Bug 208233

Summary: KASAN: use-after-free Read in vgacon_scroll bug
Product: Drivers
Reporter: tkeri (tkeri)
Component: Console/Framebuffers
Assignee: James Simmons (jsimmons)
Status: NEW
Severity: normal
Priority: P1
Hardware: x86-64
OS: Linux
Kernel Version: 5.7.0+
Subsystem:
Regression: No
Bisected commit-id:
Attachments: Linux config, Syzkaller reproducer, C reproducer

Description tkeri 2020-06-18 11:20:08 UTC
BUG: KASAN: use-after-free in vgacon_scroll+0x599/0x5b0 include/linux/vt_buffer.h:49
Read of size 2101248 at addr ffff8880000b9000 by task (agetty)/431

CPU: 0 PID: 431 Comm: (agetty) Not tainted 5.7.0+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 dump_stack+0xb4/0xfe lib/dump_stack.c:77
 print_address_description.constprop.6+0x1a/0x220 mm/kasan/report.c:383
 kasan_report.cold.9+0x37/0x85 mm/kasan/report.c:513
 check_memory_region+0x198/0x200 mm/kasan/generic.c:186
 memcpy+0x1f/0x60 mm/kasan/common.c:105
 vgacon_scroll+0x599/0x5b0 include/linux/vt_buffer.h:49
 con_scroll+0x303/0x420 drivers/tty/vt/vt.c:637
 lf+0x19d/0x1b0 drivers/tty/vt/vt.c:1483
 do_con_trol+0x281/0x3660 drivers/tty/vt/vt.c:2149
 do_con_write.part.25+0x60e/0x1420 drivers/tty/vt/vt.c:2823
 con_write+0x3f/0xc0 drivers/tty/vt/vt.c:2593
 do_output_char+0x2f3/0x510 drivers/tty/n_tty.c:447
 __process_echoes+0x272/0x5c0 drivers/tty/n_tty.c:739
 process_echoes+0x8b/0xc0 drivers/tty/n_tty.c:811
 n_tty_write+0x15a/0xa00 drivers/tty/n_tty.c:2319
 tty_write+0x33a/0x640 drivers/tty/tty_io.c:962
 __vfs_write+0x50/0xa0 fs/read_write.c:495
 vfs_write+0x169/0x350 fs/read_write.c:559
 ksys_write+0xe3/0x1d0 fs/read_write.c:612
 do_syscall_64+0x8a/0x2b0 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7fcde5b8a1b0
Code: 2e 0f 1f 84 00 00 00 00 00 90 48 8b 05 19 7e 20 00 c3 0f 1f 84 00 00 00 00 00 83 3d 19 c2 20 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 ae fc ff ff 48 89 04 24
RSP: 002b:00007ffcf8cbc448 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000000000000000a RCX: 00007fcde5b8a1b0
RDX: 000000000000000a RSI: 00007fcde6ff5cbe RDI: 0000000000000003
RBP: 00007fcde6ff5cbe R08: 00007ffcf8cbc400 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003
R13: 0000000000000000 R14: ffffffffffffffff R15: 00007ffcf8cbc700

The buggy address belongs to the page:
page:ffffea0000002e40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x1000(reserved)
raw: 0000000000001000 ffffea0000002e48 ffffea0000002e48 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880000fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880000fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888000100000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff888000100080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888000100100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Comment 1 tkeri 2020-06-18 11:21:03 UTC
Created attachment 289725
Linux config
Comment 2 tkeri 2020-06-18 11:24:39 UTC
Created attachment 289727
Syzkaller reproducer
Comment 3 tkeri 2020-06-18 11:25:13 UTC
Created attachment 289729
C reproducer