* [PATCH] tty: vt: Fix slab-out-of-bounds write in do_con_write @ 2026-03-21 6:23 yuhaocheng035 2026-03-21 6:32 ` Greg Kroah-Hartman 0 siblings, 1 reply; 4+ messages in thread From: yuhaocheng035 @ 2026-03-21 6:23 UTC (permalink / raw) To: Greg Kroah-Hartman, Jiri Slaby Cc: Nicolas Pitre, linux-kernel, linux-serial, Calixte Pernot From: Haocheng Yu <yuhaocheng035@gmail.com> A KASAN: slab-out-of-bounds Write in do_con_write issue is reported by a modified Syzkaller-based kernel fuzzing tool that we developed. The report indicates the problem lies in vc_con_write_normal drivers/tty/vt/vt.c:3141(scr_writew(tc, (u16*)vc->vc_pos)), which writes 2 bytes to the right of the allocated region at 2634 bytes. Since it did not provide any repro program or enough information, the cause remains unclear. However, adding a validity check of vc->vc_pos before scr_writew should avoid this issue. Signed-off-by: Haocheng Yu <yuhaocheng035@gmail.com> --- drivers/tty/vt/vt.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c index 6e0089b85c27..95d860f09837 100644 --- a/drivers/tty/vt/vt.c +++ b/drivers/tty/vt/vt.c @@ -3138,6 +3138,13 @@ static int vc_con_write_normal(struct vc_data *vc, int tc, int c, (tc & 0xff); tc |= (vc_attr << 8) & ~himask; + unsigned long end = vc->vc_origin + vc->vc_screenbuf_size; + + if (WARN_ON_ONCE(vc->vc_screenbuf_size < 2 || + end < vc->vc_origin || + vc->vc_pos < vc->vc_origin || + vc->vc_pos > end - 2)) + return -1; + scr_writew(tc, (u16 *)vc->vc_pos); if (con_should_update(vc) && draw->x < 0) { base-commit: 7d0a66e4bb9081d75c82ec4957c50034cb0ea449 -- 2.51.0 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] tty: vt: Fix slab-out-of-bounds write in do_con_write 2026-03-21 6:23 [PATCH] tty: vt: Fix slab-out-of-bounds write in do_con_write yuhaocheng035 @ 2026-03-21 6:32 ` Greg Kroah-Hartman 2026-03-21 6:37 ` Greg Kroah-Hartman 2026-03-22 7:32 ` Haocheng Yu 0 siblings, 2 replies; 4+ messages in thread From: Greg Kroah-Hartman @ 2026-03-21 6:32 UTC (permalink / raw) To: yuhaocheng035 Cc: Jiri Slaby, Nicolas Pitre, linux-kernel, linux-serial, Calixte Pernot On Sat, Mar 21, 2026 at 02:23:12PM +0800, yuhaocheng035@gmail.com wrote: > From: Haocheng Yu <yuhaocheng035@gmail.com> > > A KASAN: slab-out-of-bounds Write in do_con_write issue is reported by > a modified Syzkaller-based kernel fuzzing tool that we developed. The > report indicates the problem lies in vc_con_write_normal > drivers/tty/vt/vt.c:3141(scr_writew(tc, (u16*)vc->vc_pos)), which writes > 2 bytes to the right of the allocated region at 2634 bytes. > > Since it did not provide any repro program or enough information, > the cause remains unclear. However, adding a validity check of vc->vc_pos > before scr_writew should avoid this issue. > > Signed-off-by: Haocheng Yu <yuhaocheng035@gmail.com> What commit caused this problem to show up? And without more information, or a reproducer, I'm a bit loath to take this change. > --- > drivers/tty/vt/vt.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c > index 6e0089b85c27..95d860f09837 100644 > --- a/drivers/tty/vt/vt.c > +++ b/drivers/tty/vt/vt.c > @@ -3138,6 +3138,13 @@ static int vc_con_write_normal(struct vc_data *vc, int tc, int c, > (tc & 0xff); > tc |= (vc_attr << 8) & ~himask; > > + unsigned long end = vc->vc_origin + vc->vc_screenbuf_size; Ideally do not create new variables in the middle of a function, checkpatch should have warned about this. > + > + if (WARN_ON_ONCE(vc->vc_screenbuf_size < 2 || > + end < vc->vc_origin || > + vc->vc_pos < vc->vc_origin || > + vc->vc_pos > end - 2)) That's not good, if panic-on-warn is enabled, as it is in a few billion Linux systems, you just rebooted the machine, turning a simple overwrite into a denial-of-service, not fixing anything