Message-ID: <47a6e396-3d51-79f5-a544-8942470fa2fd@kernel.org>
Date: Mon, 28 Mar 2022 12:09:59 +0200
Subject: Re: [PATCH v3] char: tty3270: fix a missing check on list iterator
To: Xiaomeng Tong, hca@linux.ibm.com, gor@linux.ibm.com, agordeev@linux.ibm.com
Cc: borntraeger@linux.ibm.com, svens@linux.ibm.com, gregkh@linuxfoundation.org, jcmvbkbc@gmail.com, elder@linaro.org, dsterba@suse.com, linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
References: <20220328093505.27902-1-xiam0nd.tong@gmail.com>
From: Jiri Slaby
In-Reply-To: <20220328093505.27902-1-xiam0nd.tong@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 28. 03. 22, 11:35, Xiaomeng Tong wrote:
> The bug is here:
> 	if (s->len != flen) {
>
> The list iterator 's' will point to a bogus position containing
> HEAD if the list is empty or no element is found.

Could you also explain how that can happen?

> This case must
> be checked before any use of the iterator, otherwise it may bpass
> the 'if (s->len != flen) {' in theory iif s->len's value is flen,

bpass + iif -- others already commented on that and you ignored them.

> or/and lead to an invalid memory access.
>
> To fix this bug, use a new variable 'iter' as the list iterator,
> while using the origin variable 's' as a dedicated pointer to
> point to the found element. And if the list is empty or no element
> is found, WARN_ON and return.
>
> Cc: stable@vger.kernel.org
> Fixes: ^1da177e4c3f4 ("Linux-2.6.12-rc2")

That's barely the commit introducing the behavior.

> Signed-off-by: Xiaomeng Tong
> ---
> changes since v2:
>  - WARN_ON and return (Sven Schnelle)
>
> changes since v1:
>  - reallocate s when s == NULL (Sven Schnelle)
>
> v1:https://lore.kernel.org/lkml/20220327064931.7775-1-xiam0nd.tong@gmail.com/
> v2:https://lore.kernel.org/lkml/20220328070543.24671-1-xiam0nd.tong@gmail.com/
>
> ---
>  drivers/s390/char/tty3270.c | 11 ++++++++---
>  1 file changed, 8 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/s390/char/tty3270.c b/drivers/s390/char/tty3270.c
> index 5c83f71c1d0e..9d0952178322 100644
> --- a/drivers/s390/char/tty3270.c
> +++ b/drivers/s390/char/tty3270.c > @@ -1109,9 +1109,9 @@ static void tty3270_put_character(struct tty3270 *tp, char ch) > static void > tty3270_convert_line(struct tty3270 *tp, int line_nr) > { > + struct string *s = NULL, *n, *iter; > struct tty3270_line *line; > struct tty3270_cell *cell; > - struct string *s, *n; > unsigned char highlight; > unsigned char f_color; > char *cp; > @@ -1142,9 +1142,14 @@ tty3270_convert_line(struct tty3270 *tp, int line_nr) > > /* Find the line in the list. */ > i = tp->view.rows - 2 - line_nr; > - list_for_each_entry_reverse(s, &tp->lines, list) > - if (--i <= 0) > + list_for_each_entry_reverse(iter, &tp->lines, list) > + if (--i <= 0) { > + s = iter; > break; > + } > + > + if(WARN_ON(!s)) > + return; > /* > * Check if the line needs to get reallocated. > */ thanks, -- js suse labs
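Review bot: the first hunk moves the `struct string` declaration from its original position (after `struct tty3270_cell *cell;`) to the top of the block purely so that `s` can be initialised, which reorders the declarations and widens the diff for no functional reason. Initialising in place, `struct string *s = NULL, *n, *iter;` where `struct string *s, *n;` stood, keeps the original ordering and makes that hunk a one-line change.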
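Review bot: in the second hunk, `if(WARN_ON(!s))` lacks the space after `if` that kernel coding style requires; write `if (WARN_ON(!s))`. The early `return` also leaves the caller with a line that was never converted, so the commit message should state under which conditions `tp->lines` can be empty or shorter than `tp->view.rows - 2 - line_nr` (the point the reply above raises) so that a reviewer can judge whether warning and bailing out is the right response rather than, say, the reallocation v1 tried.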
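As an added, user-space illustration of the iterator behaviour the quoted commit message describes, the C below contrasts the unchecked loop (the pre-patch shape) with the checked one (the v3 shape). It is not code from the patch or from the kernel tree: `struct list_head`, `container_of`, `list_for_each_entry_reverse`, `struct string` and the `find_line_*` helpers are simplified stand-ins written for this demonstration, and the sample list of two lines is constructed inline.

```c
/* Added example, not part of the patch or the kernel: a minimal copy of the
 * kernel's intrusive list idiom, enough to show what the loop variable holds
 * when list_for_each_entry_reverse() runs off the end without a break. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

#define list_for_each_entry_reverse(pos, head, member)                       \
	for (pos = container_of((head)->prev, __typeof__(*pos), member);     \
	     &pos->member != (head);                                         \
	     pos = container_of(pos->member.prev, __typeof__(*pos), member))

static void list_init(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *h)
{
	n->prev = h->prev;
	n->next = h;
	h->prev->next = n;
	h->prev = n;
}

/* Stand-in for the driver's struct string (constructed for the example).
 * len comes first so the list node sits at a nonzero offset. */
struct string {
	int len;
	struct list_head list;
};

/* Pre-patch shape: the loop variable is used after the loop whether or not
 * a break happened. When the list is empty or shorter than i, the macro's
 * exit test leaves s == container_of(head, struct string, list): an address
 * inside the object that owns the head, not a string at all. */
static struct string *find_line_unchecked(struct list_head *lines, int i)
{
	struct string *s;

	list_for_each_entry_reverse(s, lines, list)
		if (--i <= 0)
			break;
	return s;		/* may be the HEAD-derived bogus pointer */
}

/* Patched shape: iterate with a dedicated variable and copy it into s only
 * on a real match, so a miss is observable as NULL and can be checked. */
static struct string *find_line_checked(struct list_head *lines, int i)
{
	struct string *s = NULL, *iter;

	list_for_each_entry_reverse(iter, lines, list)
		if (--i <= 0) {
			s = iter;
			break;
		}
	return s;		/* NULL means "not found" */
}

/* True when p is exactly the address the unchecked loop derives from head. */
static int is_bogus_head_pointer(const struct string *p,
				 const struct list_head *head)
{
	return (uintptr_t)p == (uintptr_t)head - offsetof(struct string, list);
}

/* Runs both helpers over an empty list and a two-line list; returns the
 * number of expectations that did not hold (0 means every case behaved as
 * described in the comments above). */
static int demo(void)
{
	struct list_head lines;
	struct string a = { .len = 3 }, b = { .len = 5 };
	int failures = 0;

	list_init(&lines);
	/* Empty list: the unchecked loop hands back a non-element. */
	failures += !is_bogus_head_pointer(find_line_unchecked(&lines, 1), &lines);
	failures += find_line_checked(&lines, 1) != NULL;

	list_add_tail(&a.list, &lines);
	list_add_tail(&b.list, &lines);
	/* Reverse walk: i == 1 selects the last line (b), i == 2 the one before. */
	failures += find_line_checked(&lines, 1) != &b;
	failures += find_line_checked(&lines, 2) != &a;
	/* Asking for a third line misses; only the checked form reports it. */
	failures += find_line_checked(&lines, 3) != NULL;
	failures += !is_bogus_head_pointer(find_line_unchecked(&lines, 3), &lines);
	return failures;
}

int main(void)
{
	int f = demo();

	printf("%s (%d mismatches)\n", f ? "FAIL" : "ok", f);
	return f != 0;
}
```

The pointer comparison in `is_bogus_head_pointer` is done on integer values on purpose: the example never dereferences the bogus pointer, it only shows that the pre-patch loop produces it, which is exactly the value a later `s->len` read would touch.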