Subject: Re: [PATCH v2] fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
To: Greg Kroah-Hartman, Daniel Vetter
Cc: Tetsuo Handa, Dan Carpenter, Linux Fbdev development list, syzbot, Linux Kernel Mailing List, dri-devel, George Kennedy, Jiri Slaby, Dmitry Vyukov
From: Bartlomiej Zolnierkiewicz
Date: Fri, 24 Jul 2020 10:28:56 +0200
X-Mailing-List: linux-kernel@vger.kernel.org

On 7/23/20 4:21 PM, Greg Kroah-Hartman wrote:
> On Wed, Jul 22, 2020 at 10:07:06AM +0200, Daniel Vetter wrote:
>> On Tue, Jul 21, 2020 at 6:08 PM Greg Kroah-Hartman wrote:
>>>
>>> On Thu, Jul 16, 2020 at 08:27:21PM +0900, Tetsuo Handa wrote:
>>>> On 2020/07/16 19:00, Daniel Vetter wrote:
>>>>> On Thu, Jul 16, 2020 at 12:29:00AM +0900, Tetsuo Handa wrote:
>>>>>> On 2020/07/16 0:12, Dan Carpenter wrote:
>>>>>>> I've complained about integer overflows in fbdev for a long time...
>>>>>>>
>>>>>>> What I'd like to see is something like the following maybe. I don't
>>>>>>> know how to get the vc_data in fbmem.c so it doesn't include your checks
>>>>>>> for negative.
>>>>>>
>>>>>> Yes. Like I said "Thus, I consider that we need more sanity/constraints checks." at
>>>>>> https://lore.kernel.org/lkml/b1e7dd6a-fc22-bba8-0abb-d3e779329bce@i-love.sakura.ne.jp/ ,
>>>>>> we want basic checks. That's a task for fbdev people who should be familiar with
>>>>>> necessary constraints.
>>>>>
>>>>> I think the worldwide supply of people who understand fbdev and willing to
>>>>> work on it is roughly 0. So if someone wants to fix this mess properly
>>>>> (which likely means adding tons of over/underflow checks at entry points,
>>>>> since you're never going to catch the driver bugs, there's too many and
>>>>> not enough people who care) they need to fix this themselves.
>>>>
>>>> But I think we can enforce reasonable constraint which is much stricter than Dan's basic_checks()
>>>> (which used INT_MAX). For example, do we need to accept var->{xres,yres} >= 1048576, for
>>>> "32768 rows or cols" * "32 pixels per character" = 1045876 and vc_do_resize() accepts only
>>>> rows and cols < 32768 ?
>>>>
>>>>>
>>>>> Just to avoid confusion here.
>>>>>
>>>>>> Anyway, my two patches are small and low cost; can we apply these patches regardless
>>>>>> of basic checks?
>>>>>
>>>>> Which two patches where?
>>>>
>>>> [PATCH v3] vt: Reject zero-sized screen buffer size.
>>>> from https://lkml.kernel.org/r/20200712111013.11881-1-penguin-kernel@I-love.SAKURA.ne.jp
>>>
>>> This is now in my tree.
>>>
>>>> [PATCH v2] fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
>>>> from https://lkml.kernel.org/r/20200715015102.3814-1-penguin-kernel@I-love.SAKURA.ne.jp
>>>
>>> That should be taken by the fbdev maintainer, but I can take it too if
>>> people want.
>>
>> Just missed this week's pull request train and feeling like not worth
>> making this an exception (it's been broken forever after all), so
>> maybe best if you just add this to vt.
>>
>> Acked-by: Daniel Vetter
>>
>> Also this avoids the impression I know what's going on in fbdev code,
>> maybe with sufficient abandon from my side someone will pop up who
>> cares and fixes the bazillion of syzkaller issues we seem to have
>> around console/vt and everything related.
>
> Great, will go queue it up now, thanks!

Fine with me, thanks!

PS I'll later queue the patch from George to drm-misc-next (after reading
both fbdev patches in detail it seems that both are needed).

Best regards,
--
Bartlomiej Zolnierkiewicz
Samsung R&D Institute Poland
Samsung Electronics