* [PATCH stable 4.19 4.14 0/2] add fix patch for CVE-2021-3365
@ 2022-07-29 3:11 Chen Jun
2022-07-29 3:11 ` [PATCH stable 4.19 4.14 1/2] fbcon: Prevent that screen size is smaller than font size Chen Jun
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Chen Jun @ 2022-07-29 3:11 UTC (permalink / raw)
To: stable, deller, geert, b.zolnierkie, gregkh; +Cc: xuqiang36, xiujianfeng
refer to https://lore.kernel.org/all/20220706150253.2186-1-deller@gmx.de/
3 patches are provided to fix CVE-2021-3365 (When sending malicous data
to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out
of bounds. https://nvd.nist.gov/vuln/detail/CVE-2021-33655) in mainline.
But only
commit 65a01e601dbb ("fbcon: Disallow setting font bigger than screen size")
was backported to stable (4.19,4.14).
without other two commit
commit e64242caef18 ("fbcon: Prevent that screen size is smaller than font size")
commit 6c11df58fd1a ("fbmem: Check virtual screen sizes in fb_set_var()")
The problem still exists.
static long do_fb_ioctl(struct fb_info *info, unsigned int cmd, unsigned long arg)
fb_set_var(info, &var);
fb_notifier_call_chain(evnt, &event); // evnt = FB_EVENT_MODE_CHANGE
static int fbcon_event_notify(struct notifier_block *self,
unsigned long action, void *data)
fbcon_modechanged(info);
updatescrollmode(p, info, vc);
...
p->vrows = vyres/fh;
if (yres > (fh * (vc->vc_rows + 1)))
p->vrows -= (yres - (fh * vc->vc_rows)) / fh;
if ((yres % fh) && (vyres % fh < yres % fh))
p->vrows--; [1]
[1]: p->vrows could be -1, like what CVE-2021-3365 described.
I think, the two commits should be backported to 4.19 and 4.14.
Helge Deller (2):
fbcon: Prevent that screen size is smaller than font size
fbmem: Check virtual screen sizes in fb_set_var()
drivers/video/fbdev/core/fbcon.c | 28 ++++++++++++++++++++++++++++
drivers/video/fbdev/core/fbmem.c | 20 +++++++++++++++++---
include/linux/fbcon.h | 4 ++++
3 files changed, 49 insertions(+), 3 deletions(-)
--
2.17.1
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH stable 4.19 4.14 1/2] fbcon: Prevent that screen size is smaller than font size
2022-07-29 3:11 [PATCH stable 4.19 4.14 0/2] add fix patch for CVE-2021-3365 Chen Jun
@ 2022-07-29 3:11 ` Chen Jun
2022-07-29 3:11 ` [PATCH stable 4.19 4.14 2/2] fbmem: Check virtual screen sizes in fb_set_var() Chen Jun
2022-07-31 12:36 ` [PATCH stable 4.19 4.14 0/2] add fix patch for CVE-2021-3365 Greg KH
2 siblings, 0 replies; 5+ messages in thread
From: Chen Jun @ 2022-07-29 3:11 UTC (permalink / raw)
To: stable, deller, geert, b.zolnierkie, gregkh; +Cc: xuqiang36, xiujianfeng
From: Helge Deller <deller@gmx.de>
commit e64242caef18b4a5840b0e7a9bff37abd4f4f933 upstream
We need to prevent that users configure a screen size which is smaller than the
currently selected font size. Otherwise rendering chars on the screen will
access memory outside the graphics memory region.
This patch adds a new function fbcon_modechange_possible() which
implements this check and which later may be extended with other checks
if necessary. The new function is called from the FBIOPUT_VSCREENINFO
ioctl handler in fbmem.c, which will return -EINVAL if userspace asked
for a too small screen size.
