bisecting fixing commit since c7ecf3e3a71c216327980f26b1e895ce9b07ad31
building syzkaller on 25a0186eba20ef6f4f657039ff02eff52a838b1c
testing commit c7ecf3e3a71c216327980f26b1e895ce9b07ad31 with gcc (GCC) 8.1.0
kernel signature: 5489a37ace72648500b53a2c31450fe50bf76d2b7818133731dc807c4a0f7a65
all runs: crashed: KASAN: global-out-of-bounds Read in fbcon_get_font
testing current HEAD b94de4d19498b454645b72d08a05d32fa9074fb5
testing commit b94de4d19498b454645b72d08a05d32fa9074fb5 with gcc (GCC) 8.1.0
kernel signature: 7818d53821393ecb79feb5d4f8fac05f78e3e63870ea3c1b3c0c288a73854a09
all runs: OK
# git bisect start b94de4d19498b454645b72d08a05d32fa9074fb5 c7ecf3e3a71c216327980f26b1e895ce9b07ad31
Bisecting: 2981 revisions left to test after this (roughly 12 steps)
[eadf95a680792b24c2bc38bb3df8ec30ac268143] ALSA: opti9xx: shut up gcc-10 range warning
testing commit eadf95a680792b24c2bc38bb3df8ec30ac268143 with gcc (GCC) 8.1.0
kernel signature: 52c11e619990dff1b116d18a6c073ed586f218646d338f0e79f4ba1c3d87ba21
all runs: crashed: KASAN: global-out-of-bounds Read in fbcon_get_font
# git bisect good eadf95a680792b24c2bc38bb3df8ec30ac268143
Bisecting: 1490 revisions left to test after this (roughly 11 steps)
[a08c30d9ccf19146f8477feb21b1007acd149357] brcmfmac: To fix Bss Info flag definition Bug
testing commit a08c30d9ccf19146f8477feb21b1007acd149357 with gcc (GCC) 8.1.0
kernel signature: 6ad89ca75f84e6619881a18b8bb67c497468ffdb848e3e9323eeaaecd64f3d10
all runs: crashed: KASAN: global-out-of-bounds Read in fbcon_get_font
# git bisect good a08c30d9ccf19146f8477feb21b1007acd149357
Bisecting: 745 revisions left to test after this (roughly 10 steps)
[52f5a09ab7583ed497fc4b331311d71b7d8a6e12] mm/swapfile.c: swap_next should increase position index
testing commit 52f5a09ab7583ed497fc4b331311d71b7d8a6e12 with gcc (GCC) 8.1.0
kernel signature: 98ccc82e22d384576f5a8ac413c048368c78f62ad16c7cf5a6fc842ac0e443eb
all runs: basic kernel testing failed: KASAN: use-after-free Read in l2cap_sock_release
# git bisect skip 52f5a09ab7583ed497fc4b331311d71b7d8a6e12
Bisecting: 745 revisions left to test after this (roughly 10 steps)
[8eed535dada298f74806d4d91948305a4cea1d5f] jbd2: abort journal if free a async write error metadata buffer
testing commit 8eed535dada298f74806d4d91948305a4cea1d5f with gcc (GCC) 8.1.0
kernel signature: 74b9dfbf44d3e9da7361793d6a623952b6f9677fa781333b53d4f12e64416f8b
all runs: crashed: KASAN: global-out-of-bounds Read in fbcon_get_font
# git bisect good 8eed535dada298f74806d4d91948305a4cea1d5f
Bisecting: 569 revisions left to test after this (roughly 9 steps)
[3b69fe0d6d0f760f6faba1e5e11cfacd35df8d75] ata: sata_mv, avoid trigerrable BUG_ON
testing commit 3b69fe0d6d0f760f6faba1e5e11cfacd35df8d75 with gcc (GCC) 8.1.0
kernel signature: efc742db91dc8cf841bddb95141b77653dd5f0b640bf283b8854edbcafc858ed
all runs: crashed: KASAN: global-out-of-bounds Read in fbcon_get_font
# git bisect good 3b69fe0d6d0f760f6faba1e5e11cfacd35df8d75
Bisecting: 284 revisions left to test after this (roughly 8 steps)
[c579bc45752b8b6b447baecf7d50b064c9edc8d2] clk: at91: clk-main: update key before writing AT91_CKGR_MOR
testing commit c579bc45752b8b6b447baecf7d50b064c9edc8d2 with gcc (GCC) 8.1.0
kernel signature: a55736a3dc525bd7bed1b6bb5aa4c67524a1eb005ae37d3bc661588fa3603564
all runs: OK
# git bisect bad c579bc45752b8b6b447baecf7d50b064c9edc8d2
Bisecting: 142 revisions left to test after this (roughly 7 steps)
[1ea11b1622e91682ad4b36f737e46bb6483ebe3e] KVM: x86/mmu: Commit zap of remaining invalid pages when recovering lpages
testing commit 1ea11b1622e91682ad4b36f737e46bb6483ebe3e with gcc (GCC) 8.1.0
kernel signature: d6a0a5fb1cb1368304f3df9075b508417f7de17c6931b0ea5bcd6457f6c545f9
all runs: OK
# git bisect bad 1ea11b1622e91682ad4b36f737e46bb6483ebe3e
Bisecting: 70 revisions left to test after this (roughly 6 steps)
[50e117921b322323b7272f108d9c080ad883ee0a] xfrm: clone XFRMA_SET_MARK in xfrm_do_migrate
testing commit 50e117921b322323b7272f108d9c080ad883ee0a with gcc (GCC) 8.1.0
kernel signature: 1bcbe6fa550a37474f714abc7f5915c20de217052737d785cd030b05186cbf73
all runs: OK
# git bisect bad 50e117921b322323b7272f108d9c080ad883ee0a
Bisecting: 35 revisions left to test after this (roughly 5 steps)
[1c3886dc302329f199cc04f8a56ba44d17a0df16] net/packet: fix overflow in tpacket_rcv
testing commit 1c3886dc302329f199cc04f8a56ba44d17a0df16 with gcc (GCC) 8.1.0
kernel signature: d4c99d37c67bdfd6c2775bc6c7c5446b07f1fd8c806320699bdcd521e9d5ed80
all runs: crashed: KASAN: global-out-of-bounds Read in fbcon_get_font
# git bisect good 1c3886dc302329f199cc04f8a56ba44d17a0df16
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[fbe293f9a67b8f34424d4ca0298db88d2845dd79] driver core: Fix probe_count imbalance in really_probe()
testing commit fbe293f9a67b8f34424d4ca0298db88d2845dd79 with gcc (GCC) 8.1.0
kernel signature: b311a6e13031f5b3ba252cad177ce9d0cfbc69b3be4c071984738d7732f415e6
all runs: OK
# git bisect bad fbe293f9a67b8f34424d4ca0298db88d2845dd79
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[43198a5b1c42e3d8aadc6524a73bb3aa3666cd43] fbcon: Fix global-out-of-bounds read in fbcon_get_font()
testing commit 43198a5b1c42e3d8aadc6524a73bb3aa3666cd43 with gcc (GCC) 8.1.0
kernel signature: ceffe8bbf62a0aa82da477de96df7812723036cce1cb4890febbcdf199edf062
all runs: OK
# git bisect bad 43198a5b1c42e3d8aadc6524a73bb3aa3666cd43
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[289fe546ea16c2dcb57c5198c5a7b7387604530e] netfilter: ctnetlink: add a range check for l3/l4 protonum
testing commit 289fe546ea16c2dcb57c5198c5a7b7387604530e with gcc (GCC) 8.1.0
kernel signature: 9d50cbda423b49d56ea4dc9c34244302849df3e2582545455f0cafa09d500068
all runs: crashed: KASAN: global-out-of-bounds Read in fbcon_get_font
# git bisect good 289fe546ea16c2dcb57c5198c5a7b7387604530e
Bisecting: 1 revision left to test after this (roughly 1 step)
[7b9eaa7241ea2cfa580b854d461be72107a4b35c] fbdev, newport_con: Move FONT_EXTRA_WORDS macros into linux/font.h
testing commit 7b9eaa7241ea2cfa580b854d461be72107a4b35c with gcc (GCC) 8.1.0
kernel signature: 2f06c349d6763a63f81da3ba93c5ebc6fad81ccc94f03b1d9da1896236e551de
all runs: crashed: KASAN: global-out-of-bounds Read in fbcon_get_font
# git bisect good 7b9eaa7241ea2cfa580b854d461be72107a4b35c
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[2162bcbc74817f6378a5593d527087c4b4593e16] Fonts: Support FONT_EXTRA_WORDS macros for built-in fonts
testing commit 2162bcbc74817f6378a5593d527087c4b4593e16 with gcc (GCC) 8.1.0
kernel signature: e325e99cb92473fb5c679d38389f6d782b27c1c21731cd136bbf4688137237c8
all runs: crashed: KASAN: global-out-of-bounds Read in fbcon_get_font
# git bisect good 2162bcbc74817f6378a5593d527087c4b4593e16
43198a5b1c42e3d8aadc6524a73bb3aa3666cd43 is the first bad commit
commit 43198a5b1c42e3d8aadc6524a73bb3aa3666cd43
Author: Peilin Ye
Date:   Thu Sep 24 09:43:48 2020 -0400

