From: Peilin Ye <yepeilin.cs@gmail.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Cc: linux-fbdev@vger.kernel.org,
Daniel Vetter <daniel.vetter@ffwll.ch>,
syzkaller-bugs@googlegroups.com, linux-kernel@vger.kernel.org,
dri-devel@lists.freedesktop.org,
Jiri Slaby <jirislaby@kernel.org>,
Peilin Ye <yepeilin.cs@gmail.com>,
linux-kernel-mentees@lists.linuxfoundation.org
Subject: [PATCH 3/3] fbcon: Fix global-out-of-bounds read in fbcon_get_font()
Date: Thu, 24 Sep 2020 13:43:48 +0000 [thread overview]
Message-ID: <b34544687a1a09d6de630659eb7a773f4953238b.1600953813.git.yepeilin.cs@gmail.com> (raw)
In-Reply-To: <ef18af00c35fb3cc826048a5f70924ed6ddce95b.1600953813.git.yepeilin.cs@gmail.com>
fbcon_get_font() is reading out-of-bounds. A malicious user may resize
`vc->vc_font.height` to a large value, causing fbcon_get_font() to
read out of `fontdata`.
fbcon_get_font() handles both built-in and user-provided fonts.
Fortunately, recently we have added FONT_EXTRA_WORDS support for built-in
fonts, so fix it by adding range checks using FNTSIZE().
This patch depends on patch "fbdev, newport_con: Move FONT_EXTRA_WORDS
macros into linux/font.h", and patch "Fonts: Support FONT_EXTRA_WORDS
macros for built-in fonts".
Cc: stable@vger.kernel.org
Reported-and-tested-by: syzbot+29d4ed7f3bdedf2aa2fd@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?id\bb8be45afea11888776f897895aef9ad1c3ecfd
Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
---
drivers/video/fbdev/core/fbcon.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index 66167830fefd..bda24c64e646 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -2492,6 +2492,9 @@ static int fbcon_get_font(struct vc_data *vc, struct console_font *font)
if (font->width <= 8) {
j = vc->vc_font.height;
+ if (font->charcount * j > FNTSIZE(fontdata))
+ return -EINVAL;
+
for (i = 0; i < font->charcount; i++) {
memcpy(data, fontdata, j);
memset(data + j, 0, 32 - j);
@@ -2500,6 +2503,9 @@ static int fbcon_get_font(struct vc_data *vc, struct console_font *font)
}
} else if (font->width <= 16) {
j = vc->vc_font.height * 2;
+ if (font->charcount * j > FNTSIZE(fontdata))
+ return -EINVAL;
+
for (i = 0; i < font->charcount; i++) {
memcpy(data, fontdata, j);
memset(data + j, 0, 64 - j);
@@ -2507,6 +2513,9 @@ static int fbcon_get_font(struct vc_data *vc, struct console_font *font)
fontdata += j;
}
} else if (font->width <= 24) {
+ if (font->charcount * (vc->vc_font.height * sizeof(u32)) > FNTSIZE(fontdata))
+ return -EINVAL;
+
for (i = 0; i < font->charcount; i++) {
for (j = 0; j < vc->vc_font.height; j++) {
*data++ = fontdata[0];
@@ -2519,6 +2528,9 @@ static int fbcon_get_font(struct vc_data *vc, struct console_font *font)
}
} else {
j = vc->vc_font.height * 4;
+ if (font->charcount * j > FNTSIZE(fontdata))
+ return -EINVAL;
+
for (i = 0; i < font->charcount; i++) {
memcpy(data, fontdata, j);
memset(data + j, 0, 128 - j);
--
2.25.1
next prev parent reply other threads:[~2020-09-24 13:43 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-10 4:35 KASAN: global-out-of-bounds Read in fbcon_get_font syzbot
2020-01-01 17:40 ` syzbot
2020-09-24 13:38 ` [PATCH 0/3] Prevent out-of-bounds access for built-in font data buffers Peilin Ye
2020-09-24 13:40 ` [PATCH 1/3] fbdev, newport_con: Move FONT_EXTRA_WORDS macros into linux/font.h Peilin Ye
2020-09-24 13:42 ` [PATCH 2/3] Fonts: Support FONT_EXTRA_WORDS macros for built-in fonts Peilin Ye
2020-09-24 13:43 ` Peilin Ye [this message]
2020-09-24 14:09 ` [PATCH 0/3] Prevent out-of-bounds access for built-in font data buffers Greg Kroah-Hartman
2020-09-24 14:25 ` Peilin Ye
2020-09-24 14:42 ` David Laight
2020-09-24 15:30 ` Peilin Ye
2020-09-24 15:45 ` Dan Carpenter
2020-09-24 16:59 ` Peilin Ye
2020-09-25 8:38 ` Daniel Vetter
2020-09-25 6:46 ` Jiri Slaby
2020-09-25 10:13 ` Peilin Ye
2020-09-25 13:25 ` Daniel Vetter
2020-09-25 15:35 ` Peilin Ye
2020-09-29 9:09 ` Daniel Vetter
2020-09-29 9:44 ` Peilin Ye
2020-09-29 12:34 ` Peilin Ye
2020-09-29 14:38 ` Daniel Vetter
2020-09-30 7:11 ` Peilin Ye
2020-09-30 9:53 ` Daniel Vetter
2020-09-30 10:55 ` Peilin Ye
2020-09-30 11:25 ` Daniel Vetter
2020-09-30 11:52 ` Greg Kroah-Hartman
2020-09-30 12:58 ` Peilin Ye
2020-09-30 5:26 ` Jiri Slaby
2020-09-30 7:16 ` Peilin Ye
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b34544687a1a09d6de630659eb7a773f4953238b.1600953813.git.yepeilin.cs@gmail.com \
--to=yepeilin.cs@gmail.com \
--cc=b.zolnierkie@samsung.com \
--cc=daniel.vetter@ffwll.ch \
--cc=dri-devel@lists.freedesktop.org \
--cc=gregkh@linuxfoundation.org \
--cc=jirislaby@kernel.org \
--cc=linux-fbdev@vger.kernel.org \
--cc=linux-kernel-mentees@lists.linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).