From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
To: syzbot <syzbot+b38b1ef6edf0c74a8d97@syzkaller.appspotmail.com>,
george.kennedy@oracle.com, gregkh@linuxfoundation.org,
jirislaby@kernel.org, syzkaller-bugs@googlegroups.com
Cc: b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch,
dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org,
linux-kernel@vger.kernel.org, natechancellor@gmail.com
Subject: Re: [PATCH] fbcon: Fix user font detection test at fbcon_resize().
Date: Wed, 16 Sep 2020 09:01:06 +0900 [thread overview]
Message-ID: <7c52e8cd-e4cb-cd0b-40d5-b9654aec09f3@I-love.SAKURA.ne.jp> (raw)
In-Reply-To: <f6e3e611-8704-1263-d163-f52c906a4f06@I-love.SAKURA.ne.jp>
Greg, will you pick up this patch?
It seems that finding the real cause of [3] and actually fixing [3] will be difficult.
Since I can't reproduce [3] locally, I will have to try flood of "#syz test" requests
for debug printk() patches.
On 2020/09/11 7:57, Tetsuo Handa wrote:
> syzbot is reporting OOB read at fbcon_resize() [1], for
> commit 39b3cffb8cf31117 ("fbcon: prevent user font height or width change
> from causing potential out-of-bounds access") is by error using
> registered_fb[con2fb_map[vc->vc_num]]->fbcon_par->p->userfont (which was
> set to non-zero) instead of fb_display[vc->vc_num].userfont (which remains
> zero for that display).
>
> We could remove tricky userfont flag [2], for we can determine it by
> comparing address of the font data and addresses of built-in font data.
> But since that commit is failing to fix the original OOB read [3], this
> patch keeps the change minimal in case we decide to revert altogether.
>
> [1] https://syzkaller.appspot.com/bug?id=ebcbbb6576958a496500fee9cf7aa83ea00b5920
> [2] https://syzkaller.appspot.com/text?tag=Patch&x=14030853900000
> [3] https://syzkaller.appspot.com/bug?id=6fba8c186d97cf1011ab17660e633b1cc4e080c9
>
> Reported-by: syzbot <syzbot+b38b1ef6edf0c74a8d97@syzkaller.appspotmail.com>
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> Fixes: 39b3cffb8cf31117 ("fbcon: prevent user font height or width change from causing potential out-of-bounds access")
> Cc: George Kennedy <george.kennedy@oracle.com>
> ---
> drivers/video/fbdev/core/fbcon.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
> index 66167830fefd..dae7ae7f225a 100644
> --- a/drivers/video/fbdev/core/fbcon.c
> +++ b/drivers/video/fbdev/core/fbcon.c
> @@ -2203,7 +2203,7 @@ static int fbcon_resize(struct vc_data *vc, unsigned int width,
> struct fb_var_screeninfo var = info->var;
> int x_diff, y_diff, virt_w, virt_h, virt_fw, virt_fh;
>
> - if (ops->p && ops->p->userfont && FNTSIZE(vc->vc_font.data)) {
> + if (p->userfont && FNTSIZE(vc->vc_font.data)) {
> int size;
> int pitch = PITCH(vc->vc_font.width);
>
>
WARNING: multiple messages have this Message-ID (diff)
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
To: syzbot <syzbot+b38b1ef6edf0c74a8d97@syzkaller.appspotmail.com>,
george.kennedy@oracle.com, gregkh@linuxfoundation.org,
jirislaby@kernel.org, syzkaller-bugs@googlegroups.com
Cc: linux-fbdev@vger.kernel.org, b.zolnierkie@samsung.com,
daniel.vetter@ffwll.ch, linux-kernel@vger.kernel.org,
dri-devel@lists.freedesktop.org, natechancellor@gmail.com
Subject: Re: [PATCH] fbcon: Fix user font detection test at fbcon_resize().