at all, but making it worse :( > + return -1; Do not make up error numbers :( thanks, greg k-h ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] tty: vt: Fix slab-out-of-bounds write in do_con_write 2026-03-21 6:32 ` Greg Kroah-Hartman @ 2026-03-21 6:37 ` Greg Kroah-Hartman 2026-03-22 7:32 ` Haocheng Yu 1 sibling, 0 replies; 4+ messages in thread From: Greg Kroah-Hartman @ 2026-03-21 6:37 UTC (permalink / raw) To: yuhaocheng035 Cc: Jiri Slaby, Nicolas Pitre, linux-kernel, linux-serial, Calixte Pernot On Sat, Mar 21, 2026 at 07:32:34AM +0100, Greg Kroah-Hartman wrote: > > + return -1; > > Do not make up error numbers :( Ah, I see this value being returned elsewhere in this function, nevermind, my fault. But really, it should be an -ERROR value, not just -1. thanks, greg k-h ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] tty: vt: Fix slab-out-of-bounds write in do_con_write 2026-03-21 6:32 ` Greg Kroah-Hartman 2026-03-21 6:37 ` Greg Kroah-Hartman @ 2026-03-22 7:32 ` Haocheng Yu 1 sibling, 0 replies; 4+ messages in thread From: Haocheng Yu @ 2026-03-22 7:32 UTC (permalink / raw) To: Greg Kroah-Hartman Cc: Jiri Slaby, Nicolas Pitre, linux-kernel, linux-serial, Calixte Pernot I only ran my fuzzer on v6.18, so I'm unsure what commit caused the issue. I tried analyzing the cause, but the crash report provided limited information. I tried directly analyzing the code, but a possible race condition with vc_do_resize() is unlikely due to the console_lock, and the state.x out-of-bounds issue is invalidated by the restrictions in gotoxy(). Furthermore, no reproducer were provided, making it difficult to verify some of my hypotheses. My initial thought was that although the specific cause was uncertain, since scr_writew() causes slab-out-of-bounds writes, adding a check before scr_writew() would solve the problem. After reading your explanation, I realize my thinking was quite naive. Therefore, I think I may not be able to provide a better patch at the moment. Please ignore this patch. BTW, I ran `./scripts/checkpatch.pl --strict` indeed, but it didn't warn me about the variable created. I'll pay attention next time. Anyway, thanks for reviewing my patch. Best regards, Haocheng > What commit caused this problem to show up? > > And without more information, or a reproducer, I'm a bit loath to take > this change. > > > --- > > drivers/tty/vt/vt.c | 7 +++++++ > > 1 file changed, 7 insertions(+) > > > > diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c > > index 6e0089b85c27..95d860f09837 100644 > > --- a/drivers/tty/vt/vt.c > > +++ b/drivers/tty/vt/vt.c > > @@ -3138,6 +3138,13 @@ static int vc_con_write_normal(struct vc_data *vc, int tc, int c, > > (tc & 0xff); > > tc |= (vc_attr << 8) & ~himask; > > > > + unsigned long end = vc->vc_origin + vc->vc_screenbuf_size; > > Ideally do not create new variables in the middle of a function, > checkpatch should have warned about this. > > > + > > + if (WARN_ON_ONCE(vc->vc_screenbuf_size < 2 || > > + end < vc->vc_origin || > > + vc->vc_pos < vc->vc_origin || > > + vc->vc_pos > end - 2)) > > That's not good, if panic-on-warn is enabled, as it is in a few billion > Linux systems, you just rebooted the machine, turning a simple overwrite > into a denial-of-service, not fixing anything at all, but making it > worse :( > > > + return -1; > > Do not make up error numbers :( > > thanks, > > greg k-h ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-03-22 7:32 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2026-03-21 6:23 [PATCH] tty: vt: Fix slab-out-of-bounds write in do_con_write yuhaocheng035 2026-03-21 6:32 ` Greg Kroah-Hartman 2026-03-21 6:37 ` Greg Kroah-Hartman 2026-03-22 7:32 ` Haocheng Yu
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox