From: Linus Torvalds <torvalds@linux-foundation.org>
To: "Maciej W. Rozycki" <macro@orcam.me.uk>
Cc: Linux Fbdev development list <linux-fbdev@vger.kernel.org>,
Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>,
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
dri-devel <dri-devel@lists.freedesktop.org>,
Jani Nikula <jani.nikula@intel.com>,
Colin King <colin.king@canonical.com>,
Jiri Slaby <jirislaby@kernel.org>,
syzbot <syzbot+1f29e126cf461c4de3b3@syzkaller.appspotmail.com>
Subject: Re: [PATCH] video: fbdev: vga16fb: fix OOB write in vga16fb_imageblit()
Date: Fri, 14 May 2021 14:10:44 -0700
Message-ID: <CAHk-=wjkVAjfWrmmJnJe1_MriK9gezWCew_MU=MbQNzHbGopsQ@mail.gmail.com>
In-Reply-To: <CAHk-=wioOHwKNj8AmvXWV-oL60ae0jKswAHy9e6wCYYeA5EQXg@mail.gmail.com>
On Fri, May 14, 2021 at 1:32 PM Linus Torvalds
<torvalds@linux-foundation.org> wrote:
>
> Another alternative would be to just delay the resize to when vcmode
> is put back to text mode again. That sounds somewhat reasonable to me,
> but it's a pretty big thing.

Actually thinking more about that option, it sounds horrible. It would
mean that we'd continue to use the old geometry for the actual VC
buffers for a random time, and then change it to the new geometry at
some arbitrary point.

So I think the only reasonable approach (apart from just my "don't do
that then") might be to just always call ->con_resize().

There are only actually three cases of "->con_resize()", so it might
not be too bad.

Looking at it, both sisusbcon_resize() and vgacon_resize() seem to be
trivially fine in KD_GRAPHICS mode.

vgacon already seems to have that "!vga_is_gfx" test, and does
vgacon_doresize() at vgacon_switch(). It might need to add a
vgacon_doresize() to the vgacon_blank() case 0 code so that it
actually does the right thing when going back to KD_TEXT mode.

And fbcon_resize() looks like it might be mostly ok with it too.
Again, there is a con_is_visible() test, and I suspect that might need
to be changed to

        if (con_is_visible(vc) && vc->vc_mode == KD_TEXT)

instead, but it doesn't look _too_ bad.

So I think just removing the "vc->vc_mode != KD_GRAPHICS" test from
resize_screen() might be the way to go. That way, the low-level data
structures actually are in sync with the resize, and the "out of
bounds" bug should never happen.

Would you mind testing that?

                Linus
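A constructed C model of the geometry desync discussed above, added here as an illustration; it is not kernel code and not from this thread. The names vc_mode, KD_TEXT, KD_GRAPHICS and con_resize mirror the kernel's, but the structs, the two resize_screen variants and the scenario() helper are hypothetical stand-ins for the vt layer and a console driver.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model: vt-layer geometry vs. the driver's own geometry. */
enum { KD_TEXT = 0, KD_GRAPHICS = 1 };

struct model_driver {
    unsigned rows, cols;   /* geometry the low-level driver last set up */
    size_t fb_bytes;       /* size of the backing store it allocated */
};

struct model_vc {
    int vc_mode;
    unsigned vc_rows, vc_cols;   /* geometry the vt layer sizes writes by */
    struct model_driver *drv;
};

/* Driver side: a con_resize() that reallocates its backing store. */
static int model_con_resize(struct model_driver *d, unsigned cols, unsigned rows)
{
    d->cols = cols;
    d->rows = rows;
    d->fb_bytes = (size_t)cols * rows;
    return 0;
}

/* Before: skip the driver callback while in KD_GRAPHICS (the test Linus
 * proposes removing). The vt geometry changes, the driver's does not. */
static int resize_screen_skip_gfx(struct model_vc *vc, unsigned cols, unsigned rows)
{
    vc->vc_cols = cols;
    vc->vc_rows = rows;
    if (vc->vc_mode != KD_GRAPHICS)
        return model_con_resize(vc->drv, cols, rows);
    return 0;
}

/* After: always invoke con_resize so both sides agree. */
static int resize_screen_always(struct model_vc *vc, unsigned cols, unsigned rows)
{
    vc->vc_cols = cols;
    vc->vc_rows = rows;
    return model_con_resize(vc->drv, cols, rows);
}

/* Check: does a full-screen write sized by the vt geometry fit the
 * driver's backing store, and do both sides report the same geometry? */
static bool geometry_in_sync(const struct model_vc *vc)
{
    return (size_t)vc->vc_cols * vc->vc_rows <= vc->drv->fb_bytes
        && vc->vc_cols == vc->drv->cols && vc->vc_rows == vc->drv->rows;
}

/* Scenario from the thread: enlarge the console while the VT is in
 * KD_GRAPHICS. Returns true if the geometries still agree afterwards. */
static bool scenario(int (*resize)(struct model_vc *, unsigned, unsigned))
{
    struct model_driver d = { 25, 80, 80 * 25 };
    struct model_vc vc = { KD_GRAPHICS, 25, 80, &d };
    resize(&vc, 200, 100);
    return geometry_in_sync(&vc);
}
```

With the skip-in-graphics variant the vt layer believes the screen is 200x100 while the driver still holds 80x25 worth of storage, which is the mismatch behind the out-of-bounds write; with the always-call variant the check passes.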
Thread overview: 21+ messages
2020-05-08 7:07 BUG: unable to handle kernel paging request in vga16fb_imageblit (2) syzbot
2021-05-01 20:31 ` [syzbot] " syzbot
2021-05-02 1:53 ` syzbot
2021-05-03 13:41 ` Tetsuo Handa
2021-05-07 11:09 ` Tetsuo Handa
2021-05-14 16:19 ` [PATCH] video: fbdev: vga16fb: fix OOB write in vga16fb_imageblit() Tetsuo Handa
2021-05-14 17:29 ` Linus Torvalds
2021-05-14 17:37 ` Linus Torvalds
2021-05-14 18:23 ` Linus Torvalds
2021-05-14 20:25 ` Maciej W. Rozycki
2021-05-14 20:32 ` Linus Torvalds
2021-05-14 21:10 ` Linus Torvalds [this message]
2021-05-15 7:43 ` [PATCH v2] tty: vt: always invoke vc->vc_sw->con_resize callback Tetsuo Handa
2021-05-15 16:21 ` Maciej W. Rozycki
2021-05-15 16:32 ` Maciej W. Rozycki
2021-05-15 16:41 ` Linus Torvalds
2021-05-17 13:13 ` Daniel Vetter
2021-05-15 16:11 ` [PATCH] video: fbdev: vga16fb: fix OOB write in vga16fb_imageblit() Maciej W. Rozycki
2021-05-17 13:07 ` Daniel Vetter
2021-05-17 13:10 ` Daniel Vetter
2021-05-15 0:45 ` Tetsuo Handa