| Message ID | 20200713105730.550334-1-yangyingliang@huawei.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | vgacon: Fix an out-of-bounds in vgacon_scrollback_update() | expand |
On 13. 07. 20, 12:57, Yang Yingliang wrote: > I got a slab-out-of-bounds report when I doing fuzz test. > > [ 334.989515] ================================================================== > [ 334.989577] BUG: KASAN: slab-out-of-bounds in vgacon_scroll+0x57a/0x8ed > [ 334.989588] Write of size 1766 at addr ffff8883de69ff3e by task test/2658 > [ 334.989593] > [ 334.989608] CPU: 3 PID: 2658 Comm: test Not tainted 5.7.0-rc5-00005-g152036d1379f #789 > [ 334.989617] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 > [ 334.989624] Call Trace: > [ 334.989646] dump_stack+0xe4/0x14e > [ 334.989676] print_address_description.constprop.5+0x3f/0x60 > [ 334.989699] ? vgacon_scroll+0x57a/0x8ed > [ 334.989710] __kasan_report.cold.8+0x92/0xaf > [ 334.989735] ? vgacon_scroll+0x57a/0x8ed > [ 334.989761] kasan_report+0x37/0x50 > [ 334.989789] check_memory_region+0x1c1/0x1e0 > [ 334.989806] memcpy+0x38/0x60 > [ 334.989824] vgacon_scroll+0x57a/0x8ed > [ 334.989876] con_scroll+0x4ef/0x5e0 ... > Because vgacon_scrollback_cur->tail plus memcpy size is greater than > vgacon_scrollback_cur->size. Fix this by checking the memcpy size. > > Reported-by: Hulk Robot <hulkci@huawei.com> > Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> > --- > drivers/video/console/vgacon.c | 11 ++++++++--- > 1 file changed, 8 insertions(+), 3 deletions(-) > > diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c > index 998b0de1812f..b51ffb9a208d 100644 > --- a/drivers/video/console/vgacon.c > +++ b/drivers/video/console/vgacon.c > @@ -243,6 +243,7 @@ static void vgacon_scrollback_startup(void) > static void vgacon_scrollback_update(struct vc_data *c, int t, int count) > { > void *p; > + int size; > > if (!vgacon_scrollback_cur->data || !vgacon_scrollback_cur->size || > c->vc_num != fg_console) > @@ -251,13 +252,17 @@ static void vgacon_scrollback_update(struct vc_data *c, int t, int count) > p = (void *) (c->vc_origin + t * c->vc_size_row); > > while (count--) { > + size = vgacon_scrollback_cur->size - vgacon_scrollback_cur->tail; > + if (size > c->vc_size_row) > + size = c->vc_size_row; > + > scr_memcpyw(vgacon_scrollback_cur->data + > vgacon_scrollback_cur->tail, > - p, c->vc_size_row); > + p, size); Are you sure the consumer can handle split lines? As vgacon_scrolldelta (soff in particular) looks to me like it doesn't. Have you tested you patch? I mean with soft scrollback on the vga console? > vgacon_scrollback_cur->cnt++; > - p += c->vc_size_row; > - vgacon_scrollback_cur->tail += c->vc_size_row; > + p += size; > + vgacon_scrollback_cur->tail += size; > > if (vgacon_scrollback_cur->tail >= vgacon_scrollback_cur->size) > vgacon_scrollback_cur->tail = 0; > thanks,
On 2020/7/30 19:04, Jiri Slaby wrote: > On 13. 07. 20, 12:57, Yang Yingliang wrote: >> I got a slab-out-of-bounds report when I doing fuzz test. >> >> [ 334.989515] ================================================================== >> [ 334.989577] BUG: KASAN: slab-out-of-bounds in vgacon_scroll+0x57a/0x8ed >> [ 334.989588] Write of size 1766 at addr ffff8883de69ff3e by task test/2658 >> [ 334.989593] >> [ 334.989608] CPU: 3 PID: 2658 Comm: test Not tainted 5.7.0-rc5-00005-g152036d1379f #789 >> [ 334.989617] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 >> [ 334.989624] Call Trace: >> [ 334.989646] dump_stack+0xe4/0x14e >> [ 334.989676] print_address_description.constprop.5+0x3f/0x60 >> [ 334.989699] ? vgacon_scroll+0x57a/0x8ed >> [ 334.989710] __kasan_report.cold.8+0x92/0xaf >> [ 334.989735] ? vgacon_scroll+0x57a/0x8ed >> [ 334.989761] kasan_report+0x37/0x50 >> [ 334.989789] check_memory_region+0x1c1/0x1e0 >> [ 334.989806] memcpy+0x38/0x60 >> [ 334.989824] vgacon_scroll+0x57a/0x8ed >> [ 334.989876] con_scroll+0x4ef/0x5e0 > ... >> Because vgacon_scrollback_cur->tail plus memcpy size is greater than >> vgacon_scrollback_cur->size. Fix this by checking the memcpy size. >> >> Reported-by: Hulk Robot <hulkci@huawei.com> >> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> >> --- >> drivers/video/console/vgacon.c | 11 ++++++++--- >> 1 file changed, 8 insertions(+), 3 deletions(-) >> >> diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c >> index 998b0de1812f..b51ffb9a208d 100644 >> --- a/drivers/video/console/vgacon.c >> +++ b/drivers/video/console/vgacon.c >> @@ -243,6 +243,7 @@ static void vgacon_scrollback_startup(void) >> static void vgacon_scrollback_update(struct vc_data *c, int t, int count) >> { >> void *p; >> + int size; >> >> if (!vgacon_scrollback_cur->data || !vgacon_scrollback_cur->size || >> c->vc_num != fg_console) >> @@ -251,13 +252,17 @@ static void vgacon_scrollback_update(struct vc_data *c, int t, int count) >> p = (void *) (c->vc_origin + t * c->vc_size_row); >> >> while (count--) { >> + size = vgacon_scrollback_cur->size - vgacon_scrollback_cur->tail; >> + if (size > c->vc_size_row) >> + size = c->vc_size_row; >> + >> scr_memcpyw(vgacon_scrollback_cur->data + >> vgacon_scrollback_cur->tail, >> - p, c->vc_size_row); >> + p, size); > Are you sure the consumer can handle split lines? As vgacon_scrolldelta > (soff in particular) looks to me like it doesn't. > > Have you tested you patch? I mean with soft scrollback on the vga console? I only test the patch with the reproduce program. Thanks, Yang > >> vgacon_scrollback_cur->cnt++; >> - p += c->vc_size_row; >> - vgacon_scrollback_cur->tail += c->vc_size_row; >> + p += size; >> + vgacon_scrollback_cur->tail += size; >> >> if (vgacon_scrollback_cur->tail >= vgacon_scrollback_cur->size) >> vgacon_scrollback_cur->tail = 0; >> > thanks,
