From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.5 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 411C7C433ED for ; Mon, 17 May 2021 13:07:50 +0000 (UTC) Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id B0D1461285 for ; Mon, 17 May 2021 13:07:49 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org B0D1461285 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=ffwll.ch Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=dri-devel-bounces@lists.freedesktop.org Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id CA9AC6E957; Mon, 17 May 2021 13:07:48 +0000 (UTC) Received: from mail-oi1-x22f.google.com (mail-oi1-x22f.google.com [IPv6:2607:f8b0:4864:20::22f]) by gabe.freedesktop.org (Postfix) with ESMTPS id 307BB6E95A for ; Mon, 17 May 2021 13:07:47 +0000 (UTC) Received: by mail-oi1-x22f.google.com with SMTP id b25so6465957oic.0 for ; Mon, 17 May 2021 06:07:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ffwll.ch; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=dZeinS6LE1NP88+BR+f1LcsUBMPUh7N3G4KpQRQogBk=; b=aGBMVprGuoTf9++f+DatDpeTnGL5ZmpmA0esmGNR7sOjh15bPnJ5xl4LQ5QM8p55SZ k0Gr9tasB7CXqw4F9//xhZFkDKTW8P+jDQg2ksKWGRr8PQl3uomjjBlkpx26Llf80vsO aqPf6OCmWnkSEJ6/iAg/YkwZbF/CzGgpR2sG0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=dZeinS6LE1NP88+BR+f1LcsUBMPUh7N3G4KpQRQogBk=; b=CUhb0Jn1M2Q4yn6y0UWcyAMeo5mosm9wP9xJ06xhrP0AQBZzPilhsbXShN5D7rEbql CJowAgfF5G+IVn/WHW5RAbFSDvl2qSw3OiXG8w7S08nwRLrzfWy3Th3WnT9te0JHmt7/ kE1lKEDRKu1yCsUzdCg8MG13djmr6puYrPk0SQaxABV1PS3sHSFP43cioUdPh5D7Xur7 im9q0CH0AYFWk097kD8xGc6OaQkj41UFubSmMDH1JFXxEBb8yXlHEWtQLBYnHeEJGqOn ZQ5A75vkwxxCTjjJX6lXsx6x53z5cBu2M/vTxyj447TJkAFHsjrXM8w+4084WGiDoUy4 kmDQ== X-Gm-Message-State: AOAM531tEgGF4Ugah95HZV87a7HSy1KTfZgY30KG/huNiZsVDM6RuaLQ 2nR2rmgJ5I8S75JH7A4U+DQCHw+cYRA8WxLb4RGlMg== X-Google-Smtp-Source: ABdhPJy7GTk1BfTS88fw/8gIr6/ZDBTUprv35YFaMITbfmvjl7jiiSuHvPGnKkFzht+U6iHn/HLP2JVzKLU+U28GVkY= X-Received: by 2002:a54:4809:: with SMTP id j9mr15251365oij.14.1621256866371; Mon, 17 May 2021 06:07:46 -0700 (PDT) MIME-Version: 1.0 References: <0000000000006bbd0c05c14f1b09@google.com> <6e21483c-06f6-404b-4018-e00ee85c456c@i-love.sakura.ne.jp> <87d928e4-b2b9-ad30-f3f0-1dfb8e4e03ed@i-love.sakura.ne.jp> <05acdda8-dc1c-5119-4326-96eed24bea0c@i-love.sakura.ne.jp> In-Reply-To: From: Daniel Vetter Date: Mon, 17 May 2021 15:07:35 +0200 Message-ID: Subject: Re: [PATCH] video: fbdev: vga16fb: fix OOB write in vga16fb_imageblit() To: Linus Torvalds Content-Type: text/plain; charset="UTF-8" X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Linux Fbdev development list , Bartlomiej Zolnierkiewicz , Tetsuo Handa , Greg Kroah-Hartman , syzkaller-bugs , Linux Kernel Mailing List , dri-devel , Jani Nikula , Colin King , Jiri Slaby , syzbot , "Maciej W. Rozycki" Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" On Fri, May 14, 2021 at 10:33 PM Linus Torvalds wrote: > > On Fri, May 14, 2021 at 1:25 PM Maciej W. Rozycki wrote: > > > > Overall I think it does make sense to resize the text console at any > > time, even if the visible console (VT) chosen is in the graphics mode, > > It might make sense, but only if we call the function to update the > low-level data. > > Not calling it, and then starting to randomly use the (wrong) > geometry, and just limiting it so that it's all within the buffer - > THAT does not make sense. > > So I think your patch is fundamentally wrong. It basically says "let's > use random stale incorrect data, but just make sure that the end > result is still within the allocated buffer". > > My patch is at least conceptually sane. > > An alternative would be to just remove the "vcmode != KD_GRAPHICS" > check entirely, and always call con_resize() to update the low-level > data, but honestly, that seems very likelty to break something very > fundamentally, since it's not how any of fbcon has ever been tested, Just an aside: I think with fbdev drivers this would go boom, because you'd have fbcon interferring with a direct /dev/fb/* user. But if your fbdev driver is actually a drm modeset driver, then we have additional limitations: If the userspace accesses the display through /dev/dri/card0, then the kernel blocks all access through /dev/fb/* (including fbcon) to the actual display (it only goes into the buffer used for fbdev emulation). And everything would be fine. Also generally you'd get away with this even in problematic cases, since usually you resize your console when looking at it, not when X or something else is using your fbdev direct access. The one thing that's left out here a bit in the cold is userspace modeset drivers in X. Those would get hosed. But also, we stopped supporting those in at least i915/amd/radeon/nouveau drivers, automatically falling back to the fbdev stuff in most cases (with or without the drm drivers underneath that), and no one screamed. So probably not many users left. So I /think/ we could wager this, if it's the least intrusive fix from the kernel pov. But it has some risks that we need to revert again if we break some of the really old use-cases here. Cheers, Daniel > Another alternative would be to just delay the resize to when vcmode > is put back to text mode again. That sounds somewhat reasonable to me, > but it's a pretty big thing. > > But no, your patch to just "knowingly use entirely wrong values, then > add a limit check because we know the values are possibly garbage and > not consistent with reality" is simply not acceptable. > > Linus -- Daniel Vetter Software Engineer, Intel Corporation http://blog.ffwll.ch