From: David Laight
To: 'Greg Kroah-Hartman', Peilin Ye, Daniel Vetter
CC: Bartlomiej Zolnierkiewicz, Jiri Slaby, "dri-devel@lists.freedesktop.org", "linux-fbdev@vger.kernel.org", "linux-kernel-mentees@lists.linuxfoundation.org", "syzkaller-bugs@googlegroups.com", "linux-kernel@vger.kernel.org"
Subject: RE: [PATCH 0/3] Prevent out-of-bounds access for built-in font data buffers
Date: Thu, 24 Sep 2020 14:42:18 +0000
Message-ID: <394733ab6fae47488d078cb22f22a85b@AcuMS.aculab.com>

> On Thu, Sep 24, 2020 at 09:38:22AM -0400, Peilin Ye wrote:
> > Hi all,
> >
> > syzbot has reported [1] a global out-of-bounds read issue in
> > fbcon_get_font(). A malicious user may resize `vc_font.height` to a large
> > value in vt_ioctl(), causing fbcon_get_font() to overflow our built-in
> > font data buffers, declared in lib/fonts/font_*.c:
...
> > (drivers/video/fbdev/core/fbcon.c)
> > if (font->width <= 8) {
> > j = vc->vc_font.height;
> > + if (font->charcount * j > FNTSIZE(fontdata))
> > + return -EINVAL;

Can that still go wrong because the multiply wraps?

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
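
Review bot: in the added check `font->charcount * j > FNTSIZE(fontdata)`, the product is computed before the comparison, and `j` is loaded from `vc->vc_font.height`, the value the cover letter says a user can set to a large number through vt_ioctl(). If the product exceeds the range of the type it is evaluated in, it wraps to a small value, the comparison is false, and the -EINVAL return is skipped for exactly the oversized heights the check is meant to reject. Suggest a form that cannot wrap, for example comparing `j` against `FNTSIZE(fontdata) / font->charcount` (with a zero `charcount` handled first), or using check_mul_overflow() from <linux/overflow.h> so the overflow case is rejected explicitly.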