    fbcon: Fix global-out-of-bounds read in fbcon_get_font()

    commit 5af08640795b2b9a940c9266c0260455377ae262 upstream.

    fbcon_get_font() is reading out-of-bounds. A malicious user may resize
    `vc->vc_font.height` to a large value, causing fbcon_get_font() to read
    out of `fontdata`.

    fbcon_get_font() handles both built-in and user-provided fonts.
    Fortunately, recently we have added FONT_EXTRA_WORDS support for built-in
    fonts, so fix it by adding range checks using FNTSIZE().

    This patch depends on patch "fbdev, newport_con: Move FONT_EXTRA_WORDS
    macros into linux/font.h", and patch "Fonts: Support FONT_EXTRA_WORDS
    macros for built-in fonts".

    Cc: stable@vger.kernel.org
    Reported-and-tested-by: syzbot+29d4ed7f3bdedf2aa2fd@syzkaller.appspotmail.com
    Link: https://syzkaller.appspot.com/bug?id=08b8be45afea11888776f897895aef9ad1c3ecfd
    Signed-off-by: Peilin Ye
    Reviewed-by: Greg Kroah-Hartman
    Signed-off-by: Daniel Vetter
    Link: https://patchwork.freedesktop.org/patch/msgid/b34544687a1a09d6de630659eb7a773f4953238b.1600953813.git.yepeilin.cs@gmail.com
    Signed-off-by: Greg Kroah-Hartman

 drivers/video/fbdev/core/fbcon.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

culprit signature: ceffe8bbf62a0aa82da477de96df7812723036cce1cb4890febbcdf199edf062
parent signature: e325e99cb92473fb5c679d38389f6d782b27c1c21731cd136bbf4688137237c8
revisions tested: 16, total time: 3h42m53.897541739s (build: 2h17m59.003523627s, test: 1h23m1.280727116s)
first good commit: 43198a5b1c42e3d8aadc6524a73bb3aa3666cd43 fbcon: Fix global-out-of-bounds read in fbcon_get_font()
recipients (to): ["daniel.vetter@ffwll.ch" "gregkh@linuxfoundation.org" "syzbot+29d4ed7f3bdedf2aa2fd@syzkaller.appspotmail.com" "yepeilin.cs@gmail.com"]
recipients (cc): []