linux/drivers
Yunhai Zhang ebfdfeeae8 vgacon: Fix for missing check in scrollback handling
vgacon_scrollback_update() always leaves enough room in the scrollback
buffer for the next call, but if the console size changed that room
might not actually be enough, and so we need to re-check.

The check should be in the loop since vgacon_scrollback_cur->tail is
updated in the loop and count may be more than 1 when triggered by CSI M,
as in Jiri's PoC:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <fcntl.h>

int main(int argc, char** argv)
{
        int fd = open("/dev/tty1", O_RDWR);
        unsigned short size[3] = {25, 200, 0};
        ioctl(fd, 0x5609, size); // VT_RESIZE

        write(fd, "\e[1;1H", 6);
        for (int i = 0; i < 30; i++)
                write(fd, "\e[10M", 5);
}

It leads to various crashes as vgacon_scrollback_update writes out of
the buffer:
 BUG: unable to handle page fault for address: ffffc900001752a0
 #PF: supervisor write access in kernel mode
 #PF: error_code(0x0002) - not-present page
 RIP: 0010:mutex_unlock+0x13/0x30
...
 Call Trace:
  n_tty_write+0x1a0/0x4d0
  tty_write+0x1a0/0x2e0

Or to KASAN reports:
BUG: KASAN: slab-out-of-bounds in vgacon_scroll+0x57a/0x8ed

This fixes CVE-2020-14331.

