* [PATCH] fbcon: Fix a NULL pointer dereference issue in fbcon_putcs
@ 2024-09-16 1:10 Qianqiang Liu
2024-09-17 6:25 ` Helge Deller
0 siblings, 1 reply; 4+ messages in thread
From: Qianqiang Liu @ 2024-09-16 1:10 UTC (permalink / raw)
To: aniel, deller, gregkh, linux-kernel
Cc: linux-fbdev, dri-devel, Qianqiang Liu, stable,
syzbot+3d613ae53c031502687a
syzbot has found a NULL pointer dereference bug in fbcon [1].
This issue is caused by ops->putcs being a NULL pointer.
We need to check the pointer before using it.
[1] https://syzkaller.appspot.com/bug?extid=3d613ae53c031502687a
Cc: stable@vger.kernel.org
Reported-and-tested-by: syzbot+3d613ae53c031502687a@syzkaller.appspotmail.com
Signed-off-by: Qianqiang Liu <qianqiang.liu@163.com>
---
drivers/video/fbdev/core/fbcon.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index 3f7333dca508..96c1262cc981 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -1284,7 +1284,7 @@ static void fbcon_putcs(struct vc_data *vc, const u16 *s, unsigned int count,
struct fbcon_display *p = &fb_display[vc->vc_num];
struct fbcon_ops *ops = info->fbcon_par;
- if (!fbcon_is_inactive(vc, info))
+ if (!fbcon_is_inactive(vc, info) && ops->putcs)
ops->putcs(vc, info, s, count, real_y(p, ypos), xpos,
get_color(vc, info, scr_readw(s), 1),
get_color(vc, info, scr_readw(s), 0));
--
2.39.2
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] fbcon: Fix a NULL pointer dereference issue in fbcon_putcs
2024-09-16 1:10 Qianqiang Liu
@ 2024-09-17 6:25 ` Helge Deller
2024-09-20 15:30 ` Qianqiang Liu
0 siblings, 1 reply; 4+ messages in thread
From: Helge Deller @ 2024-09-17 6:25 UTC (permalink / raw)
To: Qianqiang Liu, aniel, gregkh, linux-kernel
Cc: linux-fbdev, dri-devel, stable, syzbot+3d613ae53c031502687a
On 9/16/24 03:10, Qianqiang Liu wrote:
> syzbot has found a NULL pointer dereference bug in fbcon [1].
>
> This issue is caused by ops->putcs being a NULL pointer.
> We need to check the pointer before using it.
>
> [1] https://syzkaller.appspot.com/bug?extid=3d613ae53c031502687a
>
> Cc: stable@vger.kernel.org
> Reported-and-tested-by: syzbot+3d613ae53c031502687a@syzkaller.appspotmail.com
> Signed-off-by: Qianqiang Liu <qianqiang.liu@163.com>
> ---
> drivers/video/fbdev/core/fbcon.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
> index 3f7333dca508..96c1262cc981 100644
> --- a/drivers/video/fbdev/core/fbcon.c
> +++ b/drivers/video/fbdev/core/fbcon.c
> @@ -1284,7 +1284,7 @@ static void fbcon_putcs(struct vc_data *vc, const u16 *s, unsigned int count,
> struct fbcon_display *p = &fb_display[vc->vc_num];
> struct fbcon_ops *ops = info->fbcon_par;
>
> - if (!fbcon_is_inactive(vc, info))
> + if (!fbcon_is_inactive(vc, info) && ops->putcs)
I think this patch just hides the real problem.
How could putcs have become NULL ?
Helge
> ops->putcs(vc, info, s, count, real_y(p, ypos), xpos,
> get_color(vc, info, scr_readw(s), 1),
> get_color(vc, info, scr_readw(s), 0));
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH] fbcon: Fix a NULL pointer dereference issue in fbcon_putcs
@ 2024-09-17 7:28 Qianqiang Liu
0 siblings, 0 replies; 4+ messages in thread
From: Qianqiang Liu @ 2024-09-17 7:28 UTC (permalink / raw)
To: Helge Deller
Cc: linux-fbdev, linux-kernel, dri-devel, stable,
syzbot+3d613ae53c031502687a
> I think this patch just hides the real problem.
> How could putcs have become NULL ?
>
> Helge
Oh, you are right!
I will figure it out.
Best,
Qianqiang Liu
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] fbcon: Fix a NULL pointer dereference issue in fbcon_putcs
2024-09-17 6:25 ` Helge Deller
@ 2024-09-20 15:30 ` Qianqiang Liu
0 siblings, 0 replies; 4+ messages in thread
From: Qianqiang Liu @ 2024-09-20 15:30 UTC (permalink / raw)
To: Helge Deller
Cc: aniel, gregkh, linux-kernel, linux-fbdev, dri-devel, stable,
syzbot+3d613ae53c031502687a
Hi,
I simplified the C reproducer as follows:
#include <stdint.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <linux/fb.h>
#include <linux/tiocl.h>
#include <sys/ioctl.h>
struct param {
uint8_t type;
struct tiocl_selection ts;
};
int main()
{
write(1, "executing program\n", sizeof("executing program\n") - 1);
int fd = open("/dev/fb1", 0, 0);
struct fb_con2fbmap con2fb;
con2fb.console = 0x19;
con2fb.framebuffer = 0;
ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb);
int fd1 = open("/dev/tty1", O_RDWR, 0);
struct param param;
param.type = 2;
param.ts.xs = 0;
param.ts.ys = 0;
param.ts.xe = 0;
param.ts.ye = 0;
param.ts.sel_mode = 0;
ioctl(fd1, TIOCLINUX, ¶m);
con2fb.console = 1;
con2fb.framebuffer = 0;
ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb);
return 0;
}
But I still need time to debug the kernel code..
--
Best,
Qianqiang Liu
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2024-09-20 15:31 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-09-17 7:28 [PATCH] fbcon: Fix a NULL pointer dereference issue in fbcon_putcs Qianqiang Liu
-- strict thread matches above, loose matches on Subject: below --
2024-09-16 1:10 Qianqiang Liu
2024-09-17 6:25 ` Helge Deller
2024-09-20 15:30 ` Qianqiang Liu
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).