Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp786675pxa; Wed, 19 Aug 2020 15:08:43 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwab28I2RIolCoPU4jztQd2elMVyeseb6tTaQObKVvuqahmCGyAyYfzcdVusT+uGoplAYer X-Received: by 2002:a05:6402:1c85:: with SMTP id cy5mr171295edb.6.1597874923294; Wed, 19 Aug 2020 15:08:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1597874923; cv=none; d=google.com; s=arc-20160816; b=mvkbVCjHUwRsXIJ2JoCMFWbl6C4gNBSaJVRCFDo4bg6TwB3HC5xY57l8YGwl9ByscQ etmmrEOPh4BQ4AVaRzSeDD6rbcb284mT5cJ12dtSfvs+JtXUGycWmCvGnI6UuYT/nSaR nHKaykdjVKZDfI64+R3YUnmCfXhK5BDIRgb/IAfxrGCIDGK32NQBUZ1iw2i5kcKt/Isy fEieEH+yHiWg/fNkHVfJXsanhfrB4UJGaQgnSSGdgrs0A1nABPiMLjl3u1bg72FudOTt IX4nE8EPAUJprBAFMY64YNOTn0idG0werF0o6qZ1rdgFVUVx+QQIBydp8xLPIShZ36Ar y9TQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=kf0ZzHRJMAbFMLLUKsjOglGhImKY7cyfAyt1lKaRTFE=; b=KcCvleJLBMSfv73IhSGa4PoAcOueRNAvIrIdMdyawYSPYkEUJ4LKCFvwsGOm+yc/iJ edTjq80RMbIgNi+6Zpm6kN9gDnrR4r5U6XkpQh9eo8KmJHlcPh4V0PUk1ROT+w/IVbYU Sy9N2/1BMixyz5S2rIVyTDLH9xjR+zKW9hIKpt7pj9qMj7/Yh28sedqoCo/GuQIlvXfk x+vWMgI4PZmHg4bdwqk7VEHc8CR2GJeMO02+ajJ2S7Iv9jQTu86jUK8/AK7mbdPeDewT p6obIefftWgTT+RiC0r2BlIEWiNhEYbwvTn4vMl06UaSKpbMeT65LsOeHEHazermbwks qOqQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=XdSoOU8b; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id k21si15924822eje.480.2020.08.19.15.08.19; Wed, 19 Aug 2020 15:08:43 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=XdSoOU8b; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726664AbgHSWHv (ORCPT + 99 others); Wed, 19 Aug 2020 18:07:51 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36774 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726209AbgHSWHt (ORCPT ); Wed, 19 Aug 2020 18:07:49 -0400 Received: from mail-pf1-x441.google.com (mail-pf1-x441.google.com [IPv6:2607:f8b0:4864:20::441]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 92797C061757 for ; Wed, 19 Aug 2020 15:07:49 -0700 (PDT) Received: by mail-pf1-x441.google.com with SMTP id 17so6814pfw.9 for ; Wed, 19 Aug 2020 15:07:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=kf0ZzHRJMAbFMLLUKsjOglGhImKY7cyfAyt1lKaRTFE=; b=XdSoOU8bhGfMFDMNkNB0PbGSyC9b/j1tzuVKEsB9zu7tjC2Vu7SEGSFi1W1cIQakbE o9qXTs96ee/VmG7efkxn8wb4vmhSq0ewikBueR4YGGz4OVA6fjbIeZISd2TXUVABiNcj 2cRCBsILsz+/mHHhsf+pfXMZJsKWFTExc0Fuk= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=kf0ZzHRJMAbFMLLUKsjOglGhImKY7cyfAyt1lKaRTFE=; b=I8sE9LMfTYBQTrmcuB4CXrz8VVuv1OYkR7G1cA4/Y4UQdMLckduJOVph30LeR+q8Df 7USHeQBA6haNnyOMJ6taiQ9PNCtoUq21QPwtx7UDx50FP85EhVBy5jVCywXgf4uBVHz8 B2c3sSgnH9KM/RYUaZcED8E/yF4RodAWrmRQvAUCIkm54cNTqpPGUPxgQGzzy3jenec2 bawl9/uOM8heem89/iojdIIFAFddT/3DkdCT8avbtlRcMpNdQ87s56trKwm+Xmm0YV6J dujFSF5oJT2c1rFCCKjsTvw0zAjWwanebcZnU57O5rUZ6sOhn9pctI7Pc92Z/KLEcMkc Jmmw== X-Gm-Message-State: AOAM532ZeNX+2VPRtobdI4SfapVGo1cD/SQvAjs+mSmLWH/MrueAAW2Y Dg9hdcnd8aubUqXWw3rVSFRFuw== X-Received: by 2002:a62:6d04:: with SMTP id i4mr10910877pfc.188.1597874869067; Wed, 19 Aug 2020 15:07:49 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id q25sm182088pfn.181.2020.08.19.15.07.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 19 Aug 2020 15:07:48 -0700 (PDT) Date: Wed, 19 Aug 2020 15:07:46 -0700 From: Kees Cook To: Tetsuo Handa Cc: Greg Kroah-Hartman , Jiri Slaby , Dmitry Vyukov , dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot Subject: Re: [PATCH v3] vt: Reject zero-sized screen buffer size. Message-ID: <202008191452.0278B57D43@keescook> References: <189fc902-db7c-9886-cc31-c0348435303a@i-love.sakura.ne.jp> <20200712111013.11881-1-penguin-kernel@I-love.SAKURA.ne.jp> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200712111013.11881-1-penguin-kernel@I-love.SAKURA.ne.jp> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Jul 12, 2020 at 08:10:12PM +0900, Tetsuo Handa wrote: > [...] > @@ -1125,6 +1134,11 @@ int vc_allocate(unsigned int currcons) /* return 0 on success */ > if (!*vc->vc_uni_pagedir_loc) > con_set_default_unimap(vc); > > + err = -EINVAL; > + if (vc->vc_cols > VC_MAXCOL || vc->vc_rows > VC_MAXROW || > + vc->vc_screenbuf_size > KMALLOC_MAX_SIZE || !vc->vc_screenbuf_size) > + goto err_free; > + err = -ENOMEM; > vc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_KERNEL); > if (!vc->vc_screenbuf) > goto err_free; I realize this patch already landed, but I wanted to remind folks to use the check_*_overflow() helpers, which can make a lot of this kind of stuff easier to deal with. For example, in this case, I think visual_init() could likely be changed to return success/failure and do all the sanity checking: if (check_shl_overflow(vc->vc_cols, 1, &vc->vc_size_row) || check_mul_overflow(vc->vc_rows, vc->vc_size_row, &vc->vc_screenbuf_size)) return -EINVAL; -- Kees Cook