On 09/14/2016, 08:28 AM, Adam Borowski wrote:
> This makes it show up on UBSAN:
> perl -e 'for (0..15) {my @x=("0")x$_;push @x,qw(38 2 64 128 192 4);printf
> "\e[%smAfter %d zeroes.\e[0m\n", join(";",@x[0..($_+5<15?$_+5:15)]), $_}'
>
> Seems harmless: if you can programmatically read attributes of a vt
> character (/dev/vcsa*), multiple probes can obtain parts of vt_mode then
> lowest byte (5th on 64-bit big-endian) of a pointer.
>
> Signed-off-by: Adam Borowski <kilobyte@xxxxxxxxxx>
> ---
> drivers/tty/vt/vt.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
> index 2705ca9..b51586f 100644
> --- a/drivers/tty/vt/vt.c
> +++ b/drivers/tty/vt/vt.c
> @@ -1316,7 +1316,7 @@ static int vc_t416_color(struct vc_data *vc, int i,
> /* 256 colours -- ubiquitous */
> i++;
> rgb_from_256(vc->vc_par[i], &c);
> - } else if (vc->vc_par[i] == 2 && i <= vc->vc_npar + 3) {
> + } else if (vc->vc_par[i] == 2 && i + 3 <= vc->vc_npar) {
Definitely makes sense. But we are still off-by-one, if I am looking
correctly. It should be "i + 3 < npar", right?
thanks,
--
js
suse labs
--
To unsubscribe from this list: send the line "unsubscribe linux-serial" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