Date: Wed, 16 Sep 2020 00:01:06 +0000 [thread overview]
Message-ID: <7c52e8cd-e4cb-cd0b-40d5-b9654aec09f3@I-love.SAKURA.ne.jp> (raw)
In-Reply-To: <f6e3e611-8704-1263-d163-f52c906a4f06@I-love.SAKURA.ne.jp>
Greg, will you pick up this patch?
It seems that finding the real cause of [3] and actually fixing [3] will be difficult.
Since I can't reproduce [3] locally, I will have to try flood of "#syz test" requests
for debug printk() patches.
On 2020/09/11 7:57, Tetsuo Handa wrote:
> syzbot is reporting OOB read at fbcon_resize() [1], for
> commit 39b3cffb8cf31117 ("fbcon: prevent user font height or width change
> from causing potential out-of-bounds access") is by error using
> registered_fb[con2fb_map[vc->vc_num]]->fbcon_par->p->userfont (which was
> set to non-zero) instead of fb_display[vc->vc_num].userfont (which remains
> zero for that display).
>
> We could remove tricky userfont flag [2], for we can determine it by
> comparing address of the font data and addresses of built-in font data.
> But since that commit is failing to fix the original OOB read [3], this
> patch keeps the change minimal in case we decide to revert altogether.
>
> [1] https://syzkaller.appspot.com/bug?idëcbbb6576958a496500fee9cf7aa83ea00b5920
> [2] https://syzkaller.appspot.com/text?tag=Patch&x\x14030853900000
> [3] https://syzkaller.appspot.com/bug?idoba8c186d97cf1011ab17660e633b1cc4e080c9
>
> Reported-by: syzbot <syzbot+b38b1ef6edf0c74a8d97@syzkaller.appspotmail.com>
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> Fixes: 39b3cffb8cf31117 ("fbcon: prevent user font height or width change from causing potential out-of-bounds access")
> Cc: George Kennedy <george.kennedy@oracle.com>
> ---
> drivers/video/fbdev/core/fbcon.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
> index 66167830fefd..dae7ae7f225a 100644
> --- a/drivers/video/fbdev/core/fbcon.c
> +++ b/drivers/video/fbdev/core/fbcon.c
> @@ -2203,7 +2203,7 @@ static int fbcon_resize(struct vc_data *vc, unsigned int width,
> struct fb_var_screeninfo var = info->var;
> int x_diff, y_diff, virt_w, virt_h, virt_fw, virt_fh;
>
> - if (ops->p && ops->p->userfont && FNTSIZE(vc->vc_font.data)) {
> + if (p->userfont && FNTSIZE(vc->vc_font.data)) {
> int size;
> int pitch = PITCH(vc->vc_font.width);
>
>
WARNING: multiple messages have this Message-ID (diff)
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
To: syzbot <syzbot+b38b1ef6edf0c74a8d97@syzkaller.appspotmail.com>,
george.kennedy@oracle.com, gregkh@linuxfoundation.org,
jirislaby@kernel.org, syzkaller-bugs@googlegroups.com
Cc: linux-fbdev@vger.kernel.org, b.zolnierkie@samsung.com,
daniel.vetter@ffwll.ch, linux-kernel@vger.kernel.org,
dri-devel@lists.freedesktop.org, natechancellor@gmail.com
Subject: Re: [PATCH] fbcon: Fix user font detection test at fbcon_resize().
Date: Wed, 16 Sep 2020 09:01:06 +0900 [thread overview]
Message-ID: <7c52e8cd-e4cb-cd0b-40d5-b9654aec09f3@I-love.SAKURA.ne.jp> (raw)
In-Reply-To: <f6e3e611-8704-1263-d163-f52c906a4f06@I-love.SAKURA.ne.jp>
Greg, will you pick up this patch?
It seems that finding the real cause of [3] and actually fixing [3] will be difficult.
Since I can't reproduce [3] locally, I will have to try flood of "#syz test" requests
for debug printk() patches.
