Received: by 2002:a25:31c3:0:0:0:0:0 with SMTP id x186csp617511ybx;
        Tue, 5 Nov 2019 02:54:26 -0800 (PST)
X-Google-Smtp-Source: APXvYqzT5ZMU+qqBdX5uc6VR04kP3StHWnFU6EVGzuAWlLO7ZgPmUdpATaVAuhmkD/ve/N9Z40gY
X-Received: by 2002:a17:906:298f:: with SMTP id x15mr28504963eje.50.1572951266157;
        Tue, 05 Nov 2019 02:54:26 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1572951266; cv=none;
        d=google.com; s=arc-20160816;
        b=B3qx7buKwaw/zfGdvalRecgT2nnpk6IPTx7VzhkwC1GqodhISrT0Hwv3cIUuc5kOOD
         FvZ1tqzWnMsk6NZ8mm+RwQ9th8QQXLaZwmX2GGKIqZ9NqOJr4Ck5ELurgS+Qr5vwSe5V
         7GImRGIDul2i+W4L43k6+n7yYVieE9FnWtn/L3BE/HpwEpaDMLLhwf3BHOqzmP6sNqNL
         RnbIvm9ylrkKqt6FAs36Z/Xb+Ac9MS+4TXO4Pybb5gC5DQUkZNNMvrG7NiDVGw0xyd33
         9NaK/F3fmWkKGlaLyHEXKUzNh4LlnFnr6VnRoRReLycas67sbKCQEA/jJpsLu4WfIwz0
         SEmQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=t/XhLmGtV4oGELxdQt2dJ/sVCPl5OR9PVnJcsPBnlMo=;
        b=MKguvrlk+M527Fkfx45n6KikF8LBKbJbfME7Qlsl52aERH7m+BIiEJLo0kJ16aY17C
         9b5hShK0xJzJiZrr1Ecoo+pl8p5FDlDDj3qFWnQKGTpDoZQ65nh3mjv1R5Xx6sHWOAB5
         ZYTh79jS/hIIYxILkRcV5DG0EVeI2642vlflM+JIGdG3F42LLl9yAG3a6N0CakkdGcPs
         vCUTIAK4HODrIpTSaTr+SvyvtIzRdN6LxwzR8jyduxh5ppnGZd/aoqj5bZE1qx4sQqdD
         F9MusZc4OJoTpYGYWkEoEKDHxKCCFDvGc/aGLwAqWFD8YByUYfB93mKhlfybzURTZKqS
         19iw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=ICvIG+0H;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id w2si13037407ejv.227.2019.11.05.02.54.02;
        Tue, 05 Nov 2019 02:54:26 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=ICvIG+0H;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2388678AbfKEKxc (ORCPT <rfc822;zhangckid@gmail.com> + 99 others);
        Tue, 5 Nov 2019 05:53:32 -0500
Received: from mail-qt1-f193.google.com ([209.85.160.193]:32963 "EHLO
        mail-qt1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726867AbfKEKxc (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 5 Nov 2019 05:53:32 -0500
Received: by mail-qt1-f193.google.com with SMTP id y39so28743418qty.0
        for <linux-kernel@vger.kernel.org>; Tue, 05 Nov 2019 02:53:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=t/XhLmGtV4oGELxdQt2dJ/sVCPl5OR9PVnJcsPBnlMo=;
        b=ICvIG+0H28QhrcijQJct7LH43SjJnbvZts6U/LC/pjtvTR3hAEmw7dlsuVdTrncHqk
         EvKztIKEZ5A8QX+j2c0n6+QQiJGwI/lVhGReT1+TvlsEYwcq5SGU/qiC1TSw1oBtqREy
         QuhgCnZuEx6S14Z4Hrd+aimUvax9AAfsmgUuh8fC4NeuOFQPPFIcFcM6Mi5LaUy8unnq
         NvrDfxLp8iYwJTls/hBdJaigSDGTONt9EZU1l2+K6vp/78Q9M7TPiTfPEuSnA/g2XFX6
         Zx/yiBFp8Ovum4fmE/C7ymog+6YKqmIeg5jc1pHmn0NVonNP/j6YC8EyOsasq29nUSqf
         7i5A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=t/XhLmGtV4oGELxdQt2dJ/sVCPl5OR9PVnJcsPBnlMo=;
        b=gurEX88Yh6/ZoIxEFK1ObJATc00gkZPFyIgrTnwPK/2S0jef3cfhcbwpZXFULgB2Xy
         BNTSZcZkc9Ws3EPAdMN4BwD3F293qKzNcI5GXH2mVwaDOFFwAQKWoFgPXCNPyH4NrMTE
         TYoqkbQeE64AHMUKep1N4uYKwfRz0ppU1Ox6d67Qq3djQXkvwCpX4OlbJ+61b/rz2M3r
         w+/HNpypi8N8V+E8Qc/tLucyVUGB4bviu6KO9DPp9dVJaLsKF+vl0uAY4A6fOszIhRTD
         ecUw+zdEP+Y5wDvn1+MIn1r5Mdx3VEcTkj5bkhM7gpOOdUyMQSTO64u4Lq9Qf7+2nkn7
         FhRQ==
X-Gm-Message-State: APjAAAX41NugCGnGZyrmOuh1fwJ3CG0ONf6dNfARVuzaVvH4XmH93D8V
        RtA5TuTWpgvbdZ984miHZ6m6PrUcCelfwU1oLmbyRw==
