Subject: Re: [PATCH] fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
From: Tetsuo Handa
To: George Kennedy, Bartlomiej Zolnierkiewicz
Cc: Greg Kroah-Hartman, Jiri Slaby, linux-fbdev@vger.kernel.org, dri-devel@lists.freedesktop.org, Dmitry Vyukov, linux-kernel@vger.kernel.org, Dan Carpenter
Date: Wed, 15 Jul 2020 09:24:06 +0900
References: <189fc902-db7c-9886-cc31-c0348435303a@i-love.sakura.ne.jp> <20200712111013.11881-1-penguin-kernel@I-love.SAKURA.ne.jp> <20200712111013.11881-2-penguin-kernel@I-love.SAKURA.ne.jp>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2020/07/15 2:15, George Kennedy wrote:
> Can you try the a.out built from the original Syzkaller modified repro C program? It walks 0-7 through xres and yres of the fb_var_screeninfo struct.

I'm not familiar with exploit code. What do you want to explain via this program?

> struct fb_var_screeninfo *varp = (struct fb_var_screeninfo *)0x200001c0;
> struct fb_var_screeninfo *starting_varp = malloc(sizeof(struct fb_var_screeninfo *));
> memcpy(starting_varp, varp, sizeof(struct fb_var_screeninfo));
> memcpy(varp, starting_varp, sizeof(struct fb_var_screeninfo));

At least, I suspect there is a memory corruption bug in this program because of malloc()ing only sizeof(struct fb_var_screeninfo *) bytes.
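The allocation-size mismatch Tetsuo points at is a classic C defect: malloc() is sized from the pointer type (8 bytes on a 64-bit target) while memcpy() copies the whole structure, so the copy writes past the end of the heap block. The following is an added example, not code from this thread or from the reproducer under discussion; the struct is a constructed stand-in with the same kind of layout as the kernel's fb_var_screeninfo (the real definition lives in <linux/fb.h>), and the helper names are hypothetical. It computes how far the buggy copy would overrun, offers a generic fits-check, and shows the corrected idiom of sizing the allocation from the pointee rather than the pointer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for struct fb_var_screeninfo; only its size matters here. */
struct fb_var_screeninfo_like {
    uint32_t xres, yres, xres_virtual, yres_virtual, xoffset, yoffset;
    uint32_t bits_per_pixel;
    uint32_t reserved[33];   /* pad the struct well beyond pointer size */
};

/* Bytes the buggy malloc(sizeof(struct T *)) actually provides. */
size_t buggy_alloc_size(void)
{
    return sizeof(struct fb_var_screeninfo_like *);
}

/* Bytes memcpy(..., sizeof(struct T)) actually writes. */
size_t copy_size(void)
{
    return sizeof(struct fb_var_screeninfo_like);
}

/* Generic check: does a copy of n bytes fit in a block of alloc bytes?
 * Returns 1 if it fits, 0 if it would overrun the allocation. */
int copy_fits(size_t alloc, size_t n)
{
    return n <= alloc;
}

/* How many bytes past the end of the heap block the buggy pattern writes. */
size_t overflow_bytes(void)
{
    size_t alloc = buggy_alloc_size(), n = copy_size();
    return copy_fits(alloc, n) ? 0 : n - alloc;
}

/* Corrected idiom: size the allocation and the copy from the pointee (*copy),
 * so both expressions stay in sync even if the struct definition changes. */
struct fb_var_screeninfo_like *snapshot_var(const struct fb_var_screeninfo_like *src)
{
    struct fb_var_screeninfo_like *copy = malloc(sizeof(*copy));
    if (copy == NULL)
        return NULL;
    memcpy(copy, src, sizeof(*copy));
    return copy;
}
```

Compilers do not diagnose sizeof(T *) versus sizeof(T) on their own; in practice this class of bug is caught by AddressSanitizer or a heap-hardened allocator at the first oversized memcpy, which is why a reproducer built this way can corrupt its own heap before it ever reaches the kernel path being tested.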