On 30. 07. 20, 15:24, Yang Yingliang wrote: > > On 2020/7/30 19:04, Jiri Slaby wrote: >> On 13. 07. 20, 12:57, Yang Yingliang wrote: >>> I got a slab-out-of-bounds report when I doing fuzz test. >>> >>> [ 334.989515] >>> ================================================================== >>> [ 334.989577] BUG: KASAN: slab-out-of-bounds in >>> vgacon_scroll+0x57a/0x8ed >>> [ 334.989588] Write of size 1766 at addr ffff8883de69ff3e by task >>> test/2658 >>> [ 334.989593] >>> [ 334.989608] CPU: 3 PID: 2658 Comm: test Not tainted >>> 5.7.0-rc5-00005-g152036d1379f #789 >>> [ 334.989617] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), >>> BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 >>> [ 334.989624] Call Trace: >>> [ 334.989646] dump_stack+0xe4/0x14e >>> [ 334.989676] print_address_description.constprop.5+0x3f/0x60 >>> [ 334.989699] ? vgacon_scroll+0x57a/0x8ed >>> [ 334.989710] __kasan_report.cold.8+0x92/0xaf >>> [ 334.989735] ? vgacon_scroll+0x57a/0x8ed >>> [ 334.989761] kasan_report+0x37/0x50 >>> [ 334.989789] check_memory_region+0x1c1/0x1e0 >>> [ 334.989806] memcpy+0x38/0x60 >>> [ 334.989824] vgacon_scroll+0x57a/0x8ed >>> [ 334.989876] con_scroll+0x4ef/0x5e0 >> ... >>> Because vgacon_scrollback_cur->tail plus memcpy size is greater than >>> vgacon_scrollback_cur->size. Fix this by checking the memcpy size. >>> >>> Reported-by: Hulk Robot <hulkci@huawei.com> >>> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> >>> --- >>> drivers/video/console/vgacon.c | 11 ++++++++--- >>> 1 file changed, 8 insertions(+), 3 deletions(-) >>> >>> diff --git a/drivers/video/console/vgacon.c >>> b/drivers/video/console/vgacon.c >>> index 998b0de1812f..b51ffb9a208d 100644 >>> --- a/drivers/video/console/vgacon.c >>> +++ b/drivers/video/console/vgacon.c >>> @@ -243,6 +243,7 @@ static void vgacon_scrollback_startup(void) >>> static void vgacon_scrollback_update(struct vc_data *c, int t, int >>> count) >>> { >>> void *p; >>> + int size; >>> if (!vgacon_scrollback_cur->data || >>> !vgacon_scrollback_cur->size || >>> c->vc_num != fg_console) >>> @@ -251,13 +252,17 @@ static void vgacon_scrollback_update(struct >>> vc_data *c, int t, int count) >>> p = (void *) (c->vc_origin + t * c->vc_size_row); >>> while (count--) { >>> + size = vgacon_scrollback_cur->size - >>> vgacon_scrollback_cur->tail; >>> + if (size > c->vc_size_row) >>> + size = c->vc_size_row; >>> + >>> scr_memcpyw(vgacon_scrollback_cur->data + >>> vgacon_scrollback_cur->tail, >>> - p, c->vc_size_row); >>> + p, size); >> Are you sure the consumer can handle split lines? As vgacon_scrolldelta >> (soff in particular) looks to me like it doesn't. >> >> Have you tested you patch? I mean with soft scrollback on the vga >> console? > > I only test the patch with the reproduce program. Out of curiosity, what is it doing? Resize and then scroll by \n (line feed)? Can you share it? thanks,
On 2020/7/30 21:38, Jiri Slaby wrote: > On 30. 07. 20, 15:24, Yang Yingliang wrote: >> On 2020/7/30 19:04, Jiri Slaby wrote: >>> On 13. 07. 20, 12:57, Yang Yingliang wrote: >>>> I got a slab-out-of-bounds report when I doing fuzz test. >>>> >>>> [ 334.989515] >>>> ================================================================== >>>> [ 334.989577] BUG: KASAN: slab-out-of-bounds in >>>> vgacon_scroll+0x57a/0x8ed >>>> [ 334.989588] Write of size 1766 at addr ffff8883de69ff3e by task >>>> test/2658 >>>> [ 334.989593] >>>> [ 334.989608] CPU: 3 PID: 2658 Comm: test Not tainted >>>> 5.7.0-rc5-00005-g152036d1379f #789 >>>> [ 334.989617] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), >>>> BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 >>>> [ 334.989624] Call Trace: >>>> [ 334.989646] dump_stack+0xe4/0x14e >>>> [ 334.989676] print_address_description.constprop.5+0x3f/0x60 >>>> [ 334.989699] ? vgacon_scroll+0x57a/0x8ed >>>> [ 334.989710] __kasan_report.cold.8+0x92/0xaf >>>> [ 334.989735] ? vgacon_scroll+0x57a/0x8ed >>>> [ 334.989761] kasan_report+0x37/0x50 >>>> [ 334.989789] check_memory_region+0x1c1/0x1e0 >>>> [ 334.989806] memcpy+0x38/0x60 >>>> [ 334.989824] vgacon_scroll+0x57a/0x8ed >>>> [ 334.989876] con_scroll+0x4ef/0x5e0 >>> ... >>>> Because vgacon_scrollback_cur->tail plus memcpy size is greater than >>>> vgacon_scrollback_cur->size. Fix this by checking the memcpy size. >>>> >>>> Reported-by: Hulk Robot <hulkci@huawei.com> >>>> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> >>>> --- >>>> drivers/video/console/vgacon.c | 11 ++++++++--- >>>> 1 file changed, 8 insertions(+), 3 deletions(-) >>>> >>>> diff --git a/drivers/video/console/vgacon.c >>>> b/drivers/video/console/vgacon.c >>>> index 998b0de1812f..b51ffb9a208d 100644 >>>> --- a/drivers/video/console/vgacon.c >>>> +++ b/drivers/video/console/vgacon.c >>>> @@ -243,6 +243,7 @@ static void vgacon_scrollback_startup(void) >>>> static void vgacon_scrollback_update(struct vc_data *c, int t, int >>>> count) >>>> { >>>> void *p; >>>> + int size; >>>> if (!vgacon_scrollback_cur->data || >>>> !vgacon_scrollback_cur->size || >>>> c->vc_num != fg_console) >>>> @@ -251,13 +252,17 @@ static void vgacon_scrollback_update(struct >>>> vc_data *c, int t, int count) >>>> p = (void *) (c->vc_origin + t * c->vc_size_row); >>>> while (count--) { >>>> + size = vgacon_scrollback_cur->size - >>>> vgacon_scrollback_cur->tail; >>>> + if (size > c->vc_size_row) >>>> + size = c->vc_size_row; >>>> + >>>> scr_memcpyw(vgacon_scrollback_cur->data + >>>> vgacon_scrollback_cur->tail, >>>> - p, c->vc_size_row); >>>> + p, size); >>> Are you sure the consumer can handle split lines? As vgacon_scrolldelta >>> (soff in particular) looks to me like it doesn't. >>> >>> Have you tested you patch? I mean with soft scrollback on the vga >>> console? >> I only test the patch with the reproduce program. > Out of curiosity, what is it doing? Resize and then scroll by \n (line > feed)? Can you share it? // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include <dirent.h> #include <endian.h> #include <errno.h> #include <fcntl.h> #include <signal.h> #include <stdarg.h> #include <stdbool.h> #include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/prctl.h> #include <sys/stat.h> #include <sys/syscall.h> #include <sys/types.h> #include <sys/wait.h> #include <time.h> #include <unistd.h> static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2) { if (a0 == 0xc || a0 == 0xb) { char buf[128]; sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2); return open(buf, O_RDWR, 0); } else { char buf[1024]; char* hash; strncpy(buf, (char*)a0, sizeof(buf) - 1); buf[sizeof(buf) - 1] = 