From: Tetsuo Handa
To: Greg Kroah-Hartman, Jiri Slaby
Cc: dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, Bartlomiej Zolnierkiewicz, Tetsuo Handa, syzbot
Subject: [PATCH] vt: Handle recursion in vc_do_resize().
Date: Wed, 29 Jul 2020 14:30:20 +0900
Message-Id: <1596000620-4075-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp>
X-Mailer: git-send-email 1.8.3.1
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

syzbot is reporting an OOB read bug in vc_do_resize() [1] caused by memcpy() based on outdated old_{rows,row_size} values, for resize_screen() can recurse into vc_do_resize(), which changes vc->vc_{cols,rows} and thereby outdates the old_{rows,row_size} values that were read before calling resize_screen().

A minimal fix might be to read vc->vc_{rows,size_row} after resize_screen(). A different fix might be to forbid recursive vc_do_resize() requests. I can't tell which fix is better. But since I guess that the new_cols == vc->vc_cols && new_rows == vc->vc_rows check could become true after returning from resize_screen(), and I assume that not calling clear_selection() when resize_screen() will return an error is harmless, let's redo the check by moving resize_screen() earlier.

[1] https://syzkaller.appspot.com/bug?id=c70c88cfd16dcf6e1d3c7f0ab8648b3144b5b25e

Reported-by: syzbot
Signed-off-by: Tetsuo Handa
---
 drivers/tty/vt/vt.c | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)

diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 42d8c67..952a067 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -1217,7 +1217,24 @@ static int vc_do_resize(struct tty_struct *tty, struct vc_data *vc, if (new_cols == vc->vc_cols && new_rows == vc->vc_rows) return 0; + if (new_screen_size > KMALLOC_MAX_SIZE || !new_screen_size) + return -EINVAL; + /* + * Since fbcon_resize() from resize_screen() can recurse into + * this function via fb_set_var(), handle recursion now. + */ + err = resize_screen(vc, new_cols, new_rows, user); + if (err) + return err; + /* Reload values in case recursion changed vc->vc_{cols,rows}. */ + new_cols = (cols ? cols : vc->vc_cols); + new_rows = (lines ? lines : vc->vc_rows); + new_row_size = new_cols << 1; + new_screen_size = new_row_size * new_rows; + + if (new_cols == vc->vc_cols && new_rows == vc->vc_rows) + return 0; if (new_screen_size > KMALLOC_MAX_SIZE || !new_screen_size) return -EINVAL; newscreen = kzalloc(new_screen_size, GFP_USER); @@ -1238,13 +1255,6 @@ static int vc_do_resize(struct tty_struct *tty, struct vc_data *vc, old_rows = vc->vc_rows; old_row_size = vc->vc_size_row; - err = resize_screen(vc, new_cols, new_rows, user); - if (err) { - kfree(newscreen); - vc_uniscr_free(new_uniscr); - return err; - } - vc->vc_rows = new_rows; vc->vc_cols = new_cols; vc->vc_size_row = new_row_size; -- 1.8.3.1
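Review bot: In the first hunk (@@ -1217), moving resize_screen() ahead of the kzalloc() of newscreen changes what an allocation failure leaves behind: resize_screen(), and through fbcon_resize()/fb_set_var() the framebuffer mode, now succeeds before the buffer that will back the new geometry exists, so an -ENOMEM from kzalloc() or from the new_uniscr allocation returns with the display resized but vc->vc_{rows,cols} and vc_screenbuf untouched. Before this patch the hardware was only resized once both allocations had succeeded. If that inconsistency is acceptable, say so in the commit message; otherwise keep resize_screen() after the allocations and instead re-read old_rows/old_row_size after it, which is the minimal fix the message mentions. Also, the `new_screen_size > KMALLOC_MAX_SIZE || !new_screen_size` check now appears twice in this hunk; the first copy validates the caller's values before resize_screen() has side effects and the second re-validates the reloaded ones, so a one-line comment on the first copy would stop a later cleanup from removing it as a duplicate.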
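Review bot: In the second hunk (@@ -1238,13), the removed block was the only cleanup of newscreen and new_uniscr on a resize_screen() failure; dropping it is correct only because the call now runs before both allocations, so please double-check that no other early return remains between kzalloc() and the `vc->vc_rows = new_rows` assignments that would now leak newscreen. The unchanged context lines `old_rows = vc->vc_rows;` and `old_row_size = vc->vc_size_row;` are now read after resize_screen() has returned, which is the actual fix for the stale-size memcpy; a short comment there stating that they must be read after resize_screen() would protect that ordering against a future reordering of the function.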
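The stale old_rows problem described in the commit message, modelled as an added user-space C example that is not part of this patch or of drivers/tty/vt/vt.c: struct vc, do_resize() and g_inner_rows are stand-ins for vc_data, vc_do_resize() and the re-entrant call from resize_screen(), and the copy is bounds-checked against the real allocation so the bug is reported instead of read out of bounds; fixed=false keeps the pre-patch order (geometry cached before the re-entrant call), fixed=true re-reads it afterwards, which is the effect of the patch's reordering.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed user-space model of vc_do_resize(); stand-in names, not kernel code. */
struct vc {
	unsigned int rows, cols;  /* stand-ins for vc->vc_rows / vc->vc_cols */
	unsigned char *screen;    /* stand-in for vc->vc_screenbuf */
	size_t screen_size;       /* true allocation size, used to detect an OOB copy */
};
static unsigned int g_inner_rows; /* rows the re-entrant call asks for; 0 = none */

/* 0 on success, -1 on resize/allocation failure, -2 if memcpy would read past vc->screen. */
static int do_resize(struct vc *vc, unsigned int rows, bool fixed)
{
	unsigned int old_rows = vc->rows, row_size = vc->cols * 2; /* cached before the hook */
	unsigned int inner = g_inner_rows;
	unsigned char *newscreen;
	size_t copy_bytes;

	/* Stand-in for resize_screen(): like fbcon_resize()->fb_set_var() it may re-enter. */
	g_inner_rows = 0;                        /* recurse at most once */
	if (inner && do_resize(vc, inner, fixed))
		return -1;
	if (fixed)           /* the fix: re-read after the hook, which may have resized vc */
		old_rows = vc->rows;
	newscreen = calloc(rows, row_size);
	if (!newscreen)
		return -1;
	copy_bytes = (size_t)(old_rows < rows ? old_rows : rows) * row_size; /* overlap */
	if (copy_bytes > vc->screen_size) {  /* stale old_rows: the kernel would read OOB */
		free(newscreen);
		return -2;
	}
	memcpy(newscreen, vc->screen, copy_bytes);
	free(vc->screen);
	vc->screen = newscreen;
	vc->screen_size = (size_t)rows * row_size;
	vc->rows = rows;
	return 0;
}

/* Constructed scenario: 25x80 console, outer request for 50 rows, inner call shrinks to 10. */
static int run_scenario(bool fixed)
{
	struct vc vc = { .rows = 25, .cols = 80, .screen_size = 25 * 80 * 2 };
	int ret;
	vc.screen = calloc(1, vc.screen_size);
	g_inner_rows = 10;
	ret = vc.screen ? do_resize(&vc, 50, fixed) : -1;
	free(vc.screen);
	return ret;
}
```

With the old order the outer call still believes the console has 25 rows after the inner call shrank it to 10, so its copy of 4000 bytes overruns the 1600-byte buffer; with the re-read it copies only the 10 rows that exist.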