On Sun, Sep 27, 2020 at 05:28:12PM +0900, Tetsuo Handa wrote:
> Well, vt_io_ioctl(PIO_FONT) initializes "struct console_font_op op;" with
>
>   op.width = 8;
>   op.height = 0;
>   op.charcount = 256;
>
> and calls con_font_set() from con_font_op(). But the "/* Need to guess font height [compat] */"
> chunk in con_font_set() guesses font's height due to being initialized with op.height = 0.
> Then, con_font_set() calls fbcon_set_font() via vc->vc_sw->con_font_set(), and fbcon_set_font()
> allocates minimal amount of memory for font data based on font's height calculated by con_font_set().
>
> Therefore, any attempt to change font's height (like vt_resizex()) larger than font's height
> calculated by con_font_set() can cause OOB read of memory block for font data. If we allocate
> maximal amount of memory for any font, OOB read of memory block for font data should not happen.
>
> ----------------------------------------
>
> static char fontdata[8192] = { 2 };
>
> [ 227.065369] bit_putcs: width=1 cellsize=1 count=80 maxcnt=192 scan_align=0 buf_align=0 image.height=1
> [ 227.066254] bit_putcs: width=1 cellsize=1 count=80 maxcnt=192 scan_align=0 buf_align=0 image.height=1
> [ 227.067642] vc=ffff8880d69b4000 v.v_rows=0 v.v_cols=0 v.v_vlin=1 v.v_clin=9 v.v_vcol=0 v.v_ccol=0 ret=0
> [ 227.067699] vcp=ffff8880d69b4000 before: ->vc_rows=480 ->vc_cols=80 ->vc_scan_lines=1 save_scan_lines=400 ->vc_font.height=9 save_font_height=1
> [ 227.067774] vcp=ffff8880d69b4000 after: ->vc_rows=480 ->vc_cols=80 ->vc_scan_lines=1 save_scan_lines=400 ->vc_font.height=9 save_font_height=1 ret=0
> [ 227.067831] vcp=ffff8880cac4b000 before: ->vc_rows=30 ->vc_cols=80 ->vc_scan_lines=1 save_scan_lines=0 ->vc_font.height=9 save_font_height=16
> [ 227.067891] vcp=ffff8880cac4b000 after: ->vc_rows=30 ->vc_cols=80 ->vc_scan_lines=1 save_scan_lines=0 ->vc_font.height=9 save_font_height=16 ret=0
> [ 227.067947] vcp=ffff8880c6180000 before: ->vc_rows=30 ->vc_cols=80 ->vc_scan_lines=1 save_scan_lines=0 ->vc_font.height=9 save_font_height=16
> [ 227.068007] vcp=ffff8880c6180000 after: ->vc_rows=30 ->vc_cols=80 ->vc_scan_lines=1 save_scan_lines=0 ->vc_font.height=9 save_font_height=16 ret=0
> [ 227.068063] vcp=ffff8880d6b84000 before: ->vc_rows=30 ->vc_cols=80 ->vc_scan_lines=1 save_scan_lines=0 ->vc_font.height=9 save_font_height=16
> [ 227.068123] vcp=ffff8880d6b84000 after: ->vc_rows=30 ->vc_cols=80 ->vc_scan_lines=1 save_scan_lines=0 ->vc_font.height=9 save_font_height=16 ret=0
> [ 227.068179] vcp=ffff8880ca8c0000 before: ->vc_rows=30 ->vc_cols=80 ->vc_scan_lines=1 save_scan_lines=0 ->vc_font.height=9 save_font_height=16
> [ 227.068255] vcp=ffff8880ca8c0000 after: ->vc_rows=30 ->vc_cols=80 ->vc_scan_lines=1 save_scan_lines=0 ->vc_font.height=9 save_font_height=16 ret=0
> [ 227.068455] vcp=ffff8880cbd5d000 before: ->vc_rows=30 ->vc_cols=80 ->vc_scan_lines=1 save_scan_lines=0 ->vc_font.height=9 save_font_height=16
> [ 227.068515] vcp=ffff8880cbd5d000 after: ->vc_rows=30 ->vc_cols=80 ->vc_scan_lines=1 save_scan_lines=0 ->vc_font.height=9 save_font_height=16 ret=0
> [ 227.084709] =================================
> [ 227.084729] BUG: KASAN: slab-out-of-bounds in soft_cursor+0x34e/0x4a0
> [ 227.084748] Read of size 9 at addr ffff8880c98d5930 by task a.out/1662

Very interesting, I remember seeing this on the syzbot dashboard... Yes, I
guess it is this one:

KASAN: slab-out-of-bounds Read in soft_cursor
https://syzkaller.appspot.com/bug?id=6b8355d27b2b94fb5cedf4655e3a59162d9e48e3

There is a `0x560aul` ioctl() in the reproducer, which is `VT_RESIZEX`.

Thank you,
Peilin Ye
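As an added example (not code from this thread or from the kernel), a small C model of the size mismatch Tetsuo describes: the glyph buffer is sized from the guessed height at PIO_FONT time, VT_RESIZEX then changes the height read per glyph, and a bounds check shows which of the two allocation policies (minimal vs. maximal) still covers every glyph. All names and the 32-scanline cap are assumptions.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Constructed model (hypothetical names, not kernel code) of the mismatch
 * described in the thread: buffer sized at PIO_FONT time, height changed later. */
#define MAX_FONT_HEIGHT 32u   /* assumed upper bound on scanlines per glyph */
struct vc_model {
    unsigned char *fontdata;  /* charcount glyphs, one byte per scanline */
    size_t fontdata_len;      /* bytes actually allocated */
    unsigned int charcount;
    unsigned int font_height; /* height the console currently believes */
};
/* PIO_FONT path. `maximal` models Tetsuo's suggestion: always reserve room
 * for the largest height the font may later be given. */
static int set_font(struct vc_model *vc, unsigned int charcount,
                    unsigned int height, bool maximal)
{
    if (height == 0 || height > MAX_FONT_HEIGHT)
        return -1;
    vc->fontdata_len = (size_t)charcount * (maximal ? MAX_FONT_HEIGHT : height);
    vc->fontdata = calloc(vc->fontdata_len, 1);
    if (!vc->fontdata)
        return -1;
    vc->charcount = charcount;
    vc->font_height = height;
    return 0;
}
/* VT_RESIZEX path: the height changes, the buffer is not reallocated. */
static void resize_font_height(struct vc_model *vc, unsigned int h) { vc->font_height = h; }
/* The check the unchecked glyph fetch lacks: does glyph `ch`, read with the
 * current height, stay inside the allocation? */
static bool glyph_in_bounds(const struct vc_model *vc, unsigned int ch)
{
    size_t off = (size_t)ch * vc->font_height;
    return ch < vc->charcount && off + vc->font_height <= vc->fontdata_len;
}
/* Replays the thread's sequence (guessed height 1, then resize to 9) and
 * reports whether any glyph fetch would leave the allocation. */
static bool resize_leaves_allocation(bool maximal)
{
    struct vc_model vc;
    bool oob = false;
    if (set_font(&vc, 256, 1, maximal) != 0)
        return true;
    resize_font_height(&vc, 9);
    for (unsigned int ch = 0; ch < vc.charcount; ch++)
        oob |= !glyph_in_bounds(&vc, ch);
    free(vc.fontdata);
    return oob;
}
```

With the minimal policy the 256-byte buffer is exceeded as soon as the height becomes 9; with the maximal policy the 256 * 32 = 8192-byte buffer (the same size as Tetsuo's fontdata[8192]) still covers every glyph.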