From: Greg KH <gregkh@linuxfoundation.org>
To: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc: syzbot <syzbot+b308f5fd049fbbc6e74f@syzkaller.appspotmail.com>,
	linux-fbdev@vger.kernel.org,
	George Kennedy <george.kennedy@oracle.com>,
	b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, deller@gmx.de,
	syzkaller-bugs@googlegroups.com, linux-kernel@vger.kernel.org,
	dri-devel@lists.freedesktop.org,
	Linus Torvalds <torvalds@linux-foundation.org>,
	jirislaby@kernel.org, Peilin Ye <yepeilin.cs@gmail.com>
Subject: Re: [PATCH] vt_ioctl: make VT_RESIZEX behave like VT_RESIZE
Date: Sun, 27 Sep 2020 12:06:58 +0000
Message-ID: <20200927120658.GA107433@kroah.com>
In-Reply-To: <4933b81b-9b1a-355b-df0e-9b31e8280ab9@i-love.sakura.ne.jp>

On Sun, Sep 27, 2020 at 08:46:30PM +0900, Tetsuo Handa wrote:
> syzbot is reporting UAF/OOB read at bit_putcs()/soft_cursor() [1][2], for
> vt_resizex() from ioctl(VT_RESIZEX) allows setting font height larger than
> actual font height calculated by con_font_set() from ioctl(PIO_FONT).
> Since fbcon_set_font() from con_font_set() allocates minimal amount of
> memory based on actual font height calculated by con_font_set(),
> use of vt_resizex() can cause UAF/OOB read for font data.
> 
> VT_RESIZEX was introduced in Linux 1.3.3, but it is unclear that what
> comes to the "+ more" part, and I couldn't find a user of VT_RESIZEX.
> 
>   #define VT_RESIZE   0x5609 /* set kernel's idea of screensize */
>   #define VT_RESIZEX  0x560A /* set kernel's idea of screensize + more */
> 
> So far we are not aware of syzbot reports caused by setting non-zero value
> to v_vlin parameter. But given that it is possible that nobody is using
> VT_RESIZEX, we can try removing support for v_clin and v_vlin parameters.

Debian code search doesn't show any users, and that's usually a good
indication of what userspace ioctls for old things like this are being
used for.

So this makes sense to me, I'll queue it up, thanks!

greg k-h
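
The size mismatch described in the quoted commit message, as an added user-space C model (not part of this thread and not kernel code): the font buffer is sized from the real glyph height, while the resize path can overwrite the height the renderer uses. All struct and function names are hypothetical, and the model assumes 8-pixel-wide glyphs stored one byte per row.

```c
#include <stdio.h>
#include <stdlib.h>

/* User-space model only; every name here is hypothetical, not kernel code. */
struct model_vc {
    unsigned char *font_data;  /* glyph bitmaps, one byte per pixel row */
    size_t font_size;          /* bytes actually allocated */
    unsigned int font_height;  /* rows per glyph the renderer assumes */
};

/* Font load: the buffer is sized from the real glyph height. */
int model_font_set(struct model_vc *vc, unsigned int height, unsigned int count)
{
    unsigned char *p = calloc(count, height);
    if (!p)
        return -1;
    free(vc->font_data);
    vc->font_data = p;
    vc->font_size = (size_t)count * height;
    vc->font_height = height;
    return 0;
}

/* Resize: before the patch v_clin replaces the height and the buffer is
 * left untouched; with patched != 0 the value is ignored. */
void model_resizex(struct model_vc *vc, unsigned int v_clin, int patched)
{
    if (v_clin && !patched)
        vc->font_height = v_clin;
}

/* Bytes a renderer would read past the buffer for glyph c; 0 = in bounds. */
size_t model_glyph_overrun(const struct model_vc *vc, unsigned int c)
{
    size_t end = ((size_t)c + 1) * vc->font_height;
    return end > vc->font_size ? end - vc->font_size : 0;
}

int main(void)
{
    struct model_vc vc = {0};
    if (model_font_set(&vc, 16, 256))
        return 1;
    model_resizex(&vc, 32, 0);  /* constructed input: height doubled */
    printf("glyph 255 overrun: %zu bytes\n", model_glyph_overrun(&vc, 255));
    free(vc.font_data);
    return 0;
}
```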

