archive mirror
 help / color / mirror / Atom feed
From: Daniel Vetter <>
To: Linus Torvalds <>
Cc: "Maciej W. Rozycki" <>,
	Tetsuo Handa <>,
	dri-devel <>,
	Linux Fbdev development list <>,
	Linux Kernel Mailing List <>,
	syzbot <>,
	Bartlomiej Zolnierkiewicz <>,
	Colin King <>,
	Greg Kroah-Hartman <>,
	Jani Nikula <>,
	Jiri Slaby <>,
	syzkaller-bugs <>,
	"Antonino A. Daplas" <>
Subject: Re: [PATCH] video: fbdev: vga16fb: fix OOB write in vga16fb_imageblit()
Date: Mon, 17 May 2021 15:07:35 +0200	[thread overview]
Message-ID: <> (raw)
In-Reply-To: <>

On Fri, May 14, 2021 at 10:33 PM Linus Torvalds
<> wrote:
> On Fri, May 14, 2021 at 1:25 PM Maciej W. Rozycki <> wrote:
> >
> >  Overall I think it does make sense to resize the text console at any
> > time, even if the visible console (VT) chosen is in the graphics mode,
> It might make sense, but only if we call the function to update the
> low-level data.
> Not calling it, and then starting to randomly use the (wrong)
> geometry, and just limiting it so that it's all within the buffer -
> THAT does not make sense.
> So I think your patch is fundamentally wrong. It basically says "let's
> use random stale incorrect data, but just make sure that the end
> result is still within the allocated buffer".
> My patch is at least conceptually sane.
> An alternative would be to just remove the "vcmode != KD_GRAPHICS"
> check entirely, and always call con_resize() to update the low-level
> data, but honestly, that seems very likelty to break something very
> fundamentally, since it's not how any of fbcon has ever been tested,

Just an aside: I think with fbdev drivers this would go boom, because
you'd have fbcon interferring with a direct /dev/fb/* user.

But if your fbdev driver is actually a drm modeset driver, then we
have additional limitations: If the userspace accesses the display
through /dev/dri/card0, then the kernel blocks all access through
/dev/fb/* (including fbcon) to the actual display (it only goes into
the buffer used for fbdev emulation). And everything would be fine.

Also generally you'd get away with this even in problematic cases,
since usually you resize your console when looking at it, not when X
or something else is using your fbdev direct access.

The one thing that's left out here a bit in the cold is userspace
modeset drivers in X. Those would get hosed. But also, we stopped
supporting those in at least i915/amd/radeon/nouveau drivers,
automatically falling back to the fbdev stuff in most cases (with or
without the drm drivers underneath that), and no one screamed. So
probably not many users left.

So I /think/ we could wager this, if it's the least intrusive fix from
the kernel pov. But it has some risks that we need to revert again if
we break some of the really old use-cases here.

Cheers, Daniel

> Another alternative would be to just delay the resize to when vcmode
> is put back to text mode again. That sounds somewhat reasonable to me,
> but it's a pretty big thing.
> But no, your patch to just "knowingly use entirely wrong values, then
> add a limit check because we know the values are possibly garbage and
> not consistent with reality" is simply not acceptable.
>               Linus

Daniel Vetter
Software Engineer, Intel Corporation

  parent reply	other threads:[~2021-05-17 13:08 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-02-19 17:33 BUG: unable to handle kernel paging request at ffffc90000669000, IP: [<ffffffff8139d84a>] bitfill_un Tommi Rantala
2019-12-10 16:38 ` BUG: unable to handle kernel paging request in sys_imageblit syzbot
2020-06-19  4:56   ` syzbot
2019-12-27  7:13 ` BUG: unable to handle kernel paging request in vga16fb_imageblit syzbot
2020-05-08  7:07 ` BUG: unable to handle kernel paging request in vga16fb_imageblit (2) syzbot
2021-05-01 20:31   ` [syzbot] " syzbot
2021-05-02  1:53   ` syzbot
2021-05-03 13:41     ` Tetsuo Handa
2021-05-07 11:09       ` Tetsuo Handa
2021-05-14 16:19         ` [PATCH] video: fbdev: vga16fb: fix OOB write in vga16fb_imageblit() Tetsuo Handa
2021-05-14 17:29           ` Linus Torvalds
2021-05-14 17:37             ` Linus Torvalds
2021-05-14 18:23               ` Linus Torvalds
2021-05-14 20:25             ` Maciej W. Rozycki
2021-05-14 20:32               ` Linus Torvalds
2021-05-14 21:10                 ` Linus Torvalds
2021-05-15  7:43                   ` [PATCH v2] tty: vt: always invoke vc->vc_sw->con_resize callback Tetsuo Handa
2021-05-15 16:21                     ` Maciej W. Rozycki
2021-05-15 16:32                       ` Maciej W. Rozycki
2021-05-15 16:41                         ` Linus Torvalds
2021-05-17 13:13                           ` Daniel Vetter
2021-05-15 16:11                 ` [PATCH] video: fbdev: vga16fb: fix OOB write in vga16fb_imageblit() Maciej W. Rozycki
2021-05-17 13:07                 ` Daniel Vetter [this message]
2021-05-17 13:10                   ` Daniel Vetter
2021-05-15  0:45               ` Tetsuo Handa
2020-05-12  6:55 ` BUG: unable to handle kernel paging request in bitfill_aligned syzbot
2020-10-06  8:18 ` BUG: unable to handle kernel paging request in cfb_imageblit syzbot
2020-12-18 15:26   ` syzbot
2020-12-18 15:27     ` Dmitry Vyukov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \
    --subject='Re: [PATCH] video: fbdev: vga16fb: fix OOB write in vga16fb_imageblit()' \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).