Date: Sun, 27 Sep 2020 14:06:58 +0200
From: Greg KH
To: Tetsuo Handa
Cc: jirislaby@kernel.org, Peilin Ye, syzbot, b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, deller@gmx.de, syzkaller-bugs@googlegroups.com, Linus Torvalds, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, George Kennedy
Subject: Re: [PATCH] vt_ioctl: make VT_RESIZEX behave like VT_RESIZE
Message-ID: <20200927120658.GA107433@kroah.com>
References: <000000000000226d3f05b02dd607@google.com> <47907f77-b14b-b433-45c6-a315193f0c1a@i-love.sakura.ne.jp> <494395bc-a7dd-fdb1-8196-a236a266ef54@i-love.sakura.ne.jp> <20200927092701.GA1037755@PWN> <4933b81b-9b1a-355b-df0e-9b31e8280ab9@i-love.sakura.ne.jp>
In-Reply-To: <4933b81b-9b1a-355b-df0e-9b31e8280ab9@i-love.sakura.ne.jp>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Sep 27, 2020 at 08:46:30PM +0900, Tetsuo Handa wrote:
> syzbot is reporting UAF/OOB read at bit_putcs()/soft_cursor() [1][2], for
> vt_resizex() from ioctl(VT_RESIZEX) allows setting font height larger than
> actual font height calculated by con_font_set() from ioctl(PIO_FONT).
> Since fbcon_set_font() from con_font_set() allocates minimal amount of
> memory based on actual font height calculated by con_font_set(),
> use of vt_resizex() can cause UAF/OOB read for font data.
>
> VT_RESIZEX was introduced in Linux 1.3.3, but it is unclear that what
> comes to the "+ more" part, and I couldn't find a user of VT_RESIZEX.
>
>   #define VT_RESIZE   0x5609 /* set kernel's idea of screensize */
>   #define VT_RESIZEX  0x560A /* set kernel's idea of screensize + more */
>
> So far we are not aware of syzbot reports caused by setting non-zero value
> to v_vlin parameter. But given that it is possible that nobody is using
> VT_RESIZEX, we can try removing support for v_clin and v_vlin parameters.

Debian code search doesn't show any users, and that's usually a good
indication of what userspace ioctls for old things like this, are being
used for.

So this makes sense to me, I'll queue it up, thanks!

greg k-h
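
The height mismatch described in the quoted commit message, as a simplified user-space model added here (not code from the patch or from the kernel): the font buffer is sized from the loaded glyph height, while the renderer indexes it with a height that a non-zero v_clin could override. The struct, the function names and the 8x16 sample font are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified user-space model; all names here are hypothetical. */
struct font_model {
    unsigned width;       /* glyph width in pixels */
    unsigned data_height; /* rows per glyph the buffer was sized for */
    unsigned cell_height; /* rows per glyph the renderer assumes */
    unsigned charcount;   /* glyphs in the font */
};

static size_t pitch(const struct font_model *f) { return (f->width + 7) / 8; }

/* Bytes allocated at font load, sized from the actual glyph height. */
size_t font_alloc_bytes(const struct font_model *f)
{
    return (size_t)f->charcount * f->data_height * pitch(f);
}

/* Bytes the renderer would read past the buffer for glyph ch (0 = in bounds). */
size_t glyph_overrun(const struct font_model *f, unsigned ch)
{
    size_t cellsize = (size_t)f->cell_height * pitch(f);
    size_t end = ((size_t)ch + 1) * cellsize;
    size_t have = font_alloc_bytes(f);
    return end > have ? end - have : 0;
}

/* Old behaviour: a non-zero v_clin overrides the height the renderer uses. */
void resize_honouring_clin(struct font_model *f, unsigned v_clin)
{
    if (v_clin)
        f->cell_height = v_clin;
}

/* Behaviour proposed in the thread: v_clin is ignored, as with VT_RESIZE. */
void resize_ignoring_clin(struct font_model *f, unsigned v_clin)
{
    (void)f;
    (void)v_clin;
}

int main(void)
{
    struct font_model f = { 8, 16, 16, 256 }; /* constructed 8x16 font */
    resize_honouring_clin(&f, 32);
    printf("alloc=%zu overrun(glyph 255)=%zu\n",
           font_alloc_bytes(&f), glyph_overrun(&f, 255));
    return 0;
}
```

In this model, doubling the assumed height leaves the first half of the glyph table in bounds and pushes every later glyph past the allocation, which is why ignoring v_clin closes the gap without touching the font loader.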