Subject: Re: Bug report - slab-out-of-bounds in vcs_scr_readw
To: Nicolas Pitre, Or Cohen
Cc: Greg KH, textshell@uchuujin.de, Daniel Vetter, sam@ravnborg.org, mpatocka@redhat.com, ghalat@redhat.com, linux-kernel@vger.kernel.org, jwilk@jwilk.net, Nadav Markus, syzkaller@googlegroups.com
References: <20191104152428.GA2252441@kroah.com>
From: Jiri Slaby
Date: Tue, 5 Nov 2019 07:54:21 +0100
X-Mailing-List: linux-kernel@vger.kernel.org

On 04. 11. 19, 19:33, Nicolas Pitre wrote:
> On Mon, 4 Nov 2019, Or Cohen wrote:
>
>> @gregkh@linuxfoundation.org @nico@fluxnic.net - Thanks for the quick response.
>> @gregkh@linuxfoundation.org - Regarding your question, I don't think
>> the 1 byte buffer is related to the problem. ( it just was there in
>> the initial reproducer the fuzzer created, and I forgot to remove it
>> while reducing code from the reproducer ).
>
> I think I know what the problem is. I have no time to test it though.
> > Please try this (untested) patch. Also please try running the same test > code but with vcsa6 in addition to vcsu6 to be sure. > > ---------- >8 > Subject: [PATCH] vcs: add missing validation on vcs_size() returned value > > One usage instance didn't account for the fact that vcs_size() may > return a negative error code. > > Signed-off-by: Nicolas Pitre > > diff --git a/drivers/tty/vt/vc_screen.c b/drivers/tty/vt/vc_screen.c > index 1f042346e7..fa07d79027 100644 > --- a/drivers/tty/vt/vc_screen.c > +++ b/drivers/tty/vt/vc_screen.c > @@ -474,6 +474,10 @@ vcs_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos) > goto unlock_out; > > size = vcs_size(inode); > + if (size < 0) { > + ret = size; > + goto unlock_out; > + } > ret = -EINVAL; > if (pos < 0 || pos > size) > goto unlock_out; pos must be >= 0, so "pos > size" would catch this case as a side effect, or am I missing something? That being said, the patch is correct, but won't fix the issue IMO. thanks, -- js suse labs
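Review bot: the added `if (size < 0)` check in vcs_write() does not change control flow, only the errno: as the context lines show, `ret = -EINVAL; if (pos < 0 || pos > size) goto unlock_out;` already sends a negative size to unlock_out for every non-negative pos, so the new block only turns a misleading -EINVAL into the error code that vcs_size() actually returned. That is a worthwhile correctness fix and the commit message should say so, but it is not by itself a fix for the reported slab-out-of-bounds in vcs_scr_readw(), which is on the read path and is not touched by this hunk. Since the message says "one usage instance didn't account for" the negative return, the remaining vcs_size() callers, and the read path named in the bug report in particular, need the same review before this is presented as the fix; the note about retesting with vcsa6 as well as vcsu6 should go into the commit message too, so the tested configurations are recorded.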