From: Nicolas Pitre
To: Greg Kroah-Hartman
Cc: Kees Cook, Geert Uytterhoeven, Adam Borowski, Dave Mielke, Samuel Thibault, linux-kernel@vger.kernel.org, linux-console@vger.kernel.org
Subject: [PATCH 1/3] vt: avoid a VLA in the unicode screen scroll function
Date: Tue, 17 Jul 2018 21:02:40 -0400
Message-Id: <20180718010242.5254-2-nicolas.pitre@linaro.org>
In-Reply-To: <20180718010242.5254-1-nicolas.pitre@linaro.org>
References: <20180718010242.5254-1-nicolas.pitre@linaro.org>

The nr argument is typically small: most often nr == 1. However this could be abused with a very large explicit scroll in a resized screen. Make the code scroll lines one at a time in all cases to avoid the VLA. Anything smarter is most likely not warranted here.

Requested-by: Kees Cook
Signed-off-by: Nicolas Pitre

--- drivers/tty/vt/vt.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c index 2d14bb195d..03e79f7787 100644 --- a/drivers/tty/vt/vt.c +++ b/drivers/tty/vt/vt.c 
@@ -433,20 +433,22 @@ static void vc_uniscr_scroll(struct vc_data *vc, unsigned int t, unsigned int b, if (uniscr) { unsigned int s, d, rescue, clear; - char32_t *save[nr]; s = clear = t; - d = t + nr; - rescue = b - nr; + d = t + 1; + rescue = b - 1; if (dir == SM_UP) { swap(s, d); swap(clear, rescue); } - memcpy(save, uniscr->lines + rescue, nr * sizeof(*save)); - memmove(uniscr->lines + d, uniscr->lines + s, - (b - t - nr) * sizeof(*uniscr->lines)); - memcpy(uniscr->lines + clear, save, nr * sizeof(*save)); - vc_uniscr_clear_lines(vc, clear, nr); + while (nr--) { + char32_t *tmp; + tmp = uniscr->lines[rescue]; + memmove(uniscr->lines + d, uniscr->lines + s, + (b - t - 1) * sizeof(*uniscr->lines)); + uniscr->lines[clear] = tmp; + vc_uniscr_clear_lines(vc, clear, 1); + } } } -- 2.17.1
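
Review bot: the new "while (nr--)" loop in vc_uniscr_scroll() still relies on preconditions that nothing in this hunk checks or documents. The memmove length "(b - t - 1) * sizeof(*uniscr->lines)" and the index "rescue = b - 1" both assume t < b, and all of these are unsigned int, so b == t would wrap the length to a huge value. Removing "char32_t *save[nr]" takes away the stack exposure the commit message describes, but an unbounded nr now costs nr full memmoves of the region instead. Each pass clears one line and shifts the rest by one, so once nr reaches b - t every line in the region has been cleared and further passes change nothing. Suggest either clamping nr to b - t before the loop, or adding a one-line comment above it stating that the caller guarantees t < b and a bounded nr, so the invariant is visible at the point where it matters.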