* Text mode VGA-console scrolling is broken in upstream & stable trees @ 2025-07-30 14:06 Jari Ruusu 2025-07-30 14:26 ` Greg Kroah-Hartman 2025-07-31 7:22 ` Jiri Slaby 0 siblings, 2 replies; 6+ messages in thread From: Jari Ruusu @ 2025-07-30 14:06 UTC (permalink / raw) To: Yi Yang, GONG Ruiqi, Helge Deller, Greg Kroah-Hartman, Sasha Levin, Linus Torvalds Cc: stable@vger.kernel.org, linux-kernel@vger.kernel.org The patch that broke text mode VGA-console scrolling is this one: "vgacon: Add check for vc_origin address range in vgacon_scroll()" commit 864f9963ec6b4b76d104d595ba28110b87158003 upstream. How to preproduce: (1) boot a kernel that is configured to use text mode VGA-console (2) type commands: ls -l /usr/bin | less -S (3) scroll up/down with cursor-down/up keys Above mentioned patch seems to have landed in upstream and all kernel.org stable trees with zero testing. Even minimal testing would have shown that it breaks text mode VGA-console scrolling. Greg, Sasha, Linus, Please consider reverting that buggy patch from all affected trees. -- Jari Ruusu 4096R/8132F189 12D6 4C3A DCDA 0AA4 27BD ACDF F073 3C80 8132 F189 ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Text mode VGA-console scrolling is broken in upstream & stable trees 2025-07-30 14:06 Text mode VGA-console scrolling is broken in upstream & stable trees Jari Ruusu @ 2025-07-30 14:26 ` Greg Kroah-Hartman 2025-07-30 15:20 ` Salvatore Bonaccorso 2025-07-31 7:22 ` Jiri Slaby 1 sibling, 1 reply; 6+ messages in thread From: Greg Kroah-Hartman @ 2025-07-30 14:26 UTC (permalink / raw) To: Jari Ruusu Cc: Yi Yang, GONG Ruiqi, Helge Deller, Sasha Levin, Linus Torvalds, stable@vger.kernel.org, linux-kernel@vger.kernel.org On Wed, Jul 30, 2025 at 02:06:27PM +0000, Jari Ruusu wrote: > The patch that broke text mode VGA-console scrolling is this one: > "vgacon: Add check for vc_origin address range in vgacon_scroll()" > commit 864f9963ec6b4b76d104d595ba28110b87158003 upstream. > > How to preproduce: > (1) boot a kernel that is configured to use text mode VGA-console > (2) type commands: ls -l /usr/bin | less -S > (3) scroll up/down with cursor-down/up keys > > Above mentioned patch seems to have landed in upstream and all > kernel.org stable trees with zero testing. Even minimal testing > would have shown that it breaks text mode VGA-console scrolling. > > Greg, Sasha, Linus, > Please consider reverting that buggy patch from all affected trees. Please work to fix it in Linus's tree first and then we will be glad to backport the needed fix. thanks, greg k-h ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Text mode VGA-console scrolling is broken in upstream & stable trees 2025-07-30 14:26 ` Greg Kroah-Hartman @ 2025-07-30 15:20 ` Salvatore Bonaccorso 0 siblings, 0 replies; 6+ messages in thread From: Salvatore Bonaccorso @ 2025-07-30 15:20 UTC (permalink / raw) To: Greg Kroah-Hartman Cc: Jari Ruusu, Yi Yang, GONG Ruiqi, Helge Deller, Sasha Levin, Linus Torvalds, stable@vger.kernel.org, linux-kernel@vger.kernel.org Hi, On Wed, Jul 30, 2025 at 04:26:44PM +0200, Greg Kroah-Hartman wrote: > On Wed, Jul 30, 2025 at 02:06:27PM +0000, Jari Ruusu wrote: > > The patch that broke text mode VGA-console scrolling is this one: > > "vgacon: Add check for vc_origin address range in vgacon_scroll()" > > commit 864f9963ec6b4b76d104d595ba28110b87158003 upstream. > > > > How to preproduce: > > (1) boot a kernel that is configured to use text mode VGA-console > > (2) type commands: ls -l /usr/bin | less -S > > (3) scroll up/down with cursor-down/up keys > > > > Above mentioned patch seems to have landed in upstream and all > > kernel.org stable trees with zero testing. Even minimal testing > > would have shown that it breaks text mode VGA-console scrolling. > > > > Greg, Sasha, Linus, > > Please consider reverting that buggy patch from all affected trees. > > Please work to fix it in Linus's tree first and then we will be glad to > backport the needed fix. FWIW, and maybe just an interesting side node: if it ever get considered to revert the commit, this will re-introduce/re-open CVE-2025-38213. Cf. https://lore.kernel.org/linux-cve-announce/2025070422-CVE-2025-38213-c3e3@gregkh/T/#u Regards, Salvatore ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Text mode VGA-console scrolling is broken in upstream & stable trees 2025-07-30 14:06 Text mode VGA-console scrolling is broken in upstream & stable trees Jari Ruusu 2025-07-30 14:26 ` Greg Kroah-Hartman @ 2025-07-31 7:22 ` Jiri Slaby 2025-07-31 16:12 ` Jari Ruusu 1 sibling, 1 reply; 6+ messages in thread From: Jiri Slaby @ 2025-07-31 7:22 UTC (permalink / raw) To: Jari Ruusu, Yi Yang, GONG Ruiqi, Helge Deller, Greg Kroah-Hartman, Sasha Levin, Linus Torvalds Cc: stable@vger.kernel.org, linux-kernel@vger.kernel.org On 30. 