From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+14b0e8f3fd1612e35350@syzkaller.appspotmail.com,
stable <stable@kernel.org>,
Khalid Masum <khalid.masum.92@gmail.com>,
Helge Deller <deller@gmx.de>
Subject: [PATCH 4.19 22/79] vt: Clear selection before changing the font
Date: Tue, 13 Sep 2022 16:06:40 +0200 [thread overview]
Message-ID: <20220913140349.970511449@linuxfoundation.org> (raw)
In-Reply-To: <20220913140348.835121645@linuxfoundation.org>
From: Helge Deller <deller@gmx.de>
commit 566f9c9f89337792070b5a6062dff448b3e7977f upstream.
When changing the console font with ioctl(KDFONTOP) the new font size
can be bigger than the previous font. A previous selection may thus now
be outside of the new screen size and thus trigger out-of-bounds
accesses to graphics memory if the selection is removed in
vc_do_resize().
Prevent such out-of-memory accesses by dropping the selection before the
various con_font_set() console handlers are called.
Reported-by: syzbot+14b0e8f3fd1612e35350@syzkaller.appspotmail.com
Cc: stable <stable@kernel.org>
Tested-by: Khalid Masum <khalid.masum.92@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Link: https://lore.kernel.org/r/YuV9apZGNmGfjcor@p100
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/vt/vt.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -4518,9 +4518,11 @@ static int con_font_set(struct vc_data *
console_lock();
if (vc->vc_mode != KD_TEXT)
rc = -EINVAL;
- else if (vc->vc_sw->con_font_set)
+ else if (vc->vc_sw->con_font_set) {
+ if (vc_is_sel(vc))
+ clear_selection();
rc = vc->vc_sw->con_font_set(vc, &font, op->flags);
- else
+ } else
rc = -ENOSYS;
console_unlock();
kfree(font.data);
@@ -4547,9 +4549,11 @@ static int con_font_default(struct vc_da
console_unlock();
return -EINVAL;
}
- if (vc->vc_sw->con_font_default)
+ if (vc->vc_sw->con_font_default) {
+ if (vc_is_sel(vc))
+ clear_selection();
rc = vc->vc_sw->con_font_default(vc, &font, s);
- else
+ } else
rc = -ENOSYS;
console_unlock();
if (!rc) {
next prev parent reply other threads:[~2022-09-13 15:07 UTC|newest]
Thread overview: 88+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-13 14:06 [PATCH 4.19 00/79] 4.19.257-rc1 review Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 01/79] driver core: Dont probe devices after bus_type.match() probe deferral Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 02/79] efi: capsule-loader: Fix use-after-free in efi_capsule_write Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 03/79] wifi: iwlegacy: 4965: corrected fix for potential off-by-one overflow in il4965_rs_fill_link_cmd() Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 04/79] net: mvpp2: debugfs: fix memory leak when using debugfs_lookup() Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 05/79] fs: only do a memory barrier for the first set_buffer_uptodate() Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 06/79] Revert "mm: kmemleak: take a full lowmem check in kmemleak_*_phys()" Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 07/79] net: dp83822: disable false carrier interrupt Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 08/79] drm/msm/dsi: fix the inconsistent indenting Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 09/79] drm/msm/dsi: Fix number of regulators for msm8996_dsi_cfg Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 10/79] platform/x86: pmc_atom: Fix SLP_TYPx bitfield mask Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 11/79] ieee802154/adf7242: defer destroy_workqueue call Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 12/79] wifi: cfg80211: debugfs: fix return type in ht40allow_map_read() Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 13/79] Revert "xhci: turn off port power in shutdown" Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 14/79] ethernet: rocker: fix sleep in atomic context bug in neigh_timer_handler Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 15/79] kcm: fix strp_init() order and cleanup Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 16/79] sch_cake: Return __NET_XMIT_STOLEN when consuming enqueued skb Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 17/79] tcp: annotate data-race around challenge_timestamp Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 18/79] Revert "sch_cake: Return __NET_XMIT_STOLEN when consuming enqueued skb" Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 19/79] net/smc: Remove redundant refcount increase Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 20/79] serial: fsl_lpuart: RS485 RTS polariy is inverse Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 21/79] staging: rtl8712: fix use after free bugs Greg Kroah-Hartman
2022-09-13 14:06 ` Greg Kroah-Hartman [this message]
2022-09-13 14:06 ` [PATCH 4.19 23/79] USB: serial: ftdi_sio: add Omron CS1W-CIF31 device id Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 24/79] binder: fix UAF of ref->proc caused by race condition Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 25/79] drm/i915/reg: Fix spelling mistake "Unsupport" -> "Unsupported" Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 26/79] clk: core: Honor CLK_OPS_PARENT_ENABLE for clk gate ops Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 27/79] Revert "clk: core: Honor CLK_OPS_PARENT_ENABLE for clk gate ops" Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 28/79] clk: core: Fix runtime PM sequence in clk_core_unprepare() Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 29/79] Input: rk805-pwrkey - fix module autoloading Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 30/79] hwmon: (gpio-fan) Fix array out of bounds access Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 31/79] thunderbolt: Use the actual buffer in tb_async_error() Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 32/79] xhci: Add grace period after xHC start to prevent premature runtime suspend Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 33/79] USB: serial: cp210x: add Decagon UCA device id Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 34/79] USB: serial: option: add support for OPPO R11 diag port Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 35/79] USB: serial: option: add Quectel EM060K modem Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 36/79] USB: serial: option: add support for Cinterion MV32-WA/WB RmNet mode Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 37/79] usb: typec: altmodes/displayport: correct pin assignment for UFP receptacles Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 38/79] usb: dwc2: fix wrong order of phy_power_on and phy_init Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 39/79] USB: cdc-acm: Add Icom PMR F3400 support (0c26:0020) Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 40/79] usb-storage: Add ignore-residue quirk for NXP PN7462AU Greg Kroah-Hartman
