Re: [PATCH] vgacon: Fix an out-of-bounds in vgacon_scrollback_update()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 2020/7/30 21:38, Jiri Slaby wrote:
On 30. 07. 20, 15:24, Yang Yingliang wrote:
On 2020/7/30 19:04, Jiri Slaby wrote:
On 13. 07. 20, 12:57, Yang Yingliang wrote:
I got a slab-out-of-bounds report when I doing fuzz test.

[  334.989515]
==================================================================
[  334.989577] BUG: KASAN: slab-out-of-bounds in
vgacon_scroll+0x57a/0x8ed
[  334.989588] Write of size 1766 at addr ffff8883de69ff3e by task
test/2658
[  334.989593]
[  334.989608] CPU: 3 PID: 2658 Comm: test Not tainted
5.7.0-rc5-00005-g152036d1379f #789
[  334.989617] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
[  334.989624] Call Trace:
[  334.989646]  dump_stack+0xe4/0x14e
[  334.989676]  print_address_description.constprop.5+0x3f/0x60
[  334.989699]  ? vgacon_scroll+0x57a/0x8ed
[  334.989710]  __kasan_report.cold.8+0x92/0xaf
[  334.989735]  ? vgacon_scroll+0x57a/0x8ed
[  334.989761]  kasan_report+0x37/0x50
[  334.989789]  check_memory_region+0x1c1/0x1e0
[  334.989806]  memcpy+0x38/0x60
[  334.989824]  vgacon_scroll+0x57a/0x8ed
[  334.989876]  con_scroll+0x4ef/0x5e0
...
Because vgacon_scrollback_cur->tail plus memcpy size is greater than
vgacon_scrollback_cur->size. Fix this by checking the memcpy size.

Reported-by: Hulk Robot <hulkci@xxxxxxxxxx>
Signed-off-by: Yang Yingliang <yangyingliang@xxxxxxxxxx>
---
  drivers/video/console/vgacon.c | 11 ++++++++---
  1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/drivers/video/console/vgacon.c
b/drivers/video/console/vgacon.c
index 998b0de1812f..b51ffb9a208d 100644
--- a/drivers/video/console/vgacon.c
+++ b/drivers/video/console/vgacon.c
@@ -243,6 +243,7 @@ static void vgacon_scrollback_startup(void)
  static void vgacon_scrollback_update(struct vc_data *c, int t, int
count)
  {
      void *p;
+    int size;
        if (!vgacon_scrollback_cur->data ||
!vgacon_scrollback_cur->size ||
          c->vc_num != fg_console)
@@ -251,13 +252,17 @@ static void vgacon_scrollback_update(struct
vc_data *c, int t, int count)
      p = (void *) (c->vc_origin + t * c->vc_size_row);
        while (count--) {
+        size = vgacon_scrollback_cur->size -
vgacon_scrollback_cur->tail;
+        if (size > c->vc_size_row)
+            size = c->vc_size_row;
+
          scr_memcpyw(vgacon_scrollback_cur->data +
                  vgacon_scrollback_cur->tail,
-                p, c->vc_size_row);
+                p, size);
Are you sure the consumer can handle split lines? As vgacon_scrolldelta
(soff in particular) looks to me like it doesn't.

Have you tested you patch? I mean with soft scrollback on the vga
console?
I only test the patch with the reproduce program.
Out of curiosity, what is it doing? Resize and then scroll by \n (line
feed)? Can you share it?

// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE 

#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

static void sleep_ms(uint64_t ms)
{
	usleep(ms * 1000);
}

static uint64_t current_time_ms(void)
{
	struct timespec ts;
	if (clock_gettime(CLOCK_MONOTONIC, &ts))
	exit(1);
	return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static bool write_file(const char* file, const char* what, ...)
{
	char buf[1024];
	va_list args;
	va_start(args, what);
	vsnprintf(buf, sizeof(buf), what, args);
	va_end(args);
	buf[sizeof(buf) - 1] = 0;
	int len = strlen(buf);
	int fd = open(file, O_WRONLY | O_CLOEXEC);
	if (fd == -1)
		return false;
	if (write(fd, buf, len) != len) {
		int err = errno;
		close(fd);
		errno = err;
		return false;
	}
	close(fd);
	return true;
}

static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char buf[128];
		sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
		return open(buf, O_RDWR, 0);
	} else {
		char buf[1024];
		char* hash;
strncpy(buf, (char*)a0, sizeof(buf) - 1);
		buf[sizeof(buf) - 1] = 0;
		while ((hash = strchr(buf, '#'))) {
			*hash = '0' + (char)(a1 % 10);
			a1 /= 10;
		}
		return open(buf, a2, 0);
	}
}

