From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Jiri Slaby
Date: Thu, 30 Jul 2020 06:46:31 +0000
Subject: Re: [PATCH] vgacon: fix out of bounds write to the scrollback buffer
Message-Id: <659f8dcf-7802-1ca1-1372-eb7fefd4d8f4@kernel.org>
References: <20200729130710.GA13262@openwall.com>
To: 张云海, Solar Designer
Cc: Linux Fbdev development list, Kyungtae Kim, b.zolnierkie@samsung.com, Greg KH, Linux kernel mailing list, DRI devel, Anthony Liguori, Yang Yingliang, xiao.zhang@windriver.com, Linus Torvalds, "Srivatsa S. Bhat"

Hi, OTOH, you should have CCed all the (public) lists.

On 30. 07. 20, 4:50, 张云海 wrote:
> Zhang Xiao points out that the check should use > instead of >=,
> otherwise the last line will be skip.
> I agree with that, so I modify the patch.
> Could you please verify that it is still correct and sufficient?

IMO, yes, correct -- I was thinking about this yesterday too. Just an
example: hypothetically, if we had:
size_row = 1
tail = 29
size = 30

data[29] would be the last accessible member. Writing to data + tail (as
"29 + 1 > 30" doesn't hold, so the modified check would pass), i.e.
data[29] is still OK. So yes, > is OK, >= would waste space and would be
actually incorrect.

> BTW, Zhang Xiao also points out that the check after the memcpy can be
> remove.
> I also think that was right, but vgacon_scrollback_cur->tail may keep
> the value vgacon_scrollback_cur->size in some case. That is not a
> problem in vgacon_scrollback_update because of the check before the
> memcpy. However, that may break some other code which assumes that
> vgacon_scrollback_cur->tail won't be vgacon_scrollback_cur->size. I do
> not know if there are such code, and if it is the code actually should
> check it too. But I still not remove the check in the patch to make sure
> it won't breaks other code.

As I wrote about this yesterday:
===
I am also not sure the test I was pointing out on the top of this
message would be of any use after the change. But maybe leave the code
rest in peace.
===

I would let it as is in this particular code. Especially because
vgacon_scrolldelta takes ->tail into consideration and I was too lazy to
study the code there. But if you are willing to study the code there and
confirm the check is superfluous, feel free to remove it. Perhaps in a
separate patch. I was actually testing with the check removed and didn't
hit any issue (which means, in fact, exactly nothing).

> From ad143ede24ff4e61292cc9c96000100aacd97259 Mon Sep 17 00:00:00 2001
> From: Yunhai Zhang
> Date: Tue, 28 Jul 2020 09:58:03 +0800
> Subject: [PATCH] Fix for missing check in vgacon scrollback handling
>
> vgacon_scrollback_update() always left enbough room in the scrollback

"leaves enough"

> buffer for the next call, but if the console size changed that room
> might not actually be enough, and so we need to re-check.

Also, could you add reasoning why you are adding the check to the loop
and not outside (for instance, use your reasoning with numbers or CSI M
as an example).

Could you add a sample output here, something like I had:
===
    This leads to random crashes or KASAN reports like:
    BUG: KASAN: slab-out-of-bounds in vgacon_scroll+0x57a/0x8ed
===

It's then easier to google for when this happens to someone who runs
non-patched kernels.

> This fixes CVE-2020-14331.
>
> Reported-and-debugged-by: 张云海
> Reported-and-debugged-by: Yang Yingliang
> Reported-by: Kyungtae Kim
> Fixes: 15bdab959c9b ([PATCH] vgacon: Add support for soft scrollback)
> Cc: Linus Torvalds
> Cc: Greg KH
> Cc: Solar Designer
> Cc: "Srivatsa S. Bhat"
> Cc: Anthony Liguori
> Cc: Yang Yingliang
> Cc: Bartlomiej Zolnierkiewicz

Oh, and we should:
Cc: stable@vger.kernel.org

> Signed-off-by: Yunhai Zhang
> ---
>  drivers/video/console/vgacon.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c
> index 998b0de1812f..37b5711cd958 100644
> --- a/drivers/video/console/vgacon.c
> +++ b/drivers/video/console/vgacon.c
> @@ -251,6 +251,10 @@ static void vgacon_scrollback_update(struct vc_data *c, int t, int count)
>  	p = (void *) (c->vc_origin + t * c->vc_size_row);
>  
>  	while (count--) {
> +		if ((vgacon_scrollback_cur->tail + c->vc_size_row) >
> +		    vgacon_scrollback_cur->size)
> +			vgacon_scrollback_cur->tail = 0;
> +
>  		scr_memcpyw(vgacon_scrollback_cur->data +
>  			    vgacon_scrollback_cur->tail,
>  			    p, c->vc_size_row);

thanks,
-- 
js
suse labs
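
Review bot: in the check added inside while (count--), tail is reset to 0 when tail + c->vc_size_row > size, but nothing in the visible lines establishes that c->vc_size_row <= size; if a row could ever be larger than the buffer, the scr_memcpyw() at offset 0 would still run past the end. If that bound is guaranteed elsewhere, state it in the commit message or a comment; otherwise return early for that case. The hunk also carries no comment on why the test sits inside the loop rather than before it: each iteration copies another c->vc_size_row bytes at tail, so the bound has to be re-evaluated per row, and one line saying so would answer the question raised in the reply.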
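
The > versus >= argument and the resize case from the commit message, as an added userspace model (not code from this thread or from the kernel). The ring layout, the fill bytes, the helper names and the form of the post-copy check are assumptions; the values 1, 29 and 30 are the ones used in the reply.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RING_SIZE 30  /* "size = 30" from the reply */
#define SLACK     16  /* canary bytes after the ring so an overrun is observable */

enum check { AFTER_ONLY, BEFORE_GT, BEFORE_GE };

struct ring {
    unsigned char mem[RING_SIZE + SLACK];
    size_t size;  /* usable bytes are mem[0] .. mem[size - 1] */
    size_t tail;  /* byte offset where the next row is stored */
};

static void ring_init(struct ring *r, size_t tail)
{
    memset(r->mem, 0x00, RING_SIZE);
    memset(r->mem + RING_SIZE, 0xAA, SLACK);  /* canary pattern */
    r->size = RING_SIZE;
    r->tail = tail;
}

/* Store `count` rows of `row` bytes; -1 if the model's own limits are exceeded. */
static int ring_push(struct ring *r, size_t row, int count, enum check how)
{
    if (row == 0 || row > SLACK || r->tail >= r->size)
        return -1;
    while (count--) {
        /* Pre-copy wrap check: the patch's form (>) or the rejected form (>=). */
        if ((how == BEFORE_GT && r->tail + row > r->size) ||
            (how == BEFORE_GE && r->tail + row >= r->size))
            r->tail = 0;

        memset(r->mem + r->tail, 0x55, row);  /* stands in for scr_memcpyw() */

        /* Post-copy check: assumed form, the thread only mentions that it exists. */
        r->tail += row;
        if (r->tail >= r->size)
            r->tail = 0;
    }
    return 0;
}

static size_t count_bytes(const unsigned char *p, size_t n, unsigned char v)
{
    size_t i, hits = 0;
    for (i = 0; i < n; i++)
        if (p[i] == v)
            hits++;
    return hits;
}

/* Two 10-byte rows, then the row size grows to 12 (console resized).
 * Returns how many canary bytes past the ring were overwritten. */
size_t resize_overrun(enum check how)
{
    struct ring r;
    ring_init(&r, 0);
    ring_push(&r, 10, 2, how);
    ring_push(&r, 12, 1, how);
    return SLACK - count_bytes(r.mem + RING_SIZE, SLACK, 0xAA);
}

/* The reply's numbers: size_row = 1, tail = 29, size = 30. */
int last_slot_used(enum check how)
{
    struct ring r;
    ring_init(&r, 29);
    ring_push(&r, 1, 1, how);
    return r.mem[29] == 0x55;
}

/* Nine 10-byte rows into the 30-byte ring: how many ring bytes are ever used? */
size_t bytes_used(enum check how)
{
    struct ring r;
    ring_init(&r, 0);
    ring_push(&r, 10, 9, how);
    return count_bytes(r.mem, RING_SIZE, 0x55);
}

int main(void)
{
    printf("overrun after resize: none=%zu  >=%zu\n",
           resize_overrun(AFTER_ONLY), resize_overrun(BEFORE_GT));
    printf("data[29] written:     > %d  >= %d\n",
           last_slot_used(BEFORE_GT), last_slot_used(BEFORE_GE));
    printf("ring bytes used:      > %zu  >= %zu\n",
           bytes_used(BEFORE_GT), bytes_used(BEFORE_GE));
    return 0;
}
```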