2022-09-13 14:06 ` [PATCH 4.19 41/79] s390/hugetlb: fix prepare_hugepage_range() check for 2 GB hugepages Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 42/79] s390: fix nospec table alignments Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 43/79] USB: core: Prevent nested device-reset calls Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 44/79] usb: gadget: mass_storage: Fix cdrom data transfers on MAC-OS Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 45/79] wifi: mac80211: Dont finalize CSA in IBSS mode if state is disconnected Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 46/79] net: mac802154: Fix a condition in the receive path Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 47/79] ALSA: seq: oss: Fix data-race for max_midi_devs access Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 48/79] ALSA: seq: Fix data-race at module auto-loading Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 49/79] drm/amdgpu: Check num_gfx_rings for gfx v9_0 rb setup Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 50/79] drm/radeon: add a force flush to delay work when radeon Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 51/79] parisc: ccio-dma: Handle kmalloc failure in ccio_init_resources() Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 52/79] parisc: Add runtime check to prevent PA2.0 kernels on PA1.x machines Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 53/79] arm64: cacheinfo: Fix incorrect assignment of signed error value to unsigned fw_level Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 54/79] arm64/signal: Raise limit on stack frames Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 55/79] fbdev: chipsfb: Add missing pci_disable_device() in chipsfb_pci_init() Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 56/79] drm/amdgpu: mmVM_L2_CNTL3 register not initialized correctly Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 57/79] ALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc() Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 58/79] ALSA: aloop: Fix random zeros in capture data when using jiffies timer Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 59/79] ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface() Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 60/79] kprobes: Prohibit probes in gate area Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 61/79] debugfs: add debugfs_lookup_and_remove() Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 62/79] scsi: mpt3sas: Fix use-after-free warning Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 63/79] soc: brcmstb: pm-arm: Fix refcount leak and __iomem leak bugs Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 64/79] netfilter: br_netfilter: Drop dst references before setting Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 65/79] netfilter: nf_conntrack_irc: Fix forged IP logic Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 66/79] sch_sfb: Dont assume the skb is still around after enqueueing to child Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 67/79] tipc: fix shift wrapping bug in map_get() Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 68/79] i40e: Fix kernel crash during module removal Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 69/79] ipv6: sr: fix out-of-bounds read when setting HMAC data Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 70/79] RDMA/mlx5: Set local port to one when accessing counters Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 71/79] tcp: fix early ETIMEDOUT after spurious non-SACK RTO Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 72/79] sch_sfb: Also store skb len before calling child enqueue Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 73/79] usb: dwc3: fix PHY disable sequence Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 74/79] USB: serial: ch341: fix lost character on LCR updates Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 75/79] USB: serial: ch341: fix disabled rx timer on older devices Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 76/79] usb: dwc3: qcom: fix use-after-free on runtime-PM wakeup Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 77/79] x86/nospec: Fix i386 RSB stuffing Greg Kroah-Hartman
2022-09-14 18:46 ` Ben Hutchings
2022-09-15 8:35 ` Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 78/79] MIPS: loongson32: ls1c: Fix hang during startup Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.19 79/79] SUNRPC: use _bh spinlocking on ->transport_lock Greg Kroah-Hartman
2022-09-14 9:33 ` [PATCH 4.19 00/79] 4.19.257-rc1 review Sudip Mukherjee
2022-09-14 9:51 ` Pavel Machek
2022-09-14 12:08 ` Naresh Kamboju
2022-09-14 15:32 ` Jon Hunter
2022-09-15 0:14 ` Guenter Roeck
2022-09-17 2:04 ` zhouzhixiu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220913140349.970511449@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=deller@gmx.de \
--cc=khalid.masum.92@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+14b0e8f3fd1612e35350@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).