* Re: [Linux-kernel-mentees] [PATCH 15/16] vc_screen: extract vcs_read_buf_header
  [not found] <20200818085706.12163-15-jslaby@suse.cz>
  2020-08-25 16:48 ` Peilin Ye
  2020-08-25 16:59   ` Greg KH
  (0 siblings, 1 reply; 3+ messages in thread)

From: Peilin Ye @ 2020-08-25 16:48 UTC
To: jslaby; +Cc: syzkaller-bugs, linux-kernel, linux-serial, linux-kernel-mentees

Hi all,

Link: https://syzkaller.appspot.com/bug?id=f332576321998d36cd07d09c9c1268cfed1895c9

As reported by syzbot, vcs_read_buf() is overflowing `con_buf16`, since
this patch removed the following check:

- if (count > CON_BUF_SIZE) {
- count = CON_BUF_SIZE;
- filled = count - pos;
- }

Decreasing `count` by `min(HEADER_SIZE - pos, count)` bypasses this check.
Additionally, this patch also removed updates to `skip` and `filled`.

What should we do in order to fix it?

Thank you,
Peilin Ye

_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees
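The overflow described in the message above comes down to where, and whether, `count` is bounded against the bounce buffer before screen bytes are copied into it. The following is an added stand-alone model written for this page; it is not the kernel's vc_screen.c and not code posted in this thread. CON_BUF_SIZE, HEADER_SIZE, the fake screen contents, the enum and the function names are all assumptions made for the example. It compares three placements of the clamp: none (the situation the mail reports), the removed check's placement before the header bytes are subtracted from `count`, and a clamp applied only to the post-header remainder, which still overruns by however many header bytes were already placed in the buffer.

```c
/* Added example: a model of reading a small header followed by screen data
 * through a fixed-size kernel bounce buffer.  Not the kernel's vc_screen.c;
 * sizes, names and the fake screen are constructed for this example. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CON_BUF_SIZE 4096   /* assumed size of the per-read bounce buffer   */
#define HEADER_SIZE  4      /* assumed header (lines, cols, x, y) in a read  */

enum clamp_mode {
    CLAMP_NONE,       /* count is never bounded (what the mail reports)     */
    CLAMP_TOTAL,      /* count <= CON_BUF_SIZE before the header is taken   */
    CLAMP_REMAINDER   /* only the post-header remainder is bounded          */
};

static unsigned char con_buf[CON_BUF_SIZE];
static unsigned char screen[2 * CON_BUF_SIZE];  /* constructed fake screen */

/* Copy n bytes to con_buf + off, but stop at the end of con_buf and report
 * how many bytes would have been written past it (0 means in bounds). */
static size_t bounded_copy(size_t off, const unsigned char *src, size_t n)
{
    size_t room  = off < CON_BUF_SIZE ? CON_BUF_SIZE - off : 0;
    size_t spill = n > room ? n - room : 0;

    memcpy(con_buf + off, src, n - spill);
    return spill;
}

/* Model of one read of `count` bytes at file offset `pos`.  Returns the
 * number of bytes that would have overrun con_buf; 0 means the read is safe.
 * `filled` tracks bytes already placed in con_buf, as in the mail. */
static size_t read_buf(size_t pos, size_t count, enum clamp_mode mode)
{
    unsigned char header[HEADER_SIZE] = { 25, 80, 0, 0 };  /* constructed */
    size_t filled = 0;
    size_t off, avail;

    /* The removed check: bound the whole request, header included. */
    if (mode == CLAMP_TOTAL && count > CON_BUF_SIZE)
        count = CON_BUF_SIZE;

    if (pos < HEADER_SIZE) {
        size_t hdr = HEADER_SIZE - pos;
        if (hdr > count)
            hdr = count;
        memcpy(con_buf, header + pos, hdr);
        filled = hdr;
        count -= hdr;        /* the min(HEADER_SIZE - pos, count) step */
        pos = HEADER_SIZE;
    }

    /* A clamp placed here forgets the `filled` header bytes already in
     * con_buf, so it still lets the copy run HEADER_SIZE - pos bytes over. */
    if (mode == CLAMP_REMAINDER && count > CON_BUF_SIZE)
        count = CON_BUF_SIZE;

    /* Screen data begins right after the header in file-offset space;
     * reads past the end of the screen return nothing, like EOF. */
    off = pos - HEADER_SIZE;
    if (off >= sizeof(screen))
        return 0;
    avail = sizeof(screen) - off;
    if (count > avail)
        count = avail;

    return bounded_copy(filled, screen + off, count);
}

int main(void)
{
    static const char *names[] = { "none", "total", "remainder" };
    enum clamp_mode m;

    for (m = CLAMP_NONE; m <= CLAMP_REMAINDER; m++)
        printf("pos=0 count=%u clamp=%-9s overrun=%zu bytes\n",
               2 * CON_BUF_SIZE, names[m], read_buf(0, 2 * CON_BUF_SIZE, m));
    return 0;
}
```

The point the third mode makes is the one to check when re-adding the bound: the limit has to be applied to the total that will land in the buffer, so either clamp before the header is subtracted (as the removed check did) or clamp the remainder against `CON_BUF_SIZE - filled` rather than `CON_BUF_SIZE`.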
* Re: [Linux-kernel-mentees] [PATCH 15/16] vc_screen: extract vcs_read_buf_header
  2020-08-25 16:48 ` [Linux-kernel-mentees] [PATCH 15/16] vc_screen: extract vcs_read_buf_header Peilin Ye
  2020-08-25 16:59   ` Greg KH
  2020-08-25 17:12     ` Peilin Ye
  (0 siblings, 1 reply; 3+ messages in thread)

From: Greg KH @ 2020-08-25 16:59 UTC
To: Peilin Ye
Cc: syzkaller-bugs, jslaby, linux-kernel, linux-serial, linux-kernel-mentees

On Tue, Aug 25, 2020 at 12:48:04PM -0400, Peilin Ye wrote:
> Hi all,
>
> Link: https://syzkaller.appspot.com/bug?id=f332576321998d36cd07d09c9c1268cfed1895c9
>
> As reported by syzbot, vcs_read_buf() is overflowing `con_buf16`, since
> this patch removed the following check:
>
> - if (count > CON_BUF_SIZE) {
> - count = CON_BUF_SIZE;
> - filled = count - pos;
> - }
>
> Decreasing `count` by `min(HEADER_SIZE - pos, count)` bypasses this check.
> Additionally, this patch also removed updates to `skip` and `filled`.
>
> What should we do in order to fix it?

This patch is already reverted, and it has been discussed a bit as to
how to do this properly if you look at the email where this was reported
to us.

thanks,

greg k-h
* Re: [Linux-kernel-mentees] [PATCH 15/16] vc_screen: extract vcs_read_buf_header
  2020-08-25 16:59 ` Greg KH
  2020-08-25 17:12   ` Peilin Ye
  (0 siblings, 0 replies; 3+ messages in thread)

From: Peilin Ye @ 2020-08-25 17:12 UTC
To: Greg KH
Cc: syzkaller-bugs, jslaby, linux-kernel, linux-serial, linux-kernel-mentees

On Tue, Aug 25, 2020 at 06:59:35PM +0200, Greg KH wrote:
> On Tue, Aug 25, 2020 at 12:48:04PM -0400, Peilin Ye wrote:
> > Hi all,
> >
> > Link: https://syzkaller.appspot.com/bug?id=f332576321998d36cd07d09c9c1268cfed1895c9
> >
> > As reported by syzbot, vcs_read_buf() is overflowing `con_buf16`, since
> > this patch removed the following check:
> >
> > - if (count > CON_BUF_SIZE) {
> > - count = CON_BUF_SIZE;
> > - filled = count - pos;
> > - }
> >
> > Decreasing `count` by `min(HEADER_SIZE - pos, count)` bypasses this check.
> > Additionally, this patch also removed updates to `skip` and `filled`.
> >
> > What should we do in order to fix it?
>
> This patch is already reverted, and it has been discussed a bit as to
> how to do this properly if you look at the email where this was reported
> to us.

Ah, syzbot has reported this issue as two different bugs... I started
looking into it without noticing your discussion under another thread.

Sorry,
Peilin Ye