Received: by 2002:a25:e74b:0:0:0:0:0 with SMTP id e72csp53158ybh;
        Tue, 14 Jul 2020 17:40:04 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxaDZaN+j9K9Bmhcm0lkS3YandReDMCULAHK/p/9d8/og7ZNVDELcwtE40UI64m3vEqT2Gb
X-Received: by 2002:a17:906:fcba:: with SMTP id qw26mr6818447ejb.112.1594773604659;
        Tue, 14 Jul 2020 17:40:04 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1594773604; cv=none;
        d=google.com; s=arc-20160816;
        b=I3zXE2tIZako9nvdl993r15BXb4N0DSP76qd9aJdyuG67j5x/morrVntU0ShKhZyxH
         h/9OfoOKPoeDyIvi+ZzfynBw+v/JIEanFYNkasFvwgYG9XOGVCXry7fLs7rqxKh3C8eN
         scr7rnQ6dvf4wI1esyOMevlOAuwgaxbMRspzOwLDnSlurnrloN32XdJt95FKVcVOzlgN
         Qbm+aMNhKZZXT57bqzPpZOhVBOvc6aVTMbaOnWDWyYnSBfN2LgAF0RmOd6T2WaUGMCRW
         to3qpv+AqbcPOd3tKKx8uOlmGNpPMkmM2SdsbOkxpMr24AVUTXNErtoKgKYNg3cLWPXu
         /u8Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:cc:to:subject;
        bh=uee8lJTanTXis5Ixi5j6TtxXuRj1QHwm3OwLiK9/VgE=;
        b=nsch/fvF9qxsBV73jcc9dCPqLVCmZUannA8swUFDasB6wDQhkl+Djfd1xau92ms8bH
         XiPMSPm0wsKR++NeNBHI3sd0aOR+azeYip3sZCk+i+fANurzMwBsoTNVX74GOgkFsoH8
         eiGMb49CVoEK71nNsONV+QDOQdEGoWgFAwco2pD84oZfJDK48hcC60g1yXGtEZ2MB8M9
         JzwoUFFRTgDKsLW/OVO8t72wBaJjalBurrV4W4FR2zJSf4lkuDlHnT80BAl14LauHmks
         vbNvWa0wuSvSSUx+YRbmhVIOgLFGt+944p8+VFassXQaa4uUktJgAAem5KYmwAYrBHT2
         j3XQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id u9si229599ejf.344.2020.07.14.17.39.42;
        Tue, 14 Jul 2020 17:40:04 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726863AbgGOAYL (ORCPT <rfc822;1990.zhangzhen@gmail.com>
        + 99 others); Tue, 14 Jul 2020 20:24:11 -0400
Received: from www262.sakura.ne.jp ([202.181.97.72]:53878 "EHLO
        www262.sakura.ne.jp" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726142AbgGOAYL (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 14 Jul 2020 20:24:11 -0400
Received: from fsav401.sakura.ne.jp (fsav401.sakura.ne.jp [133.242.250.100])
        by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTP id 06F0O9m6009533;
        Wed, 15 Jul 2020 09:24:09 +0900 (JST)
        (envelope-from penguin-kernel@i-love.sakura.ne.jp)
Received: from www262.sakura.ne.jp (202.181.97.72)
 by fsav401.sakura.ne.jp (F-Secure/fsigk_smtp/550/fsav401.sakura.ne.jp);
 Wed, 15 Jul 2020 09:24:09 +0900 (JST)
X-Virus-Status: clean(F-Secure/fsigk_smtp/550/fsav401.sakura.ne.jp)
Received: from [192.168.1.9] (M106072142033.v4.enabler.ne.jp [106.72.142.33])
        (authenticated bits=0)
        by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTPSA id 06F0O80A009529
        (version=TLSv1.2 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
        Wed, 15 Jul 2020 09:24:09 +0900 (JST)
        (envelope-from penguin-kernel@i-love.sakura.ne.jp)
Subject: Re: [PATCH] fbdev: Detect integer underflow at "struct
 fbcon_ops"->clear_margins.
To:     George Kennedy <george.kennedy@oracle.com>,
        Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Jiri Slaby <jslaby@suse.com>, linux-fbdev@vger.kernel.org,
        dri-devel@lists.freedesktop.org,
        Dmitry Vyukov <dvyukov@google.com>,
        linux-kernel@vger.kernel.org,
        Dan Carpenter <dan.carpenter@oracle.com>
References: <189fc902-db7c-9886-cc31-c0348435303a@i-love.sakura.ne.jp>
 <20200712111013.11881-1-penguin-kernel@I-love.SAKURA.ne.jp>
 <20200712111013.11881-2-penguin-kernel@I-love.SAKURA.ne.jp>
 <CGME20200714072231eucas1p17c53f0a661346ebfd316ebd5796ca346@eucas1p1.samsung.com>
 <db4b3346-b9f8-a428-1445-1fcbd8521e1d@samsung.com>
 <e00078d1-e5fb-a019-3036-cb182ed2e40b@i-love.sakura.ne.jp>
 <c5bf6d5c-8d0a-8df5-2a11-38bf37a11d67@oracle.com>
From:   Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Message-ID: <a2433659-4f95-d508-11de-8273fd2b6632@i-love.sakura.ne.jp>
Date:   Wed, 15 Jul 2020 09:24:06 +0900
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:68.0) Gecko/20100101
 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <c5bf6d5c-8d0a-8df5-2a11-38bf37a11d67@oracle.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2020/07/15 2:15, George Kennedy wrote:
> Can you try the a.out built from the original Syzkaller modified repro C program? It walks 0-7 through xres and yres of the fb_var_screeninfo struct.

I'm not familiar with exploit code. What do you want to explain via this program?

>   struct fb_var_screeninfo *varp = (struct fb_var_screeninfo *)0x200001c0;
>   struct fb_var_screeninfo *starting_varp = malloc(sizeof(struct fb_var_screeninfo *));

>     memcpy(starting_varp, varp, sizeof(struct fb_var_screeninfo));

>             memcpy(varp, starting_varp, sizeof(struct fb_var_screeninfo));

At least, I suspect there is a memory corruption bug in this program
because of malloc()ing only sizeof(struct fb_var_screeninfo *) bytes.