On 2020/7/30 21:38, Jiri Slaby wrote:
On 30. 07. 20, 15:24, Yang Yingliang wrote:On 2020/7/30 19:04, Jiri Slaby wrote:On 13. 07. 20, 12:57, Yang Yingliang wrote:I got a slab-out-of-bounds report when I doing fuzz test. [ 334.989515] ================================================================== [ 334.989577] BUG: KASAN: slab-out-of-bounds in vgacon_scroll+0x57a/0x8ed [ 334.989588] Write of size 1766 at addr ffff8883de69ff3e by task test/2658 [ 334.989593] [ 334.989608] CPU: 3 PID: 2658 Comm: test Not tainted 5.7.0-rc5-00005-g152036d1379f #789 [ 334.989617] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 [ 334.989624] Call Trace: [ 334.989646] dump_stack+0xe4/0x14e [ 334.989676] print_address_description.constprop.5+0x3f/0x60 [ 334.989699] ? vgacon_scroll+0x57a/0x8ed [ 334.989710] __kasan_report.cold.8+0x92/0xaf [ 334.989735] ? vgacon_scroll+0x57a/0x8ed [ 334.989761] kasan_report+0x37/0x50 [ 334.989789] check_memory_region+0x1c1/0x1e0 [ 334.989806] memcpy+0x38/0x60 [ 334.989824] vgacon_scroll+0x57a/0x8ed [ 334.989876] con_scroll+0x4ef/0x5e0...Because vgacon_scrollback_cur->tail plus memcpy size is greater than vgacon_scrollback_cur->size. Fix this by checking the memcpy size. Reported-by: Hulk Robot <hulkci@xxxxxxxxxx> Signed-off-by: Yang Yingliang <yangyingliang@xxxxxxxxxx> --- drivers/video/console/vgacon.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c index 998b0de1812f..b51ffb9a208d 100644 --- a/drivers/video/console/vgacon.c +++ b/drivers/video/console/vgacon.c @@ -243,6 +243,7 @@ static void vgacon_scrollback_startup(void) static void vgacon_scrollback_update(struct vc_data *c, int t, int count) { void *p; + int size; if (!vgacon_scrollback_cur->data || !vgacon_scrollback_cur->size || c->vc_num != fg_console) @@ -251,13 +252,17 @@ static void vgacon_scrollback_update(struct vc_data *c, int t, int count) p = (void *) (c->vc_origin + t * c->vc_size_row); while (count--) { + size = vgacon_scrollback_cur->size - vgacon_scrollback_cur->tail; + if (size > c->vc_size_row) + size = c->vc_size_row; + scr_memcpyw(vgacon_scrollback_cur->data + vgacon_scrollback_cur->tail, - p, c->vc_size_row); + p, size);Are you sure the consumer can handle split lines? As vgacon_scrolldelta (soff in particular) looks to me like it doesn't. Have you tested you patch? I mean with soft scrollback on the vga console?I only test the patch with the reproduce program.Out of curiosity, what is it doing? Resize and then scroll by \n (line feed)? Can you share it?
// autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include <dirent.h> #include <endian.h> #include <errno.h> #include <fcntl.h> #include <signal.h> #include <stdarg.h> #include <stdbool.h> #include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/prctl.h> #include <sys/stat.h> #include <sys/syscall.h> #include <sys/types.h> #include <sys/wait.h> #include <time.h> #include <unistd.h> static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); int i; for (i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter; for (iter = 0;; iter++) { int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } } } uint64_t r[1] = {0xffffffffffffffff}; void execute_one(void) { intptr_t res = 0; res = syz_open_dev(0xc, 4, 1); if (res != -1) r[0] = res; *(uint16_t*)0x20000000 = 0xc; *(uint16_t*)0x20000002 = 0x373; *(uint16_t*)0x20000004 = 0x1442; syscall(__NR_ioctl, r[0], 0x5609ul, 