From mboxrd@z Thu Jan 1 00:00:00 1970
From: Jiri Slaby
Date: Wed, 29 Jul 2020 13:20:00 +0200
Subject: Re: [PATCH] vgacon: fix out of bounds write to the scrollback buffer
To: 张云海, b.zolnierkie@samsung.com
Cc: linux-kernel@vger.kernel.org, Yang Yingliang, Kyungtae Kim, Linus Torvalds, Greg KH, Solar Designer, "Srivatsa S. Bhat", Anthony Liguori, Security Officers, linux-distros@vs.openwall.org, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org
List-ID: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

On 29. 07. 20, 10:19, 张云海 wrote:
> On 2020/7/29 16:11, Jiri Slaby wrote:
>> But the loop checks for the overflow:
>>   if (vgacon_scrollback_cur->tail >= vgacon_scrollback_cur->size)
>>         vgacon_scrollback_cur->tail = 0;
>>
>> So the first 2 iterations would write to the end of the buffer and this
>> 3rd one should have zeroed ->tail.
>
> In the 2nd iteration before the check:
> vgacon_scrollback_cur->tail is 65360 which is still less than
> vgacon_scrollback_cur->size (65440), so the ->tail won't be zeroed.
>
> Then it goes to the 3rd iteration, overflow occurs.

Ahh, I see now! So it must be triggered by CSI M instead. It allows for
more than 1 in count. So this is a PoC for this case:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <fcntl.h>

int main(int argc, char** argv)
{
        int fd = open("/dev/tty1", O_RDWR);
        /* struct vt_sizes: v_rows, v_cols, v_scrollsize */
        unsigned short size[3] = {25, 200, 0};
        ioctl(fd, 0x5609, size); // VT_RESIZE to 25 rows x 200 columns

        write(fd, "\e[1;1H", 6);          // cursor to row 1, column 1
        for (int i = 0; i < 30; i++)
                write(fd, "\e[10M", 5);   // CSI 10 M: delete 10 lines per write
}

It corrupts memory, so it crashes the kernel randomly. Even with my
before-loop patch.

So now: could you resend your patch with improved commit message, add
all those Ccs etc.? You can copy most of the Ccs from my patch verbatim.

I am also not sure the test I was pointing out on the top of this
message would be of any use after the change. But maybe leave the code
rest in peace.

thanks,
-- 
js
suse labs
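The mechanism the two replies above describe, as an added example that is not part of the thread and not the kernel's own code: a user-space model of the soft-scrollback ring update. The quoted post-copy check (tail >= size, then tail = 0) wraps correctly only while the row size divides the ring size. The ring size is fixed when the ring is set up; VT_RESIZE changes the row size afterwards, so a tail can sit below size while tail + row reaches past the allocation. The struct and loop here approximate vgacon_scrollback_update() rather than copy it. Assumptions made by the model: a 64 KiB allocation, size 65440 derived as 409 rows of 160 bytes (an 80-column console at init), rows of 400 bytes after the resize to 200 columns (2 bytes per cell), and an initial tail of 160, i.e. one 80-column row already logged before the resize, which is what makes the model land on the 65360 the reporter quotes.

```c
/*
 * Added example, not code from this thread or from the kernel: a user-space
 * model of the vgacon soft-scrollback ring update, built to show why the
 * post-copy check quoted above ("if (tail >= size) tail = 0;") stops working
 * once VT_RESIZE changes the row size. The struct and loop approximate the
 * kernel's vgacon_scrollback_update(); they are not a copy of it.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

struct model_scrollback {
    size_t alloc; /* bytes actually allocated for the ring (64 KiB assumed) */
    size_t size;  /* usable bytes, rows * pitch, fixed when the ring is set up */
    size_t tail;  /* byte offset of the next row copy */
};

/*
 * Push `count` rows of `row` bytes each. Returns SIZE_MAX if every copy stayed
 * inside the allocation, otherwise the tail offset of the first copy that
 * would run past sb->alloc. With hardened == 0 only the post-copy wrap check
 * from the thread is applied; with hardened == 1 a pre-copy check also wraps
 * when the next row would not fit below sb->size.
 */
static size_t push_rows(struct model_scrollback *sb, size_t row,
                        unsigned count, int hardened)
{
    while (count--) {
        if (hardened && sb->tail + row > sb->size)
            sb->tail = 0;
        if (sb->tail + row > sb->alloc)
            return sb->tail;         /* the row copy would write past the ring here */
        /* the kernel copies one console row into data + tail at this point */
        sb->tail += row;
        if (sb->tail >= sb->size)    /* the check quoted in the thread */
            sb->tail = 0;
    }
    return SIZE_MAX;
}

/*
 * Drive `updates` scrollback updates of `rows_per_update` rows each, the way
 * a sequence of CSI <n> M escapes would, and report the tail of the first
 * overflowing copy or SIZE_MAX.
 */
size_t model_first_overflow(size_t alloc, size_t size, size_t row,
                            size_t initial_tail, unsigned updates,
                            unsigned rows_per_update, int hardened)
{
    struct model_scrollback sb = { .alloc = alloc, .size = size, .tail = initial_tail };
    for (unsigned i = 0; i < updates; i++) {
        size_t t = push_rows(&sb, row, rows_per_update, hardened);
        if (t != SIZE_MAX)
            return t;
    }
    return SIZE_MAX;
}

/*
 * Geometry from the thread. 65440 equals 409 rows of 160 bytes, i.e. a 64 KiB
 * ring sized for an 80-column console at init (assumed here); after VT_RESIZE
 * to 200 columns a row is 200 * 2 = 400 bytes, which does not divide 65440.
 * The initial tail of 160 (one 80-column row already logged before the
 * resize) is also assumed. The PoC's 30 x "\e[10M" gives 30 updates of 10 rows.
 */
size_t thread_scenario(int hardened)
{
    return model_first_overflow(64 * 1024, 65440, 400, 160, 30, 10, hardened);
}

int main(void)
{
    size_t t = thread_scenario(0);
    printf("post-copy check only: first overflowing copy starts at tail %zu\n", t);
    t = thread_scenario(1);
    printf("with pre-copy check: %s\n", t == SIZE_MAX ? "no overflow" : "overflow");
    /* the pre-resize geometry is safe even without the extra check, because
     * 65440 % 160 == 0, so tail lands exactly on size before wrapping */
    t = model_first_overflow(64 * 1024, 65440, 160, 0, 100, 10, 0);
    printf("160-byte rows, post-copy check only: %s\n",
           t == SIZE_MAX ? "no overflow" : "overflow");
    return 0;
}
```

With only the post-copy check the model's 164th row copy starts at tail 65360 and would end at 65760, past a 64 KiB allocation; starting from a clean tail of 0 it still overflows, at 65200, so the prior history only moves the offset. The pre-copy check makes the wrap happen whenever the next row would not fit, which is independent of whether the row size divides the ring size.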