Reported-by: 张云海 <zhangyunhai@nsfocus.com>
Reported-by: Yang Yingliang <yangyingliang@huawei.com>
Reported-by: Kyungtae Kim <kt0755@gmail.com>
Fixes: 15bdab959c ([PATCH] vgacon: Add support for soft scrollback)
Cc: stable@vger.kernel.org
Cc: linux-fbdev@vger.kernel.org
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Solar Designer <solar@openwall.com>
Cc: "Srivatsa S. Bhat" <srivatsa@csail.mit.edu>
Cc: Anthony Liguori <aliguori@amazon.com>
Cc: Yang Yingliang <yangyingliang@huawei.com>
Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Cc: Jiri Slaby <jirislaby@kernel.org>
Signed-off-by: Yunhai Zhang <zhangyunhai@nsfocus.com>
Link: https://lore.kernel.org/r/9fb43895-ca91-9b07-ebfd-808cf854ca95@nsfocus.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-08-04 09:40:35 +02:00
accessibility vc: separate state 2020-06-24 17:08:30 +02:00
acpi Merge branch 'acpi-fan' 2020-07-03 16:15:31 +02:00
amba ARM: tegra: Replace zero-length array with flexible-array 2020-06-15 23:08:28 -05:00
android binder: Don't use mmput() from shrinker function. 2020-07-23 09:47:12 +02:00
ata libata-5.8-2020-06-19 2020-06-19 13:09:40 -07:00
atm treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
auxdisplay treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
base device property: Avoid NULL pointer dereference in device_get_next_child_node() 2020-07-23 17:04:28 +02:00
bcma
block Char/Misc fixes for 5.8-rc6 2020-07-16 11:26:40 -07:00
bluetooth Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-06-03 16:27:18 -07:00
bus Fix a suspend/resume regression (crash) on TI AM3/AM4 SoC's. 2020-07-25 13:27:12 -07:00
cdrom Merge branch 'work.sysctl' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2020-06-10 16:05:54 -07:00
char /dev/mem: Add missing memory barriers for devmem_inode 2020-07-23 09:47:13 +02:00
clk A couple build fixes for issues exposed this merge window and a fix for 2020-07-15 19:00:12 -07:00
clocksource Fix a suspend/resume regression (crash) on TI AM3/AM4 SoC's. 2020-07-25 13:27:12 -07:00
connector treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
counter counter: 104-quad-8: Add lock guards - filter clock prescaler 2020-06-14 14:46:52 +01:00
cpufreq cpufreq: intel_pstate: Fix active mode setting from command line 2020-07-13 17:55:57 +02:00
cpuidle cpuidle: Rearrange s2idle-specific idle state entry code 2020-06-25 13:52:53 +02:00
crypto crypto/chtls: correct net_device reference count 2020-07-20 18:28:04 -07:00
dax device-dax: add memory via add_memory_driver_managed() 2020-06-04 19:06:23 -07:00
dca
devfreq PM / devfreq: Use lockdep asserts instead of manual checks for locked mutex 2020-05-28 18:02:40 +09:00
dio maccess: rename probe_kernel_{read,write} to copy_{from,to}_kernel_nofault 2020-06-17 10:57:41 -07:00
dma dmaengine fixes for v5.5-rc6 2020-07-15 15:58:11 -07:00
dma-buf dmabuf: use spinlock to access dmabuf->name 2020-07-10 15:39:29 +05:30
edac EDAC/amd64: Read back the scrub rate PCI register on F15h 2020-06-18 20:25:25 +02:00
eisa treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
extcon extcon: arizona: Fix runtime PM imbalance on error 2020-05-29 17:36:02 +09:00
firewire firewire: ohci: Replace zero-length array with flexible-array 2020-06-15 23:08:31 -05:00
firmware Various EFI fixes: 2020-07-25 13:18:42 -07:00
fpga fpga: dfl: fix bug in port reset handshake 2020-07-13 22:11:17 -07:00
fsi treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
gnss treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
gpio gpio fixes for v5.8-rc3 2020-06-26 23:53:25 +02:00
gpu Merge tag 'amd-drm-fixes-5.8-2020-07-22' of git://people.freedesktop.org/~agd5f/linux into drm-fixes 2020-07-23 14:06:16 +10:00
greybus treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
hid Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid into master 2020-07-17 09:43:13 -07:00
hsi treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
hv Drivers: hv: Change flag to write log level in panic msg to false 2020-06-29 10:30:35 +00:00
hwmon hwmon: (drivetemp) Avoid SCT usage on Toshiba DT01ACA family drives 2020-07-18 08:11:44 -07:00
hwspinlock
hwtracing intel_th: Fix a NULL dereference when hub driver is not loaded 2020-07-10 15:12:48 +02:00
i2c i2c: i2c-qcom-geni: Fix DMA transfer race 2020-07-23 22:26:44 +02:00
i3c
ide treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
idle
iio First set of IIO and counter fixes in the 5.8 cycle. 2020-07-08 09:20:50 +02:00
infiniband RDMA/mlx5: Prevent prefetch from racing with implicit destruction 2020-07-21 13:51:35 -03:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2020-07-13 18:31:15 -07:00
interconnect interconnect: msm8916: Fix buswidth of pcnoc_s nodes 2020-07-23 10:45:24 +02:00
iommu iommu/qcom: Use domain rather than dev as tlb cookie 2020-07-22 17:29:28 +02:00
ipack treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
irqchip Bugfixes and a one-liner patch to silence sparse. 2020-07-06 12:48:04 -07:00
isdn treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
leds LEDs pull request for 5.8-rc1. 2020-06-04 11:03:45 -07:00