0x20000000ul); memcpy((void*)0x20003500, "\x7f\x45\x4c\x46\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20\x38\x00\x00\x00\x00\x00\x00\x00\x01\x04\x00\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x69\x2e\x77\x3d\x64\xf5\xe4\xb9\xaf\x86\xb6\xcb\x74\x6e\xe0\x71\x3a\xfb\x18\x4e\xb2\xb9\x99\x36\xd4\x71\x6d\xbf\xfc\x0d\xfb\xec\x4b\x82\x2d\xde\xa8\xb8\x79\x34\xcc\xe8\x11\x28\x49\x27\xb5\xe6\xeb\x37\x33\x73\xad\x27\x6b\xfd\x68\x18\x46\x9e\x3a\x35\xd0\x5b\x6f\x2f\xd5\x8a\x88\x96\xd0\x65\x16\x70\x95\x10\x0f\x97\xb8\xe6\x71\x60\x87\xcb\xf2\x92\x60\x4b\x89\x8a\xb8\xcf\x95\x85\x67\xef\x4e\xf3\xa8\x8e\xd4\x9f\x81\x83\x0a\x85\x54\x45\xff\x6c\xbd\xa4\xca\x4e\xae\x3d\x65\xef\x15\x76\xa2\x90\x16\xdb\xe3\xc9\x9c\x78\x30\x1e\x04\x8c\x17\x17\x06\xb3\x06\xc4\x87\x12\xc3\xe2\x5a\xb5\x83\x8a\xe3\x1e\x7d\xe1\xf1\xdc\x95\x79\xa7\x1c\xcb\x39\xf6\x05\x1e\xed\xd7\xf0\xb5\xa7\xc8\xb6\xfc\x41\xf4\x2d\x3e\x67\xba\xe8\xe4\x86\xa6\x31\x1e\xf2\x49\xda\x11\x41\xab\xfd\xc1\x0a\xe5\x69\x6b\xdb\xad\x95\xe4\x53\xb9\x37\xce\x6d\xad\x22\x39\xab\xd7\x9f\xcf\xa1\xdc\x84\xd7\x3b\xc2\xa3\xc6\xc3\x73\xa9\xd5\x3e\xf0\x01\xff\x18\x76\xe6\x47\xf4\x1b\x6a\x96\x8d\xc4\x9f\xe7\xc2\x93\x8a\x3d\xf9\x9b\xfd\x79\x5b\x7d\x2d\xb4\x82\x78\x38\x0f\x6b\xd0\xdc\xd2\x8b\x8e\xfe\xc1\xcf\xd5\x03\x98\x86\x7e\xf3\x29\xee\x1c\xb7\x34\xc1\x2f\xce\x5b\x51\x29\x2b\xe4\xef\xe7\x5e\x0d\x3f\x57\x8c\xc9\x89\xea\x55\xa0\x65\x00\x00\x00\x00\x00\x00\x00\x6f\x7e\x76\xa2\x37\x0e\x3e\x0b\x83\xa2\x6a\x88\x95\xa6\xac\x75\x4b\xee\xc4\x42\x87\xfa\xfd\x91\x3d\x6a\x4d\x92\x10\x71\x7c\xec\xaa\x58\x90\xbf\xa7\x5c\x72\xfd\x89\x6d\xb3\x07\x0f\xd2\x35\xd3\xdf\x78\x32\x51\x2f\x88\x03\x0e\x1d\x1c\xd5\xf3\x27\xa0\xe1\xd4\xc1\x05\xf7\x2d\xd1\x31\x87\x40\x7e\x92\x11\x28\xc5\x54\xb8\x49\x16\x6d\xdc\x79\xed\x21\xa4\x33\x7d\xdf\x56\x94\xad\xcf\x69\xd0\xb9\xb4\x6b\x6a\x67\x5c\x9d\x23\x1a\xec\xf2\x73\x03\xd2\x13\xf1\xdb\xe8\xb4\x79\x18\xd1\x50\x49\xc1\xd5\x85\xec\x84\xcd\x37\x0b\xed\x7b\xce\x6b\x31\x36\x1e\xfb\x69\x9d\xa8\xc2\x66\x65\x86\x9b\x25\x97\x1d\x59\x7c\x9c\x82\xe5\xe4\x1b\xd7\xe7\xb7\xda\xd8\x2a\x64\x96\xaf\xa7\x84\x40\x33\x97\x7a\x5a\xc0\x1f\x8c\xca\x91\x12\x94\x74\xb2\x5f\x25\xd1\xf1\xa2\x17\x87\x52\x89\x30\x2b\x3f\xf6\x45\x58\x31\x6e\x68\xa3\x5e\xd2\xa3\x80\xf7\xf0\xaf\x03\x9d\x1b\x33\xe8\x4e\x11\xf4\x19\x69\x8f\xc3\x0d\x0a\x72\xa3\xab\xb7\x66\xb1\x3b\xc4\x29\x58\x22\x0f\xae\xfc\x68\xcc\x66\x9b\x62\x4c\xc8\xce\x7e\xdc\xe5\x65\xbc\xc3\xde\xdc\x6f\xe4\x81\xd4\x4a\xd7\x0f\x37\xb7\x8f\x36\x89\x85\x6b\x0d\xb9\xe5\x4c\xc1\xfd\xd7\x1a\xa6\xc7\x0d\xf3\x8d\xcb\x5a\x9a\x6a\xea\x39\xf5\xe1\x42\xc7\x8a\xdc\x2e\x61\xb1\x4f\xea\x20\xd0\x0d\x50\x08\xc2\xbe\x36\xe5\xc0\x67\xe2\x43\x1d\x39\xbd\xda\x47\xa4\xb3\x59\xb3\x2d\x6a\x7e\x3a\xbc\xa7\x53\xf0\x46\x61\xe6\x9c\xef\xcf\xad\x50\x79\x5b\xb0\xd9\x40\xba\xb3\x5e\xf9\x39\xee\x9e\xe0\xfe\xfc\x59\x14\xac\x60\xcf\xcb\x9e\x7a\x47\x6f\xda\x4c\x09\x9e\xa1\x15\x24\x9a\x40\xf2\xe5\x34\xf4\x80\x03\x63\x08\x13\xe1\xab\xa9\xc2\x59\x15\x00\xe3\xc3\xe2\xa9\x0d\x5f\x0f\xa4\x53\x63\xbd\x72\xdc\xc9\xc2\x13\xc0\x0a\xbd\x7c\xec\xa8\x2d\x16\xac\x65\xf3\x58\xca\x62\x6c\x07\xba\x01\x72\xfa\x5a\xbe\x68\xfe\x92\xbe\xa2\xc7\xdc\xc6\xcd\xab\x10\x58\x4a\x9d\x2e\x61\x85\x56\x9f\x0e\x74\x6c\x49\xf8\x3d\x43\x43\x4f\xd3\x93\xf3\x1d\xcb\x31\x4c\xf6\x78\xed\x4b\x76\x1f\x46\x58\x58\x05\x9a\x59\x7d\xf9\x28\x0c\x7a\x49\x04\x6c\xda\x7e\x96\xe0\x22\x90\x64\x0d\xfa\x8f\xbd\xf1\xdb\x74\x75\x2d\x79\xe5\x20\x38\x8f\x0a\x20\xe8\x09\x31\xd6\x7a\x5b\xbb\x86\x9b\x38\x6d", 897); syscall(__NR_write, r[0], 0x20003500ul, 0x381ul); } int main(void) { syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x32ul, -1, 0); loop(); return 0; }
thanks,
_______________________________________________ dri-devel mailing list dri-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/dri-devel
