[PATCH 4.19 0/2] Fix CVE-2021-33655

Linux kernel -stable discussions
 help / color / mirror / Atom feed

* [PATCH 4.19 0/2] Fix CVE-2021-33655
@ 2024-08-29 16:14 hsimeliere.opensource
  2024-08-29 16:14 ` [PATCH 4.19 1/2] fbcon: Prevent that screen size is smaller than font size hsimeliere.opensource
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: hsimeliere.opensource @ 2024-08-29 16:14 UTC (permalink / raw)
  To: stable


https://nvd.nist.gov/vuln/detail/CVE-2021-33655

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [PATCH 4.19 1/2] fbcon: Prevent that screen size is smaller than font size
  2024-08-29 16:14 [PATCH 4.19 0/2] Fix CVE-2021-33655 hsimeliere.opensource
@ 2024-08-29 16:14 ` hsimeliere.opensource
  2024-08-29 16:14 ` [PATCH 4.19 2/2] fbmem: Check virtual screen sizes in fb_set_var() hsimeliere.opensource
  2024-08-30 13:01 ` [PATCH 4.19 0/2] Fix CVE-2021-33655 Greg KH
  2 siblings, 0 replies; 4+ messages in thread
From: hsimeliere.opensource @ 2024-08-29 16:14 UTC (permalink / raw)
  To: stable; +Cc: Helge Deller, Geert Uytterhoeven, Hugo SIMELIERE

From: Helge Deller <deller@gmx.de>

commit e64242caef18b4a5840b0e7a9bff37abd4f4f933 upstream.

We need to prevent that users configure a screen size which is smaller than the
currently selected font size. Otherwise rendering chars on the screen will
access memory outside the graphics memory region.

This patch adds a new function fbcon_modechange_possible() which
implements this check and which later may be extended with other checks
if necessary.  The new function is called from the FBIOPUT_VSCREENINFO
ioctl handler in fbmem.c, which will return -EINVAL if userspace asked
for a too small screen size.

Signed-off-by: Helge Deller <deller@gmx.de>
Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: stable@vger.kernel.org # v5.4+
Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
---
 drivers/video/fbdev/core/fbcon.c | 28 ++++++++++++++++++++++++++++
 drivers/video/fbdev/core/fbmem.c |  9 ++++++---
 include/linux/fbcon.h            |  4 ++++
 3 files changed, 38 insertions(+), 3 deletions(-)

diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index dea5275254ef..402020776a3c 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -2734,6 +2734,34 @@ static void fbcon_set_all_vcs(struct fb_info *info)
 		fbcon_modechanged(info);
 }
 
+/* let fbcon check if it supports a new screen resolution */
+int fbcon_modechange_possible(struct fb_info *info, struct fb_var_screeninfo *var)
+{
+	struct fbcon_ops *ops = info->fbcon_par;
+	struct vc_data *vc;
+	unsigned int i;
+
+	WARN_CONSOLE_UNLOCKED();
+
+	if (!ops)
+		return 0;
+
+	/* prevent setting a screen size which is smaller than font size */
+	for (i = first_fb_vc; i <= last_fb_vc; i++) {
+		vc = vc_cons[i].d;
+		if (!vc || vc->vc_mode != KD_TEXT ||
+			   registered_fb[con2fb_map[i]] != info)
+			continue;
+
+		if (vc->vc_font.width  > FBCON_SWAP(var->rotate, var->xres, var->yres) ||
+		    vc->vc_font.height > FBCON_SWAP(var->rotate, var->yres, var->xres))
+			return -EINVAL;
+	}
+
+	return 0;
+}
+EXPORT_SYMBOL_GPL(fbcon_modechange_possible);
+
 static int fbcon_mode_deleted(struct fb_info *info,
 			      struct fb_videomode *mode)
 {
diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
index 2297dfb494d6..4449c1fa9f76 100644
--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c
@@ -1121,9 +1121,12 @@ static long do_fb_ioctl(struct fb_info *info, unsigned int cmd,
 			console_unlock();
 			return -ENODEV;
 		}
-		info->flags |= FBINFO_MISC_USEREVENT;
-		ret = fb_set_var(info, &var);
-		info->flags &= ~FBINFO_MISC_USEREVENT;
+		ret = fbcon_modechange_possible(info, &var);
+		if (!ret) {
+			info->flags |= FBINFO_MISC_USEREVENT;
+			ret = fb_set_var(info, &var);
+			info->flags &= ~FBINFO_MISC_USEREVENT;
+		}
 		unlock_fb_info(info);
 		console_unlock();
 		if (!ret && copy_to_user(argp, &var, sizeof(var)))
diff --git a/include/linux/fbcon.h b/include/linux/fbcon.h
index f68a7db14165..39939d55c834 100644
--- a/include/linux/fbcon.h
+++ b/include/linux/fbcon.h
@@ -4,9 +4,13 @@
 #ifdef CONFIG_FRAMEBUFFER_CONSOLE
 void __init fb_console_init(void);
 void __exit fb_console_exit(void);
+int  fbcon_modechange_possible(struct fb_info *info,
+			       struct fb_var_screeninfo *var);
 #else
 static inline void fb_console_init(void) {}
 static inline void fb_console_exit(void) {}
+static inline int  fbcon_modechange_possible(struct fb_info *info,
+				struct fb_var_screeninfo *var) { return 0; }
 #endif
 
