[PATCH 2/2] fbcon: Prevent global-out-of-bounds read in fbcon_copy_font()

From: Peilin Ye <yepeilin.cs@gmail.com>
To: Daniel Vetter <daniel.vetter@ffwll.ch>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Jiri Slaby <jirislaby@kernel.org>,
	Thomas Winischhofer <thomas@winischhofer.net>
Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>,
	Nicolas Pitre <nico@fluxnic.net>,
	"Gustavo A . R . Silva" <gustavoars@kernel.org>,
	Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
	George Kennedy <george.kennedy@oracle.com>,
	Nathan Chancellor <natechancellor@gmail.com>,
	Peter Rosin <peda@axentia.se>,
	linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org,
	dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org,
	Peilin Ye <yepeilin.cs@gmail.com>
Subject: [PATCH 2/2] fbcon: Prevent global-out-of-bounds read in fbcon_copy_font()
Date: Sat, 31 Oct 2020 03:27:23 -0400
Message-ID: <64b792b83119b0ec6caed9cb62087453b675c690.1604128640.git.yepeilin.cs@gmail.com> (raw)
In-Reply-To: <c5563eeea36aae7bd72ea2e985bc610d585ece40.1604128639.git.yepeilin.cs@gmail.com>

fbcon_copy_font() is using a signed int, `con`, as an index into
`fb_display[MAX_NR_CONSOLES]`, without bounds checking. In
con_font_copy(), `con` is being silently casted from the unsigned
`op->height`.

Let con_font_copy() and fbcon_copy_font() pass `op->height` directly, and
add a range check in fbcon_copy_font(). Also, add a comment in
con_font_op() for less confusion, since ideally `op->height` should not be
used as a console index, as the field name suggests.

This patch depends on patch "console: Remove dummy con_font_op callback
implementations".

Cc: stable@vger.kernel.org
Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
---
 drivers/tty/vt/vt.c              | 6 +++---
 drivers/video/fbdev/core/fbcon.c | 8 ++++++--
 include/linux/console.h          | 2 +-
 3 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 9506a76f3ab6..ff8ea1654a69 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -4704,9 +4704,8 @@ static int con_font_default(struct vc_data *vc, struct console_font_op *op)
 	return rc;
 }
 
-static int con_font_copy(struct vc_data *vc, struct console_font_op *op)
+static int con_font_copy(struct vc_data *vc, unsigned int con)
 {
-	int con = op->height;
 	int rc;
 
 
@@ -4735,7 +4734,8 @@ int con_font_op(struct vc_data *vc, struct console_font_op *op)
 	case KD_FONT_OP_SET_DEFAULT:
 		return con_font_default(vc, op);
 	case KD_FONT_OP_COPY:
-		return con_font_copy(vc, op);
+		/* uses op->height as a console index */
+		return con_font_copy(vc, op->height);
 	}
 	return -ENOSYS;
 }
diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index cef437817b0d..1caa98146712 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -2451,11 +2451,15 @@ static int fbcon_do_set_font(struct vc_data *vc, int w, int h,
 	return 0;
 }
 
-static int fbcon_copy_font(struct vc_data *vc, int con)
+static int fbcon_copy_font(struct vc_data *vc, unsigned int con)
 {
-	struct fbcon_display *od = &fb_display[con];
+	struct fbcon_display *od;
 	struct console_font *f = &vc->vc_font;
 
+	if (con >= MAX_NR_CONSOLES)
+		return -EINVAL;
+
+	od = &fb_display[con];
 	if (od->fontdata == f->data)
 		return 0;	/* already the same font... */
 	return fbcon_do_set_font(vc, f->width, f->height, od->fontdata, od->userfont);
diff --git a/include/linux/console.h b/include/linux/console.h
index 4b1e26c4cb42..34855d3f2afd 100644
--- a/include/linux/console.h
+++ b/include/linux/console.h
@@ -62,7 +62,7 @@ struct consw {
 	int	(*con_font_get)(struct vc_data *vc, struct console_font *font);
 	int	(*con_font_default)(struct vc_data *vc,
 			struct console_font *font, char *name);
-	int	(*con_font_copy)(struct vc_data *vc, int con);
+	int	(*con_font_copy)(struct vc_data *vc, unsigned int con);
 	int     (*con_resize)(struct vc_data *vc, unsigned int width,
 			unsigned int height, unsigned int user);
 	void	(*con_set_palette)(struct vc_data *vc,
-- 
2.25.1

