[PATCH v3] char: tty3270: fix a missing check on list iterator

public inbox for linux-s390@vger.kernel.org
 help / color / mirror / Atom feed

From: Xiaomeng Tong <xiam0nd.tong@gmail.com>
To: hca@linux.ibm.com, gor@linux.ibm.com, agordeev@linux.ibm.com
Cc: borntraeger@linux.ibm.com, svens@linux.ibm.com,
	gregkh@linuxfoundation.org, jirislaby@kernel.org,
	jcmvbkbc@gmail.com, elder@linaro.org, dsterba@suse.com,
	linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org,
	Xiaomeng Tong <xiam0nd.tong@gmail.com>,
	stable@vger.kernel.org
Subject: [PATCH v3] char: tty3270: fix a missing check on list iterator
Date: Mon, 28 Mar 2022 17:35:05 +0800	[thread overview]
Message-ID: <20220328093505.27902-1-xiam0nd.tong@gmail.com> (raw)

The bug is here:
	if (s->len != flen) {

The list iterator 's' will point to a bogus position containing
HEAD if the list is empty or no element is found. This case must
be checked before any use of the iterator, otherwise it may bpass
the 'if (s->len != flen) {' in theory iif s->len's value is flen,
or/and lead to an invalid memory access.

To fix this bug, use a new variable 'iter' as the list iterator,
while using the origin variable 's' as a dedicated pointer to
point to the found element. And if the list is empty or no element
is found, WARN_ON and return.

Cc: stable@vger.kernel.org
Fixes: ^1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
---
changes since v2:
 - WARN_ON and return (Sven Schnelle)

changes since v1:
 - reallocate s when s == NULL (Sven Schnelle)

v1:https://lore.kernel.org/lkml/20220327064931.7775-1-xiam0nd.tong@gmail.com/
v2:https://lore.kernel.org/lkml/20220328070543.24671-1-xiam0nd.tong@gmail.com/

---
 drivers/s390/char/tty3270.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/drivers/s390/char/tty3270.c b/drivers/s390/char/tty3270.c
index 5c83f71c1d0e..9d0952178322 100644
--- a/drivers/s390/char/tty3270.c
+++ b/drivers/s390/char/tty3270.c
@@ -1109,9 +1109,9 @@ static void tty3270_put_character(struct tty3270 *tp, char ch)
 static void
 tty3270_convert_line(struct tty3270 *tp, int line_nr)
 {
+	struct string *s = NULL, *n, *iter;
 	struct tty3270_line *line;
 	struct tty3270_cell *cell;
-	struct string *s, *n;
 	unsigned char highlight;
 	unsigned char f_color;
 	char *cp;
@@ -1142,9 +1142,14 @@ tty3270_convert_line(struct tty3270 *tp, int line_nr)
 
 	/* Find the line in the list. */
 	i = tp->view.rows - 2 - line_nr;
-	list_for_each_entry_reverse(s, &tp->lines, list)
-		if (--i <= 0)
+	list_for_each_entry_reverse(iter, &tp->lines, list)
+		if (--i <= 0) {
+			s = iter;
 			break;
+		 }
+
+	if(WARN_ON(!s))
+		return;
 	/*
 	 * Check if the line needs to get reallocated.
 	 */
-- 
2.17.1

next             reply	other threads:[~2022-03-28  9:35 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-03-28  9:35 Xiaomeng Tong [this message]
2022-03-28 10:09 ` [PATCH v3] char: tty3270: fix a missing check on list iterator Jiri Slaby
2022-03-28 10:26   ` Sven Schnelle
2022-03-28 10:27   ` Xiaomeng Tong
2022-03-29  6:07     ` Jiri Slaby
  -- strict thread matches above, loose matches on Subject: below --
2022-03-28 12:10 Xiaomeng Tong

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:5c83f71c1d0 dfblob:9d095217832 )
 OR (
bs:"[PATCH v3] char: tty3270: fix a missing check on list iterator" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220328093505.27902-1-xiam0nd.tong@gmail.com \
    --to=xiam0nd.tong@gmail.com \
    --cc=agordeev@linux.ibm.com \
    --cc=borntraeger@linux.ibm.com \
    --cc=dsterba@suse.com \
    --cc=elder@linaro.org \
    --cc=gor@linux.ibm.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=hca@linux.ibm.com \
    --cc=jcmvbkbc@gmail.com \
    --cc=jirislaby@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-s390@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=svens@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox