From: Peilin Ye <yepeilin.cs@gmail.com>
To: David Laight <David.Laight@ACULAB.COM>
Cc: linux-fbdev@vger.kernel.org,
Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>,
Daniel Vetter <daniel.vetter@ffwll.ch>,
syzkaller-bugs@googlegroups.com, linux-kernel@vger.kernel.org,
dri-devel@lists.freedesktop.org,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Jiri Slaby <jirislaby@kernel.org>,
linux-kernel-mentees@lists.linuxfoundation.org
Subject: Re: [PATCH 0/3] Prevent out-of-bounds access for built-in font data buffers
Date: Thu, 24 Sep 2020 15:30:35 +0000 [thread overview]
Message-ID: <20200924153035.GA879703@PWN> (raw)
In-Reply-To: <394733ab6fae47488d078cb22f22a85b@AcuMS.aculab.com>
Hi!
On Thu, Sep 24, 2020 at 02:42:18PM +0000, David Laight wrote:
> > On Thu, Sep 24, 2020 at 09:38:22AM -0400, Peilin Ye wrote:
> > > Hi all,
> > >
> > > syzbot has reported [1] a global out-of-bounds read issue in
> > > fbcon_get_font(). A malicious user may resize `vc_font.height` to a large
> > > value in vt_ioctl(), causing fbcon_get_font() to overflow our built-in
> > > font data buffers, declared in lib/fonts/font_*.c:
> ...
> > > (drivers/video/fbdev/core/fbcon.c)
> > > if (font->width <= 8) {
> > > j = vc->vc_font.height;
> > > + if (font->charcount * j > FNTSIZE(fontdata))
> > > + return -EINVAL;
>
> Can that still go wrong because the multiply wraps?
Thank you for bringing this up!
The resizing of `vc_font.height` happened in vt_resizex():
(drivers/tty/vt/vt_ioctl.c)
if (v.v_clin > 32)
return -EINVAL;
[...]
for (i = 0; i < MAX_NR_CONSOLES; i++) {
[...]
if (v.v_clin)
vcp->vc_font.height = v.v_clin;
^^^^^^^^^^^^^^
It does check if `v.v_clin` is greater than 32. And, currently, all
built-in fonts have a `charcount` of 256.
Therefore, for built-in fonts and resizing happened in vt_resizex(), it
cannot cause an interger overflow.
However I am not very sure about user-provided fonts, and if there are
other functions that can resize `height` or even `charcount` to a really
huge value, but I will do more investigation and think about it.
Thank you,
Peilin Ye
WARNING: multiple messages have this Message-ID (diff)
From: Peilin Ye <yepeilin.cs@gmail.com>
To: David Laight <David.Laight@ACULAB.COM>
Cc: linux-fbdev@vger.kernel.org,
Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>,
Daniel Vetter <daniel.vetter@ffwll.ch>,
syzkaller-bugs@googlegroups.com, linux-kernel@vger.kernel.org,
dri-devel@lists.freedesktop.org,
Jiri Slaby <jirislaby@kernel.org>,
linux-kernel-mentees@lists.linuxfoundation.org
Subject: Re: [Linux-kernel-mentees] [PATCH 0/3] Prevent out-of-bounds access for built-in font data buffers
Date: Thu, 24 Sep 2020 11:30:35 -0400 [thread overview]
Message-ID: <20200924153035.GA879703@PWN> (raw)
In-Reply-To: <394733ab6fae47488d078cb22f22a85b@AcuMS.aculab.com>
Hi!
On Thu, Sep 24, 2020 at 02:42:18PM +0000, David Laight wrote:
> > On Thu, Sep 24, 2020 at 09:38:22AM -0400, Peilin Ye wrote:
> > > Hi all,
> > >
> > > syzbot has reported [1] a global out-of-bounds read issue in
> > > fbcon_get_font(). A malicious user may resize `vc_font.height` to a large
> > > value in vt_ioctl(), causing fbcon_get_font() to overflow our built-in
> > > font data buffers, declared in lib/fonts/font_*.c:
> ...
> > > (drivers/video/fbdev/core/fbcon.c)
> > > if (font->width <= 8) {
> > > j = vc->vc_font.height;
> > > + if (font->charcount * j > FNTSIZE(fontdata))
> > > + return -EINVAL;
>
> Can that still go wrong because the multiply wraps?
Thank you for bringing this up!