static void kill_and_wait(int pid, int* status)
{
	kill(-pid, SIGKILL);
	kill(pid, SIGKILL);
	int i;
	for (i = 0; i < 100; i++) {
		if (waitpid(-1, status, WNOHANG | __WALL) == pid)
			return;
		usleep(1000);
	}
	DIR* dir = opendir("/sys/fs/fuse/connections");
	if (dir) {
		for (;;) {
			struct dirent* ent = readdir(dir);
			if (!ent)
				break;
			if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
				continue;
			char abort[300];
			snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
			int fd = open(abort, O_WRONLY);
			if (fd == -1) {
				continue;
			}
			if (write(fd, abort, 1) < 0) {
			}
			close(fd);
		}
		closedir(dir);
	} else {
	}
	while (waitpid(-1, status, __WALL) != pid) {
	}
}

static void setup_test()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setpgrp();
	write_file("/proc/self/oom_score_adj", "1000");
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

static void loop(void)
{
	int iter;
	for (iter = 0;; iter++) {
		int pid = fork();
		if (pid < 0)
	exit(1);
		if (pid == 0) {
			setup_test();
			execute_one();
			exit(0);
		}
		int status = 0;
		uint64_t start = current_time_ms();
		for (;;) {
			if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
				break;
			sleep_ms(1);
			if (current_time_ms() - start < 5 * 1000)
				continue;
			kill_and_wait(pid, &status);
			break;
		}
	}
}

uint64_t r[1] = {0xffffffffffffffff};

