linux-fbdev.vger.kernel.org archive mirror
* [PATCH] video: fbdev: fix potential OOB read in vga_8planes_imageblit()
@ 2020-08-25 10:21 Tetsuo Handa
  2020-08-26  1:49 ` [PATCH v2] video: fbdev: fix " Tetsuo Handa
  0 siblings, 1 reply; 5+ messages in thread
From: Tetsuo Handa @ 2020-08-25 10:21 UTC (permalink / raw)
  To: Bartlomiej Zolnierkiewicz; +Cc: Tetsuo Handa, linux-fbdev, dri-devel

Since transl_l[16] is accessed via cdat[y] >> 4, cdat[y] needs to be
evaluated as an "unsigned char" value in order to fit 0...15 range.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
 drivers/video/fbdev/vga16fb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/video/fbdev/vga16fb.c b/drivers/video/fbdev/vga16fb.c
index a20eeb8308ff..578d3541e3d6 100644
--- a/drivers/video/fbdev/vga16fb.c
+++ b/drivers/video/fbdev/vga16fb.c
@@ -1121,7 +1121,7 @@ static void vga_8planes_imageblit(struct fb_info *info, const struct fb_image *i
         char oldop = setop(0);
         char oldsr = setsr(0);
         char oldmask = selectmask();
-        const char *cdat = image->data;
+	const unsigned char *cdat = image->data;
 	u32 dx = image->dx;
         char __iomem *where;
         int y;
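Review bot: On the added `const unsigned char *cdat = image->data;` line, the initializer is the same `image->data` that the removed line assigned to a `const char *`, so the fix now depends on an implicit pointer-signedness conversion at the declaration. Please confirm this builds without a pointer-sign warning in the configurations you care about, and consider stating in the changelog that the declaration type is what keeps `cdat[y] >> 4` non-negative, so a later cleanup of this line does not quietly revert the fix.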
-- 
2.18.4


* [PATCH v2] video: fbdev: fix OOB read in vga_8planes_imageblit()
  2020-08-25 10:21 [PATCH] video: fbdev: fix potential OOB read in vga_8planes_imageblit() Tetsuo Handa
@ 2020-08-26  1:49 ` Tetsuo Handa
  2020-08-31 10:37   ` [PATCH v2 (resend)] " Tetsuo Handa
  0 siblings, 1 reply; 5+ messages in thread
From: Tetsuo Handa @ 2020-08-26  1:49 UTC (permalink / raw)
  To: Bartlomiej Zolnierkiewicz; +Cc: linux-fbdev, dri-devel

syzbot is reporting OOB read at vga_8planes_imageblit() [1], for
"cdat[y] >> 4" can become a negative value due to "const char *cdat".

[1] https://syzkaller.appspot.com/bug?id
7a0da1557dcd1989e00cb3692b26d4173b4132

Reported-by: syzbot <syzbot+69fbd3e01470f169c8c4@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
 drivers/video/fbdev/vga16fb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/video/fbdev/vga16fb.c b/drivers/video/fbdev/vga16fb.c
index a20eeb8308ff..578d3541e3d6 100644
--- a/drivers/video/fbdev/vga16fb.c
+++ b/drivers/video/fbdev/vga16fb.c
@@ -1121,7 +1121,7 @@ static void vga_8planes_imageblit(struct fb_info *info, const struct fb_image *i
         char oldop = setop(0);
         char oldsr = setsr(0);
         char oldmask = selectmask();
-        const char *cdat = image->data;
+	const unsigned char *cdat = image->data;
 	u32 dx = image->dx;
         char __iomem *where;
         int y;
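Review bot: For the one-line change at the `cdat` declaration, the v2 changelog no longer says what the shifted value is used for, and the hunk does not show the use site either. The v1 text explained that `cdat[y] >> 4` indexes `transl_l[16]` and must stay in the 0...15 range; keeping that sentence next to the syzbot reference would let a reader judge the fix from the log alone. Since this is a reported OOB read, a Fixes: tag and a stable Cc would also help whoever picks it up.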
-- 
2.18.4
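The index computation described in the v1 and v2 changelogs, as an added user-space example that is not code from this thread or from the kernel. The names `table`, `index_signed`, `index_unsigned`, `in_range` and `count_oob` are hypothetical, the table contents and sample bytes are constructed, and `signed char` is used to model a target where plain `char` is signed.

```c
#include <stdio.h>

/* Constructed stand-in for a 16-entry lookup table; values are arbitrary. */
#define TABLE_LEN 16
static const unsigned short table[TABLE_LEN] = {
    0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15
};

/* Index as computed through a signed byte pointer (pre-patch behaviour). */
static int index_signed(const signed char *cdat, int y)
{
    return cdat[y] >> 4;   /* byte is sign-extended to int before the shift */
}

/* Index as computed through an unsigned byte pointer (post-patch behaviour). */
static int index_unsigned(const unsigned char *cdat, int y)
{
    return cdat[y] >> 4;   /* byte is zero-extended, result is always 0..15 */
}

static int in_range(int idx) { return idx >= 0 && idx < TABLE_LEN; }

/* Count how many of the 256 byte values yield an index outside the table. */
static int count_oob(int use_signed)
{
    unsigned char bytes[256];
    int y, bad = 0;

    for (y = 0; y < 256; y++)
        bytes[y] = (unsigned char)y;
    for (y = 0; y < 256; y++) {
        int idx = use_signed ? index_signed((const signed char *)bytes, y)
                             : index_unsigned(bytes, y);
        if (!in_range(idx))
            bad++;
    }
    return bad;
}

int main(void)
{
    const unsigned char sample[] = { 0x12, 0x7f, 0x80, 0xf0 }; /* constructed */
    int y;

    for (y = 0; y < 4; y++) {
        int s = index_signed((const signed char *)sample, y);
        int u = index_unsigned(sample, y);
        printf("0x%02x signed=%d (%s) unsigned=%d -> table[%d]=%u\n", sample[y],
               s, in_range(s) ? "ok" : "out of range", u, u, (unsigned)table[u]);
    }
    printf("out-of-range bytes: signed=%d unsigned=%d\n", count_oob(1), count_oob(0));
    return 0;
}
```

The example only computes and range-checks the index; it never performs the out-of-range access itself.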


* [PATCH v2 (resend)] video: fbdev: fix OOB read in vga_8planes_imageblit()
  2020-08-26  1:49 ` [PATCH v2] video: fbdev: fix " Tetsuo Handa
@ 2020-08-31 10:37   ` Tetsuo Handa
  2020-09-04 14:53     ` Tetsuo Handa
  0 siblings, 1 reply; 5+ messages in thread
From: Tetsuo Handa @ 2020-08-31 10:37 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Linux Fbdev development list, DRI, Bartlomiej Zolnierkiewicz

syzbot is reporting OOB read at vga_8planes_imageblit() [1], for
"cdat[y] >> 4" can become a negative value due to "const char *cdat".

[1] https://syzkaller.appspot.com/bug?id
7a0da1557dcd1989e00cb3692b26d4173b4132

Reported-by: syzbot <syzbot+69fbd3e01470f169c8c4@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
 drivers/video/fbdev/vga16fb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/video/fbdev/vga16fb.c b/drivers/video/fbdev/vga16fb.c
index a20eeb8308ff..578d3541e3d6 100644
--- a/drivers/video/fbdev/vga16fb.c
+++ b/drivers/video/fbdev/vga16fb.c
@@ -1121,7 +1121,7 @@ static void vga_8planes_imageblit(struct fb_info *info, const struct fb_image *i
         char oldop = setop(0);
         char oldsr = setsr(0);
         char oldmask = selectmask();
-        const char *cdat = image->data;
+	const unsigned char *cdat = image->data;
 	u32 dx = image->dx;
         char __iomem *where;
         int y;
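Review bot: The added `cdat` line is indented with a tab, while the neighbouring context lines for `oldop`, `oldsr`, `oldmask`, `where` and `y` are indented with spaces, so the block of declarations ends up with mixed indentation. The tab is the right direction; either mention the whitespace change in the changelog or convert the adjacent declarations in a separate cleanup so the fix itself stays a pure type change.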
-- 
2.18.4


* Re: [PATCH v2 (resend)] video: fbdev: fix OOB read in vga_8planes_imageblit()
  2020-08-31 10:37   ` [PATCH v2 (resend)] " Tetsuo Handa
@ 2020-09-04 14:53     ` Tetsuo Handa
  2020-09-04 15:24       ` Greg Kroah-Hartman
  0 siblings, 1 reply; 5+ messages in thread
From: Tetsuo Handa @ 2020-09-04 14:53 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Linux Fbdev development list, DRI, Bartlomiej Zolnierkiewicz

Hello, Greg.

Since nobody is interested in this bug, can you directly pick up
this obvious patch without waiting for maintainer's response?

On 2020/08/31 19:37, Tetsuo Handa wrote:
> syzbot is reporting OOB read at vga_8planes_imageblit() [1], for
> "cdat[y] >> 4" can become a negative value due to "const char *cdat".
> 
> [1] https://syzkaller.appspot.com/bug?id
7a0da1557dcd1989e00cb3692b26d4173b4132
> 
> Reported-by: syzbot <syzbot+69fbd3e01470f169c8c4@syzkaller.appspotmail.com>
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> ---
>  drivers/video/fbdev/vga16fb.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/video/fbdev/vga16fb.c b/drivers/video/fbdev/vga16fb.c
> index a20eeb8308ff..578d3541e3d6 100644
> --- a/drivers/video/fbdev/vga16fb.c
> +++ b/drivers/video/fbdev/vga16fb.c
> @@ -1121,7 +1121,7 @@ static void vga_8planes_imageblit(struct fb_info *info, const struct fb_image *i
>          char oldop = setop(0);
>          char oldsr = setsr(0);
>          char oldmask = selectmask();
> -        const char *cdat = image->data;
> +	const unsigned char *cdat = image->data;
>  	u32 dx = image->dx;
>          char __iomem *where;
>          int y;
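Review bot: The context lines `char oldop = setop(0);`, `char oldsr = setsr(0);` and `char oldmask = selectmask();` still use plain `char` right above the fixed declaration, and nothing in the patch says whether they were checked. If any of them is later shifted, compared or used as an index, it has the same signedness hazard that `cdat` had; a sentence in the changelog confirming they are only saved and restored would close that question.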
> 


* Re: [PATCH v2 (resend)] video: fbdev: fix OOB read in vga_8planes_imageblit()
  2020-09-04 14:53     ` Tetsuo Handa
@ 2020-09-04 15:24       ` Greg Kroah-Hartman
  0 siblings, 0 replies; 5+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-04 15:24 UTC (permalink / raw)
  To: Tetsuo Handa; +Cc: Linux Fbdev development list, DRI, Bartlomiej Zolnierkiewicz

On Fri, Sep 04, 2020 at 11:53:16PM +0900, Tetsuo Handa wrote:
> Hello, Greg.
> 
> Since nobody is interested in this bug, can you directly pick up
> this obvious patch without waiting for maintainer's response?

I'll pick it up now.

thanks,

greg k-h
