* [PATCH] tty vt: fix character insertion overflow
@ 2013-02-25 1:06 Nicolas Pitre
2013-02-25 8:50 ` Jean-Francois Moine
0 siblings, 1 reply; 2+ messages in thread
From: Nicolas Pitre @ 2013-02-25 1:06 UTC (permalink / raw)
To: Linus Torvalds; +Cc: Jean-François Moine, Greg Kroah-Hartman, linux-kernel
Commit 81732c3b2f (tty vt: Fix line garbage in virtual console on
command line edition) broke insert_char() in multiple ways. Then
commit b1a925f44a (tty vt: Fix a regression in command line edition)
partially fixed it. However, the buffer being moved is still too large
and overflowing beyond the end of the current line, corrupting existing
characters on the next line.
Example test case:
    echo -e "abc\nde\x1b[A\x1b[4h \x1b[4l\x1b[B"
Expected result:
    ab c
    de
Current result:
    ab c
    e
Needless to say that this is very annoying when inserting words in the
middle of paragraphs with certain text editors.
Signed-off-by: Nicolas Pitre <nico@linaro.org>
Cc: Jean-François Moine <moinejf@free.fr>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: <stable@vger.kernel.org>
diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 1a27280..6c4abea 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -539,7 +539,7 @@ static void insert_char(struct vc_data *vc, unsigned int nr)
{
unsigned short *p = (unsigned short *) vc->vc_pos;
- scr_memmovew(p + nr, p, (vc->vc_cols - vc->vc_x) * 2);
+ scr_memmovew(p + nr, p, (vc->vc_cols - vc->vc_x - nr) * 2);
scr_memsetw(p, vc->vc_video_erase_char, nr * 2);
vc->vc_need_wrap = 0;
if (DO_UPDATE(vc))
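Review bot: the new count in the scr_memmovew() call, (vc->vc_cols - vc->vc_x - nr) * 2, is not guarded against nr being larger than the columns left on the line. nr is an unsigned int per the signature, so in that case the subtraction wraps to a very large length instead of going to zero, and the scr_memsetw() on the next line still clears nr cells starting at p, which can also run past the end of the line. Nothing in this hunk shows nr being bounded. Either clamp nr to vc->vc_cols - vc->vc_x at the top of insert_char(), or add a comment stating that every caller guarantees that bound.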
* Re: [PATCH] tty vt: fix character insertion overflow
2013-02-25 1:06 [PATCH] tty vt: fix character insertion overflow Nicolas Pitre
@ 2013-02-25 8:50 ` Jean-Francois Moine
0 siblings, 0 replies; 2+ messages in thread
From: Jean-Francois Moine @ 2013-02-25 8:50 UTC (permalink / raw)
To: Nicolas Pitre; +Cc: Linus Torvalds, Greg Kroah-Hartman, linux-kernel
On Sun, 24 Feb 2013 20:06:09 -0500 (EST)
Nicolas Pitre <nicolas.pitre@linaro.org> wrote:
> Commit 81732c3b2f (tty vt: Fix line garbage in virtual console on
> command line edition) broke insert_char() in multiple ways. Then
> commit b1a925f44a (tty vt: Fix a regression in command line edition)
> partially fixed it. However, the buffer being moved is still too large
> and overflowing beyond the end of the current line, corrupting existing
> characters on the next line.
and
> One detail I didn't mention explicitly is that the cursor can be moved
> to the last screen line, and then the sequence ESC [ <n> @ is all that
> is needed to shovel 2*n bytes from that bottom screen line into adjacent
> memory which could potentially be exploited in some way.
You are right, this bug is critical. Sorry.
Acked-by: Jean-François Moine <moinejf@free.fr>
--
Ken ar c'hentañ | ** Breizh ha Linux atav! **
Jef | http://moinejf.free.fr/
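The overflow from the commit message, modelled in user space as an added example (not code from the patch or the kernel): a constructed 8-column, 2-line buffer is loaded with the test case's "abc" and "de", and the hypothetical helper `next_row_damage()` counts how many cells of the next line change with the old and with the patched move length. The clamp on `nr`, the buffer size and all names are assumptions of this model.

```c
#include <stdio.h>
#include <string.h>

#define COLS 8	/* constructed width; a real console is wider */
#define ROWS 2

/* Model of the screen buffer: ROWS lines of COLS 16-bit cells. */
static unsigned short screen[ROWS * COLS];

static char cell(unsigned r, unsigned c) { return (char)screen[r * COLS + c]; }

static void load(const char *row0, const char *row1)
{
	const char *rows[ROWS] = { row0, row1 };

	for (unsigned r = 0; r < ROWS; r++)
		for (unsigned c = 0; c < COLS; c++)
			screen[r * COLS + c] = c < strlen(rows[r]) ? rows[r][c] : ' ';
}

/* Insert nr blanks at column x of row 0 with the old or the patched move
 * length; returns how many cells of row 1 changed (0 = stayed in line). */
static int next_row_damage(unsigned x, unsigned nr, int patched)
{
	unsigned short before[COLS], *p;
	unsigned cells, i;
	int damaged = 0;

	if (x >= COLS)
		return -1;
	load("abc", "de");
	memcpy(before, &screen[COLS], sizeof(before));
	if (nr > COLS - x)	/* assumed clamp so the count cannot wrap */
		nr = COLS - x;
	p = &screen[x];
	cells = patched ? COLS - x - nr : COLS - x;
	memmove(p + nr, p, cells * sizeof(*p));	/* old length spills into row 1 */
	for (i = 0; i < nr; i++)
		p[i] = ' ';
	for (i = 0; i < COLS; i++)
		damaged += cell(1, i) != (char)before[i];
	return damaged;
}

int main(void)
{
	printf("old length:     %d cell(s) of next line changed\n", next_row_damage(2, 1, 0));
	printf("patched length: %d cell(s) of next line changed\n", next_row_damage(2, 1, 1));
	return 0;
}
```

The model only inserts on row 0 so that the old length's spill lands in row 1 of the same array and stays observable.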