Received: by 2002:ac0:e350:0:0:0:0:0 with SMTP id g16csp1756937imn; Sun, 31 Jul 2022 21:29:54 -0700 (PDT) X-Google-Smtp-Source: AGRyM1vQagLtMpAPDiFf/C2wz9JvJBrWDOilIGaxTWaAuRexRz1Gd/WXJw/1gdhmw1bf+C0I0U1+ X-Received: by 2002:a05:6402:11cb:b0:43c:c7a3:ff86 with SMTP id j11-20020a05640211cb00b0043cc7a3ff86mr14350384edw.383.1659328193817; Sun, 31 Jul 2022 21:29:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1659328193; cv=none; d=google.com; s=arc-20160816; b=yBqYEMALEddCILVFRN7eh+SzMOAb+pOmmQm6VftIk7tj+TMue4sMs6LblmYW99oHi4 br7nVJFdMu9UfbacK/aCFMeZAFkzBcx3OzhTZ0cFOs5QapVskzvwlemhkSAhBzxm5KhC 8yxyyNOJU/kpMIlGKYC2Iv8qMrS1wWaZwk+e+41d/sM/PxUsaHL/YkfVaWgTMRGSCYJd wLRUyIXq7Y/2QcqLoMoEU3v84UskJs9sjxfr7Kuwb36mkS08u0pYAi36gUWj1gXTisgv Cuj7ZhraUTHJeS9wmcIdZdbPmCcA/6xNj4VRMGlU0IHxyCf5ZgdeYjzxOBzZbOFcL46t j8Ng== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:to:content-language:subject:user-agent:mime-version:date :message-id:dkim-signature; bh=etAZitabdudMb3urn48XAitu4tsd3smIyp9vxBgD1Fg=; b=StM7/WhkT5JGRnw2qcLdBGSWvtFYfDhGtwvdrLlOUn6p1xrN18r94HT5Z/hqPHVV32 taQb5bBId2WQUZXJsGvITo53lqv8HFwaYGp927uS8dmVLv3RzCho+G4f3sPjcejTIxr9 UW7coJrJWHjnrzWnvadmZAMA2GE8b/JBuOcGRFfZEJ2ahYn9ePGfCqBcExBDx+cdkWOU HX9HDS6UIouKIjaj+9S9K3lkwGaoqgqdtTKIv/JCVytT4twU1QU7u6+4CEJJSywW5pBq dEItUfgclrqJjMOLUODGnT3L/r4/OAiSwYvIrNUw4xNCP7bQ5u1c2jQsd5QpOdFW5MdU iDRw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=ZWqNBsV9; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id hc35-20020a17090716a300b0072f42bb813csi10653896ejc.134.2022.07.31.21.29.28; Sun, 31 Jul 2022 21:29:53 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=ZWqNBsV9; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239109AbiHAEKC (ORCPT + 99 others); Mon, 1 Aug 2022 00:10:02 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46002 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229497AbiHAEKA (ORCPT ); Mon, 1 Aug 2022 00:10:00 -0400 Received: from mail-pl1-x62e.google.com (mail-pl1-x62e.google.com [IPv6:2607:f8b0:4864:20::62e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C2D04CE3B; Sun, 31 Jul 2022 21:09:59 -0700 (PDT) Received: by mail-pl1-x62e.google.com with SMTP id v18so9348567plo.8; Sun, 31 Jul 2022 21:09:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:in-reply-to:from:references:to :content-language:subject:user-agent:mime-version:date:message-id :from:to:cc; bh=etAZitabdudMb3urn48XAitu4tsd3smIyp9vxBgD1Fg=; b=ZWqNBsV9OOqzQQlSjJwnkTPi+ll0ygmSlUSkm/6cMDX2JvqvW2sBDjoDMzzKdPJkqp Wlj/5XVrDgvKe4x/MfR/cD3UrC5U7uOZMsC3x/Ocr8ZJg6K5hmxz+B/dFfjbxgmkFXFf cYMBG1vCg8omNWTx0o0TtAv9NfdsqznzDFsygsI9+2spYMZUIPdsLLSjX1NI/HA3720Y ZLadfKoS84CQapQp09HkMnrwfH1WUq24sRmpjv8iHchg8Bl4doowcsZuYU4pP+rk/rst Iw05w5jhFDRzFHajSWKDtt4qzQZ4fuAZCSci6etwtXXb8jQEibc46wZlpkgfw6hJ34CY Iqhw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:in-reply-to:from:references:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc; bh=etAZitabdudMb3urn48XAitu4tsd3smIyp9vxBgD1Fg=; b=onSrQvfWEZWlaBmt+HqzZdtc0hk9dh/8qepwHS6xWOExr2H+YAXcWNW9SKAy6jP2DY E+wcDUiBy6sVTtf+4tfSo4DOhnk2neFMJk3j9HgI6ZOMc7lA9SOj1qYF9Vjf3TuGxY1R c+t699M1EcTotzFABxZZ02U9qemMnwaXastsLvxW4K/QeNZEDWUdrjXQ0ikYlfyq4MHN DrWHshsBX2mlZ8BPXBpVC4ed1bNovJoNTjfVzBwGjjtLlkh9j0nsEjtW5PMRpVBd17yU ba5YZxce+czROIK254QZlI9rHiaS1tzgrHiEk9PXTOeMD9c8cHlsTHdPiRnWQAq9czfz