X-Received: by 2002:ac8:5514:: with SMTP id j20mr16512390qtq.257.1572951210377;
 Tue, 05 Nov 2019 02:53:30 -0800 (PST)
MIME-Version: 1.0
References: <CAM6JnLeEnvjjQPyLeh+8dt5wGNud_vks5k_eXJZy2T1H7ao=hQ@mail.gmail.com>
 <20191104152428.GA2252441@kroah.com> <nycvar.YSQ.7.76.1911041648280.30289@knanqh.ubzr>
 <CAM6JnLdrzCPOYyfTdmriFo7cRaGM4p2OEPd_0MHa3_WemamffA@mail.gmail.com>
 <nycvar.YSQ.7.76.1911041928030.30289@knanqh.ubzr> <c30fc539-68a8-65d7-226c-6f8e6fd8bdfb@suse.com>
 <CAM6JnLe88xf8hO0F=_Ni+irNt40+987tHmz9ZjppgxhnMnLxpw@mail.gmail.com>
 <a0550a96-a7db-60d7-c4ac-86be8c8dd275@suse.com> <nycvar.YSQ.7.76.1911051030580.30289@knanqh.ubzr>
 <fb1744cd-2680-1459-16de-8d6a4afd666d@suse.com>
In-Reply-To: <fb1744cd-2680-1459-16de-8d6a4afd666d@suse.com>
From:   Dmitry Vyukov <dvyukov@google.com>
Date:   Tue, 5 Nov 2019 11:53:18 +0100
Message-ID: <CACT4Y+bw_fuhC0q2Wb0K=+z9p_E+apZr9h7_+HWOhAe6_g7KgQ@mail.gmail.com>
Subject: Re: Bug report - slab-out-of-bounds in vcs_scr_readw
To:     Jiri Slaby <jslaby@suse.com>
Cc:     Nicolas Pitre <nico@fluxnic.net>,
        Or Cohen <orcohen@paloaltonetworks.com>,
        Greg KH <gregkh@linuxfoundation.org>, textshell@uchuujin.de,
        Daniel Vetter <daniel.vetter@ffwll.ch>,
        Sam Ravnborg <sam@ravnborg.org>, mpatocka@redhat.com,
        ghalat@redhat.com, LKML <linux-kernel@vger.kernel.org>,
        jwilk@jwilk.net, Nadav Markus <nmarkus@paloaltonetworks.com>,
        syzkaller <syzkaller@googlegroups.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Nov 5, 2019 at 11:29 AM Jiri Slaby <jslaby@suse.com> wrote:
>
> On 05. 11. 19, 10:33, Nicolas Pitre wrote:
> > Subject: [PATCH] vcs: prevent write access to vcsu devices
> >
> > Commit d21b0be246bf ("vt: introduce unicode mode for /dev/vcs") guarded
> > against using devices containing attributes as this is not yet
> > implemented. It however failed to guard against writes to any devices
> > as this is also unimplemented.
> >
> > Signed-off-by: Nicolas Pitre <npitre@baylibre.com>
> > Cc: <stable@vger.kernel.org> # v4.19+
> >
> > diff --git a/drivers/tty/vt/vc_screen.c b/drivers/tty/vt/vc_screen.c
> > index fa07d79027..ef19b95b73 100644
> > --- a/drivers/tty/vt/vc_screen.c
> > +++ b/drivers/tty/vt/vc_screen.c
> > @@ -456,6 +456,9 @@ vcs_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos)
> >       size_t ret;
> >       char *con_buf;
> >
> > +     if (use_unicode(inode))
> > +             return -EOPNOTSUPP;
>
> Looks good to me. I am also thinking about a ban directly in open:
>
> if (use_unicode(inode) && (filp->f_flags & O_ACCMODE) != O_RDONLY)
>   return -EOPNOTSUPP;
>
> Would that break the unicode users?


On a related note, syzbot seems to get very similar bug reports on
some downstream kernels (4.15):
KASAN: use-after-free Read in vcs_scr_readw
KASAN: use-after-free Write in vcs_scr_writew

but not on upstream. I wonder why. And if we are missing some good
config in upstream kernel or something. This all fuzzing is somewhat
random, so it might have just happened without particular reasons
(maybe it will discover it later). But wanted to check if there are
some low hanging fruits. Anything obviously missing in:
https://github.com/google/syzkaller/blob/master/dashboard/config/upstream-kasan.config
?