Signed-off-by: Helge Deller <deller@gmx.de>
Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
Link: https://lore.kernel.org/all/20220706150253.2186-1-deller@gmx.de/
[sudip: adjust context]
Signed-off-by: Chen Jun <chenjun102@huawei.com>
---
drivers/video/fbdev/core/fbcon.c | 28 ++++++++++++++++++++++++++++
drivers/video/fbdev/core/fbmem.c | 10 +++++++---
include/linux/fbcon.h | 4 ++++
3 files changed, 39 insertions(+), 3 deletions(-)
diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index 17ed20a73c2d..a55b3688b632 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -2729,6 +2729,34 @@ static void fbcon_set_all_vcs(struct fb_info *info)
fbcon_modechanged(info);
}
+/* let fbcon check if it supports a new screen resolution */
+int fbcon_modechange_possible(struct fb_info *info, struct fb_var_screeninfo *var)
+{
+ struct fbcon_ops *ops = info->fbcon_par;
+ struct vc_data *vc;
+ unsigned int i;
+
+ WARN_CONSOLE_UNLOCKED();
+
+ if (!ops)
+ return 0;
+
+ /* prevent setting a screen size which is smaller than font size */
+ for (i = first_fb_vc; i <= last_fb_vc; i++) {
+ vc = vc_cons[i].d;
+ if (!vc || vc->vc_mode != KD_TEXT ||
+ registered_fb[con2fb_map[i]] != info)
+ continue;
+
+ if (vc->vc_font.width > FBCON_SWAP(var->rotate, var->xres, var->yres) ||
+ vc->vc_font.height > FBCON_SWAP(var->rotate, var->yres, var->xres))
+ return -EINVAL;
+ }
+
+ return 0;
+}
+EXPORT_SYMBOL_GPL(fbcon_modechange_possible);
+
static int fbcon_mode_deleted(struct fb_info *info,
struct fb_videomode *mode)
{
diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
index 2297dfb494d6..b1733a2e0002 100644
--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c
@@ -1121,9 +1121,13 @@ static long do_fb_ioctl(struct fb_info *info, unsigned int cmd,
console_unlock();
return -ENODEV;
}
- info->flags |= FBINFO_MISC_USEREVENT;
- ret = fb_set_var(info, &var);
- info->flags &= ~FBINFO_MISC_USEREVENT;
+ ret = fbcon_modechange_possible(info, &var);
+ if (!ret) {
+ info->flags |= FBINFO_MISC_USEREVENT;
+ ret = fb_set_var(info, &var);
+ info->flags &= ~FBINFO_MISC_USEREVENT;
+ }
+ lock_fb_info(info);
unlock_fb_info(info);
console_unlock();
if (!ret && copy_to_user(argp, &var, sizeof(var)))
diff --git a/include/linux/fbcon.h b/include/linux/fbcon.h
index f68a7db14165..39939d55c834 100644
--- a/include/linux/fbcon.h
+++ b/include/linux/fbcon.h
@@ -4,9 +4,13 @@
#ifdef CONFIG_FRAMEBUFFER_CONSOLE
void __init fb_console_init(void);
void __exit fb_console_exit(void);
+int fbcon_modechange_possible(struct fb_info *info,
+ struct fb_var_screeninfo *var);
#else
static inline void fb_console_init(void) {}
static inline void fb_console_exit(void) {}
+static inline int fbcon_modechange_possible(struct fb_info *info,
+ struct fb_var_screeninfo *var) { return 0; }
#endif
#endif /* _LINUX_FBCON_H */
--
2.17.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH stable 4.19 4.14 2/2] fbmem: Check virtual screen sizes in fb_set_var()
2022-07-29 3:11 [PATCH stable 4.19 4.14 0/2] add fix patch for CVE-2021-3365 Chen Jun
2022-07-29 3:11 ` [PATCH stable 4.19 4.14 1/2] fbcon: Prevent that screen size is smaller than font size Chen Jun
@ 2022-07-29 3:11 ` Chen Jun
2022-07-31 12:36 ` [PATCH stable 4.19 4.14 0/2] add fix patch for CVE-2021-3365 Greg KH
2 siblings, 0 replies; 5+ messages in thread
From: Chen Jun @ 2022-07-29 3:11 UTC (permalink / raw)
To: stable, deller, geert, b.zolnierkie, gregkh; +Cc: xuqiang36, xiujianfeng
From: Helge Deller <deller@gmx.de>
commit 6c11df58fd1ac0aefcb3b227f72769272b939e56 upstream
Verify that the fbdev or drm driver correctly adjusted the virtual
screen sizes. On failure report the failing driver and reject the screen
size change.
