From: Linus Torvalds
Date: Fri, 14 May 2021 13:32:42 -0700
Subject: Re: [PATCH] video: fbdev: vga16fb: fix OOB write in vga16fb_imageblit()
To: "Maciej W. Rozycki"
Cc: Linux Fbdev development list, Bartlomiej Zolnierkiewicz, Tetsuo Handa, Greg Kroah-Hartman, syzkaller-bugs, Linux Kernel Mailing List, dri-devel, Jani Nikula, Colin King, Jiri Slaby, syzbot

On Fri, May 14, 2021 at 1:25 PM Maciej W. Rozycki wrote:
>
> Overall I think it does make sense to resize the text console at any
> time, even if the visible console (VT) chosen is in the graphics mode,

It might make sense, but only if we call the function to update the
low-level data.

Not calling it, and then starting to randomly use the (wrong)
geometry, and just limiting it so that it's all within the buffer -
THAT does not make sense.

So I think your patch is fundamentally wrong. It basically says "let's
use random stale incorrect data, but just make sure that the end
result is still within the allocated buffer".

My patch is at least conceptually sane.

An alternative would be to just remove the "vcmode != KD_GRAPHICS"
check entirely, and always call con_resize() to update the low-level
data, but honestly, that seems very likely to break something very
fundamentally, since it's not how any of fbcon has ever been tested.

Another alternative would be to just delay the resize to when vcmode
is put back to text mode again. That sounds somewhat reasonable to me,
but it's a pretty big thing.

But no, your patch to just "knowingly use entirely wrong values, then
add a limit check because we know the values are possibly garbage and
not consistent with reality" is simply not acceptable.

             Linus
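
As an added illustration of the distinction drawn in the message above (not code from the thread or from the kernel; every name is hypothetical), this toy C model contrasts a resize that skips the low-level update and relies on a limit check with one that is held back until text mode returns. It assumes a cell-indexed buffer addressed as row * columns + column.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model with hypothetical names; this is not kernel code. */
enum toy_mode { TOY_TEXT, TOY_GRAPHICS };
struct toy_con {
    enum toy_mode mode;
    unsigned cols, rows;           /* geometry the console layer believes */
    unsigned drv_cols, drv_rows;   /* geometry the low-level driver uses */
    unsigned pend_cols, pend_rows; /* held-back request; 0 means none */
};

static void apply(struct toy_con *c, unsigned cols, unsigned rows) {
    c->cols = c->drv_cols = cols;  /* both layers change together */
    c->rows = c->drv_rows = rows;
}
/* Criticized behaviour: in graphics mode the driver is never told. */
void resize_skip_driver(struct toy_con *c, unsigned cols, unsigned rows) {
    if (c->mode == TOY_GRAPHICS) { c->cols = cols; c->rows = rows; }
    else apply(c, cols, rows);
}
/* Offset from console geometry, limited to the driver's buffer. */
size_t clamped_offset(const struct toy_con *c, unsigned row, unsigned col) {
    size_t size = (size_t)c->drv_cols * c->drv_rows;
    size_t off = (size_t)row * c->cols + col;
    return off < size ? off : size - 1;
}
/* Where the driver actually keeps that cell. */
size_t driver_offset(const struct toy_con *c, unsigned row, unsigned col) {
    return (size_t)row * c->drv_cols + col;
}
/* Alternative: hold the request until text mode returns. */
void resize_deferred(struct toy_con *c, unsigned cols, unsigned rows) {
    if (c->mode == TOY_GRAPHICS) { c->pend_cols = cols; c->pend_rows = rows; }
    else apply(c, cols, rows);
}
void set_text_mode(struct toy_con *c) {
    c->mode = TOY_TEXT;
    if (c->pend_cols) apply(c, c->pend_cols, c->pend_rows);
    c->pend_cols = c->pend_rows = 0;
}

int main(void) {
    struct toy_con c = { TOY_GRAPHICS, 80, 25, 80, 25, 0, 0 };
    resize_skip_driver(&c, 200, 100);   /* constructed sample sizes */
    printf("console says %zu, driver has %zu\n",
           clamped_offset(&c, 5, 10), driver_offset(&c, 5, 10));
    return 0;
}
```

With the skipped update, cell (5, 10) resolves to offset 1010 while the driver keeps it at 410: inside the buffer, but not the cell that was meant.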