From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Jiri Slaby
Date: Thu, 30 Jul 2020 07:38:24 +0000
Subject: Re: [PATCH] vgacon: fix out of bounds write to the scrollback buffer
Message-Id: <008a3a1d-1908-6aea-0fae-e15b4eddff02@kernel.org>
References: <20200729130710.GA13262@openwall.com> <659f8dcf-7802-1ca1-1372-eb7fefd4d8f4@kernel.org>
In-Reply-To: <659f8dcf-7802-1ca1-1372-eb7fefd4d8f4@kernel.org>
To: 张云海, Solar Designer
Cc: Linux Fbdev development list, Kyungtae Kim, b.zolnierkie@samsung.com, Greg KH, Linux kernel mailing list, DRI devel, Anthony Liguori, Yang Yingliang, xiao.zhang@windriver.com, Linus Torvalds, "Srivatsa S. Bhat"

On 30. 07. 20, 8:46, Jiri Slaby wrote:
> Hi, OTOH, you should have CCed all the (public) lists.
>
> On 30. 07. 20, 4:50, 张云海 wrote:
>> Zhang Xiao points out that the check should use > instead of >=,
>> otherwise the last line will be skipped.
>> I agree with that, so I modify the patch.
>> Could you please verify that it is still correct and sufficient?
>
> IMO, yes, correct -- I was thinking about this yesterday too. Just an
> example: hypothetically, if we had:
> size_row = 1
> tail = 29
> size = 30
>
> data[29] would be the last accessible member. Writing to data + tail (as
> "29 + 1 > 30" doesn't hold, so the modified check would pass), i.e.
> data[29] is still OK. So yes, > is OK, >= would waste space and would be
> actually incorrect.
>
>> BTW, Zhang Xiao also points out that the check after the memcpy can be
>> removed.
>> I also think that was right, but vgacon_scrollback_cur->tail may keep
>> the value vgacon_scrollback_cur->size in some cases. That is not a
>> problem in vgacon_scrollback_update because of the check before the
>> memcpy. However, that may break some other code which assumes that
>> vgacon_scrollback_cur->tail won't be vgacon_scrollback_cur->size. I do
>> not know if there is such code, and if it is the code actually should
>> check it too. But I still do not remove the check in the patch to make sure
>> it won't break other code.
>
> As I wrote about this yesterday:
> ===
> I am also not sure the test I was pointing out on the top of this
> message would be of any use after the change. But maybe leave the code
> rest in peace.
> ===
>
> I would leave it as is in this particular code. Especially because
> vgacon_scrolldelta takes ->tail into consideration and I was too lazy to
> study the code there. But if you are willing to study the code there and
> confirm the check is superfluous, feel free to remove it. Perhaps in a
> separate patch. I was actually testing with the check removed and didn't
> hit any issue (which means, in fact, exactly nothing).
>
>> From ad143ede24ff4e61292cc9c96000100aacd97259 Mon Sep 17 00:00:00 2001
>> From: Yunhai Zhang
>> Date: Tue, 28 Jul 2020 09:58:03 +0800
>> Subject: [PATCH] Fix for missing check in vgacon scrollback handling
>>
>> vgacon_scrollback_update() always left enbough room in the scrollback
>
> "leaves enough"
>
>> buffer for the next call, but if the console size changed that room
>> might not actually be enough, and so we need to re-check.
>
> Also, could you add reasoning why you are adding the check to the loop
> and not outside (for instance, use your reasoning with numbers or CSI M
> as an example).
>
> Could you add a sample output here, something like I had:
> ===
>     This leads to random crashes or KASAN reports like:
>     BUG: KASAN: slab-out-of-bounds in vgacon_scroll+0x57a/0x8ed
> ===
>
> It's then easier to google for when this happens to someone who runs
> non-patched kernels.
>
>> This fixes CVE-2020-14331.
>>
>> Reported-and-debugged-by: 张云海
>> Reported-and-debugged-by: Yang Yingliang
>> Reported-by: Kyungtae Kim
>> Fixes: 15bdab959c9b ([PATCH] vgacon: Add support for soft scrollback)
>> Cc: Linus Torvalds
>> Cc: Greg KH
>> Cc: Solar Designer
>> Cc: "Srivatsa S. Bhat"
>> Cc: Anthony Liguori
>> Cc: Yang Yingliang
>> Cc: Bartlomiej Zolnierkiewicz
>
> Oh, and we should:
> Cc: stable@vger.kernel.org
>
>> Signed-off-by: Yunhai Zhang
>> ---
>>  drivers/video/console/vgacon.c | 4 ++++
>>  1 file changed, 4 insertions(+)
>>
>> diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c
>> index 998b0de1812f..37b5711cd958 100644
>> --- a/drivers/video/console/vgacon.c
>> +++ b/drivers/video/console/vgacon.c
>> @@ -251,6 +251,10 @@ static void vgacon_scrollback_update(struct vc_data *c, int t, int count) >> p = (void *) (c->vc_origin + t * c->vc_size_row); >> >> while (count--) { >> + if ((vgacon_scrollback_cur->tail + c->vc_size_row) > And git complains here: .git/rebase-apply/patch:13: trailing whitespace. if ((vgacon_scrollback_cur->tail + c->vc_size_row) > warning: 1 line adds whitespace errors. There is a space at the EOL. >> + vgacon_scrollback_cur->size) >> + vgacon_scrollback_cur->tail = 0; >> + >> scr_memcpyw(vgacon_scrollback_cur->data + >> vgacon_scrollback_cur->tail, >> p, c->vc_size_row); > > thanks, > -- js
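
Review bot: In the added pre-copy test inside while (count--), resetting vgacon_scrollback_cur->tail to 0 makes the following scr_memcpyw() safe only if c->vc_size_row is not larger than vgacon_scrollback_cur->size; nothing in the hunk establishes that, so either say where that bound is guaranteed or bail out when a single row cannot fit. A one-line comment above the if, saying that the row size can differ from the one used on the previous call (the console-resize case from the commit message), would also record why the test runs before every copy instead of once outside the loop. The first added line ends in a space after the ">", which is the whitespace error git reports.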
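
The off-by-one reasoning in the reply (size_row = 1, tail = 29, size = 30), the resize case from the commit message and the question of why the test belongs inside the loop can all be checked with a small user-space model. This is an added example, not code from the thread or from vgacon.c: the struct, function and mode names are hypothetical, the buffer sizes are constructed, and the post-copy wrap (tail >= size) is an assumed form of the check the thread only mentions.

```c
#include <stdio.h>
#include <string.h>

/* User-space model of the scrollback ring; all names are hypothetical. */
enum sb_check {
    SB_POST_ONLY,   /* no test before the copy (pre-patch behaviour) */
    SB_PRE_GT_ONCE, /* '>' test once, outside the loop */
    SB_PRE_GT,      /* '>' test before every copy, as in the patch */
    SB_PRE_GE       /* the '>=' variant rejected in the thread */
};

struct sb_model {
    unsigned char data[64];
    int size; /* usable bytes in data[] */
    int tail; /* offset where the next row is stored */
    int oob;  /* copies that would have run past data + size */
};

static void sb_init(struct sb_model *sb, int size, int tail)
{
    memset(sb, 0, sizeof(*sb));
    sb->size = size;
    sb->tail = tail;
}

/* Wrap to offset 0 when the next row does not fit. */
static void sb_wrap(struct sb_model *sb, int size_row, int use_ge)
{
    int end = sb->tail + size_row;

    if (use_ge ? end >= sb->size : end > sb->size)
        sb->tail = 0;
}

/* Store `count` rows of `size_row` bytes; returns the running oob count. */
static int sb_update(struct sb_model *sb, int size_row, int count,
                     enum sb_check mode)
{
    if (mode == SB_PRE_GT_ONCE)
        sb_wrap(sb, size_row, 0);
    while (count--) {
        if (mode == SB_PRE_GT || mode == SB_PRE_GE)
            sb_wrap(sb, size_row, mode == SB_PRE_GE);
        if (sb->tail + size_row > sb->size)
            sb->oob++; /* an unchecked copy would write out of bounds */
        else
            memset(sb->data + sb->tail, 0xAA, (size_t)size_row);
        sb->tail += size_row;
        if (sb->tail >= sb->size) /* post-copy wrap, assumed form */
            sb->tail = 0;
    }
    return sb->oob;
}

/* Numbers from the reply: returns 1 if data[29] received the row. */
static int last_slot_used(enum sb_check mode)
{
    struct sb_model sb;

    sb_init(&sb, 30, 29);
    sb_update(&sb, 1, 1, mode);
    return sb.data[29] == 0xAA;
}

/* Row size changes between calls (constructed: 8 bytes, then 12). */
static int oob_after_resize(enum sb_check mode)
{
    struct sb_model sb;

    sb_init(&sb, 32, 0);
    sb_update(&sb, 8, 3, mode);          /* leaves tail at 24 */
    return sb_update(&sb, 12, 1, mode);  /* 24 + 12 > 32 */
}

/* Several rows in one call, size not a multiple of the row size. */
static int oob_multi_row(enum sb_check mode)
{
    struct sb_model sb;

    sb_init(&sb, 32, 0);
    return sb_update(&sb, 12, 3, mode);  /* offsets 0, 12, then 24 */
}

int main(void)
{
    printf("last slot used:   '>' %d, '>=' %d\n",
           last_slot_used(SB_PRE_GT), last_slot_used(SB_PRE_GE));
    printf("oob after resize: unchecked %d, patched %d\n",
           oob_after_resize(SB_POST_ONLY), oob_after_resize(SB_PRE_GT));
    printf("oob, 3 rows:      test outside loop %d, inside loop %d\n",
           oob_multi_row(SB_PRE_GT_ONCE), oob_multi_row(SB_PRE_GT));
    return 0;
}
```
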