Signed-off-by: Helge Deller <deller@gmx.de>
Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
Link: https://lore.kernel.org/all/20220706150253.2186-1-deller@gmx.de/
[sudip: adjust context]
Signed-off-by: Chen Jun <chenjun102@huawei.com>
---
drivers/video/fbdev/core/fbmem.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
index b1733a2e0002..a8574a2a466e 100644
--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c
@@ -1006,6 +1006,16 @@ fb_set_var(struct fb_info *info, struct fb_var_screeninfo *var)
if (ret)
goto done;
+ /* verify that virtual resolution >= physical resolution */
+ if (var->xres_virtual < var->xres ||
+ var->yres_virtual < var->yres) {
+ pr_warn("WARNING: fbcon: Driver '%s' missed to adjust virtual screen size (%ux%u vs. %ux%u)\n",
+ info->fix.id,
+ var->xres_virtual, var->yres_virtual,
+ var->xres, var->yres);
+ return -EINVAL;
+ }
+
if ((var->activate & FB_ACTIVATE_MASK) == FB_ACTIVATE_NOW) {
struct fb_var_screeninfo old_var;
struct fb_videomode mode;
--
2.17.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH stable 4.19 4.14 0/2] add fix patch for CVE-2021-3365
2022-07-29 3:11 [PATCH stable 4.19 4.14 0/2] add fix patch for CVE-2021-3365 Chen Jun
2022-07-29 3:11 ` [PATCH stable 4.19 4.14 1/2] fbcon: Prevent that screen size is smaller than font size Chen Jun
2022-07-29 3:11 ` [PATCH stable 4.19 4.14 2/2] fbmem: Check virtual screen sizes in fb_set_var() Chen Jun
@ 2022-07-31 12:36 ` Greg KH
2022-08-01 2:56 ` chenjun (AM)
2 siblings, 1 reply; 5+ messages in thread
From: Greg KH @ 2022-07-31 12:36 UTC (permalink / raw)
To: Chen Jun; +Cc: stable, deller, geert, b.zolnierkie, xuqiang36, xiujianfeng
On Fri, Jul 29, 2022 at 03:11:38AM +0000, Chen Jun wrote:
> refer to https://lore.kernel.org/all/20220706150253.2186-1-deller@gmx.de/
> 3 patches are provided to fix CVE-2021-3365 (When sending malicous data
> to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out
> of bounds. https://nvd.nist.gov/vuln/detail/CVE-2021-33655) in mainline.
>
> But only
> commit 65a01e601dbb ("fbcon: Disallow setting font bigger than screen size")
> was backported to stable (4.19,4.14).
>
> without other two commit
> commit e64242caef18 ("fbcon: Prevent that screen size is smaller than font size")
> commit 6c11df58fd1a ("fbmem: Check virtual screen sizes in fb_set_var()")
> The problem still exists.
>
> static long do_fb_ioctl(struct fb_info *info, unsigned int cmd, unsigned long arg)
> fb_set_var(info, &var);
> fb_notifier_call_chain(evnt, &event); // evnt = FB_EVENT_MODE_CHANGE
>
> static int fbcon_event_notify(struct notifier_block *self,
> unsigned long action, void *data)
> fbcon_modechanged(info);
> updatescrollmode(p, info, vc);
> ...
> p->vrows = vyres/fh;
> if (yres > (fh * (vc->vc_rows + 1)))
> p->vrows -= (yres - (fh * vc->vc_rows)) / fh;
> if ((yres % fh) && (vyres % fh < yres % fh))
> p->vrows--; [1]
> [1]: p->vrows could be -1, like what CVE-2021-3365 described.
>
> I think, the two commits should be backported to 4.19 and 4.14.
>
> Helge Deller (2):
> fbcon: Prevent that screen size is smaller than font size
> fbmem: Check virtual screen sizes in fb_set_var()
>
> drivers/video/fbdev/core/fbcon.c | 28 ++++++++++++++++++++++++++++
> drivers/video/fbdev/core/fbmem.c | 20 +++++++++++++++++---
> include/linux/fbcon.h | 4 ++++
> 3 files changed, 49 insertions(+), 3 deletions(-)
>
> --
> 2.17.1
>
This breaks the build on 4.14.y, did you test it there?
