fbcon scrollback broken was Re: Linux 5.9-rc6

Message ID 20200923113914.GA18149@duo.ucw.cz
State New, archived

Commit Message

Pavel Machek Sept. 23, 2020, 11:39 a.m. UTC
Hi!

> The one thing that does show up in the diffstat is the softscroll
> removal (both fbcon and vgacon), and there are people who want to save
> that, but we'll see if some maintainer steps up. I'm not willing to
> resurrect it in the broken form it was in, so I doubt that will happen
> in 5.9, but we'll see what happens.

Could you... like try not to make the job harder by merging myriad of
"let's kill the documentation" patches?

I needed the feature twice already this month, once during fsck, and
then five minutes ago, when oops scrolled by me during system
shutdown. Unfortunately, shift-pageup was not available to take a look
what is going on there.

Unfortunately, Greg backported your "fix" to all the stable releases,
so resulting damage will not be easy to repair.

For the record, making the security problem unexploitable should be as
simple as patch below.

Unfortunately, Linus' changelog does not exactly tell me what all the
known problems are. Willy Tarreau pointed me to
https://www.openwall.com/lists/oss-security/2020/09/15/2 , which has
some information, but all I can reproduce are transient screen
artefacts. If someone has more detailed information, that would be
helpful.

Best regards,
								Pavel

Comments

Pavel Machek Sept. 23, 2020, 12:03 p.m. UTC | #1
Hi!

> > The one thing that does show up in the diffstat is the softscroll
> > removal (both fbcon and vgacon), and there are people who want to save
> > that, but we'll see if some maintainer steps up. I'm not willing to
> > resurrect it in the broken form it was in, so I doubt that will happen
> > in 5.9, but we'll see what happens.
> 
> Could you... like try not to make the job harder by merging myriad of
> "let's kill the documentation" patches?
> 
> I needed the feature twice already this month, once during fsck, and
> then five minutes ago, when oops scrolled by me during system
> shutdown. Unfortunately, shift-pageup was not available to take a look
> what is going on there.
> 
> Unfortunately, Greg backported your "fix" to all the stable releases,
> so resulting damage will not be easy to repair.
> 
> For the record, making the security problem unexploitable should be as
> simple as patch below.
> 
> Unfortunately, Linus' changelog does not exactly tell me what all the
> known problems are. Willy Tarreau pointed me to
> https://www.openwall.com/lists/oss-security/2020/09/15/2 , which has
> some information, but all I can reproduce are transient screen
> artefacts. If someone has more detailed information, that would be
> helpful.

I can now reproduce it. C code from
https://www.openwall.com/lists/oss-security/2020/09/15/2 + this patch
makes the issue easy to see.

Best regards,
								Pavel

diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 5f1183b0b89d..5a8a43c0b546 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -1209,6 +1209,7 @@ static int vc_do_resize(struct tty_struct *tty, struct vc_data *vc,
 	rlth = min(old_row_size, new_row_size);
 	rrem = new_row_size - rlth;
 	old_origin = vc->vc_origin;
+	vc->vc_origin = NULL;
 	new_origin = (long) newscreen;
 	new_scr_end = new_origin + new_screen_size;
 
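Review bot: the added `vc->vc_origin = NULL;` in vc_do_resize() assigns a pointer constant to a field that the surrounding lines handle as an integer (`new_origin = (long) newscreen;`), so it should be `0` if it stays at all. There is no comment saying the field is cleared on purpose while the resize runs, and nothing in the visible hunk shows where it is set again. If this is only a debugging aid to make the race visible, mark the patch as not for merging.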
diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index 75ebbbf0a1fb..6ceae7ea1ccc 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -2818,6 +2818,11 @@ static void fbcon_scrolldelta(struct vc_data *vc, int lines)
 	struct display *disp = &fb_display[fg_console];
 	int offset, limit, scrollback_old;
 
+	if (!vc->vc_origin) {
+		printk("scrolldelta races with resize?!\n");
+		return;
+	}
+
 	if (softback_top) {
 		if (vc->vc_num != fg_console)
 			return;
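Review bot: the new `if (!vc->vc_origin)` test at the top of fbcon_scrolldelta() is a plain check with no locking visible around it, so a resize can still change the origin right after the test passes; it reports the race rather than closing it. The `printk()` also carries no log level and no rate limit, and a message on a scroll path can repeat quickly, so `pr_warn_ratelimited()` would be the better fit if the message is kept.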

Patch

diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 19cd4a4b1939..cb2d3e7eeac8 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -3211,6 +3212,9 @@  int tioclinux(struct tty_struct *tty, unsigned long arg)
 			ret = fg_console;
 			break;
 		case TIOCL_SCROLLCONSOLE:
+			ret = -EPERM;
+			break;
+		  
 			if (get_user(lines, (s32 __user *)(p+4))) {
 				ret = -EFAULT;
 			} else {
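Review bot: the unconditional `ret = -EPERM; break;` under `case TIOCL_SCROLLCONSOLE:` leaves the `get_user(lines, ...)` block below it unreachable. Delete the dead code in the same patch, or add a comment saying it is kept on purpose for a later re-enable; the added whitespace-only line after `break;` should go as well. Returning -EPERM to every caller also changes the ioctl's result for existing users, which the changelog should state.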