On Fri, Jul 29, 2022 at 03:11:38AM +0000, Chen Jun wrote: > refer to https://lore.kernel.org/all/20220706150253.2186-1-deller@xxxxxx/ > 3 patches are provided to fix CVE-2021-3365 (When sending malicous data > to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out > of bounds. https://nvd.nist.gov/vuln/detail/CVE-2021-33655) in mainline. > > But only > commit 65a01e601dbb ("fbcon: Disallow setting font bigger than screen size") > was backported to stable (4.19,4.14). > > without other two commit > commit e64242caef18 ("fbcon: Prevent that screen size is smaller than font size") > commit 6c11df58fd1a ("fbmem: Check virtual screen sizes in fb_set_var()") > The problem still exists. > > static long do_fb_ioctl(struct fb_info *info, unsigned int cmd, unsigned long arg) > fb_set_var(info, &var); > fb_notifier_call_chain(evnt, &event); // evnt = FB_EVENT_MODE_CHANGE > > static int fbcon_event_notify(struct notifier_block *self, > unsigned long action, void *data) > fbcon_modechanged(info); > updatescrollmode(p, info, vc); > ... > p->vrows = vyres/fh; > if (yres > (fh * (vc->vc_rows + 1))) > p->vrows -= (yres - (fh * vc->vc_rows)) / fh; > if ((yres % fh) && (vyres % fh < yres % fh)) > p->vrows--; [1] > [1]: p->vrows could be -1, like what CVE-2021-3365 described. > > I think, the two commits should be backported to 4.19 and 4.14. > > Helge Deller (2): > fbcon: Prevent that screen size is smaller than font size > fbmem: Check virtual screen sizes in fb_set_var() > > drivers/video/fbdev/core/fbcon.c | 28 ++++++++++++++++++++++++++++ > drivers/video/fbdev/core/fbmem.c | 20 +++++++++++++++++--- > include/linux/fbcon.h | 4 ++++ > 3 files changed, 49 insertions(+), 3 deletions(-) > > -- > 2.17.1 > This breaks the build on 4.14.y, did you test it there? The error is: ERROR: "is_console_locked" [drivers/video/fbdev/core/fb.ko] undefined! Can you please fix this up and also do a 4.9.y version? thanks, greg k-h
