[PATCH 1/4] vt: Fix a read-past-array in vc_t416_color().

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This makes it show up on UBSAN:
perl -e 'for (0..15) {my @x=("0")x$_;push @x,qw(38 2 64 128 192 4);printf
"\e[%smAfter %d zeroes.\e[0m\n", join(";",@x[0..($_+5<15?$_+5:15)]), $_}'

Seems harmless: if you can programmatically read attributes of a vt
character (/dev/vcsa*), multiple probes can obtain parts of vt_mode then
lowest byte (5th on 64-bit big-endian) of a pointer.

Signed-off-by: Adam Borowski <kilobyte@xxxxxxxxxx>
---
 drivers/tty/vt/vt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 2705ca9..b51586f 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -1316,7 +1316,7 @@ static int vc_t416_color(struct vc_data *vc, int i,
 		/* 256 colours -- ubiquitous */
 		i++;
 		rgb_from_256(vc->vc_par[i], &c);
-	} else if (vc->vc_par[i] == 2 && i <= vc->vc_npar + 3) {
+	} else if (vc->vc_par[i] == 2 && i + 3 <= vc->vc_npar) {
 		/* 24 bit -- extremely rare */
 		c.r = vc->vc_par[i + 1];
 		c.g = vc->vc_par[i + 2];
-- 
2.9.3

--
To unsubscribe from this list: send the line "unsubscribe linux-serial" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Linux PPP]     [Linux FS]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Linmodem]     [Device Mapper]     [Linux Kernel for ARM]

  Powered by Linux