Message-Id: <201912050159.xB51xuco020972@www262.sakura.ne.jp>
Subject: Re: KASAN: slab-out-of-bounds Read in fbcon_get_font
From: Tetsuo Handa
To: Bartlomiej Zolnierkiewicz, Daniel Vetter, Maarten Lankhorst, Sam Ravnborg, Grzegorz Halat
Cc: syzbot, aryabinin@virtuozzo.com, daniel.thompson@linaro.org, dri-devel@lists.freedesktop.org, dvyukov@google.com, gleb@kernel.org, gwshan@linux.vnet.ibm.com, hpa@zytor.com, jmorris@namei.org, kasan-dev@googlegroups.com, kvm@vger.kernel.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, mingo@redhat.com, mpe@ellerman.id.au, pbonzini@redhat.com, ruscur@russell.cc, serge@hallyn.com, stewart@linux.vnet.ibm.com, syzkaller-bugs@googlegroups.com, takedakn@nttdata.co.jp, tglx@linutronix.de, x86@kernel.org
Date: Thu, 05 Dec 2019 10:59:56 +0900
References: <0000000000002cfc3a0598d42b70@google.com> <0000000000003e640e0598e7abc3@google.com>
In-Reply-To: <0000000000003e640e0598e7abc3@google.com>

Hello.

syzbot is reporting that the memory allocation size at fbcon_set_font() is too small because the font's height is rounded up from 10 to 16 after the memory allocation.

----------
diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index c9235a2f42f8..68fe66e435d3 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -2461,6 +2461,7 @@ static int fbcon_get_font(struct vc_data *vc, struct console_font *font)
 
 	if (font->width <= 8) {
 		j = vc->vc_font.height;
+		printk("ksize(fontdata)=%lu font->charcount=%d vc->vc_font.height=%d font->width=%u\n", ksize(fontdata), font->charcount, j, font->width);
 		for (i = 0; i < font->charcount; i++) {
 			memcpy(data, fontdata, j);
 			memset(data + j, 0, 32 - j);
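Review bot: the printk added in the fbcon_get_font() hunk has no log level and mismatched format specifiers: ksize() returns size_t, so `%lu` should be `%zu`, and font->charcount is an unsigned int, so `%d` should be `%u`; for a diagnostic like this `pr_debug()` or `printk(KERN_DEBUG ...)` is the usual form. What the print makes visible is the real issue: the copy length j is taken from vc->vc_font.height, not from the height the fontdata buffer was sized for, so in the syzbot case the loop reads 256 * 16 = 4096 bytes per the reported charcount and height from a buffer that was allocated for 10 bytes per glyph (10 * 1 * 256 = 2560 bytes of glyph data plus the extra words, rounded by kmalloc to a 4096-byte object), which runs past the end of the glyph data.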
@@ -2661,6 +2662,8 @@ static int fbcon_set_font(struct vc_data *vc, struct console_font *font,
 	size = h * pitch * charcount;
 
 	new_data = kmalloc(FONT_EXTRA_WORDS * sizeof(int) + size, GFP_USER);
+	if (new_data)
+		printk("ksize(new_data)=%lu h=%u pitch=%u charcount=%u font->width=%u\n", ksize(new_data), h, pitch, charcount, font->width);
 
 	if (!new_data)
 		return -ENOMEM;
----------

Normal usage:

[ 27.305293] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[ 27.328527] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[ 27.362551] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[ 27.385084] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[ 27.387653] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[ 27.417562] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[ 27.437808] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[ 27.440738] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[ 27.461157] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[ 27.495346] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[ 27.607372] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[ 27.655674] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[ 27.675310] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[ 27.702193] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8

syzbot's testcase:

[ 115.784893] ksize(new_data)=4096 h=10 pitch=1 charcount=256 font->width=8
[ 115.790269] ksize(fontdata)=4096 font->charcount=256 vc->vc_font.height=16 font->width=8
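Review bot: in the fbcon_set_font() hunk the new `if (new_data) printk(...)` sits directly above the existing `if (!new_data) return -ENOMEM;`, so the same pointer is tested twice; placing the printk after the NULL check drops the duplicated condition (the `%zu` and log-level nits from the other hunk apply here too). Substantively, the two syzbot lines confirm the mail's point: size is computed from the caller-supplied h = 10 before the height is rounded up, so the buffer holds 10 bytes per glyph, while fbcon_get_font() later copies vc->vc_font.height = 16 bytes per glyph; the allocation has to be sized from the height that actually ends up in vc_font.height, or the request rejected when the two disagree.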