References: <20191104152428.GA2252441@kroah.com>
From: Dmitry Vyukov
Date: Tue, 5 Nov 2019 11:53:18 +0100
Subject: Re: Bug report - slab-out-of-bounds in vcs_scr_readw
To: Jiri Slaby
Cc: Nicolas Pitre, Or Cohen, Greg KH, textshell@uchuujin.de, Daniel Vetter, Sam Ravnborg, mpatocka@redhat.com, ghalat@redhat.com, LKML, jwilk@jwilk.net, Nadav Markus, syzkaller
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Nov 5, 2019 at 11:29 AM Jiri Slaby wrote:
>
> On 05. 11. 19, 10:33, Nicolas Pitre wrote:
> > Subject: [PATCH] vcs: prevent write access to vcsu devices
> >
> > Commit d21b0be246bf ("vt: introduce unicode mode for /dev/vcs") guarded
> > against using devices containing attributes as this is not yet
> > implemented. It however failed to guard against writes to any devices
> > as this is also unimplemented.
> >
> > Signed-off-by: Nicolas Pitre
> > Cc: # v4.19+
> >
> > diff --git a/drivers/tty/vt/vc_screen.c b/drivers/tty/vt/vc_screen.c
> > index fa07d79027..ef19b95b73 100644
> > --- a/drivers/tty/vt/vc_screen.c
> > +++ b/drivers/tty/vt/vc_screen.c
> > @@ -456,6 +456,9 @@ vcs_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos)
> >  	size_t ret;
> >  	char *con_buf;
> >
> > +	if (use_unicode(inode))
> > +		return -EOPNOTSUPP;
>
> Looks good to me. I am also thinking about a ban directly in open:
>
> 	if (use_unicode(inode) && (filp->f_flags & O_ACCMODE) != O_RDONLY)
> 		return -EOPNOTSUPP;
>
> Would that break the unicode users?

On a related note, syzbot seems to get very similar bug reports on some
downstream kernels (4.15):

KASAN: use-after-free Read in vcs_scr_readw
KASAN: use-after-free Write in vcs_scr_writew

but not on upstream. I wonder why. And whether we are missing some good
config in the upstream kernel or something. All this fuzzing is somewhat
random, so it might have just happened without particular reasons (maybe
it will discover it later). But wanted to check if there is some
low-hanging fruit. Anything obviously missing in:
https://github.com/google/syzkaller/blob/master/dashboard/config/upstream-kasan.config
?
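Review bot: the new guard in vcs_write reads a local `inode` that is not declared in the three context lines shown (`size_t ret;`, `char *con_buf;`), so it relies on vcs_write already deriving it above the hunk, for example via file_inode(file); worth confirming when applying, since the quote trims the trailing context and the `+456,9` header implies a third added line that is not visible here. Placing the check before any allocation or locking is the right spot: a write(2) on a unicode node is refused with -EOPNOTSUPP before any state is touched, consistent with the existing guard on attribute devices that the commit message cites. The open-time `(filp->f_flags & O_ACCMODE) != O_RDONLY` variant suggested in the reply would refuse the descriptor earlier; keeping this write-path check as well is cheap defence in depth and documents the unimplemented path at the point where it would otherwise be exercised.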
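The open-time check Jiri proposes above hinges on masking with O_ACCMODE. The following is an added example, not code from this thread or from the kernel tree: a userspace C model of that decision, placed beside a naive `flags & O_WRONLY` test that misses O_RDWR because on Linux O_RDWR is a distinct value (2), not a bit combination of O_RDONLY (0) and O_WRONLY (1). The function names are hypothetical.

```c
#include <fcntl.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of the open-time guard discussed in the thread: a
 * unicode (vcsu) node may only be opened read-only because writes are not
 * implemented. Mirrors (filp->f_flags & O_ACCMODE) != O_RDONLY, expressed
 * as "is this open permitted". */
static bool vcsu_open_permitted(int flags)
{
    /* O_ACCMODE isolates the access-mode field; other flags such as
     * O_NONBLOCK are irrelevant to the decision and must not disturb it. */
    return (flags & O_ACCMODE) == O_RDONLY;
}

/* Deliberately wrong variant kept for comparison: it tests a single bit.
 * Since O_RDWR & O_WRONLY == 0, a read-write open slips through. */
static bool vcsu_open_permitted_naive(int flags)
{
    return (flags & O_WRONLY) == 0;
}

/* Runs both variants over the three access modes (each combined with
 * O_NONBLOCK to show that unrelated flags do not matter) and returns how
 * many modes the naive check misclassifies against the ground truth
 * "only O_RDONLY is permitted". */
static int count_naive_misses(void)
{
    const int modes[] = { O_RDONLY, O_WRONLY, O_RDWR };
    int misses = 0;

    for (size_t i = 0; i < sizeof modes / sizeof modes[0]; i++) {
        bool want = (modes[i] == O_RDONLY);
        if (vcsu_open_permitted_naive(modes[i] | O_NONBLOCK) != want)
            misses++;
    }
    return misses;
}

int main(void)
{
    printf("O_RDWR | O_NONBLOCK -> correct: %d, naive: %d\n",
           vcsu_open_permitted(O_RDWR | O_NONBLOCK),
           vcsu_open_permitted_naive(O_RDWR | O_NONBLOCK));
    printf("naive check misclassifies %d of 3 access modes\n",
           count_naive_misses());
    return 0;
}
```

The point of the comparison is that an access-mode decision must compare the whole O_ACCMODE field, never probe one bit; the same reasoning applies to any driver that wants to refuse writable opens of a read-only-capable node.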