Re: Text mode VGA-console scrolling is broken in upstream & stable trees

[Helge Deller <deller@gmx.de>]

On 7/31/25 18:12, Jari Ruusu wrote:
> On Thursday, July 31st, 2025 at 10:22, Jiri Slaby <jirislaby@kernel.org> wrote:
>> At the time this was posted (privately and on security@), I commented:
>> =====
>>   > --- a/drivers/video/console/vgacon.c
>>   > +++ b/drivers/video/console/vgacon.c
>>   > @@ -1168,7 +1168,7 @@ static bool vgacon_scroll(struct vc_data *c, unsigned int t, unsigned int b,
>>   >                                    c->vc_screenbuf_size - delta);
>>   >                       c->vc_origin = vga_vram_end - c->vc_screenbuf_size;
>>   >                       vga_rolled_over = 0;
>>   > -             } else
>>   > +             } else if (oldo - delta >= (unsigned long)c->vc_screenbuf)
>>   >                       c->vc_origin -= delta;
>>
>> IMO you should also add:
>>      else
>>        c->vc_origin = c->vc_screenbuf;
>>
>> Or clamp 'delta' beforehand and don't add the 'if'.
>> =====
>> That did not happen, AFAICS. Care to test the above suggestion?
> 
> My reading of the code in vgacon_scroll() is that it directly
> bit-bangs video-RAM and checks that scroll read/write accesses
> stay in range vga_vram_base...vga_vram_end-1.
> 
> Checking that c->vc_origin end up being >= c->vc_screenbuf is
> wrong because in text mode it should be index to video-RAM.

Yes, correct.

  
> Quote from original "messed up" patch, fix for CVE-2025-38213:
>> By analyzing the vmcore, we found that vc->vc_origin was somehow placed
>> one line prior to vc->vc_screenbuf when vc was in KD_TEXT mode, and
>> further writings to /dev/vcs caused out-of-bounds reads (and writes
>> right after) in vcs_write_buf_noattr().
>>
>> Our further experiments show that in most cases, vc->vc_origin equals to
>> vga_vram_base when the console is in KD_TEXT mode, and it's around
>> vc->vc_screenbuf for the KD_GRAPHICS mode. But via triggerring a
>> TIOCL_SETVESABLANK ioctl beforehand, we can make vc->vc_origin be around
>> vc->vc_screenbuf while the console is in KD_TEXT mode, and then by
>> writing the special 'ESC M' control sequence to the tty certain times
>> (depends on the value of `vc->state.y - vc->vc_top`), we can eventually
>> move vc->vc_origin prior to vc->vc_screenbuf. Here's the PoC, tested on
>> QEMU:
> 
> To me that sounds like the bug is in TIOCL_SETVESABLANK ioctl().
> It should not be changing c->vc_origin to point elsewhere
> other than video-RAM when the console is in text mode.

Yes, agreed.
  
> How about adding a check to begining of vgacon_scroll() that
> bails out early if c->vc_origin is not a valid index to video-RAM?

Possible, but that's more of a work-around.
It would be nice to find and fix the real problem.

I tried to reproduce the issue with the provided testcase from
the original patch, but so far I failed.

For now I've added a Revert of the original patch to the fbdev git tree,
so that VGA backward scrolling works again. This gives some time to
fix the KASAN report.

Helge