From: Sam Ravnborg <sam@ravnborg.org>
To: "tcs_kernel(腾讯云内核开发者)" <tcs_kernel@tencent.com>
Cc: "linux-fbdev@vger.kernel.org" <linux-fbdev@vger.kernel.org>,
"ducheng2@gmail.com" <ducheng2@gmail.com>,
"penguin-kernel@I-love.SAKURA.ne.jp"
<penguin-kernel@i-love.sakura.ne.jp>,
"gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"dri-devel@lists.freedesktop.org"
<dri-devel@lists.freedesktop.org>,
"george.kennedy@oracle.com" <george.kennedy@oracle.com>,
"tzimmermann@suse.de" <tzimmermann@suse.de>,
"daniel.vetter@ffwll.ch" <daniel.vetter@ffwll.ch>,
"yepeilin.cs@gmail.com" <yepeilin.cs@gmail.com>
Subject: Re: [PATCH] fbcon: Out-Of-Bounds write in sys_imageblit, add range check
Date: Mon, 26 Jul 2021 15:45:21 +0200
Message-ID: <YP68cQ4WVVusCv0N@ravnborg.org>
In-Reply-To: <D5DF8A1C-5FA2-426B-AAB4-3199AEA0A02E@tencent.com>
Hi,
On Mon, Jul 26, 2021 at 11:32:37AM +0000, tcs_kernel(腾讯云内核开发者) wrote:
> yres and vyres can be controlled by user mode parameters, and cause p->vrows to become a negative value. When this value is passed to the real_y function, the ypos will be out of screen range.
> This is an out-of-bounds write bug.
Please investigate if you can validate the user-supplied values for yres
and vyres earlier so the code never reaches the below statements.
This would also make it much more explicit what is going on.
Sam
>
>
> diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
> index 22bb3892f6bd..0970de46782f 100644
> --- a/drivers/video/fbdev/core/fbcon.c
> +++ b/drivers/video/fbdev/core/fbcon.c
> @@ -1956,11 +1956,12 @@ static void updatescrollmode(struct fbcon_display *p,
> int yres = FBCON_SWAP(ops->rotate, info->var.yres, info->var.xres);
> int vyres = FBCON_SWAP(ops->rotate, info->var.yres_virtual,
> info->var.xres_virtual);
> + int rows = vc->vc_rows;
>
> p->vrows = vyres/fh;
> - if (yres > (fh * (vc->vc_rows + 1)))
> - p->vrows -= (yres - (fh * vc->vc_rows)) / fh;
> - if ((yres % fh) && (vyres % fh < yres % fh))
> + if ((yres > (fh * (rows + 1))) && (vyres >= (yres - (fh * rows))) && p->vrows)
> + p->vrows -= (yres - (fh * rows)) / fh;
> + if ((yres % fh) && (vyres % fh < yres % fh) && p->vrows)
> p->vrows--;
> }
>
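Review bot: the rewritten first condition only skips the adjustment when vyres is smaller than yres - (fh * rows), so for exactly the inconsistent geometry the commit message describes, p->vrows is silently left at vyres/fh and nothing rejects or reports the bad values. Rejecting the yres/vyres combination where it enters from user space, as the reply above asks, would make the invariant explicit and let this function keep its original two conditions. If the checks stay here, each added clause needs a comment saying which case it guards. The `&& p->vrows` on the first condition looks redundant: with fh positive, `yres > fh * (rows + 1)` together with `vyres >= yres - fh * rows` already implies vyres > fh, so vyres/fh is at least 1. The patch also still allows p->vrows to end up as 0 (the subtraction can consume the whole value and the decrement is then skipped), so the commit message should state whether real_y and the other users of p->vrows tolerate zero.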
Thread overview: 9+ messages
2021-07-26 11:32 [PATCH] fbcon: Out-Of-Bounds write in sys_imageblit, add range check tcs_kernel(腾讯云内核开发者)
2021-07-26 11:32 ` tcs_kernel(腾讯云内核开发者)
2021-07-26 13:00 ` gregkh
2021-07-26 13:00 ` gregkh
2021-07-26 13:45 ` Sam Ravnborg [this message]
2021-07-27 1:53 ` [Internet]Re: " tcs_kernel(腾讯云内核开发者)
2021-07-27 1:53 ` tcs_kernel(腾讯云内核开发者)
2021-07-27 5:35 ` gregkh
2021-07-27 5:35 ` gregkh