BUG: KASAN: slab-out-of-bounds in soft_cursor+0x454/0xa30

[report] BUG: KASAN: slab-out-of-bounds in soft_cursor+0x454/0xa30
Posted by Wang Liang 3 weeks, 2 days ago
Hello, my local syzkaller report a KASAN slab-out-of-bounds issue:

 ==================================================================
 BUG: KASAN: slab-out-of-bounds in soft_cursor+0x454/0xa30
 Read of size 128 at addr ffff88810f53d000 by task test/674

 CPU: 1 UID: 0 PID: 674 Comm: test Not tainted 6.17.0-rc4+ #272 PREEMPT(none)
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
 Call Trace:
  <TASK>
  dump_stack_lvl+0xab/0xe0
  print_address_description.constprop.0+0x2c/0x3d0
  print_report+0xb4/0x270
  kasan_report+0xb8/0xf0
  kasan_check_range+0x39/0x1c0
  __asan_memcpy+0x24/0x60
  soft_cursor+0x454/0xa30
  ccw_cursor+0x1715/0x1ce0
  fbcon_cursor+0x410/0x5f0
  hide_cursor+0x8b/0x230
  redraw_screen+0x5c7/0x740
  vc_do_resize+0xcdd/0xe90
  fbcon_do_set_font+0x45d/0x940
  fbcon_set_font+0x83b/0x980
  con_font_op+0x805/0xa10
  vt_k_ioctl+0x2f9/0xb00
  vt_ioctl+0x14a/0x1870
  tty_ioctl+0x6d0/0x1610
  __x64_sys_ioctl+0x194/0x210
  do_syscall_64+0x5f/0x2d0
  entry_SYSCALL_64_after_hwframe+0x76/0x7e
  </TASK>

 Allocated by task 613:
  kasan_save_stack+0x24/0x50
  kasan_save_track+0x14/0x30
  __kasan_kmalloc+0x7f/0x90
  __kmalloc_noprof+0x1f5/0x510
  fbcon_rotate_font+0x440/0xee0
  fbcon_switch+0x751/0x1480
  redraw_screen+0x2b6/0x740
  vc_do_resize+0xcdd/0xe90
  fbcon_modechanged+0x333/0x6d0
  fbcon_set_all_vcs+0x1e0/0x3c0
  rotate_all_store+0x2e4/0x370
  dev_attr_store+0x5c/0x90
  sysfs_kf_write+0x1db/0x270
  kernfs_fop_write_iter+0x365/0x510
  vfs_write+0xa5e/0xd70
  ksys_write+0x129/0x240
  do_syscall_64+0x5f/0x2d0
  entry_SYSCALL_64_after_hwframe+0x76/0x7e

This issue can be reproduced by:
 echo 3 > /sys/devices/virtual/graphics/fbcon/rotate_all
 ioctl(fd, KDFONTOP, &font_op); // set bigger width or height

When exec KD_FONT_OP_SET cmd, function fbcon_do_set_font() update
vc->vc_font.width/height, but visit the old ops->fontbuffer in
ccw_cursor(), which will be updated in fbcon_rotate_font() later.

fbcon_set_font
    fbcon_do_set_font
        // update vc->vc_font.width/height
        vc->vc_font.width = w;
        vc->vc_font.height = h;
        vc_do_resize
            redraw_screen
                // ops->fontbuffer is old, but width/height is new
                hide_cursor
                    ccw_cursor
                        src = ops->fontbuffer + (...*vc->vc_font.width));
                // update ops->fontbuffer
                fbcon_switch
                    fbcon_rotate_font
                        ops->fontbuffer = kmalloc_array(len, d_cellsize);

I am not sure below code is ok to fix this issue, although it can prevent
the KASAN report.

diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 62049ceb34de..12dc2fa30417 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -953,7 +953,6 @@  void redraw_screen(struct vc_data *vc, int is_switch)
 		if (tty0dev)
 			sysfs_notify(&tty0dev->kobj, NULL, "active");
 	} else {
-		hide_cursor(vc);
 		redraw = 1;
 	}
 
@@ -964,6 +963,8 @@  void redraw_screen(struct vc_data *vc, int is_switch)
 		set_origin(vc);
 		update = vc->vc_sw->con_switch(vc);
 		set_palette(vc);
+		if (!is_switch)
+			hide_cursor(vc);
 		/*
 		 * If console changed from mono<->color, the best we can do
 		 * is to clear the buffer attributes. As it currently stands,