unimore/kernel-hacking-2024-linux-steffo
unimore/kernel-hacking-2024-linux-steffo
1
Fork 0
Code Pull requests 5 Wiki Activity
kernel-hacking-2024-linux-s.../drivers/tty
History
Tetsuo Handa 988d076336 vt_ioctl: make VT_RESIZEX behave like VT_RESIZE 
syzbot is reporting UAF/OOB read at bit_putcs()/soft_cursor() [1][2], for
vt_resizex() from ioctl(VT_RESIZEX) allows setting font height larger than
actual font height calculated by con_font_set() from ioctl(PIO_FONT).
Since fbcon_set_font() from con_font_set() allocates minimal amount of
memory based on actual font height calculated by con_font_set(),
use of vt_resizex() can cause UAF/OOB read for font data.

VT_RESIZEX was introduced in Linux 1.3.3, but it is unclear that what
comes to the "+ more" part, and I couldn't find a user of VT_RESIZEX.

  #define VT_RESIZE   0x5609 /* set kernel's idea of screensize */
  #define VT_RESIZEX  0x560A /* set kernel's idea of screensize + more */

So far we are not aware of syzbot reports caused by setting non-zero value
to v_vlin parameter. But given that it is possible that nobody is using
VT_RESIZEX, we can try removing support for v_clin and v_vlin parameters.

Therefore, this patch effectively makes VT_RESIZEX behave like VT_RESIZE,
with emitting a message if somebody is still using v_clin and/or v_vlin
parameters.

[1] https://syzkaller.appspot.com/bug?id=32577e96d88447ded2d3b76d71254fb855245837
[2] https://syzkaller.appspot.com/bug?id=6b8355d27b2b94fb5cedf4655e3a59162d9e48e3

Reported-by: syzbot <syzbot+b308f5fd049fbbc6e74f@syzkaller.appspotmail.com>
Reported-by: syzbot <syzbot+16469b5e8e5a72e9131e@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/4933b81b-9b1a-355b-df0e-9b31e8280ab9@i-love.sakura.ne.jp
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-09-27 14:17:43 +02:00
..
hvc tty: hvc: fix link error with CONFIG_SERIAL_CORE_CONSOLE=n 2020-09-27 14:17:43 +02:00
ipwireless tty: ipwireless: fix error handling 2020-09-04 18:08:16 +02:00
serdev
serial serial: mvebu-uart: simplify the return expression of mvebu_uart_probe() 2020-09-27 14:17:43 +02:00
vt vt_ioctl: make VT_RESIZEX behave like VT_RESIZE 2020-09-27 14:17:43 +02:00
amiserial.c
cyclades.c
ehv_bytechan.c
goldfish.c
isicom.c
Kconfig
Makefile
mips_ejtag_fdc.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
moxa.c
moxa.h
mxser.c
mxser.h
n_gsm.c Linux 5.9-rc3 2020-08-31 07:19:25 +02:00
n_hdlc.c Linux 5.9-rc3 2020-08-31 07:19:25 +02:00
n_null.c
n_r3964.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
n_tracerouter.c
n_tracesink.c
n_tracesink.h
n_tty.c tty: ldiscs, fix kernel-doc 2020-08-18 13:51:18 +02:00
nozomi.c
pty.c pty: do tty_flip_buffer_push without port->lock in pty_write 2020-09-04 18:10:30 +02:00
rocket.c
rocket.h
rocket_int.h
synclink.c tty: synclink, fix kernel-doc 2020-08-18 13:51:18 +02:00
synclink_gt.c tty: synclink_gt: switch from 'pci_' to 'dma_' API 2020-09-04 18:07:22 +02:00
synclinkmp.c tty: synclink, fix kernel-doc 2020-08-18 13:51:18 +02:00
sysrq.c
tty_audit.c
tty_baudrate.c tty: fix kernel-doc 2020-08-18 13:51:18 +02:00
tty_buffer.c tty: fix kernel-doc 2020-08-18 13:51:18 +02:00
tty_io.c tty: fix kernel-doc 2020-08-18 13:51:18 +02:00
tty_ioctl.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
tty_jobctrl.c tty: fix kernel-doc 2020-08-18 13:51:18 +02:00
tty_ldisc.c tty: fix kernel-doc 2020-08-18 13:51:18 +02:00
tty_ldsem.c
tty_mutex.c
tty_port.c
ttynull.c
vcc.c