Date: Tue, 25 Aug 2020 18:59:35 +0200
From: Greg KH
To: Peilin Ye
Cc: jslaby@suse.cz, linux-kernel@vger.kernel.org, linux-serial@vger.kernel.org, syzkaller-bugs@googlegroups.com, linux-kernel-mentees@lists.linuxfoundation.org
Subject: Re: [PATCH 15/16] vc_screen: extract vcs_read_buf_header
Message-ID: <20200825165935.GA1527003@kroah.com>
References: <20200818085706.12163-15-jslaby@suse.cz> <20200825164804.860743-1-yepeilin.cs@gmail.com>
In-Reply-To: <20200825164804.860743-1-yepeilin.cs@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Aug 25, 2020 at 12:48:04PM -0400, Peilin Ye wrote:
> Hi all,
>
> Link: https://syzkaller.appspot.com/bug?id=f332576321998d36cd07d09c9c1268cfed1895c9
>
> As reported by syzbot, vcs_read_buf() is overflowing `con_buf16`, since
> this patch removed the following check:
>
> - if (count > CON_BUF_SIZE) {
> - count = CON_BUF_SIZE;
> - filled = count - pos;
> - }
>
> Decreasing `count` by `min(HEADER_SIZE - pos, count)` bypasses this check.
> Additionally, this patch also removed updates to `skip` and `filled`.
>
> What should we do in order to fix it?

This patch is already reverted, and it has been discussed a bit as to how
to do this properly if you look at the email where this was reported to
us.

thanks,

greg k-h
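Review bot: the quoted `-` lines are the only bound on `count` before it is used to fill `con_buf16`, so dropping them leaves the copy length under the caller's control; since the new code first subtracts `min(HEADER_SIZE - pos, count)` from `count`, the clamp (`if (count > CON_BUF_SIZE) count = CON_BUF_SIZE;`) needs to be reinstated on the post-header `count`, and the `skip` and `filled` updates that went with it restored, otherwise the data portion is never limited to the staging buffer and the syzbot report stands.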
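The bookkeeping under discussion, shown as an added C model rather than the kernel's vc_screen code: the constants, the `read_plan` struct, the function names and the 40-byte sample screen are all constructed here. It serves up to HEADER_SIZE header bytes first, then clamps the remaining `count` to the staging buffer capacity after the header share has been subtracted, which is the ordering the missing check has to enforce, and it exposes the fit invariant so both orderings can be compared.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sizes for this model only; the kernel's real constants have
 * other values. CON_BUF_SIZE is the capacity of the staging buffer. */
#define HEADER_SIZE   4
#define CON_BUF_SIZE  16

/* Hypothetical bookkeeping for one read chunk. */
struct read_plan {
    size_t skip;        /* header bytes already consumed when pos < HEADER_SIZE */
    size_t hdr_bytes;   /* header bytes returned in this chunk */
    size_t data_bytes;  /* screen bytes to stage in the CON_BUF_SIZE buffer */
};

/* Ordering the mail reports as broken: the header share is taken off count,
 * but nothing bounds the remainder, so data_bytes follows the caller's count. */
void plan_read_unclamped(size_t pos, size_t count, struct read_plan *p)
{
    memset(p, 0, sizeof(*p));
    if (pos < HEADER_SIZE) {
        size_t hdr_left = HEADER_SIZE - pos;
        p->skip = pos;
        p->hdr_bytes = hdr_left < count ? hdr_left : count;
        count -= p->hdr_bytes;
    }
    p->data_bytes = count;      /* unbounded: can exceed CON_BUF_SIZE */
}

/* Hardened ordering: the clamp is applied to the data portion after the
 * header share is removed, so the staged bytes never exceed CON_BUF_SIZE. */
void plan_read_clamped(size_t pos, size_t count, struct read_plan *p)
{
    plan_read_unclamped(pos, count, p);
    if (p->data_bytes > CON_BUF_SIZE)
        p->data_bytes = CON_BUF_SIZE;
}

/* Invariant a reviewer checks: the plan fits the buffers it writes to. */
int plan_fits(const struct read_plan *p)
{
    return p->hdr_bytes <= HEADER_SIZE && p->data_bytes <= CON_BUF_SIZE;
}

int unclamped_fits(size_t pos, size_t count)
{
    struct read_plan p;
    plan_read_unclamped(pos, count, &p);
    return plan_fits(&p);
}

size_t clamped_data_bytes(size_t pos, size_t count)
{
    struct read_plan p;
    plan_read_clamped(pos, count, &p);
    return p.data_bytes;
}

/* Stage one chunk of screen data into con_buf under the clamped plan and
 * return how many bytes were copied; the memcpy length is bounded by both
 * CON_BUF_SIZE and the screen's remaining length. */
size_t stage_chunk(size_t pos, size_t count,
                   const unsigned char *screen, size_t screen_len,
                   unsigned char con_buf[CON_BUF_SIZE])
{
    struct read_plan p;
    size_t data_pos, n;

    plan_read_clamped(pos, count, &p);
    if (p.data_bytes == 0)
        return 0;
    /* data_bytes > 0 means the rest of the header was served in this chunk,
     * so the screen offset is how far pos + hdr_bytes lies past the header. */
    data_pos = pos + p.hdr_bytes - HEADER_SIZE;
    if (data_pos >= screen_len)
        return 0;
    n = screen_len - data_pos;
    if (n > p.data_bytes)
        n = p.data_bytes;
    memcpy(con_buf, screen + data_pos, n);
    return n;
}

/* Constructed 40-byte "screen" so the model runs offline. */
size_t stage_demo(size_t pos, size_t count)
{
    static const unsigned char screen[] =
        "0123456789012345678901234567890123456789";
    unsigned char con_buf[CON_BUF_SIZE];
    return stage_chunk(pos, count, screen, sizeof screen - 1, con_buf);
}

int main(void)
{
    printf("unclamped plan for count=1000 fits: %d\n", unclamped_fits(0, 1000));
    printf("clamped data bytes for count=1000: %zu\n", clamped_data_bytes(0, 1000));
    printf("bytes staged for pos=6 count=100: %zu\n", stage_demo(6, 100));
    return 0;
}
```

The point of keeping `plan_read_unclamped` next to `plan_read_clamped` is that the only difference is where the bound sits: once the header bytes come off `count`, the bound has to be applied to what is left, and `stage_chunk` then needs no further guard beyond the screen length.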