Received: by 2002:a25:31c3:0:0:0:0:0 with SMTP id x186csp4275423ybx; Mon, 4 Nov 2019 10:35:12 -0800 (PST) X-Google-Smtp-Source: APXvYqzQW0uuhL/8/5poSCV73XAkvGOEJJiyFsyDT12rAhxR0wc0GrNsEfqoMzxgiPI1vy+E29O8 X-Received: by 2002:aa7:c44a:: with SMTP id n10mr20418815edr.282.1572892512367; Mon, 04 Nov 2019 10:35:12 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1572892512; cv=none; d=google.com; s=arc-20160816; b=CoDX1WYGYKsDiOVjitVkaPCl79Ovf7HYPtlYmjSMMcJpqUvs5wJZe2rCLj1ADF2EpC xjfrOsx18BkWqOW1UZoICBCcUr3JBxmbtX0s4BMo/X18BmAr02XBs411QtRLOJ4XKX6l 940lMW6GrfBUtJQn2U71HcqhhwEXgM67Ox76HFcWqPqBM+B5gk+IQsVVfxOY/f0WXqOw 4B95pM1teLYxkUUK2jLvHdQ+fgdESwgwbyqqZPXa/uDzN5eZSkh/xqqVA1ncYOxBiJYp piVIoyGwo7qEdYzL1UtnrA4Ey8P37ifIlcdU4p34BVFsrp712cXRpBdyGDpb3xp84l+h +z6w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date:dkim-signature :dkim-signature; bh=ZFMN7D/V4oatEX+ou7eEFZN7pBINAjxZpSjNtjXEX/Y=; b=Ro3Q/MTYle2Ix6PzISiUblLGOey4f0FFSyixWEGj+TaIPtmdTvLsUYIhKp2WMGrAxi n7kvsfzOiwKv6XHyOvOoxnPQeb6xgd7kYQ1gVeAXqdrKkoSRrHAiMNxRlU4470oWsuc5 rCp/XG2h9vNdVB9dRl7osmGMMGvN4cUWWEE00BFnjaZ8vrebL9U5Sy2+pNQ9AXDZTZtR w99QSgq2soNqLO0Xp3TRll9q08OfKzm2bmsau5ZGcPJdR7X0/WeQqs726GXp+ZAtfKSq OLBX+KPSW9vd8TYU0t2FFDJ/0xmmte9mRI7FnsLNJTo4xMcEDXm4ID3suZ680sW+kDkH SWPg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@pobox.com header.s=sasl header.b=VooYNBPZ; dkim=temperror (no key for signature) header.i=@fluxnic.net header.s=2016-12.pbsmtp header.b=YljOLRyh; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b47si8791324edb.286.2019.11.04.10.34.49; Mon, 04 Nov 2019 10:35:12 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@pobox.com header.s=sasl header.b=VooYNBPZ; dkim=temperror (no key for signature) header.i=@fluxnic.net header.s=2016-12.pbsmtp header.b=YljOLRyh; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729434AbfKDSeB (ORCPT + 99 others); Mon, 4 Nov 2019 13:34:01 -0500 Received: from pb-smtp2.pobox.com ([64.147.108.71]:52880 "EHLO pb-smtp2.pobox.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727998AbfKDSeB (ORCPT ); Mon, 4 Nov 2019 13:34:01 -0500 Received: from pb-smtp2.pobox.com (unknown [127.0.0.1]) by pb-smtp2.pobox.com (Postfix) with ESMTP id B56C03E03C; Mon, 4 Nov 2019 13:33:58 -0500 (EST) (envelope-from nico@fluxnic.net) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=date:from:to :cc:subject:in-reply-to:message-id:references:mime-version :content-type; s=sasl; bh=e7PwpGAxLaK9hITw0k2+J0F+lgA=; b=VooYNB PZ41R4Uru+sbw9DVsoeNvJ7dB5upcYUp0d2bxO9/pYcpnnqTBJx4CzoQ2jFaGK0H Pef/38YS49LVDkmhlarklKr5F+dx1OMNGOJ69mII1aniev3p6lsNZ26wuJBAVbNd gjcQbKYlUH9MdUUUg/t4OUFMB9yAYw2xdHnIo= Received: from pb-smtp2.nyi.icgroup.com (unknown [127.0.0.1]) by pb-smtp2.pobox.com (Postfix) with ESMTP id AC3273E03B; Mon, 4 Nov 2019 13:33:58 -0500 (EST) (envelope-from nico@fluxnic.net) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=fluxnic.net; h=date:from:to:cc:subject:in-reply-to:message-id:references:mime-version:content-type; s=2016-12.pbsmtp; bh=hQNJPUfM0xyDSLDp5OyD+58Z145FE/Z/cw3WPuEF1CE=; b=YljOLRyhL1it1+4zUaIj9VyNrM0PEkwhiEbsehzIXtpIZsi74ItN6kJUuEptVK3HExhxl/inKpr1msmBUu/mb69BnavFdRa5886U5CrFNuiPVQioaUtYG4k7AO8CtIGN4teU8aATonPYq+tpE5/fFGGaxp7YGg3xyDwkEhzVWZs= Received: from yoda.home (unknown [24.203.50.76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pb-smtp2.pobox.com (Postfix) with ESMTPSA id 21DD23E03A; Mon, 4 Nov 2019 13:33:58 -0500 (EST) (envelope-from nico@fluxnic.net) Received: from xanadu.home (xanadu.home [192.168.2.2]) by yoda.home (Postfix) with ESMTPSA id 482EA2DA01A9; Mon, 4 Nov 2019 13:33:57 -0500 (EST) Date: Mon, 4 Nov 2019 19:33:57 +0100 (CET) From: Nicolas Pitre To: Or Cohen cc: Greg KH , jslaby@suse.com, textshell@uchuujin.de, Daniel Vetter , sam@ravnborg.org, mpatocka@redhat.com, ghalat@redhat.com, linux-kernel@vger.kernel.org, jwilk@jwilk.net, Nadav Markus , syzkaller@googlegroups.com Subject: Re: Bug report - slab-out-of-bounds in vcs_scr_readw In-Reply-To: Message-ID: References: <20191104152428.GA2252441@kroah.com> User-Agent: Alpine 2.21 (LFD 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII X-Pobox-Relay-ID: A9F8731E-FF31-11E9-9E0C-D1361DBA3BAF-78420484!pb-smtp2.pobox.com Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 4 Nov 2019, Or Cohen wrote: > @gregkh@linuxfoundation.org @nico@fluxnic.net - Thanks for the quick response. > @gregkh@linuxfoundation.org - Regarding your question, I don't think > the 1 byte buffer is related to the problem. ( it's just was there in > the initial reproducer the fuzzer created, and I forgot to remove it > while reducing code from the reproducer ). I think I know what the problem is. I have no time to test it though. Please try this (untested) patch. Also please try running the same test code but with vcsa6 in addition to vcsu6 to be sure. ---------- >8 Subject: [PATCH] vcs: add missing validation on vcs_size() returned value One usage instance didn't account for the fact that vcs_size() may return a negative error code. Signed-off-by: Nicolas Pitre diff --git a/drivers/tty/vt/vc_screen.c b/drivers/tty/vt/vc_screen.c index 1f042346e7..fa07d79027 100644 --- a/drivers/tty/vt/vc_screen.c +++ b/drivers/tty/vt/vc_screen.c @@ -474,6 +474,10 @@ vcs_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos) goto unlock_out; size = vcs_size(inode); + if (size < 0) { + ret = size; + goto unlock_out; + } ret = -EINVAL; if (pos < 0 || pos > size) goto unlock_out;