0; while ((hash = strchr(buf, '#'))) { *hash = '0' + (char)(a1 % 10); a1 /= 10; } return open(buf, a2, 0); } } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); int i; for (i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter; for (iter = 0;; iter++) { int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); if (current_time_ms() - start < 5 * 1000) continue; kill_and_wait(pid, &status); break; } } } uint64_t r[1] = {0xffffffffffffffff}; void execute_one(void) { intptr_t res = 0; res = syz_open_dev(0xc, 4, 1); if (res != -1) r[0] = res; *(uint16_t*)0x20000000 = 0xc; *(uint16_t*)0x20000002 = 0x373; *(uint16_t*)0x20000004 = 0x1442; syscall(__NR_ioctl, r[0], 0x5609ul, 0x20000000ul); memcpy((void*)0x20003500, "\x7f\x45\x4c\x46\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20\x38\x00\x00\x00\x00\x00\x00\x00\x01\x04\x00\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x69\x2e\x77\x3d\x64\xf5\xe4\xb9\xaf\x86\xb6\xcb\x74\x6e\xe0\x71\x3a\xfb\x18\x4e\xb2\xb9\x99\x36\xd4\x71\x6d\xbf\xfc\x0d\xfb\xec\x4b\x82\x2d\xde\xa8\xb8\x79\x34\xcc\xe8\x11\x28\x49\x27\xb5\xe6\xeb\x37\x33\x73\xad\x27\x6b\xfd\x68\x18\x46\x9e\x3a\x35\xd0\x5b\x6f\x2f\xd5\x8a\x88\x96\xd0\x65\x16\x70\x95\x10\x0f\x97\xb8\xe6\x71\x60\x87\xcb\xf2\x92\x60\x4b\x89\x8a\xb8\xcf\x95\x85\x67\xef\x4e\xf3\xa8\x8e\xd4\x9f\x81\x83\x0a\x85\x54\x45\xff\x6c\xbd\xa4\xca\x4e\xae\x3d\x65\xef\x15\x76\xa2\x90\x16\xdb\xe3\xc9\x9c\x78\x30\x1e\x04\x8c\x17\x17\x06\xb3\x06\xc4\x87\x12\xc3\xe2\x5a\xb5\x83\x8a\xe3\x1e\x7d\xe1\xf1\xdc\x95\x79\xa7\x1c\xcb\x39\xf6\x05\x1e\xed\xd7\xf0\xb5\xa7\xc8\xb6\xfc\x41\xf4\x2d\x3e\x67\xba\xe8\xe4\x86\xa6\x31\x1e\xf2\x49\xda\x11\x41\xab\xfd\xc1\x0a\xe5\x69\x6b\xdb\xad\x95\xe4\x53\xb9\x37\xce\x6d\xad\x22\x39\xab\xd7\x9f\xcf\xa1\xdc\x84\xd7\x3b\xc2\xa3\xc6\xc3\x73\xa9\xd5\x3e\xf0\x01\xff\x18\x76\xe6\x47\xf4\x1b\x6a\x96\x8d\xc4\x9f\xe7\xc2\x93\x8a\x3d\xf9\x9b\xfd\x79\x5b\x7d\x2d\xb4\x82\x78\x38\x0f\x6b\xd0\xdc\xd2\x8b\x8e\xfe\xc1\xcf\xd5\x03\x98\x86\x7e\xf3\x29\xee\x1c\xb7\x34\xc1\x2f\xce\x5b\x51\x29\x2b\xe4\xef\xe7\x5e\x0d\x3f\x57\x8c\xc9\x89\xea\x55\xa0\x65\x00\x00\x00\x00\x00\x00\x00\x6f\x7e\x76\xa2\x37\x0e\x3e\x0b\x83\xa2\x6a\x88\x95\xa6\xac\x75\x4b\xee\xc4\x42\x87\xfa\xfd\x91\x3d\x6a\x4d\x92\x10\x71\x7c\xec\xaa\x58\x90\xbf\xa7\x5c\x72\xfd\x89\x6d\xb3\x07\x0f\xd2\x35\xd3\xdf\x78\x32\x51\x2f\x88\x03\x0e\x1d\x1c\xd5\xf3\x27\xa0\xe1\xd4\xc1\x05\xf7\x2d\xd1\x31\x87\x40\x7e\x92\x11\x28\xc5\x54\xb8\x49\x16\x6d\xdc\x79\xed\x21\xa4\x33\x7d\xdf\x56\x94\xad\xcf\x69\xd0\xb9\xb4\x6b\x6a\x67\x5c\x9d\x23\x1a\xec\xf2\x73\x03\xd2\x13\xf1\xdb\xe8\xb4\x79\x18\xd1\x50\x49\xc1\xd5\x85\xec\x84\xcd\x37\x0b\xed\x7b\xce\x6b\x31\x36\x1e\xfb\x69\x9d\xa8\xc2\x66\x65\x86\x9b\x25\x97\x1d\x59\x7c\x9c\x82\xe5\xe4\x1b\xd7\xe7\xb7\xda\xd8\x2a\x64\x96\xaf\xa7\x84\x40\x33\x97\x7a\x5a\xc0\x1f\x8c\xca\x91\x12\x94\x74\xb2\x5f\x25\xd1\xf1\xa2\x17\x87\x52\x89\x30\x2b\x3f\xf6\x45\x58\x31\x6e\x68\xa3\x5e\xd2\xa3\x80\xf7\xf0\xaf\x03\x9d\x1b\x33\xe8\x4e\x11\xf4\x19\x69\x8f\xc3\x0d\x0a\x72\xa3\xab\xb7\x66\xb1\x3b\xc4\x29\x58\x22\x0f\xae\xfc\x68\xcc\x66\x9b\x62\x4c\xc8\xce\x7e\xdc\xe5\x65\xbc\xc3\xde\xdc\x6f\xe4\x81\xd4\x4a\xd7\x0f\x37\xb7\x8f\x36\x89\x85\x6b\x0d\xb9\xe5\x4c\xc1\xfd\xd7\x1a\xa6\xc7\x0d\xf3\x8d\xcb\x5a\x9a\x6a\xea\x39\xf5\xe1\x42\xc7\x8a\xdc\x2e\x61\xb1\x4f\xea\x20\xd0\x0d\x50\x08\xc2\xbe\x36\xe5\xc0\x67\xe2\x43\x1d\x39\xbd\xda\x47\xa4\xb3\x59\xb3\x2d\x6a\x7e\x3a\xbc\xa7\x53\xf0\x46\x61\xe6\x9c\xef\xcf\xad\x50\x79\x5b\xb0\xd9\x40\xba\xb3\x5e\xf9\x39\xee\x9e\xe0\xfe\xfc\x59\x14\xac\x60\xcf\xcb\x9e\x7a\x47\x6f\xda\x4c\x09\x9e\xa1\x15\x24\x9a\x40\xf2\xe5\x34\xf4\x80\x03\x63\x08\x13\xe1\xab\xa9\xc2\x59\x15\x00\xe3\xc3\xe2\xa9\x0d\x5f\x0f\xa4\x53\x63\xbd\x72\xdc\xc9\xc2\x13\xc0\x0a\xbd\x7c\xec\xa8\x2d\x16\xac\x65\xf3\x58\xca\x62\x6c\x07\xba\x01\x72\xfa\x5a\xbe\x68\xfe\x92\xbe\xa2\xc7\xdc\xc6\xcd\xab\x10\x58\x4a\x9d\x2e\x61\x85\x56\x9f\x0e\x74\x6c\x49\xf8\x3d\x43\x43\x4f\xd3\x93\xf3\x1d\xcb\x31\x4c\xf6\x78\xed\x4b\x76\x1f\x46\x58\x58\x05\x9a\x59\x7d\xf9\x28\x0c\x7a\x49\x04\x6c\xda\x7e\x96\xe0\x22\x90\x64\x0d\xfa\x8f\xbd\xf1\xdb\x74\x75\x2d\x79\xe5\x20\x38\x8f\x0a\x20\xe8\x09\x31\xd6\x7a\x5b\xbb\x86\x9b\x38\x6d", 897); syscall(__NR_write, r[0], 0x20003500ul, 0x381ul); } int main(void) { syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 3ul, 0x32ul, -1, 0); loop(); return 0; } > > thanks,
Hi, On 31. 07. 20, 5:23, Yang Yingliang wrote: > void execute_one(void) > { > intptr_t res = 0; > res = syz_open_dev(0xc, 4, 1); open(/dev/tty1) > if (res != -1) > r[0] = res; > *(uint16_t*)0x20000000 = 0xc; > *(uint16_t*)0x20000002 = 0x373; > *(uint16_t*)0x20000004 = 0x1442; > syscall(__NR_ioctl, r[0], 0x5609ul, 0x20000000ul); VT_RESIZE(12, 883) > memcpy((void*)0x20003500, "\x7f\x45\x4c\x46\x00\x00\x00... > syscall(__NR_write, r[0], 0x20003500ul, 0x381ul); Write 381 bytes of some ELF to the tty. OK, that's it. Thanks.
diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c index 998b0de1812f..b51ffb9a208d 100644 --- a/drivers/video/console/vgacon.c +++ b/drivers/video/console/vgacon.c @@ -243,6 +243,7 @@ static void vgacon_scrollback_startup(void) static void vgacon_scrollback_update(struct vc_data *c, int t, int count) { void *p; + int size; if (!vgacon_scrollback_cur->data || !vgacon_scrollback_cur->size || c->vc_num != fg_console) @@ -251,13 +252,17 @@ static void vgacon_scrollback_update(struct vc_data *c, int t, int count) p = (void *) (c->vc_origin + t * c->vc_size_row); while (count--) { + size = vgacon_scrollback_cur->size - vgacon_scrollback_cur->tail; + if (size > c->vc_size_row) + size = c->vc_size_row; + scr_memcpyw(vgacon_scrollback_cur->data + vgacon_scrollback_cur->tail, - p, c->vc_size_row); + p, size); vgacon_scrollback_cur->cnt++; - p += c->vc_size_row; - vgacon_scrollback_cur->tail += c->vc_size_row; + p += size; + vgacon_scrollback_cur->tail += size; if (vgacon_scrollback_cur->tail >= vgacon_scrollback_cur->size) vgacon_scrollback_cur->tail = 0;
