Thread (4 messages) 4 messages, 2 authors, 2020-07-30

Re: [PATCH] vgacon: Fix an out-of-bounds in vgacon_scrollback_update()

From: Jiri Slaby <jirislaby@kernel.org>
Date: 2020-07-30 13:38:15
Also in: dri-devel, lkml 

On 30. 07. 20, 15:24, Yang Yingliang wrote:
On 2020/7/30 19:04, Jiri Slaby wrote:
quoted
On 13. 07. 20, 12:57, Yang Yingliang wrote:
quoted
I got a slab-out-of-bounds report when I doing fuzz test.

[  334.989515]
=================================
[  334.989577] BUG: KASAN: slab-out-of-bounds in
vgacon_scroll+0x57a/0x8ed
[  334.989588] Write of size 1766 at addr ffff8883de69ff3e by task
test/2658
[  334.989593]
[  334.989608] CPU: 3 PID: 2658 Comm: test Not tainted
5.7.0-rc5-00005-g152036d1379f #789
[  334.989617] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
[  334.989624] Call Trace:
[  334.989646]  dump_stack+0xe4/0x14e
[  334.989676]  print_address_description.constprop.5+0x3f/0x60
[  334.989699]  ? vgacon_scroll+0x57a/0x8ed
[  334.989710]  __kasan_report.cold.8+0x92/0xaf
[  334.989735]  ? vgacon_scroll+0x57a/0x8ed
[  334.989761]  kasan_report+0x37/0x50
[  334.989789]  check_memory_region+0x1c1/0x1e0
[  334.989806]  memcpy+0x38/0x60
[  334.989824]  vgacon_scroll+0x57a/0x8ed
[  334.989876]  con_scroll+0x4ef/0x5e0
...
quoted
Because vgacon_scrollback_cur->tail plus memcpy size is greater than
vgacon_scrollback_cur->size. Fix this by checking the memcpy size.

Reported-by: Hulk Robot <redacted>
Signed-off-by: Yang Yingliang <redacted>
---
  drivers/video/console/vgacon.c | 11 ++++++++---
  1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/drivers/video/console/vgacon.c
b/drivers/video/console/vgacon.c
index 998b0de1812f..b51ffb9a208d 100644
--- a/drivers/video/console/vgacon.c
+++ b/drivers/video/console/vgacon.c
@@ -243,6 +243,7 @@ static void vgacon_scrollback_startup(void)
  static void vgacon_scrollback_update(struct vc_data *c, int t, int
count)
  {
      void *p;
+    int size;
        if (!vgacon_scrollback_cur->data ||
!vgacon_scrollback_cur->size ||
          c->vc_num != fg_console)
@@ -251,13 +252,17 @@ static void vgacon_scrollback_update(struct
vc_data *c, int t, int count)
      p = (void *) (c->vc_origin + t * c->vc_size_row);
        while (count--) {
+        size = vgacon_scrollback_cur->size -
vgacon_scrollback_cur->tail;
+        if (size > c->vc_size_row)
+            size = c->vc_size_row;
+
          scr_memcpyw(vgacon_scrollback_cur->data +
                  vgacon_scrollback_cur->tail,
-                p, c->vc_size_row);
+                p, size);
Are you sure the consumer can handle split lines? As vgacon_scrolldelta
(soff in particular) looks to me like it doesn't.

Have you tested you patch? I mean with soft scrollback on the vga
console?
I only test the patch with the reproduce program.
Out of curiosity, what is it doing? Resize and then scroll by \n (line
feed)? Can you share it?

thanks,
-- 
js
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help