Re: KASAN: slab-out-of-bounds Read in fbcon_get_font

From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
To: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>,
	Daniel Vetter <daniel.vetter@ffwll.ch>,
	Maarten Lankhorst <maarten.lankhorst@linux.intel.com>,
	Sam Ravnborg <sam@ravnborg.org>,
	Grzegorz Halat <ghalat@redhat.com>
Cc: syzbot <syzbot+4455ca3b3291de891abc@syzkaller.appspotmail.com>,
	aryabinin@virtuozzo.com, daniel.thompson@linaro.org,
	dri-devel@lists.freedesktop.org, dvyukov@google.com,
	gleb@kernel.org, gwshan@linux.vnet.ibm.com, hpa@zytor.com,
	jmorris@namei.org, kasan-dev@googlegroups.com,
	kvm@vger.kernel.org, linux-fbdev@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	linux-security-module@vger.kernel.org, mingo@redhat.com,
	mpe@ellerman.id.au, pbonzini@redhat.com, ruscur@russell.cc,
	serge@hallyn.com, stewart@linux.vnet.ibm.com,
	syzkaller-bugs@googlegroups.com, takedakn@nttdata.co.jp,
	tglx@linutronix.de, x86@kernel.org
Subject: Re: KASAN: slab-out-of-bounds Read in fbcon_get_font
Date: Thu, 05 Dec 2019 10:59:56 +0900	[thread overview]
Message-ID: <201912050159.xB51xuco020972@www262.sakura.ne.jp> (raw)
In-Reply-To: <0000000000003e640e0598e7abc3@google.com>

Hello.

syzbot is reporting that memory allocation size at fbcon_set_font() is too small
because font's height is rounded up from 10 to 16 after memory allocation.

----------

diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index c9235a2f42f8..68fe66e435d3 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -2461,6 +2461,7 @@ static int fbcon_get_font(struct vc_data *vc, struct console_font *font)
 
 	if (font->width <= 8) {
 		j = vc->vc_font.height;
+		printk("ksize(fontdata)=%lu font->charcount=%d vc->vc_font.height=%d font->width=%u\n", ksize(fontdata), font->charcount, j, font->width);
 		for (i = 0; i < font->charcount; i++) {
 			memcpy(data, fontdata, j);
 			memset(data + j, 0, 32 - j);
@@ -2661,6 +2662,8 @@ static int fbcon_set_font(struct vc_data *vc, struct console_font *font,
 	size = h * pitch * charcount;
 
 	new_data = kmalloc(FONT_EXTRA_WORDS * sizeof(int) + size, GFP_USER);
+	if (new_data)
+		printk("ksize(new_data)=%lu h=%u pitch=%u charcount=%u font->width=%u\n", ksize(new_data), h, pitch, charcount, font->width);
 
 	if (!new_data)
 		return -ENOMEM;
----------

Normal usage:

[   27.305293] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[   27.328527] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[   27.362551] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[   27.385084] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[   27.387653] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[   27.417562] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[   27.437808] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[   27.440738] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[   27.461157] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[   27.495346] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[   27.607372] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[   27.655674] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[   27.675310] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[   27.702193] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8

syzbot's testcase:

[  115.784893] ksize(new_data)=4096 h=10 pitch=1 charcount=256 font->width=8
[  115.790269] ksize(fontdata)=4096 font->charcount=256 vc->vc_font.height=16 font->width=8
