From: Peilin Ye <yepeilin.cs@gmail.com>
To: Daniel Vetter <daniel.vetter@ffwll.ch>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Jiri Slaby <jirislaby@kernel.org>,
Thomas Winischhofer <thomas@winischhofer.net>
Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>,
Nicolas Pitre <nico@fluxnic.net>,
"Gustavo A . R . Silva" <gustavoars@kernel.org>,
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
George Kennedy <george.kennedy@oracle.com>,
Nathan Chancellor <natechancellor@gmail.com>,
Peter Rosin <peda@axentia.se>,
linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org,
dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org,
Peilin Ye <yepeilin.cs@gmail.com>
Subject: [PATCH 2/2] fbcon: Prevent global-out-of-bounds read in fbcon_copy_font()
Date: Sat, 31 Oct 2020 03:27:23 -0400 [thread overview]
Message-ID: <64b792b83119b0ec6caed9cb62087453b675c690.1604128640.git.yepeilin.cs@gmail.com> (raw)
In-Reply-To: <c5563eeea36aae7bd72ea2e985bc610d585ece40.1604128639.git.yepeilin.cs@gmail.com>
fbcon_copy_font() is using a signed int, `con`, as an index into
`fb_display[MAX_NR_CONSOLES]`, without bounds checking. In
con_font_copy(), `con` is being silently casted from the unsigned
`op->height`.
Let con_font_copy() and fbcon_copy_font() pass `op->height` directly, and
add a range check in fbcon_copy_font(). Also, add a comment in
con_font_op() for less confusion, since ideally `op->height` should not be
used as a console index, as the field name suggests.
This patch depends on patch "console: Remove dummy con_font_op callback
implementations".
Cc: stable@vger.kernel.org
Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
---
drivers/tty/vt/vt.c | 6 +++---
drivers/video/fbdev/core/fbcon.c | 8 ++++++--
include/linux/console.h | 2 +-
3 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 9506a76f3ab6..ff8ea1654a69 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -4704,9 +4704,8 @@ static int con_font_default(struct vc_data *vc, struct console_font_op *op)
return rc;
}
-static int con_font_copy(struct vc_data *vc, struct console_font_op *op)
+static int con_font_copy(struct vc_data *vc, unsigned int con)
{
- int con = op->height;
int rc;
@@ -4735,7 +4734,8 @@ int con_font_op(struct vc_data *vc, struct console_font_op *op)
case KD_FONT_OP_SET_DEFAULT:
return con_font_default(vc, op);
case KD_FONT_OP_COPY:
- return con_font_copy(vc, op);
+ /* uses op->height as a console index */
+ return con_font_copy(vc, op->height);
}
return -ENOSYS;
}
diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index cef437817b0d..1caa98146712 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -2451,11 +2451,15 @@ static int fbcon_do_set_font(struct vc_data *vc, int w, int h,
return 0;
}
-static int fbcon_copy_font(struct vc_data *vc, int con)
+static int fbcon_copy_font(struct vc_data *vc, unsigned int con)
{
- struct fbcon_display *od = &fb_display[con];
+ struct fbcon_display *od;
struct console_font *f = &vc->vc_font;
+ if (con >= MAX_NR_CONSOLES)
+ return -EINVAL;
+
+ od = &fb_display[con];
if (od->fontdata == f->data)
return 0; /* already the same font... */
return fbcon_do_set_font(vc, f->width, f->height, od->fontdata, od->userfont);
diff --git a/include/linux/console.h b/include/linux/console.h
index 4b1e26c4cb42..34855d3f2afd 100644
--- a/include/linux/console.h
+++ b/include/linux/console.h
@@ -62,7 +62,7 @@ struct consw {
int (*con_font_get)(struct vc_data *vc, struct console_font *font);
int (*con_font_default)(struct vc_data *vc,
struct console_font *font, char *name);
- int (*con_font_copy)(struct vc_data *vc, int con);
+ int (*con_font_copy)(struct vc_data *vc, unsigned int con);
int (*con_resize)(struct vc_data *vc, unsigned int width,
unsigned int height, unsigned int user);
void (*con_set_palette)(struct vc_data *vc,
--
2.25.1
WARNING: multiple messages have this Message-ID (diff)
From: Peilin Ye <yepeilin.cs@gmail.com>
To: Daniel Vetter <daniel.vetter@ffwll.ch>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Jiri Slaby <jirislaby@kernel.org>,
Thomas Winischhofer <thomas@winischhofer.net>
Cc: linux-fbdev@vger.kernel.org, linux-usb@vger.kernel.org,
Nicolas Pitre <nico@fluxnic.net>,
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>,
"Gustavo A . R . Silva" <gustavoars@kernel.org>,
dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org,
George Kennedy <george.kennedy@oracle.com>,
Peilin Ye <yepeilin.cs@gmail.com>,
Nathan Chancellor <natechancellor@gmail.com>,
Peter Rosin <peda@axentia.se>
Subject: [PATCH 2/2] fbcon: Prevent global-out-of-bounds read in fbcon_copy_font()
Date: Sat, 31 Oct 2020 03:27:23 -0400 [thread overview]
Message-ID: <64b792b83119b0ec6caed9cb62087453b675c690.1604128640.git.yepeilin.cs@gmail.com> (raw)
In-Reply-To: <c5563eeea36aae7bd72ea2e985bc610d585ece40.1604128639.git.yepeilin.cs@gmail.com>
fbcon_copy_font() is using a signed int, `con`, as an index into
`fb_display[MAX_NR_CONSOLES]`, without bounds checking. In
con_font_copy(), `con` is being silently casted from the unsigned
`op->height`.