FmIg== X-Gm-Message-State: ACgBeo0bTPRZrTLnm/Y1IksmSKvyfuWcKx+5MRYquR2vAOdXGkpaj23u m5eCmoAMYfWpSdjbsuMpgrtbPa4LnGl2/Q== X-Received: by 2002:a17:902:8c8a:b0:16e:ceb1:d90a with SMTP id t10-20020a1709028c8a00b0016eceb1d90amr8679912plo.170.1659326999161; Sun, 31 Jul 2022 21:09:59 -0700 (PDT) Received: from [192.168.0.110] ([103.159.189.156]) by smtp.gmail.com with ESMTPSA id h17-20020a170902f55100b0016dbce87aecsm8425736plf.182.2022.07.31.21.09.55 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 31 Jul 2022 21:09:58 -0700 (PDT) Message-ID: <3d33d2c6-ad56-a442-2458-5892138a4d9d@gmail.com> Date: Mon, 1 Aug 2022 10:09:45 +0600 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0 Subject: Re: [syzbot] KASAN: vmalloc-out-of-bounds Write in imageblit (2) Content-Language: en-US To: Helge Deller , syzbot , dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, Greg Kroah-Hartman , Jiri Slaby References: <000000000000bbdd0405d120c155@google.com> <20220729065139.6529-1-khalid.masum.92@gmail.com> <7973ec94-75ad-c133-032e-b83beeb2d397@gmail.com> From: Khalid Masum In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_ENVFROM_END_DIGIT, FREEMAIL_FROM,NICE_REPLY_A,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 7/31/22 21:39, Helge Deller wrote: > On 7/31/22 15:55, Khalid Masum wrote: >> On 7/30/22 23:25, Helge Deller wrote: >>> On 7/29/22 08:51, Khalid Masum wrote: >>>> Here is a simplified reproducer for the issue: >>>> >>>> https://gist.githubusercontent.com/Labnann/923d6b9b3a19848fc129637b839b8a55/raw/a68271fcc724569735fe27f80817e561b3ff629a/reproducer.c >>> >>> The reproducer does this: >>> ioctl(3, TIOCLINUX, TIOCL_SETSEL, selection: xs:3  ys:0  xe:0 ye:0 mode:0)  = 0 >>> -> sets the text selection area >>> ioctl(4, KDFONTOP)  with op=0 (con_font_set), charcount=512  width=8  height=32, 0x20000000) = 0 >>> -> changes the font size. >>> >>> It does not crash with current Linus' head (v5.19-rc8). >>> Kernel v5.16, which was used by this KASAN report, hasn't received backports >>> since months, so I tried stable kernel v5.15.58 instead, and this >>> kernel crashed with the reproducer. >>> >>> The reproducer brings up two issues with current code: >>> 1. The reproducer uses ioctl(TIOCLINUX, TIOCL_SETSEL) and hands over (invalid) >>> zero-values for ys and ye for the starting lines. >>> This is wrong, since the API seems to expect a "1" as the very first line for the selection. >> >> Why do you think that API expects a 1? > > because the code in drivers/tty/vt/selection.c indicates this: > See: > static int vc_selection(struct vc_data *vc, struct tiocl_selection *v, struct tty_struct *tty) > { > int ps, pe; > ... > v->xs = min_t(u16, v->xs - 1, vc->vc_cols - 1); > v->ys = min_t(u16, v->ys - 1, vc->vc_rows - 1); > v->xe = min_t(u16, v->xe - 1, vc->vc_cols - 1); > v->ye = min_t(u16, v->ye - 1, vc->vc_rows - 1); > ... > ps = v->ys * vc->vc_size_row + (v->xs << 1); > pe = v->ye * vc->vc_size_row + (v->xe << 1); > > The userspace-provided xs,ys,xe and ye values are decremented by one > before ps and pe (the pointers into the text screen array) are calculated. > So, for the xs...ye values in the range from 1..max-screen-lines/columns > are expected. Oh. I got it. It is pretty simple. Thanks again for explaining. > > Helge Khalid Masum