_handler fs/exec.c:1653 [inline] search_binary_handler+0x179/0x570 fs/exec.c:1631 exec_binprm fs/exec.c:1695 [inline] __do_execve_file.isra.0+0x11fa/0x2110 fs/exec.c:1819 do_execveat_common fs/exec.c:1866 [inline] do_execve fs/exec.c:1883 [inline] __do_sys_execve fs/exec.c:1964 [inline] __se_sys_execve fs/exec.c:1959 [inline] __x64_sys_execve+0x8f/0xc0 fs/exec.c:1959 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff888063a01580 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 16 bytes to the right of 512-byte region [ffff888063a01580, ffff888063a01780) The buggy address belongs to the page: page:ffffea00018e8040 count:1 mapcount:0 mapping:ffff88812c31c940 index:0xffff888063a01a80 flags: 0xfffe0000000100(slab) raw: 00fffe0000000100 ffffea0002235c88 ffffea00018a3f88 ffff88812c31c940 raw: ffff888063a01a80 ffff888063a01080 0000000100000005 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888063a01680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888063a01700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888063a01780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff888063a01800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888063a01880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================