KASAN: user-memory-access Read in insert_char

[syzbot]

Hello,

syzbot found the following crash on:

HEAD commit: fb683b5e Linux 4.19.88
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11a63196e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=aa0c39a6a0078b1c
dashboard link: https://syzkaller.appspot.com/bug?extid=16419c6af4d7cfa3c892
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=140bf97ee00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1567eca6e00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+16419c...@syzkaller.appspotmail.com

audit: type=1400 audit(1576001585.714:36): avc: denied { map } for
pid=7716 comm="syz-executor108" path="/root/syz-executor108131634"
dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: user-memory-access in memmove include/linux/string.h:363
[inline]
BUG: KASAN: user-memory-access in scr_memmovew include/linux/vt_buffer.h:68
[inline]
BUG: KASAN: user-memory-access in insert_char+0x206/0x450
drivers/tty/vt/vt.c:839
Read of size 212 at addr 00000000ffffff3a by task syz-executor108/7716

CPU: 1 PID: 7716 Comm: syz-executor108 Not tainted 4.19.88-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
kasan_report_error mm/kasan/report.c:352 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x199/0x2ba mm/kasan/report.c:396
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
memmove+0x24/0x50 mm/kasan/kasan.c:293
memmove include/linux/string.h:363 [inline]
scr_memmovew include/linux/vt_buffer.h:68 [inline]
insert_char+0x206/0x450 drivers/tty/vt/vt.c:839
csi_at drivers/tty/vt/vt.c:1965 [inline]
do_con_trol+0x3ca8/0x6070 drivers/tty/vt/vt.c:2412
do_con_write.part.0+0xfd5/0x1eb0 drivers/tty/vt/vt.c:2773
do_con_write drivers/tty/vt/vt.c:2541 [inline]
con_write+0x46/0xd0 drivers/tty/vt/vt.c:3110
process_output_block drivers/tty/n_tty.c:593 [inline]
n_tty_write+0x3f9/0x10f0 drivers/tty/n_tty.c:2331
do_tty_write drivers/tty/tty_io.c:960 [inline]
tty_write+0x458/0x7a0 drivers/tty/tty_io.c:1044
__vfs_write+0x114/0x810 fs/read_write.c:485
vfs_write+0x20c/0x560 fs/read_write.c:549
ksys_write+0x14f/0x2d0 fs/read_write.c:599
__do_sys_write fs/read_write.c:611 [inline]
__se_sys_write fs/read_write.c:608 [inline]
__x64_sys_write+0x73/0xb0 fs/read_write.c:608
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4404f9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffdbdee1938 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004404f9
RDX: 0000000000000078 RSI: 0000000020000000 RDI: 0000000000000004
RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401de0
R13: 0000000000401e70 R14: 0000000000000000 R15: 0000000000000000
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

[syzbot]

Hello,

syzbot found the following crash on:

HEAD commit: a844dc4c Linux 4.14.158
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1248690ee00000
kernel config: https://syzkaller.appspot.com/x/.config?x=c02bef505ffc02ff
dashboard link: https://syzkaller.appspot.com/bug?extid=5c1aab02e13d79472e01

compiler: gcc (GCC) 9.0.0 20181231 (experimental)

syz repro: https://syzkaller.appspot.com/x/repro.syz?x=148caaeae00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12f2ae41e00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:

Reported-by: syzbot+5c1aab...@syzkaller.appspotmail.com

audit: type=1400 audit(1576003063.562:36): avc: denied { map } for
pid=7073 comm="syz-executor444" path="/root/syz-executor444533648"

dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================

BUG: KASAN: user-memory-access in memmove include/linux/string.h:362

[inline]
BUG: KASAN: user-memory-access in scr_memmovew include/linux/vt_buffer.h:68
[inline]

BUG: KASAN: user-memory-access in insert_char+0xce/0x290
drivers/tty/vt/vt.c:534
Read of size 212 at addr 00000000ffffff3a by task syz-executor444/7073

CPU: 0 PID: 7073 Comm: syz-executor444 Not tainted 4.14.158-syzkaller #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:

__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
kasan_report_error mm/kasan/report.c:349 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0x127/0x2af mm/kasan/report.c:393

check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
memmove+0x24/0x50 mm/kasan/kasan.c:293

memmove include/linux/string.h:362 [inline]
scr_memmovew include/linux/vt_buffer.h:68 [inline]
insert_char+0xce/0x290 drivers/tty/vt/vt.c:534
csi_at drivers/tty/vt/vt.c:1627 [inline]
do_con_trol+0x35bd/0x5b40 drivers/tty/vt/vt.c:2074
do_con_write.part.0+0xcc7/0x1b50 drivers/tty/vt/vt.c:2434
do_con_write drivers/tty/vt/vt.c:2205 [inline]
con_write+0x38/0xc0 drivers/tty/vt/vt.c:2787
process_output_block drivers/tty/n_tty.c:595 [inline]
n_tty_write+0x38b/0xee0 drivers/tty/n_tty.c:2333
do_tty_write drivers/tty/tty_io.c:959 [inline]
tty_write+0x3f6/0x700 drivers/tty/tty_io.c:1043
__vfs_write+0x105/0x6b0 fs/read_write.c:480
vfs_write+0x198/0x500 fs/read_write.c:544
SYSC_write fs/read_write.c:590 [inline]
SyS_write+0xfd/0x230 fs/read_write.c:582
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4404f9
RSP: 002b:00007ffea945dfe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001

[syzbot]

syzbot suspects this issue was fixed by commit:

commit 74752b81eae8ae64e97de222320026367e92c4b5
Author: Tetsuo Handa <penguin...@I-love.SAKURA.ne.jp>
Date: Sun Jul 12 11:10:12 2020 +0000

vt: Reject zero-sized screen buffer size.

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1045181c900000
start commit: fb683b5e Linux 4.19.88
git tree: linux-4.19.y

kernel config: https://syzkaller.appspot.com/x/.config?x=aa0c39a6a0078b1c
dashboard link: https://syzkaller.appspot.com/bug?extid=16419c6af4d7cfa3c892

syz repro: https://syzkaller.appspot.com/x/repro.syz?x=140bf97ee00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1567eca6e00000

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: vt: Reject zero-sized screen buffer size.

For information about bisection process see: https://goo.gl/tpsmEJ#bisection