Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp786675pxa;
        Wed, 19 Aug 2020 15:08:43 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwab28I2RIolCoPU4jztQd2elMVyeseb6tTaQObKVvuqahmCGyAyYfzcdVusT+uGoplAYer
X-Received: by 2002:a05:6402:1c85:: with SMTP id cy5mr171295edb.6.1597874923294;
        Wed, 19 Aug 2020 15:08:43 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1597874923; cv=none;
        d=google.com; s=arc-20160816;
        b=mvkbVCjHUwRsXIJ2JoCMFWbl6C4gNBSaJVRCFDo4bg6TwB3HC5xY57l8YGwl9ByscQ
         etmmrEOPh4BQ4AVaRzSeDD6rbcb284mT5cJ12dtSfvs+JtXUGycWmCvGnI6UuYT/nSaR
         nHKaykdjVKZDfI64+R3YUnmCfXhK5BDIRgb/IAfxrGCIDGK32NQBUZ1iw2i5kcKt/Isy
         fEieEH+yHiWg/fNkHVfJXsanhfrB4UJGaQgnSSGdgrs0A1nABPiMLjl3u1bg72FudOTt
         IX4nE8EPAUJprBAFMY64YNOTn0idG0werF0o6qZ1rdgFVUVx+QQIBydp8xLPIShZ36Ar
         y9TQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date
         :dkim-signature;
        bh=kf0ZzHRJMAbFMLLUKsjOglGhImKY7cyfAyt1lKaRTFE=;
        b=KcCvleJLBMSfv73IhSGa4PoAcOueRNAvIrIdMdyawYSPYkEUJ4LKCFvwsGOm+yc/iJ
         edTjq80RMbIgNi+6Zpm6kN9gDnrR4r5U6XkpQh9eo8KmJHlcPh4V0PUk1ROT+w/IVbYU
         Sy9N2/1BMixyz5S2rIVyTDLH9xjR+zKW9hIKpt7pj9qMj7/Yh28sedqoCo/GuQIlvXfk
         x+vWMgI4PZmHg4bdwqk7VEHc8CR2GJeMO02+ajJ2S7Iv9jQTu86jUK8/AK7mbdPeDewT
         p6obIefftWgTT+RiC0r2BlIEWiNhEYbwvTn4vMl06UaSKpbMeT65LsOeHEHazermbwks
         qOqQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=XdSoOU8b;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id k21si15924822eje.480.2020.08.19.15.08.19;
        Wed, 19 Aug 2020 15:08:43 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=XdSoOU8b;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726664AbgHSWHv (ORCPT <rfc822;rao.subba.venkata@gmail.com>
        + 99 others); Wed, 19 Aug 2020 18:07:51 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36774 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726209AbgHSWHt (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 19 Aug 2020 18:07:49 -0400
Received: from mail-pf1-x441.google.com (mail-pf1-x441.google.com [IPv6:2607:f8b0:4864:20::441])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 92797C061757
        for <linux-kernel@vger.kernel.org>; Wed, 19 Aug 2020 15:07:49 -0700 (PDT)
Received: by mail-pf1-x441.google.com with SMTP id 17so6814pfw.9
        for <linux-kernel@vger.kernel.org>; Wed, 19 Aug 2020 15:07:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to;
        bh=kf0ZzHRJMAbFMLLUKsjOglGhImKY7cyfAyt1lKaRTFE=;
        b=XdSoOU8bhGfMFDMNkNB0PbGSyC9b/j1tzuVKEsB9zu7tjC2Vu7SEGSFi1W1cIQakbE
         o9qXTs96ee/VmG7efkxn8wb4vmhSq0ewikBueR4YGGz4OVA6fjbIeZISd2TXUVABiNcj
         2cRCBsILsz+/mHHhsf+pfXMZJsKWFTExc0Fuk=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to;
        bh=kf0ZzHRJMAbFMLLUKsjOglGhImKY7cyfAyt1lKaRTFE=;
        b=I8sE9LMfTYBQTrmcuB4CXrz8VVuv1OYkR7G1cA4/Y4UQdMLckduJOVph30LeR+q8Df
         7USHeQBA6haNnyOMJ6taiQ9PNCtoUq21QPwtx7UDx50FP85EhVBy5jVCywXgf4uBVHz8
         B2c3sSgnH9KM/RYUaZcED8E/yF4RodAWrmRQvAUCIkm54cNTqpPGUPxgQGzzy3jenec2
         bawl9/uOM8heem89/iojdIIFAFddT/3DkdCT8avbtlRcMpNdQ87s56trKwm+Xmm0YV6J
         dujFSF5oJT2c1rFCCKjsTvw0zAjWwanebcZnU57O5rUZ6sOhn9pctI7Pc92Z/KLEcMkc
         Jmmw==
X-Gm-Message-State: AOAM532ZeNX+2VPRtobdI4SfapVGo1cD/SQvAjs+mSmLWH/MrueAAW2Y
        Dg9hdcnd8aubUqXWw3rVSFRFuw==
X-Received: by 2002:a62:6d04:: with SMTP id i4mr10910877pfc.188.1597874869067;
        Wed, 19 Aug 2020 15:07:49 -0700 (PDT)
Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163])
        by smtp.gmail.com with ESMTPSA id q25sm182088pfn.181.2020.08.19.15.07.47
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 19 Aug 2020 15:07:48 -0700 (PDT)
Date:   Wed, 19 Aug 2020 15:07:46 -0700
From:   Kees Cook <keescook@chromium.org>
To:     Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Jiri Slaby <jslaby@suse.com>,
        Dmitry Vyukov <dvyukov@google.com>,
        dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org,
        linux-kernel@vger.kernel.org,
        syzbot <syzbot+017265e8553724e514e8@syzkaller.appspotmail.com>
Subject: Re: [PATCH v3] vt: Reject zero-sized screen buffer size.
Message-ID: <202008191452.0278B57D43@keescook>
References: <189fc902-db7c-9886-cc31-c0348435303a@i-love.sakura.ne.jp>
 <20200712111013.11881-1-penguin-kernel@I-love.SAKURA.ne.jp>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20200712111013.11881-1-penguin-kernel@I-love.SAKURA.ne.jp>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Jul 12, 2020 at 08:10:12PM +0900, Tetsuo Handa wrote:
> [...]
> @@ -1125,6 +1134,11 @@ int vc_allocate(unsigned int currcons)	/* return 0 on success */
>  	if (!*vc->vc_uni_pagedir_loc)
>  		con_set_default_unimap(vc);
>  
> +	err = -EINVAL;
> +	if (vc->vc_cols > VC_MAXCOL || vc->vc_rows > VC_MAXROW ||
> +	    vc->vc_screenbuf_size > KMALLOC_MAX_SIZE || !vc->vc_screenbuf_size)
> +		goto err_free;
> +	err = -ENOMEM;
>  	vc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_KERNEL);
>  	if (!vc->vc_screenbuf)
>  		goto err_free;

I realize this patch already landed, but I wanted to remind folks to
use the check_*_overflow() helpers, which can make a lot of this kind
of stuff easier to deal with.

For example, in this case, I think visual_init() could likely be changed
to return success/failure and do all the sanity checking:

	if (check_shl_overflow(vc->vc_cols, 1, &vc->vc_size_row) ||
	    check_mul_overflow(vc->vc_rows, vc->vc_size_row, &vc->vc_screenbuf_size))
		return -EINVAL;


-- 
Kees Cook