From: Linus Torvalds
Date: Fri, 14 May 2021 13:32:42 -0700
Subject: Re: [PATCH] video: fbdev: vga16fb: fix OOB write in vga16fb_imageblit()
To: "Maciej W. Rozycki"
Cc: Tetsuo Handa, dri-devel, Linux Fbdev development list, Linux Kernel Mailing List, Daniel Vetter, syzbot, Bartlomiej Zolnierkiewicz, Colin King, Greg Kroah-Hartman, Jani Nikula, Jiri Slaby, syzkaller-bugs, "Antonino A. Daplas"

On Fri, May 14, 2021 at 1:25 PM Maciej W. Rozycki wrote:
>
>  Overall I think it does make sense to resize the text console at any
> time, even if the visible console (VT) chosen is in the graphics mode,

It might make sense, but only if we call the function to update the
low-level data.

Not calling it, and then starting to randomly use the (wrong)
geometry, and just limiting it so that it's all within the buffer -
THAT does not make sense.

So I think your patch is fundamentally wrong. It basically says "let's
use random stale incorrect data, but just make sure that the end
result is still within the allocated buffer".

My patch is at least conceptually sane.

An alternative would be to just remove the "vcmode != KD_GRAPHICS"
check entirely, and always call con_resize() to update the low-level
data, but honestly, that seems very likely to break something very
fundamentally, since it's not how any of fbcon has ever been tested.

Another alternative would be to just delay the resize to when vcmode
is put back to text mode again. That sounds somewhat reasonable to me,
but it's a pretty big thing.

But no, your patch to just "knowingly use entirely wrong values, then
add a limit check because we know the values are possibly garbage and
not consistent with reality" is simply not acceptable.

               Linus
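
A toy model of the "delay the resize to when vcmode is put back to text mode" alternative mentioned in the message above. This is an added example, not code from the thread or from the kernel; every type, function and constant in it is hypothetical, and the 80x25 buffer capacity is constructed.

```c
/* Toy model, not kernel code: every type and function name is hypothetical. */
enum mode { TEXT, GRAPHICS };
struct console {
    enum mode mode;
    unsigned cols, rows;        /* geometry the upper layer draws with */
    unsigned ll_cols, ll_rows;  /* geometry the low-level driver was told */
    unsigned want_cols, want_rows, pending; /* resize seen in graphics mode */
};
#define LL_CELLS (80u * 25u)    /* constructed capacity of the driver buffer */
/* Stand-in for the driver's resize hook: it may refuse a size. */
static int ll_resize(struct console *c, unsigned cols, unsigned rows)
{
    if (!cols || !rows || cols > LL_CELLS / rows) return -1;
    c->ll_cols = cols; c->ll_rows = rows;
    return 0;
}

/* In graphics mode the request is only recorded; neither layer changes. */
int console_resize(struct console *c, unsigned cols, unsigned rows)
{
    if (c->mode == GRAPHICS) {
        c->want_cols = cols; c->want_rows = rows; c->pending = 1;
        return 0;
    }
    if (ll_resize(c, cols, rows) != 0)
        return -1;              /* driver refused: keep the old geometry */
    c->cols = cols; c->rows = rows;
    return 0;
}

/* Returning to text mode replays the recorded request through the driver. */
int console_set_mode(struct console *c, enum mode m)
{
    c->mode = m;
    if (m != TEXT || !c->pending) return 0;
    c->pending = 0;
    return console_resize(c, c->want_cols, c->want_rows);
}

/* Resize while in graphics mode, then return to text mode.
 * Returns the final column count, or -1 if the two layers ever disagree. */
int scenario(unsigned cols, unsigned rows)
{
    struct console c = { TEXT, 80, 25, 80, 25, 0, 0, 0 };
    console_set_mode(&c, GRAPHICS);
    console_resize(&c, cols, rows);
    if (c.cols != c.ll_cols || c.rows != c.ll_rows) return -1;
    console_set_mode(&c, TEXT);
    return (c.cols == c.ll_cols && c.rows == c.ll_rows) ? (int)c.cols : -1;
}
```

The upper-layer geometry changes only after the driver hook has accepted the same values, so drawing code never needs a clamp to compensate for stale dimensions.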