linux-fbdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Daniel Vetter <daniel@ffwll.ch>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: "Maciej W. Rozycki" <macro@orcam.me.uk>,
	Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
	dri-devel <dri-devel@lists.freedesktop.org>,
	Linux Fbdev development list <linux-fbdev@vger.kernel.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	syzbot <syzbot+1f29e126cf461c4de3b3@syzkaller.appspotmail.com>,
	Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>,
	Colin King <colin.king@canonical.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Jani Nikula <jani.nikula@intel.com>,
	Jiri Slaby <jirislaby@kernel.org>,
	syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
	"Antonino A. Daplas" <adaplas@gmail.com>
Subject: Re: [PATCH] video: fbdev: vga16fb: fix OOB write in vga16fb_imageblit()
Date: Mon, 17 May 2021 15:10:19 +0200	[thread overview]
Message-ID: <CAKMK7uFfuV1GH7rvTwLCovnWvd0hYXPGbAyYELoX9PqZn3u2gQ@mail.gmail.com> (raw)
In-Reply-To: <CAKMK7uGLP2zn7LX4ATExA4DLo16shVivSd_W58X-rBZNPSb3_w@mail.gmail.com>

On Mon, May 17, 2021 at 3:07 PM Daniel Vetter <daniel@ffwll.ch> wrote:
>
> On Fri, May 14, 2021 at 10:33 PM Linus Torvalds
> <torvalds@linux-foundation.org> wrote:
> >
> > On Fri, May 14, 2021 at 1:25 PM Maciej W. Rozycki <macro@orcam.me.uk> wrote:
> > >
> > >  Overall I think it does make sense to resize the text console at any
> > > time, even if the visible console (VT) chosen is in the graphics mode,
> >
> > It might make sense, but only if we call the function to update the
> > low-level data.
> >
> > Not calling it, and then starting to randomly use the (wrong)
> > geometry, and just limiting it so that it's all within the buffer -
> > THAT does not make sense.
> >
> > So I think your patch is fundamentally wrong. It basically says "let's
> > use random stale incorrect data, but just make sure that the end
> > result is still within the allocated buffer".
> >
> > My patch is at least conceptually sane.
> >
> > An alternative would be to just remove the "vcmode != KD_GRAPHICS"
> > check entirely, and always call con_resize() to update the low-level
> > data, but honestly, that seems very likelty to break something very
> > fundamentally, since it's not how any of fbcon has ever been tested,
>
> Just an aside: I think with fbdev drivers this would go boom, because
> you'd have fbcon interferring with a direct /dev/fb/* user.

Boom here means a bit of screen corruption, because fbcon overdraws
your X sessions. Fixed by the next redraw of X.

> But if your fbdev driver is actually a drm modeset driver, then we
> have additional limitations: If the userspace accesses the display
> through /dev/dri/card0, then the kernel blocks all access through
> /dev/fb/* (including fbcon) to the actual display (it only goes into
> the buffer used for fbdev emulation). And everything would be fine.
>
> Also generally you'd get away with this even in problematic cases,
> since usually you resize your console when looking at it, not when X
> or something else is using your fbdev direct access.
>
> The one thing that's left out here a bit in the cold is userspace
> modeset drivers in X. Those would get hosed. But also, we stopped
> supporting those in at least i915/amd/radeon/nouveau drivers,
> automatically falling back to the fbdev stuff in most cases (with or
> without the drm drivers underneath that), and no one screamed. So
> probably not many users left.

This one could lead to incosistent hw state, which would be worse.

> So I /think/ we could wager this, if it's the least intrusive fix from
> the kernel pov. But it has some risks that we need to revert again if
> we break some of the really old use-cases here.

Cheers, Daniel

> > Another alternative would be to just delay the resize to when vcmode
> > is put back to text mode again. That sounds somewhat reasonable to me,
> > but it's a pretty big thing.
> >
> > But no, your patch to just "knowingly use entirely wrong values, then
> > add a limit check because we know the values are possibly garbage and
> > not consistent with reality" is simply not acceptable.
> >
> >               Linus
>
>
>
> --
> Daniel Vetter
> Software Engineer, Intel Corporation
> http://blog.ffwll.ch



-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch

  reply	other threads:[~2021-05-17 13:10 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-02-19 17:33 BUG: unable to handle kernel paging request at ffffc90000669000, IP: [<ffffffff8139d84a>] bitfill_un Tommi Rantala
2019-12-10 16:38 ` BUG: unable to handle kernel paging request in sys_imageblit syzbot
2020-06-19  4:56   ` syzbot
2019-12-27  7:13 ` BUG: unable to handle kernel paging request in vga16fb_imageblit syzbot
2020-05-08  7:07 ` BUG: unable to handle kernel paging request in vga16fb_imageblit (2) syzbot
2021-05-01 20:31   ` [syzbot] " syzbot
2021-05-02  1:53   ` syzbot
2021-05-03 13:41     ` Tetsuo Handa
2021-05-07 11:09       ` Tetsuo Handa
2021-05-14 16:19         ` [PATCH] video: fbdev: vga16fb: fix OOB write in vga16fb_imageblit() Tetsuo Handa
2021-05-14 17:29           ` Linus Torvalds
2021-05-14 17:37             ` Linus Torvalds
2021-05-14 18:23               ` Linus Torvalds
2021-05-14 20:25             ` Maciej W. Rozycki
2021-05-14 20:32               ` Linus Torvalds
2021-05-14 21:10                 ` Linus Torvalds
2021-05-15  7:43                   ` [PATCH v2] tty: vt: always invoke vc->vc_sw->con_resize callback Tetsuo Handa
2021-05-15 16:21                     ` Maciej W. Rozycki
2021-05-15 16:32                       ` Maciej W. Rozycki
2021-05-15 16:41                         ` Linus Torvalds
2021-05-17 13:13                           ` Daniel Vetter
2021-05-15 16:11                 ` [PATCH] video: fbdev: vga16fb: fix OOB write in vga16fb_imageblit() Maciej W. Rozycki
2021-05-17 13:07                 ` Daniel Vetter
2021-05-17 13:10                   ` Daniel Vetter [this message]
2021-05-15  0:45               ` Tetsuo Handa
2020-05-12  6:55 ` BUG: unable to handle kernel paging request in bitfill_aligned syzbot
2020-10-06  8:18 ` BUG: unable to handle kernel paging request in cfb_imageblit syzbot
2020-12-18 15:26   ` syzbot
2020-12-18 15:27     ` Dmitry Vyukov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAKMK7uFfuV1GH7rvTwLCovnWvd0hYXPGbAyYELoX9PqZn3u2gQ@mail.gmail.com \
    --to=daniel@ffwll.ch \
    --cc=adaplas@gmail.com \
    --cc=b.zolnierkie@samsung.com \
    --cc=colin.king@canonical.com \
    --cc=dri-devel@lists.freedesktop.org \
    --cc=gregkh@linuxfoundation.org \
    --cc=jani.nikula@intel.com \
    --cc=jirislaby@kernel.org \
    --cc=linux-fbdev@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=macro@orcam.me.uk \
    --cc=penguin-kernel@i-love.sakura.ne.jp \
    --cc=syzbot+1f29e126cf461c4de3b3@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).