The resizing of `vc_font.height` happened in vt_resizex():
(drivers/tty/vt/vt_ioctl.c)
if (v.v_clin > 32)
return -EINVAL;
[...]
for (i = 0; i < MAX_NR_CONSOLES; i++) {
[...]
if (v.v_clin)
vcp->vc_font.height = v.v_clin;
^^^^^^^^^^^^^^
It does check if `v.v_clin` is greater than 32. And, currently, all
built-in fonts have a `charcount` of 256.
Therefore, for built-in fonts and resizing happened in vt_resizex(), it
cannot cause an interger overflow.
However I am not very sure about user-provided fonts, and if there are
other functions that can resize `height` or even `charcount` to a really
huge value, but I will do more investigation and think about it.
Thank you,
Peilin Ye
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees
WARNING: multiple messages have this Message-ID (diff)
From: Peilin Ye <yepeilin.cs@gmail.com>
To: David Laight <David.Laight@ACULAB.COM>
Cc: linux-fbdev@vger.kernel.org,
Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>,
Daniel Vetter <daniel.vetter@ffwll.ch>,
syzkaller-bugs@googlegroups.com, linux-kernel@vger.kernel.org,
dri-devel@lists.freedesktop.org,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Jiri Slaby <jirislaby@kernel.org>,
linux-kernel-mentees@lists.linuxfoundation.org
Subject: Re: [PATCH 0/3] Prevent out-of-bounds access for built-in font data buffers
Date: Thu, 24 Sep 2020 11:30:35 -0400 [thread overview]
Message-ID: <20200924153035.GA879703@PWN> (raw)
In-Reply-To: <394733ab6fae47488d078cb22f22a85b@AcuMS.aculab.com>
Hi!
On Thu, Sep 24, 2020 at 02:42:18PM +0000, David Laight wrote:
> > On Thu, Sep 24, 2020 at 09:38:22AM -0400, Peilin Ye wrote:
> > > Hi all,
> > >
> > > syzbot has reported [1] a global out-of-bounds read issue in
> > > fbcon_get_font(). A malicious user may resize `vc_font.height` to a large
> > > value in vt_ioctl(), causing fbcon_get_font() to overflow our built-in
> > > font data buffers, declared in lib/fonts/font_*.c:
> ...
> > > (drivers/video/fbdev/core/fbcon.c)
> > > if (font->width <= 8) {
> > > j = vc->vc_font.height;
> > > + if (font->charcount * j > FNTSIZE(fontdata))
> > > + return -EINVAL;
>
> Can that still go wrong because the multiply wraps?
Thank you for bringing this up!
The resizing of `vc_font.height` happened in vt_resizex():
(drivers/tty/vt/vt_ioctl.c)
if (v.v_clin > 32)
return -EINVAL;
[...]
for (i = 0; i < MAX_NR_CONSOLES; i++) {
[...]
if (v.v_clin)
vcp->vc_font.height = v.v_clin;
^^^^^^^^^^^^^^
It does check if `v.v_clin` is greater than 32. And, currently, all
built-in fonts have a `charcount` of 256.
Therefore, for built-in fonts and resizing happened in vt_resizex(), it
cannot cause an interger overflow.
However I am not very sure about user-provided fonts, and if there are
other functions that can resize `height` or even `charcount` to a really
huge value, but I will do more investigation and think about it.
Thank you,
Peilin Ye
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
WARNING: multiple messages have this Message-ID (diff)
From: Peilin Ye <yepeilin.cs@gmail.com>
To: David Laight <David.Laight@ACULAB.COM>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>,
Jiri Slaby <jirislaby@kernel.org>,
Daniel Vetter <daniel.vetter@ffwll.ch>,
dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org,
linux-kernel-mentees@lists.linuxfoundation.org,
syzkaller-bugs@googlegroups.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 0/3] Prevent out-of-bounds access for built-in font data buffers
Date: Thu, 24 Sep 2020 11:30:35 -0400 [thread overview]
Message-ID: <20200924153035.GA879703@PWN> (raw)
In-Reply-To: <394733ab6fae47488d078cb22f22a85b@AcuMS.aculab.com>
Hi!
On Thu, Sep 24, 2020 at 02:42:18PM +0000, David Laight wrote:
> > On Thu, Sep 24, 2020 at 09:38:22AM -0400, Peilin Ye wrote:
> > > Hi all,
> > >
> > > syzbot has reported [1] a global out-of-bounds read issue in
> > > fbcon_get_font(). A malicious user may resize `vc_font.height` to a large
> > > value in vt_ioctl(), causing fbcon_get_font() to overflow our built-in
> > > font data buffers, declared in lib/fonts/font_*.c:
> ...
