diff for duplicates of <20200926193957.GA1033221@PWN> diff --git a/a/1.txt b/N1/1.txt index ca09a4e..5653aed 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -5,7 +5,7 @@ On Sun, Sep 27, 2020 at 01:25:17AM +0900, Tetsuo Handa wrote: > > > -> Since vc_resize() with v.v_rows = 0 preserves current vc->vc_rows value, +> Since vc_resize() with v.v_rows == 0 preserves current vc->vc_rows value, > this reproducer is bypassing > > if (v.v_clin) { @@ -17,10 +17,10 @@ On Sun, Sep 27, 2020 at 01:25:17AM +0900, Tetsuo Handa wrote: > } > } > -> check by setting v.v_vlin = 1 and v.v_clin = 9. +> check by setting v.v_vlin == 1 and v.v_clin == 9. > > If v.v_vcol > 0 and v.v_vcol != vc->vc_cols (though this reproducer is passing -> v.v_vcol = 0), tty_do_resize() from vc_do_resize() from vc_resize() can make +> v.v_vcol == 0), tty_do_resize() from vc_do_resize() from vc_resize() can make > "struct tty_struct"->winsize.ws_ypixel = 1 despite > "struct tty_struct"->winsize.vc->vc_rows = vc->vc_rows (which is usually larger > than 1). Does such winsize (a row has 1 / vc->vc_rows pixel) make sense? @@ -88,9 +88,14 @@ is to add a range check in bit_putcs(), or bit_putcs_aligned(). causing more issues: KASAN: global-out-of-bounds Read in fbcon_get_font -Link: https://syzkaller.appspot.com/bug?id\bb8be45afea11888776f897895aef9ad1c3ecfd +Link: https://syzkaller.appspot.com/bug?id=08b8be45afea11888776f897895aef9ad1c3ecfd This was also caused by `VT_RESIZEX`... Thank you, Peilin Ye + +_______________________________________________ +dri-devel mailing list +dri-devel@lists.freedesktop.org +https://lists.freedesktop.org/mailman/listinfo/dri-devel diff --git a/a/content_digest b/N1/content_digest index 76e8d65..5ba44d3 100644 --- a/a/content_digest +++ b/N1/content_digest 
@@ -2,7 +2,7 @@ "ref\0bbcef674-4ac6-c933-b55d-8961ada97f4c@i-love.sakura.ne.jp\0" "From\0Peilin Ye <yepeilin.cs@gmail.com>\0" "Subject\0Re: KASAN: use-after-free Read in bit_putcs\0" - "Date\0Sat, 26 Sep 2020 19:39:57 +0000\0" + "Date\0Sat, 26 Sep 2020 15:39:57 -0400\0" "To\0Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>\0" "Cc\0syzbot <syzbot+b308f5fd049fbbc6e74f@syzkaller.appspotmail.com>" linux-fbdev@vger.kernel.org @@ -24,7 +24,7 @@ "> \n" "> \n" "> \n" - "> Since vc_resize() with v.v_rows = 0 preserves current vc->vc_rows value,\n" + "> Since vc_resize() with v.v_rows == 0 preserves current vc->vc_rows value,\n" "> this reproducer is bypassing\n" "> \n" "> \tif (v.v_clin) {\n" @@ -36,10 +36,10 @@ "> \t\t}\n" "> \t}\n" "> \n" - "> check by setting v.v_vlin = 1 and v.v_clin = 9.\n" + "> check by setting v.v_vlin == 1 and v.v_clin == 9.\n" "> \n" "> If v.v_vcol > 0 and v.v_vcol != vc->vc_cols (though this reproducer is passing\n" - "> v.v_vcol = 0), tty_do_resize() from vc_do_resize() from vc_resize() can make\n" + "> v.v_vcol == 0), tty_do_resize() from vc_do_resize() from vc_resize() can make\n" "> \"struct tty_struct\"->winsize.ws_ypixel = 1 despite\n" "> \"struct tty_struct\"->winsize.vc->vc_rows = vc->vc_rows (which is usually larger\n" "> than 1). Does such winsize (a row has 1 / vc->vc_rows pixel) make sense?\n" 
@@ -107,11 +107,16 @@ "causing more issues:\n" "\n" "KASAN: global-out-of-bounds Read in fbcon_get_font\n" - "Link: https://syzkaller.appspot.com/bug?id\bb8be45afea11888776f897895aef9ad1c3ecfd\n" + "Link: https://syzkaller.appspot.com/bug?id=08b8be45afea11888776f897895aef9ad1c3ecfd\n" "\n" "This was also caused by `VT_RESIZEX`...\n" "\n" "Thank you,\n" - Peilin Ye + "Peilin Ye\n" + "\n" + "_______________________________________________\n" + "dri-devel mailing list\n" + "dri-devel@lists.freedesktop.org\n" + https://lists.freedesktop.org/mailman/listinfo/dri-devel -b89a662e72e68f651c658c879965720e23d2d3f2b7a030b5e95f6569570ad102 +a3a2633d02e46cc613f2e302aa87ce661aeb0aec191be9c4c5b367ff5b297b61
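Review bot: the N1 body hunks `@@ -88,9 +88,14 @@` in 1.txt and `@@ -107,11 +107,16 @@` in content_digest differ from the a/ copy only by the appended dri-devel mailman trailer (`_______`, `dri-devel mailing list`, the listinfo URL), which is list-injected text rather than part of the author's message; a digest meant to detect duplicate copies should strip such trailers before hashing, otherwise every list-relayed copy of the same message gets a distinct digest, which is exactly what the final `-b89a662e…` / `+a3a2633d…` lines show.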
diff --git a/a/1.txt b/N2/1.txt index ca09a4e..5bc2fa4 100644 --- a/a/1.txt +++ b/N2/1.txt @@ -5,7 +5,7 @@ On Sun, Sep 27, 2020 at 01:25:17AM +0900, Tetsuo Handa wrote: > > > -> Since vc_resize() with v.v_rows = 0 preserves current vc->vc_rows value, +> Since vc_resize() with v.v_rows == 0 preserves current vc->vc_rows value, > this reproducer is bypassing > > if (v.v_clin) { @@ -17,10 +17,10 @@ On Sun, Sep 27, 2020 at 01:25:17AM +0900, Tetsuo Handa wrote: > } > } > -> check by setting v.v_vlin = 1 and v.v_clin = 9. +> check by setting v.v_vlin == 1 and v.v_clin == 9. > > If v.v_vcol > 0 and v.v_vcol != vc->vc_cols (though this reproducer is passing -> v.v_vcol = 0), tty_do_resize() from vc_do_resize() from vc_resize() can make +> v.v_vcol == 0), tty_do_resize() from vc_do_resize() from vc_resize() can make > "struct tty_struct"->winsize.ws_ypixel = 1 despite > "struct tty_struct"->winsize.vc->vc_rows = vc->vc_rows (which is usually larger > than 1). Does such winsize (a row has 1 / vc->vc_rows pixel) make sense? @@ -88,7 +88,7 @@ is to add a range check in bit_putcs(), or bit_putcs_aligned(). causing more issues: KASAN: global-out-of-bounds Read in fbcon_get_font -Link: https://syzkaller.appspot.com/bug?id\bb8be45afea11888776f897895aef9ad1c3ecfd +Link: https://syzkaller.appspot.com/bug?id=08b8be45afea11888776f897895aef9ad1c3ecfd This was also caused by `VT_RESIZEX`... diff --git a/a/content_digest b/N2/content_digest index 76e8d65..0a76a17 100644 --- a/a/content_digest +++ b/N2/content_digest 
@@ -2,18 +2,18 @@ "ref\0bbcef674-4ac6-c933-b55d-8961ada97f4c@i-love.sakura.ne.jp\0" "From\0Peilin Ye <yepeilin.cs@gmail.com>\0" "Subject\0Re: KASAN: use-after-free Read in bit_putcs\0" - "Date\0Sat, 26 Sep 2020 19:39:57 +0000\0" + "Date\0Sat, 26 Sep 2020 15:39:57 -0400\0" "To\0Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>\0" "Cc\0syzbot <syzbot+b308f5fd049fbbc6e74f@syzkaller.appspotmail.com>" - linux-fbdev@vger.kernel.org b.zolnierkie@samsung.com daniel.vetter@ffwll.ch deller@gmx.de - syzkaller-bugs@googlegroups.com - linux-kernel@vger.kernel.org - dri-devel@lists.freedesktop.org gregkh@linuxfoundation.org jirislaby@kernel.org + syzkaller-bugs@googlegroups.com + dri-devel@lists.freedesktop.org + linux-fbdev@vger.kernel.org + linux-kernel@vger.kernel.org " yepeilin.cs@gmail.com\0" "\00:1\0" "b\0" @@ -24,7 +24,7 @@ "> \n" "> \n" "> \n" - "> Since vc_resize() with v.v_rows = 0 preserves current vc->vc_rows value,\n" + "> Since vc_resize() with v.v_rows == 0 preserves current vc->vc_rows value,\n" "> this reproducer is bypassing\n" "> \n" "> \tif (v.v_clin) {\n" @@ -36,10 +36,10 @@ "> \t\t}\n" "> \t}\n" "> \n" - "> check by setting v.v_vlin = 1 and v.v_clin = 9.\n" + "> check by setting v.v_vlin == 1 and v.v_clin == 9.\n" "> \n" "> If v.v_vcol > 0 and v.v_vcol != vc->vc_cols (though this reproducer is passing\n" - "> v.v_vcol = 0), tty_do_resize() from vc_do_resize() from vc_resize() can make\n" + "> v.v_vcol == 0), tty_do_resize() from vc_do_resize() from vc_resize() can make\n" "> \"struct tty_struct\"->winsize.ws_ypixel = 1 despite\n" "> \"struct tty_struct\"->winsize.vc->vc_rows = vc->vc_rows (which is usually larger\n" "> than 1). Does such winsize (a row has 1 / vc->vc_rows pixel) make sense?\n" 
@@ -107,11 +107,11 @@ "causing more issues:\n" "\n" "KASAN: global-out-of-bounds Read in fbcon_get_font\n" - "Link: https://syzkaller.appspot.com/bug?id\bb8be45afea11888776f897895aef9ad1c3ecfd\n" + "Link: https://syzkaller.appspot.com/bug?id=08b8be45afea11888776f897895aef9ad1c3ecfd\n" "\n" "This was also caused by `VT_RESIZEX`...\n" "\n" "Thank you,\n" Peilin Ye -b89a662e72e68f651c658c879965720e23d2d3f2b7a030b5e95f6569570ad102 +5a4c1246a3669b95c29b260d1627e8197ad393e0e21c8f9102b2ce3022789390
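Review bot: the `@@ -5,7 +5,7 @@` and `@@ -17,10 +17,10 @@` hunks of 1.txt (and the matching `@@ -24,7` / `@@ -36,10` hunks of content_digest) in both N1 and N2 change Tetsuo Handa's quoted text from `v.v_rows = 0` to `v.v_rows == 0`, and likewise `v.v_vlin`, `v.v_clin` and `v.v_vcol`; nothing in the diff shows which copy preserved the original bytes, so before either copy is treated as canonical the index should record the source each copy was fetched from rather than silently preferring one, since a quoted reply's wording is the author's and should not be normalised.

Review bot: in the `Link:` hunks (`@@ -88` in 1.txt, `@@ -107` in content_digest, both N1 and N2) the a/ copy's `id\bb8be45…` is a quoted-printable decoding artifact: `=08` is the QP encoding of byte 0x08 (backspace), so a decoder turned the first two characters of the bug id into a control character and left a 39-character id; the `+` line `id=08b8be45afea11888776f897895aef9ad1c3ecfd` carries the full 40-hex-character id and is the correct URL, so the a/ copy, not the replacement, is the corrupted one.

Review bot: the `@@ -2,7 +2,7 @@` (N1) and `@@ -2,18 +2,18 @@` (N2) header hunks of content_digest change `Date` from `19:39:57 +0000` to `15:39:57 -0400`, which is the same instant written in a different zone, and the N2 hunk additionally reorders the same nine Cc addresses (`b.zolnierkie@samsung.com`, `daniel.vetter@ffwll.ch`, `deller@gmx.de`, `gregkh@linuxfoundation.org`, `jirislaby@kernel.org`, `syzkaller-bugs@googlegroups.com`, `dri-devel@lists.freedesktop.org`, `linux-fbdev@vger.kernel.org`, `linux-kernel@vger.kernel.org`) without adding or dropping any; neither difference is a change to the message, so a duplicate-detection digest should normalise `Date` to UTC and sort recipient lists before hashing, or these copies will keep being reported as distinct.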