[syzbot] [fbdev?] KASAN: use-after-free Write in fbcon_get_font

From: syzbot
Date: Tue Mar 21 2023 - 13:04:20 EST

Next message: syzbot: "[syzbot] [jfs?] KASAN: invalid-free in sys_mount"
Previous message: syzbot: "[syzbot] [kernel?] general protection fault in vhost_task_start"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello,

syzbot found the following issue on:

HEAD commit: fe15c26ee26e Linux 6.3-rc1
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=11bc9c16c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=7573cbcd881a88c9
dashboard link: https://syzkaller.appspot.com/bug?extid=5a04eb16db96950bb112
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=135becbac80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1182c9d2c80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/89d41abd07bd/disk-fe15c26e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/fa75f5030ade/vmlinux-fe15c26e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/590d0f5903ee/Image-fe15c26e.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5a04eb16db96950bb112@xxxxxxxxxxxxxxxxxxxxxxxxx

==================================================================
BUG: KASAN: use-after-free in fbcon_get_font+0x240/0x8cc drivers/video/fbdev/core/fbcon.c:2290
Write of size 22062 at addr ffff0000e1bfabd6 by task syz-executor329/5944

CPU: 0 PID: 5944 Comm: syz-executor329 Not tainted 6.3.0-rc1-syzkaller-gfe15c26ee26e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:319 [inline]
print_report+0x174/0x514 mm/kasan/report.c:430
kasan_report+0xd4/0x130 mm/kasan/report.c:536
kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:187
__asan_memset+0x40/0x70 mm/kasan/shadow.c:84
fbcon_get_font+0x240/0x8cc drivers/video/fbdev/core/fbcon.c:2290
con_font_get drivers/tty/vt/vt.c:4559 [inline]
con_font_op+0x468/0xfa0 drivers/tty/vt/vt.c:4674
vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline]
vt_ioctl+0x1a90/0x252c drivers/tty/vt/vt_ioctl.c:752
tty_ioctl+0x8a4/0xd8c drivers/tty/tty_io.c:2777
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl fs/ioctl.c:856 [inline]
__arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:856
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:193
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591

The buggy address belongs to the physical page:
page:00000000c3c989b0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x121800
head:00000000c3c989b0 order:10 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x5ffc00000010000(head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff0000e1bfff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0000e1bfff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000e1c00000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff0000e1c00080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff0000e1c00100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

Next message: syzbot: "[syzbot] [jfs?] KASAN: invalid-free in sys_mount"
Previous message: syzbot: "[syzbot] [kernel?] general protection fault in vhost_task_start"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]