> > > (drivers/video/fbdev/core/fbcon.c)
> > > if (font->width <= 8) {
> > > j = vc->vc_font.height;
> > > + if (font->charcount * j > FNTSIZE(fontdata))
> > > + return -EINVAL;
>
> Can that still go wrong because the multiply wraps?
Thank you for bringing this up!
The resizing of `vc_font.height` happened in vt_resizex():
(drivers/tty/vt/vt_ioctl.c)
if (v.v_clin > 32)
return -EINVAL;
[...]
for (i = 0; i < MAX_NR_CONSOLES; i++) {
[...]
if (v.v_clin)
vcp->vc_font.height = v.v_clin;
^^^^^^^^^^^^^^
It does check if `v.v_clin` is greater than 32. And, currently, all
built-in fonts have a `charcount` of 256.
Therefore, for built-in fonts and resizing happened in vt_resizex(), it
cannot cause an interger overflow.
However I am not very sure about user-provided fonts, and if there are
other functions that can resize `height` or even `charcount` to a really
huge value, but I will do more investigation and think about it.
Thank you,
Peilin Ye
next prev parent reply other threads:[~2020-09-24 15:30 UTC|newest]
Thread overview: 114+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-10 4:35 KASAN: global-out-of-bounds Read in fbcon_get_font syzbot
2019-12-10 4:35 ` syzbot
2019-12-10 4:35 ` syzbot
2020-01-01 17:40 ` syzbot
2020-01-01 17:40 ` syzbot
2020-01-01 17:40 ` syzbot
2020-09-24 13:38 ` [PATCH 0/3] Prevent out-of-bounds access for built-in font data buffers Peilin Ye
2020-09-24 13:38 ` Peilin Ye
2020-09-24 13:38 ` Peilin Ye
2020-09-24 13:38 ` [Linux-kernel-mentees] " Peilin Ye
2020-09-24 13:40 ` [PATCH 1/3] fbdev, newport_con: Move FONT_EXTRA_WORDS macros into linux/font.h Peilin Ye
2020-09-24 13:40 ` Peilin Ye
2020-09-24 13:40 ` Peilin Ye
2020-09-24 13:40 ` [Linux-kernel-mentees] " Peilin Ye
2020-09-24 13:42 ` [PATCH 2/3] Fonts: Support FONT_EXTRA_WORDS macros for built-in fonts Peilin Ye
2020-09-24 13:42 ` Peilin Ye
2020-09-24 13:42 ` Peilin Ye
2020-09-24 13:42 ` [Linux-kernel-mentees] " Peilin Ye
2020-09-24 13:43 ` [PATCH 3/3] fbcon: Fix global-out-of-bounds read in fbcon_get_font() Peilin Ye
2020-09-24 13:43 ` Peilin Ye
2020-09-24 13:43 ` Peilin Ye
2020-09-24 13:43 ` [Linux-kernel-mentees] " Peilin Ye
2020-09-24 14:09 ` [PATCH 0/3] Prevent out-of-bounds access for built-in font data buffers Greg Kroah-Hartman
2020-09-24 14:09 ` Greg Kroah-Hartman
2020-09-24 14:09 ` Greg Kroah-Hartman
2020-09-24 14:09 ` [Linux-kernel-mentees] " Greg Kroah-Hartman
2020-09-24 14:25 ` Peilin Ye
2020-09-24 14:25 ` Peilin Ye
2020-09-24 14:25 ` Peilin Ye
2020-09-24 14:25 ` [Linux-kernel-mentees] " Peilin Ye
2020-09-24 14:42 ` David Laight
2020-09-24 14:42 ` David Laight
2020-09-24 14:42 ` David Laight
2020-09-24 14:42 ` [Linux-kernel-mentees] " David Laight
2020-09-24 15:30 ` Peilin Ye [this message]
2020-09-24 15:30 ` Peilin Ye
2020-09-24 15:30 ` Peilin Ye
2020-09-24 15:30 ` [Linux-kernel-mentees] " Peilin Ye
2020-09-24 15:45 ` Dan Carpenter
2020-09-24 15:45 ` Dan Carpenter
2020-09-24 15:45 ` Dan Carpenter
2020-09-24 15:45 ` [Linux-kernel-mentees] " Dan Carpenter
2020-09-24 16:59 ` Peilin Ye
