In the Linux kernel, the following vulnerability has been resolved:
vgacon: Add check for vc_origin address range in vgacon_scroll()
Our in-house Syzkaller reported the following BUG (twice), which we believed was the same issue as [1]:
==================================================================
BUG: KASAN: slab-out-of-bounds in vcs_scr_readw+0xc2/0xd0 drivers/tty/vt/vt.c:4740
Read of size 2 at addr ffff88800f5bef60 by task syz.7.2620/12393
...
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106
 print_address_description.constprop.0+0x6b/0x3d0 mm/kasan/report.c:364
 print_report+0xba/0x280 mm/kasan/report.c:475
 kasan_report+0xa9/0xe0 mm/kasan/report.c:588
 vcs_scr_readw+0xc2/0xd0 drivers/tty/vt/vt.c:4740
 vcs_write_buf_noattr drivers/tty/vt/vc_screen.c:493 [inline]
 vcs_write+0x586/0x840 drivers/tty/vt/vc_screen.c:690
 vfs_write+0x219/0x960 fs/read_write.c:584
 ksys_write+0x12e/0x260 fs/read_write.c:639
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x59/0x110 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x78/0xe2
 ...
 </TASK>

Allocated by task 5614:
 kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:383
 kasan_kmalloc include/linux/kasan.h:201 [inline]
 __do_kmalloc_node mm/slab_common.c:1007 [inline]
 __kmalloc+0x62/0x140 mm/slab_common.c:1020
 kmalloc include/linux/slab.h:604 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 vc_do_resize+0x235/0xf40 drivers/tty/vt/vt.c:1193
 vgacon_adjust_height+0x2d4/0x350 drivers/video/console/vgacon.c:1007
 vgacon_font_set+0x1f7/0x240 drivers/video/console/vgacon.c:1031
 con_font_set drivers/tty/vt/vt.c:4628 [inline]
 con_font_op+0x4da/0xa20 drivers/tty/vt/vt.c:4675
 vt_k_ioctl+0xa10/0xb30 drivers/tty/vt/vt_ioctl.c:474
 vt_ioctl+0x14c/0x1870 drivers/tty/vt/vt_ioctl.c:752
 tty_ioctl+0x655/0x1510 drivers/tty/tty_io.c:2779
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:871 [inline]
 __se_sys_ioctl+0x12d/0x190 fs/ioctl.c:857
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x59/0x110 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x78/0xe2

Last potentially related work creation:
 kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
 __kasan_record_aux_stack+0x94/0xa0 mm/kasan/generic.c:492
 __call_rcu_common.constprop.0+0xc3/0xa10 kernel/rcu/tree.c:2713
 netlink_release+0x620/0xc20 net/netlink/af_netlink.c:802
 __sock_release+0xb5/0x270 net/socket.c:663
 sock_close+0x1e/0x30 net/socket.c:1425
 __fput+0x408/0xab0 fs/file_table.c:384
 __fput_sync+0x4c/0x60 fs/file_table.c:465
 __do_sys_close fs/open.c:1580 [inline]
 __se_sys_close+0x68/0xd0 fs/open.c:1565
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x59/0x110 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x78/0xe2

Second to last potentially related work creation:
 kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
 __kasan_record_aux_stack+0x94/0xa0 mm/kasan/generic.c:492
 __call_rcu_common.constprop.0+0xc3/0xa10 kernel/rcu/tree.c:2713
 netlink_release+0x620/0xc20 net/netlink/af_netlink.c:802
 __sock_release+0xb5/0x270 net/socket.c:663
 sock_close+0x1e/0x30 net/socket.c:1425
 __fput+0x408/0xab0 fs/file_table.c:384
 task_work_run+0x154/0x240 kernel/task_work.c:239
 exit_task_work include/linux/task_work.h:45 [inline]
 do_exit+0x8e5/0x1320 kernel/exit.c:874
 do_group_exit+0xcd/0x280 kernel/exit.c:1023
 get_signal+0x1675/0x1850 kernel/signal.c:2905
 arch_do_signal_or_restart+0x80/0x3b0 arch/x86/kernel/signal.c:310
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x1b3/0x1e0 kernel/entry/common.c:218
 do_syscall_64+0x66/0x110 arch/x86/ent
---truncated---
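The truncated description above names only the shape of the fix (a range check on vc_origin in vgacon_scroll()) and shows the out-of-bounds read landing in a buffer that vc_do_resize() had kzalloc'ed rather than in video RAM. What follows is an added user-space model of that kind of check, written for this page and not taken from the kernel patch: the struct, the function names, the VRAM geometry and the scroll logic are all assumptions, chosen to show why an origin pointer must be validated against the window it is supposed to index before it is used for a hardware-style scroll.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical user-space model (not kernel code): a fixed video-RAM
 * window plus a per-console "origin" pointer that is expected to lie
 * inside it.  The field names stand in for the VGA console's VRAM
 * window and vc_origin; layout and constants are assumptions. */
#define MODEL_COLS 80
#define MODEL_ROWS 25
#define MODEL_VRAM_CELLS (MODEL_COLS * MODEL_ROWS * 4) /* 4 screens of scrollback */

struct model_console {
    uint16_t *vram_base;  /* first cell of the video-RAM window */
    uint16_t *vram_end;   /* one past the last cell */
    uint16_t *origin;     /* first visible cell; normally inside the window */
    unsigned rows, cols;
};

/* The range check: [origin, origin + rows*cols) must lie within
 * [vram_base, vram_end).  Comparing integer addresses means a pointer
 * into an unrelated heap allocation is rejected instead of being
 * treated as an offset into VRAM. */
bool origin_in_vram(const struct model_console *c)
{
    uintptr_t base = (uintptr_t)c->vram_base;
    uintptr_t end  = (uintptr_t)c->vram_end;
    uintptr_t o    = (uintptr_t)c->origin;
    size_t screen_bytes = (size_t)c->rows * c->cols * sizeof(uint16_t);

    return o >= base && o < end && (end - o) >= screen_bytes;
}

/* Scroll the visible window down by `lines` rows within the VRAM ring.
 * Returns true if the fast in-VRAM scroll was done, false if the caller
 * must fall back because origin is not inside the window (or the request
 * does not fit in it at all). */
bool model_scroll(struct model_console *c, unsigned lines)
{
    size_t screen = (size_t)c->rows * c->cols;
    size_t delta  = (size_t)lines * c->cols;

    if (!origin_in_vram(c))
        return false;  /* refuse instead of reading/writing past the buffer */
    if (screen + delta > (size_t)(c->vram_end - c->vram_base))
        return false;  /* more rows than the whole window holds */

    /* Not enough room below the current screen: move it to the window start. */
    if ((size_t)(c->vram_end - c->origin) < screen + delta) {
        memmove(c->vram_base, c->origin, screen * sizeof(uint16_t));
        c->origin = c->vram_base;
    }
    memset(c->origin + screen, 0, delta * sizeof(uint16_t)); /* blank new rows */
    c->origin += delta;
    return true;
}

/* Exercise both paths.  Returns a bitmask: bit 0 = in-window scroll worked,
 * bit 1 = a detached origin (a separate heap buffer, standing in for the
 * kzalloc'ed buffer in the allocation stack above) was rejected untouched. */
int model_demo(void)
{
    static uint16_t vram[MODEL_VRAM_CELLS];
    struct model_console c = { vram, vram + MODEL_VRAM_CELLS, vram,
                               MODEL_ROWS, MODEL_COLS };
    int result = 0;

    if (model_scroll(&c, 2) && c.origin == vram + 2 * MODEL_COLS)
        result |= 1;

    uint16_t *heap_screen = calloc((size_t)MODEL_ROWS * MODEL_COLS, sizeof(uint16_t));
    if (!heap_screen)
        return -1;
    c.origin = heap_screen;  /* origin no longer points into VRAM */
    if (!model_scroll(&c, 1) && c.origin == heap_screen)
        result |= 2;
    free(heap_screen);
    return result;
}
```

The point of the model is the ordering: the check runs before any pointer arithmetic on origin, and a failure makes the fast path bail out so the caller can take the generic (screen-buffer) scroll path instead of treating a heap object as if it were the VRAM window.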