linux-serial.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] vt: fix CVE-2020-8647
@ 2020-03-02  2:35 Ye Bin
  2020-03-02  6:42 ` Jiri Slaby
  0 siblings, 1 reply; 2+ messages in thread
From: Ye Bin @ 2020-03-02  2:35 UTC (permalink / raw)
  To: gregkh, jslaby; +Cc: linux-serial, linux-kernel, yebin10

We must calculate origin buffer end before update "old_origin", or it
will lead to access illegal memory.

BUG: KASan: use after free in vc_do_resize+0x49e/0xb30 at addr ffff88000016b9c0
Read of size 2 by task syz-executor.3/24164
page:ffffea0000005ac0 count:0 mapcount:0 mapping:          (null) index:0x0
page flags: 0xfffff00000000()
page dumped because: kasan: bad access detected
CPU: 0 PID: 24164 Comm: syz-executor.3 Not tainted 3.10.0-862.14.2.1.x86_64+ #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
Call Trace:
 [<ffffffffb059f309>] dump_stack+0x1e/0x20
 [<ffffffffaf8af957>] kasan_report+0x577/0x950
 [<ffffffffaf8ae652>] __asan_load2+0x62/0x80
 [<ffffffffafe3728e>] vc_do_resize+0x49e/0xb30
 [<ffffffffafe3795c>] vc_resize+0x3c/0x60
 [<ffffffffafe1d80d>] vt_ioctl+0x16ed/0x2670
 [<ffffffffafe0089a>] tty_ioctl+0x46a/0x1a10
 [<ffffffffaf92db3d>] do_vfs_ioctl+0x5bd/0xc40
 [<ffffffffaf92e2f2>] SyS_ioctl+0x132/0x170
 [<ffffffffb05c9b1b>] system_call_fastpath+0x22/0x27

Signed-off-by: Ye Bin <yebin10@huawei.com>
---
 drivers/tty/vt/vt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 8fa059ec6cc8..1d7217bef678 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -1231,6 +1231,7 @@ static int vc_do_resize(struct tty_struct *tty, struct vc_data *vc,
 	old_origin = vc->vc_origin;
 	new_origin = (long) newscreen;
 	new_scr_end = new_origin + new_screen_size;
+	end = old_origin + old_row_size * min(old_rows, new_rows);
 
 	if (vc->vc_y > new_rows) {
 		if (old_rows - vc->vc_y < new_rows) {
@@ -1249,7 +1250,6 @@ static int vc_do_resize(struct tty_struct *tty, struct vc_data *vc,
 		old_origin += first_copied_row * old_row_size;
 	} else
 		first_copied_row = 0;
-	end = old_origin + old_row_size * min(old_rows, new_rows);
 
 	vc_uniscr_copy_area(new_uniscr, new_cols, new_rows,
 			    get_vc_uniscr(vc), rlth/2, first_copied_row,
-- 
2.17.2


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] vt: fix CVE-2020-8647
  2020-03-02  2:35 [PATCH] vt: fix CVE-2020-8647 Ye Bin
@ 2020-03-02  6:42 ` Jiri Slaby
  0 siblings, 0 replies; 2+ messages in thread
From: Jiri Slaby @ 2020-03-02  6:42 UTC (permalink / raw)
  To: Ye Bin, gregkh; +Cc: linux-serial, linux-kernel

Hi,

you should use some better Subject. "vt: fix CVE-2020-8647" is not
descriptive at all. Something like "vt: fix use after free in
vc_resize". You can reference the CVE in the text if you want.

On 02. 03. 20, 3:35, Ye Bin wrote:
> We must calculate origin buffer end before update "old_origin", or it
> will lead to access illegal memory.

You should explain why we must. I.e. how the bad access can happen.

> BUG: KASan: use after free in vc_do_resize+0x49e/0xb30 at addr ffff88000016b9c0
> Read of size 2 by task syz-executor.3/24164

For sure, the report mentioned a Reported-by line you should add to the
fix. Could you do so?

> page:ffffea0000005ac0 count:0 mapcount:0 mapping:          (null) index:0x0
> page flags: 0xfffff00000000()
> page dumped because: kasan: bad access detected
> CPU: 0 PID: 24164 Comm: syz-executor.3 Not tainted 3.10.0-862.14.2.1.x86_64+ #2
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
> Call Trace:
>  [<ffffffffb059f309>] dump_stack+0x1e/0x20
>  [<ffffffffaf8af957>] kasan_report+0x577/0x950
>  [<ffffffffaf8ae652>] __asan_load2+0x62/0x80
>  [<ffffffffafe3728e>] vc_do_resize+0x49e/0xb30
>  [<ffffffffafe3795c>] vc_resize+0x3c/0x60
>  [<ffffffffafe1d80d>] vt_ioctl+0x16ed/0x2670
>  [<ffffffffafe0089a>] tty_ioctl+0x46a/0x1a10
>  [<ffffffffaf92db3d>] do_vfs_ioctl+0x5bd/0xc40
>  [<ffffffffaf92e2f2>] SyS_ioctl+0x132/0x170
>  [<ffffffffb05c9b1b>] system_call_fastpath+0x22/0x27
> 
> Signed-off-by: Ye Bin <yebin10@huawei.com>
> ---
>  drivers/tty/vt/vt.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
> index 8fa059ec6cc8..1d7217bef678 100644
> --- a/drivers/tty/vt/vt.c
> +++ b/drivers/tty/vt/vt.c
> @@ -1231,6 +1231,7 @@ static int vc_do_resize(struct tty_struct *tty, struct vc_data *vc,
>  	old_origin = vc->vc_origin;
>  	new_origin = (long) newscreen;
>  	new_scr_end = new_origin + new_screen_size;
> +	end = old_origin + old_row_size * min(old_rows, new_rows);
>  
>  	if (vc->vc_y > new_rows) {
>  		if (old_rows - vc->vc_y < new_rows) {
> @@ -1249,7 +1250,6 @@ static int vc_do_resize(struct tty_struct *tty, struct vc_data *vc,
>  		old_origin += first_copied_row * old_row_size;
>  	} else
>  		first_copied_row = 0;
> -	end = old_origin + old_row_size * min(old_rows, new_rows);
>  
>  	vc_uniscr_copy_area(new_uniscr, new_cols, new_rows,
>  			    get_vc_uniscr(vc), rlth/2, first_copied_row,
> 

thanks,
-- 
js
suse labs

-- 
js
suse labs

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2020-03-02  6:42 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-03-02  2:35 [PATCH] vt: fix CVE-2020-8647 Ye Bin
2020-03-02  6:42 ` Jiri Slaby

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).