The error is:
ERROR: "is_console_locked" [drivers/video/fbdev/core/fb.ko] undefined!
Can you please fix this up and also do a 4.9.y version?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH stable 4.19 4.14 0/2] add fix patch for CVE-2021-3365
2022-07-31 12:36 ` [PATCH stable 4.19 4.14 0/2] add fix patch for CVE-2021-3365 Greg KH
@ 2022-08-01 2:56 ` chenjun (AM)
0 siblings, 0 replies; 5+ messages in thread
From: chenjun (AM) @ 2022-08-01 2:56 UTC (permalink / raw)
To: Greg KH; +Cc: stable, deller, geert, b.zolnierkie, xuqiang (M), Xiujianfeng
在 2022/7/31 20:37, Greg KH 写道:
> On Fri, Jul 29, 2022 at 03:11:38AM +0000, Chen Jun wrote:
>> refer to https://lore.kernel.org/all/20220706150253.2186-1-deller@gmx.de/
>> 3 patches are provided to fix CVE-2021-3365 (When sending malicous data
>> to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out
>> of bounds. https://nvd.nist.gov/vuln/detail/CVE-2021-33655) in mainline.
>>
>> But only
>> commit 65a01e601dbb ("fbcon: Disallow setting font bigger than screen size")
>> was backported to stable (4.19,4.14).
>>
>> without other two commit
>> commit e64242caef18 ("fbcon: Prevent that screen size is smaller than font size")
>> commit 6c11df58fd1a ("fbmem: Check virtual screen sizes in fb_set_var()")
>> The problem still exists.
>>
>> static long do_fb_ioctl(struct fb_info *info, unsigned int cmd, unsigned long arg)
>> fb_set_var(info, &var);
>> fb_notifier_call_chain(evnt, &event); // evnt = FB_EVENT_MODE_CHANGE
>>
>> static int fbcon_event_notify(struct notifier_block *self,
>> unsigned long action, void *data)
>> fbcon_modechanged(info);
>> updatescrollmode(p, info, vc);
>> ...
>> p->vrows = vyres/fh;
>> if (yres > (fh * (vc->vc_rows + 1)))
>> p->vrows -= (yres - (fh * vc->vc_rows)) / fh;
>> if ((yres % fh) && (vyres % fh < yres % fh))
>> p->vrows--; [1]
>> [1]: p->vrows could be -1, like what CVE-2021-3365 described.
>>
>> I think, the two commits should be backported to 4.19 and 4.14.
>>
>> Helge Deller (2):
>> fbcon: Prevent that screen size is smaller than font size
>> fbmem: Check virtual screen sizes in fb_set_var()
>>
>> drivers/video/fbdev/core/fbcon.c | 28 ++++++++++++++++++++++++++++
>> drivers/video/fbdev/core/fbmem.c | 20 +++++++++++++++++---
>> include/linux/fbcon.h | 4 ++++
>> 3 files changed, 49 insertions(+), 3 deletions(-)
>>
>> --
>> 2.17.1
>>
>
> This breaks the build on 4.14.y, did you test it there?
>
> The error is:
> ERROR: "is_console_locked" [drivers/video/fbdev/core/fb.ko] undefined!
>
if CONFIG_FRAMEBUFFER_CONSOLE = M,
"d48de54a9dab printk: Export is_console_locked" is needed, which merged
in 4.19.
I will sent the patch.
> Can you please fix this up and also do a 4.9.y version?
>
ok, I will do it.
> thanks,
>
> greg k-h
>
--
Regards
Chen Jun
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2022-08-01 2:56 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-07-29 3:11 [PATCH stable 4.19 4.14 0/2] add fix patch for CVE-2021-3365 Chen Jun
2022-07-29 3:11 ` [PATCH stable 4.19 4.14 1/2] fbcon: Prevent that screen size is smaller than font size Chen Jun
2022-07-29 3:11 ` [PATCH stable 4.19 4.14 2/2] fbmem: Check virtual screen sizes in fb_set_var() Chen Jun
2022-07-31 12:36 ` [PATCH stable 4.19 4.14 0/2] add fix patch for CVE-2021-3365 Greg KH
2022-08-01 2:56 ` chenjun (AM)
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.