From: Samuel Thibault <samuel.thibault@ens-lyon.org> To: gregkh@linuxfoundation.org Cc: linux-fbdev@vger.kernel.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, Sanan Hasanov <sanan.hasanov@Knights.ucf.edu>, Samuel Thibault <samuel.thibault@ens-lyon.org>, keescook@chromium.org, syzbot+3af17071816b61e807ed@syzkaller.appspotmail.com, akpm@linux-foundation.org, linux-hardening@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, Jiri Slaby <jirislaby@kernel.org> Subject: [PATCH] VT: Protect KD_FONT_OP_GET_TALL from unbound access Date: Mon, 6 Mar 2023 10:49:21 +0100 [thread overview] Message-ID: <20230306094921.tik5ewne4ft6mfpo@begin> (raw) In ioctl(KD_FONT_OP_GET_TALL), userland tells through op->height which vpitch should be used to copy over the font. In con_font_get, we were not checking that it is within the maximum height value, and thus userland could make the vc->vc_sw->con_font_get(vc, &font, vpitch); call possibly overflow the allocated max_font_size bytes, and the copy_to_user(op->data, font.data, c) call possibly read out of that allocated buffer. By checking vpitch against max_font_height, the max_font_size buffer will always be large enough for the vc->vc_sw->con_font_get(vc, &font, vpitch) call (since we already prevent loading a font larger than that), and c = (font.width+7)/8 * vpitch * font.charcount will always remain below max_font_size. Fixes: 24d69384bcd3 ("VT: Add KD_FONT_OP_SET/GET_TALL operations") Reported-by: syzbot+3af17071816b61e807ed@syzkaller.appspotmail.com Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Reviewed-by: Jiri Slaby <jirislaby@kernel.org> diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c index 57a5c23b51d4..3c2ea9c098f7 100644 --- a/drivers/tty/vt/vt.c +++ b/drivers/tty/vt/vt.c @@ -4545,6 +4545,9 @@ static int con_font_get(struct vc_data *vc, struct console_font_op *op) int c; unsigned int vpitch = op->op == KD_FONT_OP_GET_TALL ? op->height : 32; + if (vpitch > max_font_height) + return -EINVAL; + if (op->data) { font.data = kvmalloc(max_font_size, GFP_KERNEL); if (!font.data)
WARNING: multiple messages have this Message-ID (diff)
From: Samuel Thibault <samuel.thibault@ens-lyon.org> To: gregkh@linuxfoundation.org Cc: linux-fbdev@vger.kernel.org, keescook@chromium.org, syzkaller-bugs@googlegroups.com, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, linux-mm@kvack.org, syzbot+3af17071816b61e807ed@syzkaller.appspotmail.com, linux-hardening@vger.kernel.org, Sanan Hasanov <sanan.hasanov@Knights.ucf.edu>, Samuel Thibault <samuel.thibault@ens-lyon.org>, akpm@linux-foundation.org, Jiri Slaby <jirislaby@kernel.org> Subject: [PATCH] VT: Protect KD_FONT_OP_GET_TALL from unbound access Date: Mon, 6 Mar 2023 10:49:21 +0100 [thread overview] Message-ID: <20230306094921.tik5ewne4ft6mfpo@begin> (raw) In ioctl(KD_FONT_OP_GET_TALL), userland tells through op->height which vpitch should be used to copy over the font. In con_font_get, we were not checking that it is within the maximum height value, and thus userland could make the vc->vc_sw->con_font_get(vc, &font, vpitch); call possibly overflow the allocated max_font_size bytes, and the copy_to_user(op->data, font.data, c) call possibly read out of that allocated buffer. By checking vpitch against max_font_height, the max_font_size buffer will always be large enough for the vc->vc_sw->con_font_get(vc, &font, vpitch) call (since we already prevent loading a font larger than that), and c = (font.width+7)/8 * vpitch * font.charcount will always remain below max_font_size. Fixes: 24d69384bcd3 ("VT: Add KD_FONT_OP_SET/GET_TALL operations") Reported-by: syzbot+3af17071816b61e807ed@syzkaller.appspotmail.com Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Reviewed-by: Jiri Slaby <jirislaby@kernel.org> diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c index 57a5c23b51d4..3c2ea9c098f7 100644 --- a/drivers/tty/vt/vt.c +++ b/drivers/tty/vt/vt.c @@ -4545,6 +4545,9 @@ static int con_font_get(struct vc_data *vc, struct console_font_op *op) int c; unsigned int vpitch = op->op == KD_FONT_OP_GET_TALL ? op->height : 32; + if (vpitch > max_font_height) + return -EINVAL; + if (op->data) { font.data = kvmalloc(max_font_size, GFP_KERNEL); if (!font.data)
next reply other threads:[~2023-03-06 9:49 UTC|newest] Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top 2023-03-06 9:49 Samuel Thibault [this message] 2023-03-06 9:49 ` [PATCH] VT: Protect KD_FONT_OP_GET_TALL from unbound access Samuel Thibault
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20230306094921.tik5ewne4ft6mfpo@begin \ --to=samuel.thibault@ens-lyon.org \ --cc=akpm@linux-foundation.org \ --cc=dri-devel@lists.freedesktop.org \ --cc=gregkh@linuxfoundation.org \ --cc=jirislaby@kernel.org \ --cc=keescook@chromium.org \ --cc=linux-fbdev@vger.kernel.org \ --cc=linux-hardening@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-mm@kvack.org \ --cc=sanan.hasanov@Knights.ucf.edu \ --cc=syzbot+3af17071816b61e807ed@syzkaller.appspotmail.com \ --cc=syzkaller-bugs@googlegroups.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.