 #endif /* _LINUX_FBCON_H */
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* [PATCH 4.19 2/2] fbmem: Check virtual screen sizes in fb_set_var()
  2024-08-29 16:14 [PATCH 4.19 0/2] Fix CVE-2021-33655 hsimeliere.opensource
  2024-08-29 16:14 ` [PATCH 4.19 1/2] fbcon: Prevent that screen size is smaller than font size hsimeliere.opensource
@ 2024-08-29 16:14 ` hsimeliere.opensource
  2024-08-30 13:01 ` [PATCH 4.19 0/2] Fix CVE-2021-33655 Greg KH
  2 siblings, 0 replies; 4+ messages in thread
From: hsimeliere.opensource @ 2024-08-29 16:14 UTC (permalink / raw)
  To: stable; +Cc: Helge Deller, Geert Uytterhoeven, Hugo SIMELIERE

From: Helge Deller <deller@gmx.de>

commit 6c11df58fd1ac0aefcb3b227f72769272b939e56 upstream.

Verify that the fbdev or drm driver correctly adjusted the virtual
screen sizes. On failure report the failing driver and reject the screen
size change.

Signed-off-by: Helge Deller <deller@gmx.de>
Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: stable@vger.kernel.org # v5.4+
Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
---
 drivers/video/fbdev/core/fbmem.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
index 4449c1fa9f76..114a8c534406 100644
--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c
@@ -1006,6 +1006,17 @@ fb_set_var(struct fb_info *info, struct fb_var_screeninfo *var)
 		if (ret)
 			goto done;
 
+		/* verify that virtual resolution >= physical resolution */
+		if (var->xres_virtual < var->xres ||
+		    var->yres_virtual < var->yres) {
+			pr_warn("WARNING: fbcon: Driver '%s' missed to adjust virtual screen size (%ux%u vs. %ux%u)\n",
+				info->fix.id,
+				var->xres_virtual, var->yres_virtual,
+				var->xres, var->yres);
+			ret = -EINVAL;
+			goto done;
+		}
+
 		if ((var->activate & FB_ACTIVATE_MASK) == FB_ACTIVATE_NOW) {
 			struct fb_var_screeninfo old_var;
 			struct fb_videomode mode;
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH 4.19 0/2] Fix CVE-2021-33655
  2024-08-29 16:14 [PATCH 4.19 0/2] Fix CVE-2021-33655 hsimeliere.opensource
  2024-08-29 16:14 ` [PATCH 4.19 1/2] fbcon: Prevent that screen size is smaller than font size hsimeliere.opensource
  2024-08-29 16:14 ` [PATCH 4.19 2/2] fbmem: Check virtual screen sizes in fb_set_var() hsimeliere.opensource
@ 2024-08-30 13:01 ` Greg KH
  2 siblings, 0 replies; 4+ messages in thread
From: Greg KH @ 2024-08-30 13:01 UTC (permalink / raw)
  To: hsimeliere.opensource; +Cc: stable

On Thu, Aug 29, 2024 at 06:14:02PM +0200, hsimeliere.opensource@witekio.com wrote:
> 
> https://nvd.nist.gov/vuln/detail/CVE-2021-33655
> 

Now queued up, thanks.

greg k-h

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2024-08-30 13:01 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-08-29 16:14 [PATCH 4.19 0/2] Fix CVE-2021-33655 hsimeliere.opensource
2024-08-29 16:14 ` [PATCH 4.19 1/2] fbcon: Prevent that screen size is smaller than font size hsimeliere.opensource
2024-08-29 16:14 ` [PATCH 4.19 2/2] fbmem: Check virtual screen sizes in fb_set_var() hsimeliere.opensource
2024-08-30 13:01 ` [PATCH 4.19 0/2] Fix CVE-2021-33655 Greg KH

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox