From: Peilin Ye <yepeilin.cs@gmail.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Cc: linux-fbdev@vger.kernel.org,
	Daniel Vetter <daniel.vetter@ffwll.ch>,
	syzkaller-bugs@googlegroups.com, linux-kernel@vger.kernel.org,
	dri-devel@lists.freedesktop.org,
	Jiri Slaby <jirislaby@kernel.org>,
	Peilin Ye <yepeilin.cs@gmail.com>,
	linux-kernel-mentees@lists.linuxfoundation.org
Subject: [PATCH 0/3] Prevent out-of-bounds access for built-in font data buffers
Date: Thu, 24 Sep 2020 13:38:22 +0000
Message-ID: <cover.1600953813.git.yepeilin.cs@gmail.com>
In-Reply-To: <0000000000006b9e8d059952095e@google.com>

Hi all,

syzbot has reported [1] a global out-of-bounds read issue in
fbcon_get_font(). A malicious user may resize `vc_font.height` to a large
value in vt_ioctl(), causing fbcon_get_font() to overflow our built-in
font data buffers, declared in lib/fonts/font_*.c:

(e.g. lib/fonts/font_8x8.c)
#define FONTDATAMAX 2048

static const unsigned char fontdata_8x8[FONTDATAMAX] = {

        /* 0 0x00 '^@' */
        0x00, /* 00000000 */
        0x00, /* 00000000 */
        0x00, /* 00000000 */
        0x00, /* 00000000 */
        0x00, /* 00000000 */
        0x00, /* 00000000 */
        0x00, /* 00000000 */
        0x00, /* 00000000 */
        [...]

In order to perform a reliable range check, fbcon_get_font() needs to know
`FONTDATAMAX` for each built-in font under lib/fonts/. Unfortunately, we
do not keep that information in our font descriptor,
`struct console_font`:

(include/uapi/linux/kd.h)
struct console_font {
	unsigned int width, height;	/* font size */
	unsigned int charcount;
	unsigned char *data;	/* font data with height fixed to 32 */
};

To make things worse, `struct console_font` is part of the UAPI, so we
cannot add a new field to keep track of `FONTDATAMAX`.

Fortunately, the framebuffer layer itself gives us a hint of how to
resolve this issue without changing UAPI. When allocating a buffer for a
user-provided font, fbcon_set_font() reserves four "extra words" at the
beginning of the buffer:

(drivers/video/fbdev/core/fbcon.c)
	new_data = kmalloc(FONT_EXTRA_WORDS * sizeof(int) + size, GFP_USER);
        [...]
	new_data += FONT_EXTRA_WORDS * sizeof(int);
	FNTSIZE(new_data) = size;
	FNTCHARCNT(new_data) = charcount;
	REFCOUNT(new_data) = 0;	/* usage counter */
        [...]
	FNTSUM(new_data) = csum;

Later, to get the size of a data buffer, the framebuffer layer simply
calls FNTSIZE() on it:

(drivers/video/fbdev/core/fbcon.h)
	/* Font */
	#define REFCOUNT(fd)	(((int *)(fd))[-1])
	#define FNTSIZE(fd)	(((int *)(fd))[-2])
	#define FNTCHARCNT(fd)	(((int *)(fd))[-3])
	#define FNTSUM(fd)	(((int *)(fd))[-4])
	#define FONT_EXTRA_WORDS 4

Currently, this is only done for user-provided fonts. Let us do the same
thing for built-in fonts, prepend these "extra words" (including
`FONTDATAMAX`) to their data buffers, so that other subsystems, like the
framebuffer layer, can use these macros on all fonts, no matter built-in
or user-provided. As an example, this series fixes the syzbot issue in
fbcon_get_font():

(drivers/video/fbdev/core/fbcon.c)
 	if (font->width <= 8) {
 		j = vc->vc_font.height;
+		if (font->charcount * j > FNTSIZE(fontdata))
+			return -EINVAL;
	[...]
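
Review bot: in the added check, `font->charcount * j` is evaluated in unsigned int arithmetic (charcount is `unsigned int` in the `struct console_font` quoted above, assuming j is no wider than int), so a large enough height can make the product wrap and compare below FNTSIZE(fontdata), which is the oversized-height case this letter describes. Consider check_mul_overflow() from <linux/overflow.h>, or doing the comparison in a wider type. FNTSIZE() also yields a signed int, so the comparison mixes signed and unsigned operands; a comment or cast making the "size is never negative" assumption explicit would help. The excerpt shows only the `font->width <= 8` branch, so it is worth confirming that the other width branches get an equivalent check.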

Similarly, newport_con also uses these macros. It only uses three of them:

(drivers/video/console/newport_con.c)
	/* borrowed from fbcon.c */
	#define REFCOUNT(fd)	(((int *)(fd))[-1])
	#define FNTSIZE(fd)	(((int *)(fd))[-2])
	#define FNTCHARCNT(fd)	(((int *)(fd))[-3])
	#define FONT_EXTRA_WORDS 3

To keep things simple, move all these macro definitions to <linux/font.h>,
use four words instead of three, and initialize the fourth word in
newport_set_font() properly.

Many thanks to Greg Kroah-Hartman <gregkh@linuxfoundation.org>, who
reviewed and improved this series!

[1]: KASAN: global-out-of-bounds Read in fbcon_get_font
     https://syzkaller.appspot.com/bug?id=08b8be45afea11888776f897895aef9ad1c3ecfd

Peilin Ye (3):
  fbdev, newport_con: Move FONT_EXTRA_WORDS macros into linux/font.h
  Fonts: Support FONT_EXTRA_WORDS macros for built-in fonts
  fbcon: Fix global-out-of-bounds read in fbcon_get_font()

 drivers/video/console/newport_con.c     |  7 +------
 drivers/video/fbdev/core/fbcon.c        | 12 ++++++++++++
 drivers/video/fbdev/core/fbcon.h        |  7 -------
 drivers/video/fbdev/core/fbcon_rotate.c |  1 +
 drivers/video/fbdev/core/tileblit.c     |  1 +
 include/linux/font.h                    | 13 +++++++++++++
 lib/fonts/font_10x18.c                  |  9 ++++-----
 lib/fonts/font_6x10.c                   |  9 +++++----
 lib/fonts/font_6x11.c                   |  9 ++++-----
 lib/fonts/font_7x14.c                   |  9 ++++-----
 lib/fonts/font_8x16.c                   |  9 ++++-----
 lib/fonts/font_8x8.c                    |  9 ++++-----
 lib/fonts/font_acorn_8x8.c              |  9 ++++++---
 lib/fonts/font_mini_4x6.c               |  8 ++++----
 lib/fonts/font_pearl_8x8.c              |  9 ++++-----
 lib/fonts/font_sun12x22.c               |  9 ++++-----
 lib/fonts/font_sun8x16.c                |  7 ++++---
 lib/fonts/font_ter16x32.c               |  9 ++++-----
 18 files changed, 79 insertions(+), 67 deletions(-)

-- 
2.25.1
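
The header layout and range check described in the cover letter above, as an added user-space example (not part of the original message or of the kernel series). font_alloc(), font_free(), font_get(), demo() and SLOT are hypothetical names, the glyph bytes are constructed, and the 64-bit product in the check is this example's own choice.

```c
/* User-space model of the "extra words" font header; not kernel code. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Macros as quoted in the cover letter (drivers/video/fbdev/core/fbcon.h). */
#define REFCOUNT(fd)	(((int *)(fd))[-1])
#define FNTSIZE(fd)	(((int *)(fd))[-2])
#define FNTCHARCNT(fd)	(((int *)(fd))[-3])
#define FNTSUM(fd)	(((int *)(fd))[-4])
#define FONT_EXTRA_WORDS 4

#define SLOT 32	/* hypothetical name: output glyph slot, "height fixed to 32" */

/* Hypothetical helper: allocate glyph data with the four words in front,
 * so every consumer can recover the buffer size from the data pointer. */
static unsigned char *font_alloc(int size, int charcount)
{
	unsigned char *p = calloc(1, FONT_EXTRA_WORDS * sizeof(int) + size);

	if (!p)
		return NULL;
	p += FONT_EXTRA_WORDS * sizeof(int);	/* callers only see the glyphs */
	FNTSIZE(p) = size;
	FNTCHARCNT(p) = charcount;
	REFCOUNT(p) = 0;
	FNTSUM(p) = 0;
	return p;
}

static void font_free(unsigned char *fontdata)
{
	if (fontdata)
		free(fontdata - FONT_EXTRA_WORDS * sizeof(int));
}

/* Hypothetical reader modelled on the width <= 8 case: copies `height`
 * bytes per glyph into 32-byte slots. `out` must hold charcount * SLOT. */
static int font_get(const unsigned char *fontdata, unsigned int charcount,
		    unsigned int height, unsigned char *out)
{
	int size = FNTSIZE(fontdata);
	unsigned int i;

	/* This model's own guard: a glyph must fit its output slot. */
	if (height == 0 || height > SLOT || size < 0)
		return -EINVAL;
	/* The range check from the letter, with the product widened to
	 * 64 bits so it cannot wrap before the comparison. */
	if ((uint64_t)charcount * height > (uint64_t)size)
		return -EINVAL;

	for (i = 0; i < charcount; i++) {
		memcpy(out, fontdata, height);
		memset(out + height, 0, SLOT - height);
		out += SLOT;
		fontdata += height;
	}
	return 0;
}

/* Constructed input: an 8x8-style font, 256 glyphs, 2048 data bytes. */
static int demo(unsigned int height)
{
	enum { CHARS = 256, SIZE = 2048 };
	unsigned char *font = font_alloc(SIZE, CHARS);
	unsigned char *out = calloc(CHARS, SLOT);
	int ret = -ENOMEM;

	if (font && out) {
		memset(font, 0xAA, SIZE);	/* constructed glyph bytes */
		ret = font_get(font, CHARS, height, out);
	}
	free(out);
	font_free(font);
	return ret;
}

int main(void)
{
	/* Height 8 matches the buffer; height 16 would need 4096 bytes. */
	printf("height  8 -> %d\n", demo(8));
	printf("height 16 -> %d\n", demo(16));
	return 0;
}
```

Without the FNTSIZE() comparison, the height 16 call would read 4096 bytes from a 2048-byte buffer, which is the out-of-bounds read the series addresses.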