07. 25, 16:06, Jari Ruusu wrote: > The patch that broke text mode VGA-console scrolling is this one: > "vgacon: Add check for vc_origin address range in vgacon_scroll()" > commit 864f9963ec6b4b76d104d595ba28110b87158003 upstream. > > How to preproduce: > (1) boot a kernel that is configured to use text mode VGA-console > (2) type commands: ls -l /usr/bin | less -S > (3) scroll up/down with cursor-down/up keys > > Above mentioned patch seems to have landed in upstream and all > kernel.org stable trees with zero testing. Even minimal testing > would have shown that it breaks text mode VGA-console scrolling. At the time this was posted (privately and on security@), I commented: ===== > --- a/drivers/video/console/vgacon.c > +++ b/drivers/video/console/vgacon.c > @@ -1168,7 +1168,7 @@ static bool vgacon_scroll(struct vc_data *c, unsigned int t, unsigned int b, > c->vc_screenbuf_size - delta); > c->vc_origin = vga_vram_end - c->vc_screenbuf_size; > vga_rolled_over = 0; > - } else > + } else if (oldo - delta >= (unsigned long)c->vc_screenbuf) > c->vc_origin -= delta; IMO you should also add: else c->vc_origin = c->vc_screenbuf; Or clamp 'delta' beforehand and don't add the 'if'. ===== That did not happen, AFAICS. Care to test the above suggestion? thanks, -- js suse labs ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Text mode VGA-console scrolling is broken in upstream & stable trees 2025-07-31 7:22 ` Jiri Slaby @ 2025-07-31 16:12 ` Jari Ruusu 2025-08-02 19:54 ` Helge Deller 0 siblings, 1 reply; 6+ messages in thread From: Jari Ruusu @ 2025-07-31 16:12 UTC (permalink / raw) To: Jiri Slaby Cc: Yi Yang, GONG Ruiqi, Helge Deller, Greg Kroah-Hartman, Sasha Levin, Linus Torvalds, stable@vger.kernel.org, linux-kernel@vger.kernel.org On Thursday, July 31st, 2025 at 10:22, Jiri Slaby <jirislaby@kernel.org> wrote: > At the time this was posted (privately and on security@), I commented: > ===== > > --- a/drivers/video/console/vgacon.c > > +++ b/drivers/video/console/vgacon.c > > @@ -1168,7 +1168,7 @@ static bool vgacon_scroll(struct vc_data *c, unsigned int t, unsigned int b, > > c->vc_screenbuf_size - delta); > > c->vc_origin = vga_vram_end - c->vc_screenbuf_size; > > vga_rolled_over = 0; > > - } else > > + } else if (oldo - delta >= (unsigned long)c->vc_screenbuf) > > c->vc_origin -= delta; > > IMO you should also add: > else > c->vc_origin = c->vc_screenbuf; > > Or clamp 'delta' beforehand and don't add the 'if'. > ===== > That did not happen, AFAICS. Care to test the above suggestion? My reading of the code in vgacon_scroll() is that it directly bit-bangs video-RAM and checks that scroll read/write accesses stay in range vga_vram_base...vga_vram_end-1. Checking that c->vc_origin end up being >= c->vc_screenbuf is wrong because in text mode it should be index to video-RAM. Quote from original "messed up" patch, fix for CVE-2025-38213: > By analyzing the vmcore, we found that vc->vc_origin was somehow placed > one line prior to vc->vc_screenbuf when vc was in KD_TEXT mode, and > further writings to /dev/vcs caused out-of-bounds reads (and writes > right after) in vcs_write_buf_noattr(). > > Our further experiments show that in most cases, vc->vc_origin equals to > vga_vram_base when the console is in KD_TEXT mode, and it's around > vc->vc_screenbuf for the KD_GRAPHICS mode. But via triggerring a > TIOCL_SETVESABLANK ioctl beforehand, we can make vc->vc_origin be around > vc->vc_screenbuf while the console is in KD_TEXT mode, and then by > writing the special 'ESC M' control sequence to the tty certain times > (depends