On 2020/09/11 7:57, Tetsuo Handa wrote:
> syzbot is reporting OOB read at fbcon_resize() [1], for
> commit 39b3cffb8cf31117 ("fbcon: prevent user font height or width change
> from causing potential out-of-bounds access") is by error using
> registered_fb[con2fb_map[vc->vc_num]]->fbcon_par->p->userfont (which was
> set to non-zero) instead of fb_display[vc->vc_num].userfont (which remains
> zero for that display).
>
> We could remove tricky userfont flag [2], for we can determine it by
> comparing address of the font data and addresses of built-in font data.
> But since that commit is failing to fix the original OOB read [3], this
> patch keeps the change minimal in case we decide to revert altogether.
>
> [1] https://syzkaller.appspot.com/bug?id=ebcbbb6576958a496500fee9cf7aa83ea00b5920
> [2] https://syzkaller.appspot.com/text?tag=Patch&x=14030853900000
> [3] https://syzkaller.appspot.com/bug?id=6fba8c186d97cf1011ab17660e633b1cc4e080c9
>
> Reported-by: syzbot <syzbot+b38b1ef6edf0c74a8d97@syzkaller.appspotmail.com>
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> Fixes: 39b3cffb8cf31117 ("fbcon: prevent user font height or width change from causing potential out-of-bounds access")
> Cc: George Kennedy <george.kennedy@oracle.com>
> ---
> drivers/video/fbdev/core/fbcon.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
> index 66167830fefd..dae7ae7f225a 100644
> --- a/drivers/video/fbdev/core/fbcon.c
> +++ b/drivers/video/fbdev/core/fbcon.c
> @@ -2203,7 +2203,7 @@ static int fbcon_resize(struct vc_data *vc, unsigned int width,
> struct fb_var_screeninfo var = info->var;
> int x_diff, y_diff, virt_w, virt_h, virt_fw, virt_fh;
>
> - if (ops->p && ops->p->userfont && FNTSIZE(vc->vc_font.data)) {
> + if (p->userfont && FNTSIZE(vc->vc_font.data)) {
> int size;
> int pitch = PITCH(vc->vc_font.width);
>
>
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
next prev parent reply other threads:[~2020-09-16 0:01 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-20 5:35 KASAN: global-out-of-bounds Read in fbcon_resize syzbot
2020-08-20 5:35 ` syzbot
2020-08-20 5:35 ` syzbot
2020-09-10 22:57 ` [PATCH] fbcon: Fix user font detection test at fbcon_resize() Tetsuo Handa
2020-09-10 22:57 ` Tetsuo Handa
2020-09-10 22:57 ` Tetsuo Handa
2020-09-16 0:01 ` Tetsuo Handa [this message]
2020-09-16 0:01 ` Tetsuo Handa
2020-09-16 0:01 ` Tetsuo Handa
2020-09-16 7:44 ` Daniel Vetter
2020-09-16 7:44 ` Daniel Vetter
2020-09-16 7:44 ` Daniel Vetter
2020-09-16 8:26 ` Greg KH
2020-09-16 8:26 ` Greg KH
2020-09-16 8:26 ` Greg KH
2020-09-16 10:06 ` Tetsuo Handa
2020-09-16 10:06 ` Tetsuo Handa
2020-09-16 10:06 ` Tetsuo Handa
2020-09-16 12:35 ` Greg KH
2020-09-16 12:35 ` Greg KH
2020-09-16 12:35 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7c52e8cd-e4cb-cd0b-40d5-b9654aec09f3@I-love.SAKURA.ne.jp \
--to=penguin-kernel@i-love.sakura.ne.jp \
--cc=b.zolnierkie@samsung.com \
--cc=daniel.vetter@ffwll.ch \
--cc=dri-devel@lists.freedesktop.org \
--cc=george.kennedy@oracle.com \
--cc=gregkh@linuxfoundation.org \
--cc=jirislaby@kernel.org \
--cc=linux-fbdev@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=natechancellor@gmail.com \
--cc=syzbot+b38b1ef6edf0c74a8d97@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.