Let con_font_copy() and fbcon_copy_font() pass `op->height` directly, and
add a range check in fbcon_copy_font(). Also, add a comment in
con_font_op() for less confusion, since ideally `op->height` should not be
used as a console index, as the field name suggests.
This patch depends on patch "console: Remove dummy con_font_op callback
implementations".
Cc: stable@vger.kernel.org
Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
---
drivers/tty/vt/vt.c | 6 +++---
drivers/video/fbdev/core/fbcon.c | 8 ++++++--
include/linux/console.h | 2 +-
3 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 9506a76f3ab6..ff8ea1654a69 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -4704,9 +4704,8 @@ static int con_font_default(struct vc_data *vc, struct console_font_op *op)
return rc;
}
-static int con_font_copy(struct vc_data *vc, struct console_font_op *op)
+static int con_font_copy(struct vc_data *vc, unsigned int con)
{
- int con = op->height;
int rc;
@@ -4735,7 +4734,8 @@ int con_font_op(struct vc_data *vc, struct console_font_op *op)
case KD_FONT_OP_SET_DEFAULT:
return con_font_default(vc, op);
case KD_FONT_OP_COPY:
- return con_font_copy(vc, op);
+ /* uses op->height as a console index */
+ return con_font_copy(vc, op->height);
}
return -ENOSYS;
}
diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index cef437817b0d..1caa98146712 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -2451,11 +2451,15 @@ static int fbcon_do_set_font(struct vc_data *vc, int w, int h,
return 0;
}
-static int fbcon_copy_font(struct vc_data *vc, int con)
+static int fbcon_copy_font(struct vc_data *vc, unsigned int con)
{
- struct fbcon_display *od = &fb_display[con];
+ struct fbcon_display *od;
struct console_font *f = &vc->vc_font;
+ if (con >= MAX_NR_CONSOLES)
+ return -EINVAL;
+
+ od = &fb_display[con];
if (od->fontdata == f->data)
return 0; /* already the same font... */
return fbcon_do_set_font(vc, f->width, f->height, od->fontdata, od->userfont);
diff --git a/include/linux/console.h b/include/linux/console.h
index 4b1e26c4cb42..34855d3f2afd 100644
--- a/include/linux/console.h
+++ b/include/linux/console.h
@@ -62,7 +62,7 @@ struct consw {
int (*con_font_get)(struct vc_data *vc, struct console_font *font);
int (*con_font_default)(struct vc_data *vc,
struct console_font *font, char *name);
- int (*con_font_copy)(struct vc_data *vc, int con);
+ int (*con_font_copy)(struct vc_data *vc, unsigned int con);
int (*con_resize)(struct vc_data *vc, unsigned int width,
unsigned int height, unsigned int user);
void (*con_set_palette)(struct vc_data *vc,
--
2.25.1
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
next prev parent reply other threads:[~2020-10-31 7:28 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-31 7:24 [PATCH 1/2] console: Remove dummy con_font_op() callback implementations Peilin Ye
2020-10-31 7:24 ` Peilin Ye
2020-10-31 7:27 ` Peilin Ye [this message]
2020-10-31 7:27 ` [PATCH 2/2] fbcon: Prevent global-out-of-bounds read in fbcon_copy_font() Peilin Ye
2020-11-02 2:51 ` kernel test robot
2020-11-02 9:36 ` [PATCH v2 1/2] console: Remove dummy con_font_op() callback implementations Peilin Ye
2020-11-02 9:36 ` Peilin Ye
2020-11-02 9:37 ` [PATCH v2 2/2] tty/vt: Avoid passing struct console_font_op to con_font_copy() Peilin Ye
2020-11-02 9:37 ` Peilin Ye
2020-11-02 10:10 ` Daniel Vetter
2020-11-02 10:10 ` Daniel Vetter
2020-11-02 11:12 ` Peilin Ye
2020-11-02 11:12 ` Peilin Ye
2020-11-02 11:30 ` Daniel Vetter
2020-11-02 11:30 ` Daniel Vetter
2020-11-02 9:47 ` [PATCH v2 1/2] console: Remove dummy con_font_op() callback implementations Jiri Slaby
2020-11-02 9:47 ` Jiri Slaby
2020-11-02 10:13 ` Daniel Vetter
2020-11-02 10:13 ` Daniel Vetter
2020-11-02 10:52 ` Peilin Ye
2020-11-02 10:52 ` Peilin Ye
2020-11-06 10:50 ` [PATCH " Greg Kroah-Hartman
2020-11-06 10:50 ` Greg Kroah-Hartman
2020-11-10 12:49 ` Daniel Vetter
2020-11-10 12:49 ` Daniel Vetter
2020-11-10 13:24 ` Peilin Ye
2020-11-10 13:24 ` Peilin Ye
2020-11-10 13:46 ` Daniel Vetter
2020-11-10 13:46 ` Daniel Vetter
2020-11-10 13:55 ` Peilin Ye
2020-11-10 13:55 ` Peilin Ye
2020-11-10 14:56 ` Greg Kroah-Hartman
2020-11-10 14:56 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=64b792b83119b0ec6caed9cb62087453b675c690.1604128640.git.yepeilin.cs@gmail.com \
--to=yepeilin.cs@gmail.com \
--cc=b.zolnierkie@samsung.com \
--cc=daniel.vetter@ffwll.ch \
--cc=dri-devel@lists.freedesktop.org \
--cc=george.kennedy@oracle.com \
--cc=gregkh@linuxfoundation.org \
--cc=gustavoars@kernel.org \
--cc=jirislaby@kernel.org \
--cc=linux-fbdev@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=natechancellor@gmail.com \
--cc=nico@fluxnic.net \
--cc=peda@axentia.se \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
--cc=thomas@winischhofer.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.