on the value of `vc->state.y - vc->vc_top`), we can eventually > move vc->vc_origin prior to vc->vc_screenbuf. Here's the PoC, tested on > QEMU: To me that sounds like the bug is in TIOCL_SETVESABLANK ioctl(). It should not be changing c->vc_origin to point elsewhere other than video-RAM when the console is in text mode. How about adding a check to begining of vgacon_scroll() that bails out early if c->vc_origin is not a valid index to video-RAM? -- Jari Ruusu 4096R/8132F189 12D6 4C3A DCDA 0AA4 27BD ACDF F073 3C80 8132 F189 ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Text mode VGA-console scrolling is broken in upstream & stable trees 2025-07-31 16:12 ` Jari Ruusu @ 2025-08-02 19:54 ` Helge Deller 0 siblings, 0 replies; 6+ messages in thread From: Helge Deller @ 2025-08-02 19:54 UTC (permalink / raw) To: Jari Ruusu, Jiri Slaby Cc: Yi Yang, GONG Ruiqi, Greg Kroah-Hartman, Sasha Levin, Linus Torvalds, stable@vger.kernel.org, linux-kernel@vger.kernel.org On 7/31/25 18:12, Jari Ruusu wrote: > On Thursday, July 31st, 2025 at 10:22, Jiri Slaby <jirislaby@kernel.org> wrote: >> At the time this was posted (privately and on security@), I commented: >> ===== >> > --- a/drivers/video/console/vgacon.c >> > +++ b/drivers/video/console/vgacon.c >> > @@ -1168,7 +1168,7 @@ static bool vgacon_scroll(struct vc_data *c, unsigned int t, unsigned int b, >> > c->vc_screenbuf_size - delta); >> > c->vc_origin = vga_vram_end - c->vc_screenbuf_size; >> > vga_rolled_over = 0; >> > - } else >> > + } else if (oldo - delta >= (unsigned long)c->vc_screenbuf) >> > c->vc_origin -= delta; >> >> IMO you should also add: >> else >> c->vc_origin = c->vc_screenbuf; >> >> Or clamp 'delta' beforehand and don't add the 'if'. >> ===== >> That did not happen, AFAICS. Care to test the above suggestion? > > My reading of the code in vgacon_scroll() is that it directly > bit-bangs video-RAM and checks that scroll read/write accesses > stay in range vga_vram_base...vga_vram_end-1. > > Checking that c->vc_origin end up being >= c->vc_screenbuf is > wrong because in text mode it should be index to video-RAM. Yes, correct. > Quote from original "messed up" patch, fix for CVE-2025-38213: >> By analyzing the vmcore, we found that vc->vc_origin was somehow placed >> one line prior to vc->vc_screenbuf when vc was in KD_TEXT mode, and >> further writings to /dev/vcs caused out-of-bounds reads (and writes >> right after) in vcs_write_buf_noattr(). >> >> Our further experiments show that in most cases, vc->vc_origin equals to >> vga_vram_base when the console is in KD_TEXT mode, and it's around >> vc->vc_screenbuf for the KD_GRAPHICS mode. But via triggerring a >> TIOCL_SETVESABLANK ioctl beforehand, we can make vc->vc_origin be around >> vc->vc_screenbuf while the console is in KD_TEXT mode, and then by >> writing the special 'ESC M' control sequence to the tty certain times >> (depends on the value of `vc->state.y - vc->vc_top`), we can eventually >> move vc->vc_origin prior to vc->vc_screenbuf. Here's the PoC, tested on >> QEMU: > > To me that sounds like the bug is in TIOCL_SETVESABLANK ioctl(). > It should not be changing c->vc_origin to point elsewhere > other than video-RAM when the console is in text mode. Yes, agreed. > How about adding a check to begining of vgacon_scroll() that > bails out early if c->vc_origin is not a valid index to video-RAM? Possible, but that's more of a work-around. It would be nice to find and fix the real problem. I tried to reproduce the issue with the provided testcase from the original patch, but so far I failed. For now I've added a Revert of the original patch to the fbdev git tree, so that VGA backward scrolling works again. This gives some time to fix the KASAN report. Helge ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2025-08-02 19:55 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2025-07-30 14:06 Text mode VGA-console scrolling is broken in upstream & stable trees Jari Ruusu 2025-07-30 14:26 ` Greg Kroah-Hartman 2025-07-30 15:20 ` Salvatore Bonaccorso 2025-07-31 7:22 ` Jiri Slaby 2025-07-31 16:12 ` Jari Ruusu 2025-08-02 19:54 ` Helge Deller
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox