Received: by 2002:a25:31c3:0:0:0:0:0 with SMTP id x186csp544396ybx;
        Tue, 5 Nov 2019 01:34:21 -0800 (PST)
X-Google-Smtp-Source: APXvYqwBppi2E6NfP25cORvzNhDSM0qCUhT1xI5K0x5RcemGe4zHWr+DfZyVKFQCCcXGq6P7Rltb
X-Received: by 2002:a50:a695:: with SMTP id e21mr34739730edc.39.1572946461191;
        Tue, 05 Nov 2019 01:34:21 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1572946461; cv=none;
        d=google.com; s=arc-20160816;
        b=SPqdrCNSN6Bvo93bYdZjQgPe2BriwW2e9VuxHcVmp+mMVYWPCpiaOd4QoHMSnHbnTj
         KNybCTd+rbnRVmms+C+Rc+i6BbUh15/KHAfkurblY1s0/YU9xywA5KxL5ravuq9JfKGb
         9FpZeod+fVEWdMUKJ2VskVDa/Cj4/yatukOzHo2EZXRj1nOCx0/tMo5vlPOahOnZRUHY
         G0Zjz+m4ZswMM2DMMjlQ6Xku7SuWTS4G2AVm2mC8SSXG+CpPsLTui7UcF0bhPvmxUHZR
         IsE8u5x33WqWIHyo/ZLycMzrh0Hfsu9evvY3GSad3ht4iGUJacs+rAIxlir8N1fqGlzl
         J9Mw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :message-id:in-reply-to:subject:cc:to:from:date:dkim-signature
         :dkim-signature;
        bh=TRgDZeXg+jIrCUxIjL6lAFolq3MtL/aUOUMTAldOclI=;
        b=w2fcIFynimiLys5Gs699fftw0kkl54dfMTnKbzDVx/RF0AqTsU9TXBg3BTpf2lLovR
         /FmWIxXpiJzgCPPeN/XrPDSrT1Wltg08pDuDtPYSvMBZ4wyyxn7/psYtreLyP3DVioiR
         IzJQC7ZnSvcOIQ+3I5TMt4zRvvMaAvTHvjn0rYYjFXJrETidzH7Ip7w8Jxt/2Ek8n0l8
         1IkGfV4P6OjAwo2SJ8e8jOSvN3JRUK0teHMqMPKqUROKvLH/R51BHAQuuLt6qh8TdE6c
         7xaTiUZ6ZeF9dHzoQ3LHt/2MJGQxv8rCXnhlRyYMUsSo8gjlrZUDyUMA7V8ZNg+eejDh
         wSdQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@pobox.com header.s=sasl header.b="TGd/Jq0h";
       dkim=temperror (no key for signature) header.i=@fluxnic.net header.s=2016-12.pbsmtp header.b=VHxL22Xp;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id rv3si477733ejb.249.2019.11.05.01.33.57;
        Tue, 05 Nov 2019 01:34:21 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@pobox.com header.s=sasl header.b="TGd/Jq0h";
       dkim=temperror (no key for signature) header.i=@fluxnic.net header.s=2016-12.pbsmtp header.b=VHxL22Xp;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730583AbfKEJdV (ORCPT <rfc822;zhangckid@gmail.com> + 99 others);
        Tue, 5 Nov 2019 04:33:21 -0500
Received: from pb-smtp1.pobox.com ([64.147.108.70]:50913 "EHLO
        pb-smtp1.pobox.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1729171AbfKEJdV (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 5 Nov 2019 04:33:21 -0500
Received: from pb-smtp1.pobox.com (unknown [127.0.0.1])
        by pb-smtp1.pobox.com (Postfix) with ESMTP id C368923272;
        Tue,  5 Nov 2019 04:33:18 -0500 (EST)
        (envelope-from nico@fluxnic.net)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=date:from:to
        :cc:subject:in-reply-to:message-id:references:mime-version
        :content-type; s=sasl; bh=UI3sGkR+m+FxKVkxeX7FyuZcwwk=; b=TGd/Jq
        0hG6Tm9Z110b9Fn4OhNBW9OcNWFWLg1l3dBkZ0flDHj5679dAsgA4hjmINTbxADH
        D19cWQk0Y+r4gFs4/Vapf0SlyJ3eAAcATGDMobGEmHz0WElLtpQbKbbayKvim7gR
        ug8nIZtRn8M59sssaRexvGyjDR4fQTBLOLbx0=
Received: from pb-smtp1.nyi.icgroup.com (unknown [127.0.0.1])
        by pb-smtp1.pobox.com (Postfix) with ESMTP id B8B5123270;
        Tue,  5 Nov 2019 04:33:18 -0500 (EST)
        (envelope-from nico@fluxnic.net)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=fluxnic.net;
 h=date:from:to:cc:subject:in-reply-to:message-id:references:mime-version:content-type; s=2016-12.pbsmtp; bh=zQ0sgijWpvq8TVQaO2Q8qgIXrldRTox7VuE3XUJ16aM=; b=VHxL22XpDsujIBPRyVYXAZxo/kJoRymv7PtQAIYqRQcDRfaL2EEQJZhv0fNLULJuCbA+4NMoP5+JxaBacrUIwwvy9QnTkfe1phraR+WzfPqqA9VE1euHA/84OIjQWuYGPQBnN/CRkOBa/rnZL+7I5IugtjZo/wzGn+dfZBziYn8=
Received: from yoda.home (unknown [24.203.50.76])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by pb-smtp1.pobox.com (Postfix) with ESMTPSA id E14B42326F;
        Tue,  5 Nov 2019 04:33:17 -0500 (EST)
        (envelope-from nico@fluxnic.net)
Received: from xanadu.home (xanadu.home [192.168.2.2])
        by yoda.home (Postfix) with ESMTPSA id 10ABF2DA01C8;
        Tue,  5 Nov 2019 04:33:17 -0500 (EST)
Date:   Tue, 5 Nov 2019 10:33:16 +0100 (CET)
From:   Nicolas Pitre <nico@fluxnic.net>
To:     Jiri Slaby <jslaby@suse.com>
cc:     Or Cohen <orcohen@paloaltonetworks.com>,
        Greg KH <gregkh@linuxfoundation.org>, textshell@uchuujin.de,
        Daniel Vetter <daniel.vetter@ffwll.ch>, sam@ravnborg.org,
        mpatocka@redhat.com, ghalat@redhat.com,
        linux-kernel@vger.kernel.org, jwilk@jwilk.net,
        Nadav Markus <nmarkus@paloaltonetworks.com>,
        syzkaller@googlegroups.com
Subject: Re: Bug report - slab-out-of-bounds in vcs_scr_readw
In-Reply-To: <a0550a96-a7db-60d7-c4ac-86be8c8dd275@suse.com>
Message-ID: <nycvar.YSQ.7.76.1911051030580.30289@knanqh.ubzr>
References: <CAM6JnLeEnvjjQPyLeh+8dt5wGNud_vks5k_eXJZy2T1H7ao=hQ@mail.gmail.com> <20191104152428.GA2252441@kroah.com> <nycvar.YSQ.7.76.1911041648280.30289@knanqh.ubzr> <CAM6JnLdrzCPOYyfTdmriFo7cRaGM4p2OEPd_0MHa3_WemamffA@mail.gmail.com>
 <nycvar.YSQ.7.76.1911041928030.30289@knanqh.ubzr> <c30fc539-68a8-65d7-226c-6f8e6fd8bdfb@suse.com> <CAM6JnLe88xf8hO0F=_Ni+irNt40+987tHmz9ZjppgxhnMnLxpw@mail.gmail.com> <a0550a96-a7db-60d7-c4ac-86be8c8dd275@suse.com>
User-Agent: Alpine 2.21 (LFD 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
X-Pobox-Relay-ID: 4C824268-FFAF-11E9-928C-C28CBED8090B-78420484!pb-smtp1.pobox.com
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, 5 Nov 2019, Jiri Slaby wrote:

> Because unicode uses 4 bytes. The issue is that there is no handling for
> unicode in vcs_write at all. (Compare with vcs_read.)

Exact.

----- >8

Subject: [PATCH] vcs: prevent write access to vcsu devices

Commit d21b0be246bf ("vt: introduce unicode mode for /dev/vcs") guarded
against using devices containing attributes as this is not yet
implemented. It however failed to guard against writes to any devices
as this is also unimplemented.

Signed-off-by: Nicolas Pitre <npitre@baylibre.com>
Cc: <stable@vger.kernel.org> # v4.19+

diff --git a/drivers/tty/vt/vc_screen.c b/drivers/tty/vt/vc_screen.c
index fa07d79027..ef19b95b73 100644
--- a/drivers/tty/vt/vc_screen.c
+++ b/drivers/tty/vt/vc_screen.c
@@ -456,6 +456,9 @@ vcs_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos)
 	size_t ret;
 	char *con_buf;
 
+	if (use_unicode(inode))
+		return -EOPNOTSUPP;
+
 	con_buf = (char *) __get_free_page(GFP_KERNEL);
 	if (!con_buf)
 		return -ENOMEM;