Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751301AbdH0SYM (ORCPT ); Sun, 27 Aug 2017 14:24:12 -0400 Received: from smtp-fw-9102.amazon.com ([207.171.184.29]:25672 "EHLO smtp-fw-9102.amazon.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751264AbdH0SYL (ORCPT ); Sun, 27 Aug 2017 14:24:11 -0400 X-IronPort-AV: E=Sophos;i="5.41,437,1498521600"; d="scan'208";a="562951980" From: =?UTF-8?q?Jan=20H=2E=20Sch=C3=B6nherr?= To: "H. Peter Anvin" Cc: Thomas Gleixner , Ingo Molnar , linux-kernel@vger.kernel.org, =?UTF-8?q?Jan=20H=2E=20Sch=C3=B6nherr?= Subject: [PATCH] x86/boot: Prevent faulty bootparams.screeninfo from causing harm Date: Sun, 27 Aug 2017 20:23:43 +0200 Message-Id: <1503858223-14983-1-git-send-email-jschoenh@amazon.de> X-Mailer: git-send-email 2.3.1.dirty MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 794 Lines: 27 If a zero for the number of lines manages to slip through, scroll() may underflow some offset calculations, causing accesses outside the video memory. Make the check in __putstr() more pessimistic to prevent that. Signed-off-by: Jan H. Schönherr --- arch/x86/boot/compressed/misc.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/arch/x86/boot/compressed/misc.c b/arch/x86/boot/compressed/misc.c index a0838ab..c14217c 100644 --- a/arch/x86/boot/compressed/misc.c +++ b/arch/x86/boot/compressed/misc.c @@ -116,8 +116,7 @@ void __putstr(const char *s) } } - if (boot_params->screen_info.orig_video_mode == 0 && - lines == 0 && cols == 0) + if (lines == 0 || cols == 0) return; x = boot_params->screen_info.orig_x; -- 2.3.1.dirty