Hello,

We found the following issue using syzkaller on Linux v6.10.

In `fast_imageblit`, there is an out-of-bounds memory access when executing `*dst++ = colortab[(*src >> 7) & bit_mask];`.

Although Syzbot has found a similar bug (https://syzkaller.appspot.com/bug?extid=3d3864c27a5e770e7654), the bug we discovered can be triggered on Linux v6.10. Meanwhile, Syzbot failed to trigger the crash for 396 days. Thus, it looks like this is a new bug.

Unfortunately, syzkaller failed to generate a reproducer. But at least we have the report:

==================================================================
BUG: KASAN: vmalloc-out-of-bounds in fast_imageblit drivers/video/fbdev/core/sysimgblt.c:257 [inline]
BUG: KASAN: vmalloc-out-of-bounds in sys_imageblit+0x1c22/0x2600 drivers/video/fbdev/core/sysimgblt.c:326
Write of size 4 at addr ffffc90002ad9190 by task syz.0.802/17876

CPU: 0 PID: 17876 Comm: syz.0.802 Not tainted 6.10.0 #13
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x23d/0x360 lib/dump_stack.c:114
 print_address_description+0x77/0x360 mm/kasan/report.c:377
 print_report+0xfd/0x210 mm/kasan/report.c:488
 kasan_report+0x13f/0x170 mm/kasan/report.c:601
 fast_imageblit drivers/video/fbdev/core/sysimgblt.c:257 [inline]
 sys_imageblit+0x1c22/0x2600 drivers/video/fbdev/core/sysimgblt.c:326
 drm_fbdev_generic_defio_imageblit+0x2a/0xf0 drivers/gpu/drm/drm_fbdev_generic.c:37
 bit_putcs+0x18a3/0x1d90
 fbcon_putcs+0x34f/0x520 drivers/video/fbdev/core/fbcon.c:1288
 con_putc drivers/tty/vt/vt.c:302 [inline]
 complement_pos+0x3f4/0xa70 drivers/tty/vt/vt.c:757
 highlight_pointer drivers/tty/vt/selection.c:63 [inline]
 clear_selection+0x17/0x70 drivers/tty/vt/selection.c:85
 hide_cursor+0x80/0x480 drivers/tty/vt/vt.c:844
 redraw_screen+0x1d7/0xe70 drivers/tty/vt/vt.c:948
 fbcon_blank+0x61f/0xae0 drivers/video/fbdev/core/fbcon.c:2231
 do_unblank_screen+0x294/0x760 drivers/tty/vt/vt.c:4563
 unblank_screen drivers/tty/vt/vt.c:4582 [inline]
 tioclinux+0x186/0x4c0 drivers/tty/vt/vt.c:3357
 vt_ioctl+0x9d4/0x2060 drivers/tty/vt/vt_ioctl.c:761
 tty_ioctl+0x906/0xdb0 drivers/tty/tty_io.c:2803
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xfe/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x7e/0x150 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x67/0x6f
RIP: 0033:0x7f77eff809b9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f77f0e57038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f77f0145f80 RCX: 00007f77eff809b9
RDX: 0000000020000580 RSI: 000000000000541c RDI: 0000000000000018
RBP: 00007f77efff4f70 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f77f0145f80 R15: 00007ffd3ddd4628
 </TASK>

Memory state around the buggy address:
 ffffc90002ad9080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90002ad9100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffffc90002ad9180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                         ^
 ffffc90002ad9200: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90002ad9280: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================