Hi!

> > The one thing that does show up in the diffstat is the softscroll
> > removal (both fbcon and vgacon), and there are people who want to save
> > that, but we'll see if some maintainer steps up. I'm not willing to
> > resurrect it in the broken form it was in, so I doubt that will happen
> > in 5.9, but we'll see what happens.
>
> Could you... like try not to make the job harder by merging myriad of
> "let's kill the documentation" patches?
>
> I needed the feature twice already this month, once during fsck, and
> then five minutes ago, when oops scrolled by me during system
> shutdown. Unfortunately, shift-pageup was not available to take a look
> what is going on there.
>
> Unfortunately, Greg backported your "fix" to all the stable releases,
> so resulting damage will not be easy to repair.
>
> For the record, making the security problem unexploitable should be as
> simple as patch below.
>
> Unfortunately, Linus' changelog does not exactly tell me what all the
> known problems are. Willy Tarreau pointed me to
> https://www.openwall.com/lists/oss-security/2020/09/15/2 , which has
> some information, but all I can reproduce are transient screen
> artefacts. If someone has more detailed information, that would be
> helpful.

I can now reproduce it. C code from
https://www.openwall.com/lists/oss-security/2020/09/15/2 + this patch
makes the issue easy to see.

Best regards,
Pavel

diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c index 5f1183b0b89d..5a8a43c0b546 100644 --- a/drivers/tty/vt/vt.c +++ b/drivers/tty/vt/vt.c @@ -1209,6 +1209,7 @@ static int vc_do_resize(struct tty_struct *tty, struct vc_data *vc, rlth = min(old_row_size, new_row_size); rrem = new_row_size - rlth; old_origin = vc->vc_origin; + vc->vc_origin = NULL; new_origin = (long) newscreen; new_scr_end = new_origin + new_screen_size; diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c index 75ebbbf0a1fb..6ceae7ea1ccc 100644 --- a/drivers/video/fbdev/core/fbcon.c 
+++ b/drivers/video/fbdev/core/fbcon.c @@ -2818,6 +2818,11 @@ static void fbcon_scrolldelta(struct vc_data *vc, int lines) struct display *disp = &fb_display[fg_console]; int offset, limit, scrollback_old; + if (!vc->vc_origin) { + printk("scrolldelta races with resize?!\n"); + return; + } + if (softback_top) { if (vc->vc_num != fg_console) return; -- (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
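
Review bot: in the vc_do_resize() hunk of drivers/tty/vt/vt.c, `vc->vc_origin = NULL;` stores a pointer constant into a field that the neighbouring lines handle as an integer address (`old_origin = vc->vc_origin;`, `new_origin = (long) newscreen;`), so it should read `vc->vc_origin = 0;`. The hunk also shows neither where vc_origin becomes valid again nor which lock orders this store against the `!vc->vc_origin` test added in fbcon_scrolldelta(). Without that ordering, a scrollback call can pass the test just before the store lands, so the changelog should name the lock both paths hold, and a one-line comment on why the origin is cleared at this point would help the next reader.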
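
Review bot: the printk() added at the top of fbcon_scrolldelta() in drivers/video/fbdev/core/fbcon.c carries no KERN_ log level and no rate limit, so repeated scrollback requests while vc_origin is cleared can fill the log with the same line; pr_warn_ratelimited() or `if (WARN_ON_ONCE(!vc->vc_origin)) return;` would report the condition once with a backtrace. The message text "scrolldelta races with resize?!" is phrased as a debugging question. If this hunk is meant to stay beyond reproducing the issue, the message should state the condition that was detected, and the early return deserves a short comment saying what state the function is refusing to operate on.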