void execute_one(void)
{
		intptr_t res = 0;
	res = syz_open_dev(0xc, 4, 1);
	if (res != -1)
		r[0] = res;
*(uint16_t*)0x20000000 = 0xc;
*(uint16_t*)0x20000002 = 0x373;
*(uint16_t*)0x20000004 = 0x1442;
	syscall(__NR_ioctl, r[0], 0x5609ul, 0x20000000ul);
memcpy((void*)0x20003500, "\x7f\x45\x4c\x46\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20\x38\x00\x00\x00\x00\x00\x00\x00\x01\x04\x00\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x69\x2e\x77\x3d\x64\xf5\xe4\xb9\xaf\x86\xb6\xcb\x74\x6e\xe0\x71\x3a\xfb\x18\x4e\xb2\xb9\x99\x36\xd4\x71\x6d\xbf\xfc\x0d\xfb\xec\x4b\x82\x2d\xde\xa8\xb8\x79\x34\xcc\xe8\x11\x28\x49\x27\xb5\xe6\xeb\x37\x33\x73\xad\x27\x6b\xfd\x68\x18\x46\x9e\x3a\x35\xd0\x5b\x6f\x2f\xd5\x8a\x88\x96\xd0\x65\x16\x70\x95\x10\x0f\x97\xb8\xe6\x71\x60\x87\xcb\xf2\x92\x60\x4b\x89\x8a\xb8\xcf\x95\x85\x67\xef\x4e\xf3\xa8\x8e\xd4\x9f\x81\x83\x0a\x85\x54\x45\xff\x6c\xbd\xa4\xca\x4e\xae\x3d\x65\xef\x15\x76\xa2\x90\x16\xdb\xe3\xc9\x9c\x78\x30\x1e\x04\x8c\x17\x17\x06\xb3\x06\xc4\x87\x12\xc3\xe2\x5a\xb5\x83\x8a\xe3\x1e\x7d\xe1\xf1\xdc\x95\x79\xa7\x1c\xcb\x39\xf6\x05\x1e\xed\xd7\xf0\xb5\xa7\xc8\xb6\xfc\x41\xf4\x2d\x3e\x67\xba\xe8\xe4\x86\xa6\x31\x1e\xf2\x49\xda\x11\x41\xab\xfd\xc1\x0a\xe5\x69\x6b\xdb\xad\x95\xe4\x53\xb9\x37\xce\x6d\xad\x22\x39\xab\xd7\x9f\xcf\xa1\xdc\x84\xd7\x3b\xc2\xa3\xc6\xc3\x73\xa9\xd5\x3e\xf0\x01\xff\x18\x76\xe6\x47\xf4\x1b\x6a\x96\x8d\xc4\x9f\xe7\xc2\x93\x8a\x3d\xf9\x9b\xfd\x79\x5b\x7d\x2d\xb4\x82\x78\x38\x0f\x6b\xd0\xdc\xd2\x8b\x8e\xfe\xc1\xcf\xd5\x03\x98\x86\x7e\xf3\x29\xee\x1c\xb7\x34\xc1\x2f\xce\x5b\x51\x29\x2b\xe4\xef\xe7\x5e\x0d\x3f\x57\x8c\xc9\x89\xea\x55\xa0\x65\x00\x00\x00\x00\x00\x00\x00\x6f\x7e\x76\xa2\x37\x0e\x3e\x0b\x83\xa2\x6a\x88\x95\xa6\xac\x75\x4b\xee\xc4\x42\x87\xfa\xfd\x91\x3d\x6a\x4d\x92\x10\x71\x7c\xec\xaa\x58\x90\xbf\xa7\x5c\x72\xfd\x89\x6d\xb3\x07\x0f\xd2\x35\xd3\xdf\x78\x32\x51\x2f\x88\x03\x0e\x1d\x1c\xd5\xf3\x27\xa0\xe1\xd4\xc1\x05\xf7\x2d\xd1\x31\x87\x40\x7e\x92\x11\x28\xc5\x54\xb8\x49\x16\x6d\xdc\x79\xed\x21\xa4\x33\x7d\xdf\x56\x94\xad\xcf\x69\xd0\xb9\xb4\x6b\x6a\x67\x5c\x9d\x23\x1a\xec\xf2\x73\x03\xd2\x13\xf1\xdb\xe8\xb4\x79\x18\xd1\x50\x49\xc1\xd5\x85\xec\x84\xcd\x37\x0b\xed\x7b\xce\x6b\x31\x36\x1e\xfb\x69\x9d\xa8\xc2\x66\x65\x86\x9b\x25\x97\x1d\x59\x7c\x9c\x82\xe5\xe4\x1b\xd7\xe7\xb7\xda\xd8\x2a\x64\x96\xaf\xa7\x84\x40\x33\x97\x7a\x5a\xc0\x1f\x8c\xca\x91\x12\x94\x74\xb2\x5f\x25\xd1\xf1\xa2\x17\x87\x52\x89\x30\x2b\x3f\xf6\x45\x58\x31\x6e\x68\xa3\x5e\xd2\xa3\x80\xf7\xf0\xaf\x03\x9d\x1b\x33\xe8\x4e\x11\xf4\x19\x69\x8f\xc3\x0d\x0a\x72\xa3\xab\xb7\x66\xb1\x3b\xc4\x29\x58\x22\x0f\xae\xfc\x68\xcc\x66\x9b\x62\x4c\xc8\xce\x7e\xdc\xe5\x65\xbc\xc3\xde\xdc\x6f\xe4\x81\xd4\x4a\xd7\x0f\x37\xb7\x8f\x36\x89\x85\x6b\x0d\xb9\xe5\x4c\xc1\xfd\xd7\x1a\xa6\xc7\x0d\xf3\x8d\xcb\x5a\x9a\x6a\xea\x39\xf5\xe1\x42\xc7\x8a\xdc\x2e\x61\xb1\x4f\xea\x20\xd0\x0d\x50\x08\xc2\xbe\x36\xe5\xc0\x67\xe2\x43\x1d\x39\xbd\xda\x47\xa4\xb3\x59\xb3\x2d\x6a\x7e\x3a\xbc\xa7\x53\xf0\x46\x61\xe6\x9c\xef\xcf\xad\x50\x79\x5b\xb0\xd9\x40\xba\xb3\x5e\xf9\x39\xee\x9e\xe0\xfe\xfc\x59\x14\xac\x60\xcf\xcb\x9e\x7a\x47\x6f\xda\x4c\x09\x9e\xa1\x15\x24\x9a\x40\xf2\xe5\x34\xf4\x80\x03\x63\x08\x13\xe1\xab\xa9\xc2\x59\x15\x00\xe3\xc3\xe2\xa9\x0d\x5f\x0f\xa4\x53\x63\xbd\x72\xdc\xc9\xc2\x13\xc0\x0a\xbd\x7c\xec\xa8\x2d\x16\xac\x65\xf3\x58\xca\x62\x6c\x07\xba\x01\x72\xfa\x5a\xbe\x68\xfe\x92\xbe\xa2\xc7\xdc\xc6\xcd\xab\x10\x58\x4a\x9d\x2e\x61\x85\x56\x9f\x0e\x74\x6c\x49\xf8\x3d\x43\x43\x4f\xd3\x93\xf3\x1d\xcb\x31\x4c\xf6\x78\xed\x4b\x76\x1f\x46\x58\x58\x05\x9a\x59\x7d\xf9\x28\x0c\x7a\x49\x04\x6c\xda\x7e\x96\xe0\x22\x90\x64\x0d\xfa\x8f\xbd\xf1\xdb\x74\x75\x2d\x79\xe5\x20\x38\x8f\x0a\x20\xe8\x09\x31\xd6\x7a\x5b\xbb\x86\x9b\x38\x6d", 897);
	syscall(__NR_write, r[0], 0x20003500ul, 0x381ul);

}
int main(void)
{
		syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x32ul, -1, 0);
			loop();
	return 0;
}

thanks,
_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/dri-devel

[Index of Archives]     [Linux DRI Users]     [Linux Intel Graphics]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [XFree86]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [XFree86]
  Powered by Linux