Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp411073pxk; Thu, 24 Sep 2020 08:32:11 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwRPGY9RxsK9/lbOLeLIEfQAGh885HAV2seYd1p+lWLQ8AK8nU+uFdPWFbuvIgtQfxM3IG8 X-Received: by 2002:aa7:cc8d:: with SMTP id p13mr525354edt.136.1600961531561; Thu, 24 Sep 2020 08:32:11 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1600961531; cv=none; d=google.com; s=arc-20160816; b=ch8ugW3zuBApLs7xzDfitt0lMfbItcFW+0+iPkU3TxVHTMxNpyqPM3Ogdi6R2Bmcun ixaCd91bto+OlKvyCOeyNchZK3h3wijBvXg9RwzhuLOKucY5PVDgeDb7hqZsKDAnG9ON Wp3lzYwqy323x1ed48fhiyrZZeYV3mTMyuCrJXs3adonabL7gxmfdCYebaOTuqFrjuMX 1c7tEpTEohgFY6WN0Rg/QMpUqB8eb1WmmHdVzr0EquEp7KgbAqDU22giG8IQuqzzl2En icuhT0JLz6khBIJMTVzg+LWoI7/+q05UX7/Vk2FcikU8XpufVTNu9ZrWNEhPwYl+h3Xq u8Cg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=yanHGoZJj/tcEI8AVG6llL0fhzRiqvwYaviiL5Ezz3E=; b=aXBMf0ylJEYWCLMNZCaCGuODhXh2Kd8U1SnSv+V3fndHABO7GT/Bz6lNYvWCuhGGoE Vbhg2ICoM+YAKx1tVHIC3CgPUsCECJWB8QqBQm4pL2Yt//kFQS+q9ZbFL3nbXtuqiHpN 3Oqco2UB+kVG3k4S16N7+bVEMekGZLMo6CrHiCjfo+Bd196NdqQ5X5U8YpKf4IxV0ix3 1QWW1JmkZFwmXae8yQb1W1fAMgjC+fZksBbjBPoMnr132mY3AUq7E7xdKzAqqkEXVg+o 6Au+iNaUPWyLDRUPja/YA3mD+XBddMZ2SsVksWdIPEVfLY2cRn6Fdhma9MCV7MtRxs+O VIhg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=ezNq1DHk; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id j33si2479841edc.537.2020.09.24.08.31.47; Thu, 24 Sep 2020 08:32:11 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=ezNq1DHk; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728360AbgIXPat (ORCPT + 99 others); Thu, 24 Sep 2020 11:30:49 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39220 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728343AbgIXPat (ORCPT ); Thu, 24 Sep 2020 11:30:49 -0400 Received: from mail-pf1-x442.google.com (mail-pf1-x442.google.com [IPv6:2607:f8b0:4864:20::442]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D3AF8C0613CE; Thu, 24 Sep 2020 08:30:48 -0700 (PDT) Received: by mail-pf1-x442.google.com with SMTP id x22so2096513pfo.12; Thu, 24 Sep 2020 08:30:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=yanHGoZJj/tcEI8AVG6llL0fhzRiqvwYaviiL5Ezz3E=; b=ezNq1DHk4aNb+MSOycaRr9VWUq1Qil3Y4UoOygCV1AX9tQN1xlt+KEI3xDsK4hm60D GFOugf47Qt1NC/tZueImMyAiEYCqCXEP26A9qXOgblPKBalIb6Fp+r87y8OkF24rtv2e 1p8+WnTVov6uGi64oLAPHumRF4sskzWR3wFGEG7DiUIf0lWJQ/c9yG+61mFwp6K+kRct gm1ASwt/Tj9es80OzDDvf30uxyZ46OdNkhAIf6Md/MCZVpqREZu7gKj3fZk4H48JYKBB zbO82ZiSr+J1f1iAwv21h7zWDDL6cm1AKIL97ZEhHahS4+3ZCOZuy1sGWtGq/PVX+nZB nQ2A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=yanHGoZJj/tcEI8AVG6llL0fhzRiqvwYaviiL5Ezz3E=; b=LAu1tf09MvD7ntSV+aVlZFFy/1yRH3XKBb8zQyYXiC8BrVZF3mPmlvCqtPyaitO1IJ /35KGVnPymt92uCmqOO5vWx3SGa9XxUyxNewK/UqCsWx8b3dV3hMRwh6BSCIZLTTD7YZ HSvmmWGZUIIqKFj6nwvQRUXEY2NgwqOeGFkxHjCLHKWtXCnN9kEmN8Tw2vXNTRIgZeoQ xHiqQftsE47Lgmh7UfUBZ/j2GaYVY8RLaVjll0K+OUjvdFTN9pikW/FStnpyq1/PAS/J bfu13/mAudBtxnKQtyojWH0xdYFn1MGlLTo7gO7Zu0RJTDbeUC2oteiveVbat51UWqXH 3U2Q== X-Gm-Message-State: AOAM530gQuVUGdWKd7hYXV5a/DbJcxorBCr5CoC5w7UhnG5yRHnXvVaV xHoG5F4+s6tFJYQyf1DSyA== X-Received: by 2002:a62:3812:0:b029:13e:d13d:a062 with SMTP id f18-20020a6238120000b029013ed13da062mr4689781pfa.40.1600961448347; Thu, 24 Sep 2020 08:30:48 -0700 (PDT) Received: from PWN (n11212042027.netvigator.com. [112.120.42.27]) by smtp.gmail.com with ESMTPSA id u2sm2825443pji.50.2020.09.24.08.30.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 24 Sep 2020 08:30:47 -0700 (PDT) Date: Thu, 24 Sep 2020 11:30:35 -0400 From: Peilin Ye To: David Laight Cc: Greg Kroah-Hartman , Bartlomiej Zolnierkiewicz , Jiri Slaby , Daniel Vetter , dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel-mentees@lists.linuxfoundation.org, syzkaller-bugs@googlegroups.com, linux-kernel@vger.kernel.org Subject: Re: [PATCH 0/3] Prevent out-of-bounds access for built-in font data buffers Message-ID: <20200924153035.GA879703@PWN> References: <0000000000006b9e8d059952095e@google.com> <20200924140937.GA749208@kroah.com> <394733ab6fae47488d078cb22f22a85b@AcuMS.aculab.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <394733ab6fae47488d078cb22f22a85b@AcuMS.aculab.com> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi! On Thu, Sep 24, 2020 at 02:42:18PM +0000, David Laight wrote: > > On Thu, Sep 24, 2020 at 09:38:22AM -0400, Peilin Ye wrote: > > > Hi all, > > > > > > syzbot has reported [1] a global out-of-bounds read issue in > > > fbcon_get_font(). A malicious user may resize `vc_font.height` to a large > > > value in vt_ioctl(), causing fbcon_get_font() to overflow our built-in > > > font data buffers, declared in lib/fonts/font_*.c: > ... > > > (drivers/video/fbdev/core/fbcon.c) > > > if (font->width <= 8) { > > > j = vc->vc_font.height; > > > + if (font->charcount * j > FNTSIZE(fontdata)) > > > + return -EINVAL; > > Can that still go wrong because the multiply wraps? Thank you for bringing this up! The resizing of `vc_font.height` happened in vt_resizex(): (drivers/tty/vt/vt_ioctl.c) if (v.v_clin > 32) return -EINVAL; [...] for (i = 0; i < MAX_NR_CONSOLES; i++) { [...] if (v.v_clin) vcp->vc_font.height = v.v_clin; ^^^^^^^^^^^^^^ It does check if `v.v_clin` is greater than 32. And, currently, all built-in fonts have a `charcount` of 256. Therefore, for built-in fonts and resizing happened in vt_resizex(), it cannot cause an interger overflow. However I am not very sure about user-provided fonts, and if there are other functions that can resize `height` or even `charcount` to a really huge value, but I will do more investigation and think about it. Thank you, Peilin Ye