lightnvm for-5.8/block-2020-06-01 2020-06-02 15:29:19 -07:00
macintosh treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
mailbox mailbox: qcom: Add ipq6018 apcs compatible 2020-06-10 22:43:57 -05:00
mcb
md dm integrity: fix integrity recalculation that is improperly skipped 2020-07-23 14:39:37 -04:00
media media: omap3isp: remove cacheflush.h 2020-06-26 00:27:37 -07:00
memory Merge branch 'baikal/drivers' into arm/drivers 2020-05-28 14:18:11 +02:00
memstick
message scsi: mptfusion: Don't use GFP_ATOMIC for larger DMA allocations 2020-06-26 22:51:53 -04:00
mfd irqdomain/treewide: Keep firmware node unconditionally allocated 2020-07-14 17:44:42 +02:00
misc habanalabs: prevent possible out-of-bounds array access 2020-07-19 08:15:36 +03:00
mmc mmc: sdhci-of-aspeed: Fix clock divider calculation 2020-07-13 12:17:34 +02:00
most
mtd mtd: rawnand: xway: Fix build issue 2020-07-07 21:04:38 +02:00
mux
net drivers/net/wan: lapb: Corrected the usage of skb_cow 2020-07-24 20:17:42 -07:00
nfc nfc: s3fwrn5: add missing release on skb in s3fwrn5_recv_frame 2020-07-20 18:31:33 -07:00
ntb NTB: perf: Fix race condition when run with ntb_test 2020-06-05 20:02:09 -04:00
nubus
nvdimm libnvdimm/security: Fix key lookup permissions 2020-07-08 17:08:01 -07:00
nvme nvme: explicitly update mpath disk capacity on revalidation 2020-07-16 16:40:27 +02:00
nvmem nvmem: qfprom: remove incorrect write support 2020-05-27 11:09:26 +02:00
of of: of_mdio: Correct loop scanning logic 2020-06-19 13:39:00 -07:00
opp opp: Increase parsed_static_opps in _of_add_opp_table_v1() 2020-07-16 08:50:54 +05:30
oprofile oprofile: Replace zero-length array with flexible-array 2020-06-15 23:08:32 -05:00
parisc
parport treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
pci pci-v5.8-fixes-2 2020-07-24 18:30:24 -07:00
pcmcia treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
perf drivers/perf: Prevent forced unbinding of PMU drivers 2020-07-17 10:51:44 +01:00
phy phy: fixes for 5.8 2020-07-08 18:00:07 +02:00
pinctrl intel-pinctrl for v5.8-2 2020-06-28 01:08:21 +02:00
platform platform/x86: asus-wmi: allow BAT1 battery name 2020-07-15 12:47:04 +03:00
pnp treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
power power supply and reset changes for the v5.8 series 2020-06-10 11:28:35 -07:00
powercap Kbuild updates for v5.8 (2nd) 2020-06-13 13:29:16 -07:00
pps treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
ps3
ptp treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
pwm pwm: Add missing "CONFIG_" prefix 2020-06-04 19:09:28 +02:00
rapidio rapidio: Replace zero-length array with flexible-array 2020-06-15 23:08:32 -05:00
ras
regulator regulator: rename da903x to da903x-regulator 2020-06-25 15:29:21 +01:00
remoteproc remoteproc updates for v5.8 2020-06-08 13:01:08 -07:00
reset Char/Misc driver patches for 5.8-rc1 2020-06-07 10:59:32 -07:00
rpmsg remoteproc updates for v5.8 2020-06-08 13:01:08 -07:00
rtc RTC for 5.8 2020-06-07 16:11:23 -07:00
s390 vfio-ccw: Fix a build error due to missing include of linux/slab.h 2020-07-03 11:41:31 +02:00
sbus treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
scsi scsi: core: Run queue in case of I/O resource contention failure 2020-07-20 21:38:20 -04:00
sfi treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
sh
siox
slimbus
soc i.MX fixes for 5.8, round 2: 2020-07-16 22:08:07 +02:00
soundwire soundwire: intel: fix memory leak with devm_kasprintf 2020-06-22 17:15:20 +05:30
spi spi: Fixes for v5.8 2020-07-17 10:24:09 -07:00
spmi
ssb
staging Linux 5.8-rc7 2020-07-27 12:40:56 +02:00
target Kbuild updates for v5.8 (2nd) 2020-06-13 13:29:16 -07:00
tc
tee mmap locking API: use coccinelle to convert mmap_sem rwsem call sites 2020-06-09 09:39:14 -07:00
thermal - Fix invalid index array access on int340x_thermal leading to a 2020-07-16 11:08:54 -07:00
thunderbolt thunderbolt: Fix path indices used in USB3 tunnel discovery 2020-06-25 15:45:30 +03:00
tty Revert "serial: 8250: Let serial core initialise spin lock" 2020-08-02 13:24:30 +02:00
uio uio_pdrv_genirq: fix use without device tree and no interrupt 2020-07-03 10:52:02 +02:00
usb Linux 5.8-rc7 2020-07-27 12:40:56 +02:00
vdpa vdpa: fix typos in the comments for __vdpa_alloc_device() 2020-06-22 12:34:21 -04:00
vfio vfio/pci: fix racy on error and request eventfd ctx 2020-07-17 08:28:40 -06:00
vhost tools/virtio: Add --reset 2020-06-22 12:34:21 -04:00
video vgacon: Fix for missing check in scrollback handling 2020-08-04 09:40:35 +02:00
virt virt: vbox: Fix guest capabilities mask check 2020-07-10 13:40:19 +02:00
virtio pci-v5.8-fixes-2 2020-07-24 18:30:24 -07:00
visorbus treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
vlynq
vme treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
w1 w1: Replace zero-length array with flexible-array 2020-06-15 23:08:32 -05:00
watchdog treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
xen xen: branch for v5.8-rc5 2020-07-11 11:16:46 -07:00
zorro treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
Kconfig
Makefile