From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: linux-fbdev@vger.kernel.org,
Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
syzbot <syzbot+e5fd3e65515b48c02a30@syzkaller.appspotmail.com>,
linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org,
George Kennedy <george.kennedy@oracle.com>,
Jiri Slaby <jslaby@suse.com>, Dmitry Vyukov <dvyukov@google.com>
Subject: Re: [PATCH v2] fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
Date: Wed, 15 Jul 2020 23:02:58 +0900 [thread overview]
Message-ID: <b50f85c7-80e5-89c5-0aca-31d8e9892665@i-love.sakura.ne.jp> (raw)
In-Reply-To: <9e6eac10-c5c3-f518-36cc-9ea32fb5d7fe@i-love.sakura.ne.jp>
On 2020/07/15 20:17, Tetsuo Handa wrote:
> On 2020/07/15 18:48, Dan Carpenter wrote:
>>> @@ -216,7 +216,7 @@ static void bit_clear_margins(struct vc_data *vc, struct fb_info *info,
>>> region.color = color;
>>> region.rop = ROP_COPY;
>>>
>>> - if (rw && !bottom_only) {
>>> + if ((int) rw > 0 && !bottom_only) {
>>> region.dx = info->var.xoffset + rs;
>> ^^^^^^^^^^^^^^^^^^^^^^
>>
>> If you choose a very high positive "rw" then this addition can overflow.
>> info->var.xoffset comes from the user and I don't think it's checked...
>
> Well, I think it would be checked by "struct fb_ops"->check_var hook.
> For example, vmw_fb_check_var() has
>
> if ((var->xoffset + var->xres) > par->max_width ||
> (var->yoffset + var->yres) > par->max_height) {
> DRM_ERROR("Requested geom can not fit in framebuffer\n");
> return -EINVAL;
> }
>
> check. Of course, there might be integer overflow in that check...
> Having sanity check at caller of "struct fb_ops"->check_var might be nice.
>
Well, while
const int fd = open("/dev/fb0", O_ACCMODE);
struct fb_var_screeninfo var = { };
ioctl(fd, FBIOGET_VSCREENINFO, &var);
var.xres = var.yres = 4;
var.xoffset = 4294967292U;
ioctl(fd, FBIOPUT_VSCREENINFO, &var);
bypassed
(var->xoffset + var->xres) > par->max_width
check in vmw_fb_check_var(),
----------
--- a/drivers/video/fbdev/core/bitblit.c
+++ b/drivers/video/fbdev/core/bitblit.c
@@ -216,6 +216,7 @@ static void bit_clear_margins(struct vc_data *vc, struct fb_info *info,
region.color = color;
region.rop = ROP_COPY;
+ printk(KERN_INFO "%s info->var.xoffset=%u rs=%u info->var.yoffset=%u bs=%u\n", __func__, info->var.xoffset, rs, info->var.yoffset, bs);
if ((int) rw > 0 && !bottom_only) {
region.dx = info->var.xoffset + rs;
region.dy = 0;
----------
says that info->var.xoffset does not come from the user.
----------
bit_clear_margins info->var.xoffset=0 rs=1024 info->var.yoffset=0 bs=800
----------
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
next prev parent reply other threads:[~2020-07-16 9:42 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20200710055329.3759-1-penguin-kernel@I-love.SAKURA.ne.jp>
2020-07-10 5:56 ` fbconsole needs more parameter validations Tetsuo Handa
2020-07-10 10:56 ` Greg Kroah-Hartman
2020-07-11 6:16 ` Tetsuo Handa
2020-07-11 11:08 ` Tetsuo Handa
2020-07-12 11:10 ` [PATCH v3] vt: Reject zero-sized screen buffer size Tetsuo Handa
2020-07-12 11:10 ` [PATCH] fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins Tetsuo Handa
[not found] ` <CGME20200714072231eucas1p17c53f0a661346ebfd316ebd5796ca346@eucas1p1.samsung.com>
2020-07-14 7:22 ` Bartlomiej Zolnierkiewicz
2020-07-14 10:27 ` Tetsuo Handa
2020-07-14 13:37 ` Tetsuo Handa
2020-07-15 1:51 ` [PATCH v2] " Tetsuo Handa
2020-07-15 9:48 ` Dan Carpenter
2020-07-15 11:17 ` Tetsuo Handa
2020-07-15 14:02 ` Tetsuo Handa [this message]
2020-07-15 15:12 ` Dan Carpenter
2020-07-15 15:29 ` Tetsuo Handa
2020-07-16 10:00 ` Daniel Vetter
2020-07-16 11:27 ` Tetsuo Handa
2020-07-21 16:08 ` Greg Kroah-Hartman
2020-07-22 8:07 ` Daniel Vetter
2020-07-23 14:21 ` Greg Kroah-Hartman
2020-07-24 8:28 ` Bartlomiej Zolnierkiewicz
2020-07-14 17:15 ` [PATCH] " George Kennedy
2020-07-15 0:24 ` Tetsuo Handa
2020-08-19 22:07 ` [PATCH v3] vt: Reject zero-sized screen buffer size Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b50f85c7-80e5-89c5-0aca-31d8e9892665@i-love.sakura.ne.jp \
--to=penguin-kernel@i-love.sakura.ne.jp \
--cc=b.zolnierkie@samsung.com \
--cc=dan.carpenter@oracle.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=dvyukov@google.com \
--cc=george.kennedy@oracle.com \
--cc=gregkh@linuxfoundation.org \
--cc=jslaby@suse.com \
--cc=linux-fbdev@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=syzbot+e5fd3e65515b48c02a30@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).