2020-09-24 16:59 ` Peilin Ye
2020-09-24 16:59 ` Peilin Ye
2020-09-24 16:59 ` [Linux-kernel-mentees] " Peilin Ye
2020-09-25 8:38 ` Daniel Vetter
2020-09-25 8:38 ` Daniel Vetter
2020-09-25 8:38 ` Daniel Vetter
2020-09-25 8:38 ` [Linux-kernel-mentees] " Daniel Vetter
2020-09-25 6:46 ` Jiri Slaby
2020-09-25 6:46 ` Jiri Slaby
2020-09-25 6:46 ` Jiri Slaby
2020-09-25 6:46 ` [Linux-kernel-mentees] " Jiri Slaby
2020-09-25 10:13 ` Peilin Ye
2020-09-25 10:13 ` Peilin Ye
2020-09-25 10:13 ` Peilin Ye
2020-09-25 10:13 ` [Linux-kernel-mentees] " Peilin Ye
2020-09-25 13:25 ` Daniel Vetter
2020-09-25 13:25 ` Daniel Vetter
2020-09-25 13:25 ` Daniel Vetter
2020-09-25 13:25 ` [Linux-kernel-mentees] " Daniel Vetter
2020-09-25 15:35 ` Peilin Ye
2020-09-25 15:35 ` Peilin Ye
2020-09-25 15:35 ` Peilin Ye
2020-09-25 15:35 ` [Linux-kernel-mentees] " Peilin Ye
2020-09-29 9:09 ` Daniel Vetter
2020-09-29 9:09 ` Daniel Vetter
2020-09-29 9:09 ` Daniel Vetter
2020-09-29 9:09 ` [Linux-kernel-mentees] " Daniel Vetter
2020-09-29 9:44 ` Peilin Ye
2020-09-29 9:44 ` Peilin Ye
2020-09-29 9:44 ` Peilin Ye
2020-09-29 9:44 ` [Linux-kernel-mentees] " Peilin Ye
2020-09-29 12:34 ` Peilin Ye
2020-09-29 12:34 ` Peilin Ye
2020-09-29 12:34 ` Peilin Ye
2020-09-29 12:34 ` [Linux-kernel-mentees] " Peilin Ye
2020-09-29 14:38 ` Daniel Vetter
2020-09-29 14:38 ` Daniel Vetter
2020-09-29 14:38 ` Daniel Vetter
2020-09-29 14:38 ` [Linux-kernel-mentees] " Daniel Vetter
2020-09-30 7:11 ` Peilin Ye
2020-09-30 7:11 ` Peilin Ye
2020-09-30 7:11 ` Peilin Ye
2020-09-30 7:11 ` [Linux-kernel-mentees] " Peilin Ye
2020-09-30 9:53 ` Daniel Vetter
2020-09-30 9:53 ` Daniel Vetter
2020-09-30 9:53 ` Daniel Vetter
2020-09-30 9:53 ` [Linux-kernel-mentees] " Daniel Vetter
2020-09-30 10:55 ` Peilin Ye
2020-09-30 10:55 ` Peilin Ye
2020-09-30 10:55 ` Peilin Ye
2020-09-30 10:55 ` [Linux-kernel-mentees] " Peilin Ye
2020-09-30 11:25 ` Daniel Vetter
2020-09-30 11:25 ` Daniel Vetter
2020-09-30 11:25 ` Daniel Vetter
2020-09-30 11:25 ` [Linux-kernel-mentees] " Daniel Vetter
2020-09-30 11:52 ` Greg Kroah-Hartman
2020-09-30 11:52 ` Greg Kroah-Hartman
2020-09-30 11:52 ` Greg Kroah-Hartman
2020-09-30 11:52 ` [Linux-kernel-mentees] " Greg Kroah-Hartman
2020-09-30 12:58 ` Peilin Ye
2020-09-30 12:58 ` Peilin Ye
2020-09-30 12:58 ` Peilin Ye
2020-09-30 12:58 ` [Linux-kernel-mentees] " Peilin Ye
2020-09-30 5:26 ` Jiri Slaby
2020-09-30 5:26 ` Jiri Slaby
2020-09-30 5:26 ` Jiri Slaby
2020-09-30 5:26 ` [Linux-kernel-mentees] " Jiri Slaby
2020-09-30 7:16 ` Peilin Ye
2020-09-30 7:16 ` Peilin Ye
2020-09-30 7:16 ` Peilin Ye
2020-09-30 7:16 ` [Linux-kernel-mentees] " Peilin Ye
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200924153035.GA879703@PWN \
--to=yepeilin.cs@gmail.com \
--cc=David.Laight@ACULAB.COM \
--cc=b.zolnierkie@samsung.com \
--cc=daniel.vetter@ffwll.ch \
--cc=dri-devel@lists.freedesktop.org \
--cc=gregkh@linuxfoundation.org \
--cc=jirislaby@kernel.org \
--cc=linux-fbdev@vger.kernel.org \
--cc=linux-kernel-mentees@lists.linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.