From: Daniel Vetter <daniel@ffwll.ch>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: "Maciej W. Rozycki" <macro@orcam.me.uk>,
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
dri-devel <dri-devel@lists.freedesktop.org>,
Linux Fbdev development list <linux-fbdev@vger.kernel.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
syzbot <syzbot+1f29e126cf461c4de3b3@syzkaller.appspotmail.com>,
Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>,
Colin King <colin.king@canonical.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Jani Nikula <jani.nikula@intel.com>,
Jiri Slaby <jirislaby@kernel.org>,
syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
"Antonino A. Daplas" <adaplas@gmail.com>
Subject: Re: [PATCH] video: fbdev: vga16fb: fix OOB write in vga16fb_imageblit()
Date: Mon, 17 May 2021 15:10:19 +0200 [thread overview]
Message-ID: <CAKMK7uFfuV1GH7rvTwLCovnWvd0hYXPGbAyYELoX9PqZn3u2gQ@mail.gmail.com> (raw)
In-Reply-To: <CAKMK7uGLP2zn7LX4ATExA4DLo16shVivSd_W58X-rBZNPSb3_w@mail.gmail.com>
On Mon, May 17, 2021 at 3:07 PM Daniel Vetter <daniel@ffwll.ch> wrote:
>
> On Fri, May 14, 2021 at 10:33 PM Linus Torvalds
> <torvalds@linux-foundation.org> wrote:
> >
> > On Fri, May 14, 2021 at 1:25 PM Maciej W. Rozycki <macro@orcam.me.uk> wrote:
> > >
> > > Overall I think it does make sense to resize the text console at any
> > > time, even if the visible console (VT) chosen is in the graphics mode,
> >
> > It might make sense, but only if we call the function to update the
> > low-level data.
> >
> > Not calling it, and then starting to randomly use the (wrong)
> > geometry, and just limiting it so that it's all within the buffer -
> > THAT does not make sense.
> >
> > So I think your patch is fundamentally wrong. It basically says "let's
> > use random stale incorrect data, but just make sure that the end
> > result is still within the allocated buffer".
> >
> > My patch is at least conceptually sane.
> >
> > An alternative would be to just remove the "vcmode != KD_GRAPHICS"
> > check entirely, and always call con_resize() to update the low-level
> > data, but honestly, that seems very likelty to break something very
> > fundamentally, since it's not how any of fbcon has ever been tested,
>
> Just an aside: I think with fbdev drivers this would go boom, because
> you'd have fbcon interferring with a direct /dev/fb/* user.
Boom here means a bit of screen corruption, because fbcon overdraws
your X sessions. Fixed by the next redraw of X.
> But if your fbdev driver is actually a drm modeset driver, then we
> have additional limitations: If the userspace accesses the display
> through /dev/dri/card0, then the kernel blocks all access through
> /dev/fb/* (including fbcon) to the actual display (it only goes into
> the buffer used for fbdev emulation). And everything would be fine.
>
> Also generally you'd get away with this even in problematic cases,
> since usually you resize your console when looking at it, not when X
> or something else is using your fbdev direct access.
>
> The one thing that's left out here a bit in the cold is userspace
> modeset drivers in X. Those would get hosed. But also, we stopped
> supporting those in at least i915/amd/radeon/nouveau drivers,
> automatically falling back to the fbdev stuff in most cases (with or
> without the drm drivers underneath that), and no one screamed. So
> probably not many users left.
This one could lead to incosistent hw state, which would be worse.
> So I /think/ we could wager this, if it's the least intrusive fix from
> the kernel pov. But it has some risks that we need to revert again if
> we break some of the really old use-cases here.
Cheers, Daniel
> > Another alternative would be to just delay the resize to when vcmode
> > is put back to text mode again. That sounds somewhat reasonable to me,
> > but it's a pretty big thing.
> >
> > But no, your patch to just "knowingly use entirely wrong values, then
> > add a limit check because we know the values are possibly garbage and
> > not consistent with reality" is simply not acceptable.
> >
> > Linus
>
>
>
> --
> Daniel Vetter
> Software Engineer, Intel Corporation
> http://blog.ffwll.ch
--
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
next prev parent reply other threads:[~2021-05-17 13:10 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-02-19 17:33 BUG: unable to handle kernel paging request at ffffc90000669000, IP: [<ffffffff8139d84a>] bitfill_un Tommi Rantala
2019-12-10 16:38 ` BUG: unable to handle kernel paging request in sys_imageblit syzbot
2020-06-19 4:56 ` syzbot
2019-12-27 7:13 ` BUG: unable to handle kernel paging request in vga16fb_imageblit syzbot
2020-05-08 7:07 ` BUG: unable to handle kernel paging request in vga16fb_imageblit (2) syzbot
2021-05-01 20:31 ` [syzbot] " syzbot
2021-05-02 1:53 ` syzbot
2021-05-03 13:41 ` Tetsuo Handa
2021-05-07 11:09 ` Tetsuo Handa
2021-05-14 16:19 ` [PATCH] video: fbdev: vga16fb: fix OOB write in vga16fb_imageblit() Tetsuo Handa
2021-05-14 17:29 ` Linus Torvalds
2021-05-14 17:37 ` Linus Torvalds
2021-05-14 18:23 ` Linus Torvalds
2021-05-14 20:25 ` Maciej W. Rozycki
2021-05-14 20:32 ` Linus Torvalds
2021-05-14 21:10 ` Linus Torvalds
2021-05-15 7:43 ` [PATCH v2] tty: vt: always invoke vc->vc_sw->con_resize callback Tetsuo Handa
2021-05-15 16:21 ` Maciej W. Rozycki
2021-05-15 16:32 ` Maciej W. Rozycki
2021-05-15 16:41 ` Linus Torvalds
2021-05-17 13:13 ` Daniel Vetter
2021-05-15 16:11 ` [PATCH] video: fbdev: vga16fb: fix OOB write in vga16fb_imageblit() Maciej W. Rozycki
2021-05-17 13:07 ` Daniel Vetter
2021-05-17 13:10 ` Daniel Vetter [this message]
2021-05-15 0:45 ` Tetsuo Handa
2020-05-12 6:55 ` BUG: unable to handle kernel paging request in bitfill_aligned syzbot
2020-10-06 8:18 ` BUG: unable to handle kernel paging request in cfb_imageblit syzbot
2020-12-18 15:26 ` syzbot
2020-12-18 15:27 ` Dmitry Vyukov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAKMK7uFfuV1GH7rvTwLCovnWvd0hYXPGbAyYELoX9PqZn3u2gQ@mail.gmail.com \
--to=daniel@ffwll.ch \
--cc=adaplas@gmail.com \
--cc=b.zolnierkie@samsung.com \
--cc=colin.king@canonical.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=gregkh@linuxfoundation.org \
--cc=jani.nikula@intel.com \
--cc=jirislaby@kernel.org \
--cc=linux-fbdev@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=macro@orcam.me.uk \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=syzbot+1f29e126cf461c4de3b3@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).