[PATCH 4.9 06/42] vt: Clear selection before changing the font

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	syzbot+14b0e8f3fd1612e35350@syzkaller.appspotmail.com,
	stable <stable@kernel.org>,
	Khalid Masum <khalid.masum.92@gmail.com>,
	Helge Deller <deller@gmx.de>
Subject: [PATCH 4.9 06/42] vt: Clear selection before changing the font
Date: Tue, 13 Sep 2022 16:07:37 +0200	[thread overview]
Message-ID: <20220913140342.566361976@linuxfoundation.org> (raw)
In-Reply-To: <20220913140342.228397194@linuxfoundation.org>

From: Helge Deller <deller@gmx.de>

commit 566f9c9f89337792070b5a6062dff448b3e7977f upstream.

When changing the console font with ioctl(KDFONTOP) the new font size
can be bigger than the previous font. A previous selection may thus now
be outside of the new screen size and thus trigger out-of-bounds
accesses to graphics memory if the selection is removed in
vc_do_resize().

Prevent such out-of-memory accesses by dropping the selection before the
various con_font_set() console handlers are called.

Reported-by: syzbot+14b0e8f3fd1612e35350@syzkaller.appspotmail.com
Cc: stable <stable@kernel.org>
Tested-by: Khalid Masum <khalid.masum.92@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Link: https://lore.kernel.org/r/YuV9apZGNmGfjcor@p100
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/vt/vt.c |   12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -4183,9 +4183,11 @@ static int con_font_set(struct vc_data *
 	console_lock();
 	if (vc->vc_mode != KD_TEXT)
 		rc = -EINVAL;
-	else if (vc->vc_sw->con_font_set)
+	else if (vc->vc_sw->con_font_set) {
+		if (vc_is_sel(vc))
+			clear_selection();
 		rc = vc->vc_sw->con_font_set(vc, &font, op->flags);
-	else
+	} else
 		rc = -ENOSYS;
 	console_unlock();
 	kfree(font.data);
@@ -4212,9 +4214,11 @@ static int con_font_default(struct vc_da
 		console_unlock();
 		return -EINVAL;
 	}
-	if (vc->vc_sw->con_font_default)
+	if (vc->vc_sw->con_font_default) {
+		if (vc_is_sel(vc))
+			clear_selection();
 		rc = vc->vc_sw->con_font_default(vc, &font, s);
-	else
+	} else
 		rc = -ENOSYS;
 	console_unlock();
 	if (!rc) {

next prev parent reply	other threads:[~2022-09-13 15:33 UTC|newest]

Thread overview: 50+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-09-13 14:07 [PATCH 4.9 00/42] 4.9.328-rc1 review Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 01/42] fbdev: fb_pm2fb: Avoid potential divide by zero error Greg Kroah-Hartman
2022-11-23  6:34   ` Ulrich Hecht
2022-11-30 16:41     ` Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 02/42] platform/x86: pmc_atom: Fix SLP_TYPx bitfield mask Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 03/42] wifi: cfg80211: debugfs: fix return type in ht40allow_map_read() Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 04/42] serial: fsl_lpuart: RS485 RTS polariy is inverse Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 05/42] staging: rtl8712: fix use after free bugs Greg Kroah-Hartman
2022-09-13 14:07 ` Greg Kroah-Hartman [this message]
2022-09-13 14:07 ` [PATCH 4.9 07/42] USB: serial: ftdi_sio: add Omron CS1W-CIF31 device id Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 08/42] hwmon: (gpio-fan) Fix array out of bounds access Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 09/42] xhci: Add grace period after xHC start to prevent premature runtime suspend Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 10/42] USB: serial: cp210x: add Decagon UCA device id Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 11/42] USB: serial: option: add support for OPPO R11 diag port Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 12/42] USB: serial: option: add support for Cinterion MV32-WA/WB RmNet mode Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 13/42] USB: cdc-acm: Add Icom PMR F3400 support (0c26:0020) Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 14/42] usb-storage: Add ignore-residue quirk for NXP PN7462AU Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 15/42] s390/hugetlb: fix prepare_hugepage_range() check for 2 GB hugepages Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 16/42] s390: fix nospec table alignments Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 17/42] USB: core: Prevent nested device-reset calls Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 18/42] usb: gadget: mass_storage: Fix cdrom data transfers on MAC-OS Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 19/42] wifi: mac80211: Dont finalize CSA in IBSS mode if state is disconnected Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 20/42] net: mac802154: Fix a condition in the receive path Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 21/42] ALSA: seq: oss: Fix data-race for max_midi_devs access Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 22/42] ALSA: seq: Fix data-race at module auto-loading Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 23/42] fs: only do a memory barrier for the first set_buffer_uptodate() Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 24/42] Revert "mm: kmemleak: take a full lowmem check in kmemleak_*_phys()" Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 25/42] drm/radeon: add a force flush to delay work when radeon Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 26/42] parisc: ccio-dma: Handle kmalloc failure in ccio_init_resources() Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 27/42] parisc: Add runtime check to prevent PA2.0 kernels on PA1.x machines Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.9 28/42] fbdev: chipsfb: Add missing pci_disable_device() in chipsfb_pci_init() Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 29/42] ALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc() Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 30/42] ALSA: aloop: Fix random zeros in capture data when using jiffies timer Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 31/42] ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface() Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 32/42] scsi: mpt3sas: Fix use-after-free warning Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 33/42] driver core: Dont probe devices after bus_type.match() probe deferral Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 34/42] netfilter: br_netfilter: Drop dst references before setting Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 35/42] netfilter: nf_conntrack_irc: Fix forged IP logic Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 36/42] sch_sfb: Dont assume the skb is still around after enqueueing to child Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 37/42] tipc: fix shift wrapping bug in map_get() Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 38/42] tcp: fix early ETIMEDOUT after spurious non-SACK RTO Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 39/42] sch_sfb: Also store skb len before calling child enqueue Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 40/42] usb: dwc3: fix PHY disable sequence Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 41/42] MIPS: loongson32: ls1c: Fix hang during startup Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.9 42/42] SUNRPC: use _bh spinlocking on ->transport_lock Greg Kroah-Hartman
2022-09-14  9:50 ` [PATCH 4.9 00/42] 4.9.328-rc1 review Pavel Machek
2022-09-14 12:40 ` Naresh Kamboju
2022-09-14 15:26 ` Jon Hunter
2022-09-14 17:46 ` Florian Fainelli
2022-09-15  0:16 ` Guenter Roeck

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220913140342.566361976@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=deller@gmx.de \
    --cc=khalid.masum.92@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=syzbot+14b0e8f3fd1612e35350@syzkaller.appspotmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.