From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Peilin Ye <yepeilin.cs@gmail.com>,
Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: linux-fbdev@vger.kernel.org,
Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>,
Jiri Slaby <jirislaby@kernel.org>,
syzkaller-bugs@googlegroups.com, linux-kernel@vger.kernel.org,
dri-devel@lists.freedesktop.org,
linux-kernel-mentees@lists.linuxfoundation.org
Subject: Re: [PATCH 0/3] Prevent out-of-bounds access for built-in font data buffers
Date: Thu, 24 Sep 2020 14:09:37 +0000 [thread overview]
Message-ID: <20200924140937.GA749208@kroah.com> (raw)
In-Reply-To: <cover.1600953813.git.yepeilin.cs@gmail.com>
On Thu, Sep 24, 2020 at 09:38:22AM -0400, Peilin Ye wrote:
> Hi all,
>
> syzbot has reported [1] a global out-of-bounds read issue in
> fbcon_get_font(). A malicious user may resize `vc_font.height` to a large
> value in vt_ioctl(), causing fbcon_get_font() to overflow our built-in
> font data buffers, declared in lib/fonts/font_*.c:
>
> (e.g. lib/fonts/font_8x8.c)
> #define FONTDATAMAX 2048
>
> static const unsigned char fontdata_8x8[FONTDATAMAX] = {
>
> /* 0 0x00 '^@' */
> 0x00, /* 00000000 */
> 0x00, /* 00000000 */
> 0x00, /* 00000000 */
> 0x00, /* 00000000 */
> 0x00, /* 00000000 */
> 0x00, /* 00000000 */
> 0x00, /* 00000000 */
> 0x00, /* 00000000 */
> [...]
>
> In order to perform a reliable range check, fbcon_get_font() needs to know
> `FONTDATAMAX` for each built-in font under lib/fonts/. Unfortunately, we
> do not keep that information in our font descriptor,
> `struct console_font`:
>
> (include/uapi/linux/kd.h)
> struct console_font {
> unsigned int width, height; /* font size */
> unsigned int charcount;
> unsigned char *data; /* font data with height fixed to 32 */
> };
>
> To make things worse, `struct console_font` is part of the UAPI, so we
> cannot add a new field to keep track of `FONTDATAMAX`.
>
> Fortunately, the framebuffer layer itself gives us a hint of how to
> resolve this issue without changing UAPI. When allocating a buffer for a
> user-provided font, fbcon_set_font() reserves four "extra words" at the
> beginning of the buffer:
>
> (drivers/video/fbdev/core/fbcon.c)
> new_data = kmalloc(FONT_EXTRA_WORDS * sizeof(int) + size, GFP_USER);
> [...]
> new_data += FONT_EXTRA_WORDS * sizeof(int);
> FNTSIZE(new_data) = size;
> FNTCHARCNT(new_data) = charcount;
> REFCOUNT(new_data) = 0; /* usage counter */
> [...]
> FNTSUM(new_data) = csum;
>
> Later, to get the size of a data buffer, the framebuffer layer simply
> calls FNTSIZE() on it:
>
> (drivers/video/fbdev/core/fbcon.h)
> /* Font */
> #define REFCOUNT(fd) (((int *)(fd))[-1])
> #define FNTSIZE(fd) (((int *)(fd))[-2])
> #define FNTCHARCNT(fd) (((int *)(fd))[-3])
> #define FNTSUM(fd) (((int *)(fd))[-4])
> #define FONT_EXTRA_WORDS 4
>
> Currently, this is only done for user-provided fonts. Let us do the same
> thing for built-in fonts, prepend these "extra words" (including
> `FONTDATAMAX`) to their data buffers, so that other subsystems, like the
> framebuffer layer, can use these macros on all fonts, no matter built-in
> or user-provided. As an example, this series fixes the syzbot issue in
> fbcon_get_font():
>
> (drivers/video/fbdev/core/fbcon.c)
> if (font->width <= 8) {
> j = vc->vc_font.height;
> + if (font->charcount * j > FNTSIZE(fontdata))
> + return -EINVAL;
> [...]
>
> Similarly, newport_con also uses these macros. It only uses three of them:
>
> (drivers/video/console/newport_con.c)
> /* borrowed from fbcon.c */
> #define REFCOUNT(fd) (((int *)(fd))[-1])
> #define FNTSIZE(fd) (((int *)(fd))[-2])
> #define FNTCHARCNT(fd) (((int *)(fd))[-3])
> #define FONT_EXTRA_WORDS 3
>
> To keep things simple, move all these macro definitions to <linux/font.h>,
> use four words instead of three, and initialize the fourth word in
> newport_set_font() properly.
>
> Many thanks to Greg Kroah-Hartman <gregkh@linuxfoundation.org>, who
> reviewed and improved this series!
>
> [1]: KASAN: global-out-of-bounds Read in fbcon_get_font
> https://syzkaller.appspot.com/bug?id=08b8be45afea11888776f897895aef9ad1c3ecfd
>
> Peilin Ye (3):
> fbdev, newport_con: Move FONT_EXTRA_WORDS macros into linux/font.h
> Fonts: Support FONT_EXTRA_WORDS macros for built-in fonts
> fbcon: Fix global-out-of-bounds read in fbcon_get_font()
>
> drivers/video/console/newport_con.c | 7 +------
> drivers/video/fbdev/core/fbcon.c | 12 ++++++++++++
> drivers/video/fbdev/core/fbcon.h | 7 -------
> drivers/video/fbdev/core/fbcon_rotate.c | 1 +
> drivers/video/fbdev/core/tileblit.c | 1 +
> include/linux/font.h | 13 +++++++++++++
> lib/fonts/font_10x18.c | 9 ++++-----
> lib/fonts/font_6x10.c | 9 +++++----
> lib/fonts/font_6x11.c | 9 ++++-----
> lib/fonts/font_7x14.c | 9 ++++-----
> lib/fonts/font_8x16.c | 9 ++++-----
> lib/fonts/font_8x8.c | 9 ++++-----
> lib/fonts/font_acorn_8x8.c | 9 ++++++---
> lib/fonts/font_mini_4x6.c | 8 ++++----
> lib/fonts/font_pearl_8x8.c | 9 ++++-----
> lib/fonts/font_sun12x22.c | 9 ++++-----
> lib/fonts/font_sun8x16.c | 7 ++++---
> lib/fonts/font_ter16x32.c | 9 ++++-----
> 18 files changed, 79 insertions(+), 67 deletions(-)
Gotta love going backwards in arrays :)
Nice work, whole series is:
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Daniel, can you take this through your tree?
thanks,
greg k-h
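The "extra words" layout and the range check discussed in the cover letter above, as an added C example that is not part of the original thread or of the kernel series. The accessor macros are the ones quoted from fbcon.h; everything prefixed `demo_` (the `struct demo_font_data` layout standing in for a built-in font, the user-font allocation mirroring the quoted fbcon_set_font() lines, and the `demo_get_font()` copy loop with the series' check in front of it) is my own construction. The `height > 32` guard is an assumption drawn from the UAPI comment "font data with height fixed to 32", not a check shown on the page.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Accessor macros as quoted from fbcon.h: the bookkeeping words sit just
 * in front of the glyph bytes, so they are reached by indexing backwards
 * from the data pointer. */
#define REFCOUNT(fd)     (((int *)(fd))[-1])
#define FNTSIZE(fd)      (((int *)(fd))[-2])
#define FNTCHARCNT(fd)   (((int *)(fd))[-3])
#define FNTSUM(fd)       (((int *)(fd))[-4])
#define FONT_EXTRA_WORDS 4

#define DEMO_FONTDATAMAX 2048   /* same value as the quoted font_8x8.c */
#define DEMO_CHARCOUNT   256
#define DEMO_ROWS        32     /* UAPI: console_font data has height fixed to 32 */

/* Constructed stand-in for a built-in font (my illustration, not the
 * series' declaration): extra[] is ordered so that data[-1] is the refcount,
 * data[-2] the size, data[-3] the charcount and data[-4] the checksum. */
struct demo_font_data {
    int extra[FONT_EXTRA_WORDS];            /* { sum, charcount, size, refcount } */
    unsigned char data[DEMO_FONTDATAMAX];
};

static struct demo_font_data demo_builtin_8x8 = {
    .extra = { 0, 0, DEMO_FONTDATAMAX, 0 },
    .data  = { 0 },                         /* blank glyphs; only the bounds matter here */
};

/* Allocate a user-supplied font the way the quoted fbcon_set_font() does:
 * reserve the extra words first, then hand back a pointer past them. */
static unsigned char *demo_alloc_user_font(const unsigned char *src, size_t size,
                                           int charcount)
{
    unsigned char *new_data = malloc(FONT_EXTRA_WORDS * sizeof(int) + size);

    if (!new_data)
        return NULL;
    new_data += FONT_EXTRA_WORDS * sizeof(int);
    FNTSIZE(new_data) = (int)size;
    FNTCHARCNT(new_data) = charcount;
    REFCOUNT(new_data) = 0;
    FNTSUM(new_data) = 0;                   /* checksum not computed in this demo */
    memcpy(new_data, src, size);
    return new_data;
}

/* Step back over the header before free(): the pointer handed out above is
 * not the one malloc() returned. */
static void demo_free_user_font(unsigned char *data)
{
    if (data)
        free(data - FONT_EXTRA_WORDS * sizeof(int));
}

/* The width <= 8 branch of fbcon_get_font() with the series' range check in
 * front of the copy loop. Returns 0 on success, -EINVAL when the request
 * would read charcount * height bytes past the end of the font buffer.
 * `out` must hold charcount * DEMO_ROWS bytes. */
static int demo_get_font(unsigned char *fontdata, unsigned int charcount,
                         unsigned int height, unsigned char *out)
{
    size_t need = (size_t)charcount * height;   /* wide type: product cannot wrap */

    if (height == 0 || height > DEMO_ROWS)      /* assumption: 32-row UAPI limit */
        return -EINVAL;
    if (FNTSIZE(fontdata) < 0 || need > (size_t)FNTSIZE(fontdata))
        return -EINVAL;

    for (unsigned int i = 0; i < charcount; i++) {
        memcpy(out, fontdata, height);
        memset(out + height, 0, DEMO_ROWS - height);
        out += DEMO_ROWS;
        fontdata += height;
    }
    return 0;
}

/* Request the built-in 8x8 font with a caller-chosen height, as vt_ioctl()
 * lets a user set vc_font.height before fbcon_get_font() copies it out. */
static int demo_builtin_request(unsigned int height)
{
    unsigned char out[DEMO_CHARCOUNT * DEMO_ROWS];

    return demo_get_font(demo_builtin_8x8.data, DEMO_CHARCOUNT, height, out);
}

/* Same request against a user-loaded font of font_height rows per glyph. */
static int demo_user_request(unsigned int font_height, unsigned int requested_height)
{
    unsigned char glyphs[DEMO_CHARCOUNT * DEMO_ROWS];   /* constructed glyph bytes */
    unsigned char out[DEMO_CHARCOUNT * DEMO_ROWS];
    unsigned char *font;
    int ret;

    memset(glyphs, 0xAA, sizeof glyphs);
    font = demo_alloc_user_font(glyphs, (size_t)DEMO_CHARCOUNT * font_height,
                                DEMO_CHARCOUNT);
    if (!font)
        return -ENOMEM;
    ret = demo_get_font(font, DEMO_CHARCOUNT, requested_height, out);
    demo_free_user_font(font);
    return ret;
}

int main(void)
{
    printf("built-in 8x8, height 8:  %d\n", demo_builtin_request(8));
    printf("built-in 8x8, height 9:  %d\n", demo_builtin_request(9));
    printf("user 8x16, height 16:    %d\n", demo_user_request(16, 16));
    printf("user 8x16, height 17:    %d\n", demo_user_request(16, 17));
    return 0;
}
```

The point of the negative-index header is that a single `FNTSIZE()` works for both kinds of font once built-in fonts carry the same four words, so the check can be placed at the one copy site rather than threaded through every caller; the cost is that every free of a user font has to rewind the pointer first, which is why the release path is kept next to the allocation path here.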