I got a slab-out-of-bounds report when I doing fuzz test. [ 334.989515] ================================================================== [ 334.989577] BUG: KASAN: slab-out-of-bounds in vgacon_scroll+0x57a/0x8ed [ 334.989588] Write of size 1766 at addr ffff8883de69ff3e by task test/2658 [ 334.989593] [ 334.989608] CPU: 3 PID: 2658 Comm: test Not tainted 5.7.0-rc5-00005-g152036d1379f #789 [ 334.989617] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 [ 334.989624] Call Trace: [ 334.989646] dump_stack+0xe4/0x14e [ 334.989676] print_address_description.constprop.5+0x3f/0x60 [ 334.989699] ? vgacon_scroll+0x57a/0x8ed [ 334.989710] __kasan_report.cold.8+0x92/0xaf [ 334.989735] ? vgacon_scroll+0x57a/0x8ed [ 334.989761] kasan_report+0x37/0x50 [ 334.989789] check_memory_region+0x1c1/0x1e0 [ 334.989806] memcpy+0x38/0x60 [ 334.989824] vgacon_scroll+0x57a/0x8ed [ 334.989876] con_scroll+0x4ef/0x5e0 [ 334.989904] ? lockdep_hardirqs_on+0x5e0/0x5e0 [ 334.989934] lf+0x24f/0x2a0 [ 334.989951] ? con_scroll+0x5e0/0x5e0 [ 334.989975] ? find_held_lock+0x33/0x1c0 [ 334.990005] do_con_trol+0x313/0x5ff0 [ 334.990027] ? lock_downgrade+0x730/0x730 [ 334.990045] ? reset_palette+0x440/0x440 [ 334.990070] ? _raw_spin_unlock_irqrestore+0x4b/0x60 [ 334.990095] ? notifier_call_chain+0x120/0x170 [ 334.990132] ? __atomic_notifier_call_chain+0xf0/0x180 [ 334.990160] do_con_write.part.16+0xb2b/0x1b20 [ 334.990238] ? do_con_trol+0x5ff0/0x5ff0 [ 334.990258] ? mutex_lock_io_nested+0x1280/0x1280 [ 334.990269] ? rcu_read_unlock+0x50/0x50 [ 334.990315] ? __mutex_unlock_slowpath+0xd9/0x670 [ 334.990340] ? lockdep_hardirqs_on+0x3a2/0x5e0 [ 334.990368] con_write+0x36/0xc0 [ 334.990389] do_output_char+0x561/0x780 [ 334.990414] n_tty_write+0x58e/0xd30 [ 334.990478] ? n_tty_read+0x1800/0x1800 [ 334.990500] ? prepare_to_wait_exclusive+0x300/0x300 [ 334.990525] ? __might_fault+0x17a/0x1c0 [ 334.990557] tty_write+0x430/0x960 [ 334.990568] ? n_tty_read+0x1800/0x1800 [ 334.990600] ? tty_release+0x1280/0x1280 [ 334.990622] __vfs_write+0x81/0x100 [ 334.990648] vfs_write+0x1ce/0x510 [ 334.990676] ksys_write+0x104/0x200 [ 334.990691] ? __ia32_sys_read+0xb0/0xb0 [ 334.990708] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 334.990725] ? trace_hardirqs_off_caller+0x40/0x1a0 [ 334.990744] ? do_syscall_64+0x3b/0x5e0 [ 334.990775] do_syscall_64+0xc8/0x5e0 [ 334.990798] entry_SYSCALL_64_after_hwframe+0x49/0xb3 [ 334.990811] RIP: 0033:0x44f369 [ 334.990827] Code: 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 334.990834] RSP: 002b:00007ffe9ace0968 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 334.990848] RAX: ffffffffffffffda RBX: 0000000000400418 RCX: 000000000044f369 [ 334.990856] RDX: 0000000000000381 RSI: 0000000020003500 RDI: 0000000000000003 [ 334.990865] RBP: 00007ffe9ace0980 R08: 0000000020003530 R09: 00007ffe9ace0980 [ 334.990873] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000402110 [ 334.990881] R13: 0000000000000000 R14: 00000000006bf018 R15: 0000000000000000 [ 334.990937] [ 334.990943] The buggy address belongs to the page: [ 334.990962] page:ffffea000f79a400 refcount:1 mapcount:0 mapping:000000002bff47b3 index:0x0 head:ffffea000f79a400 order:4 compound_mapcount:0 compound_pincount:0 [ 334.990973] flags: 0x2fffff80010000(head) [ 334.990992] raw: 002fffff80010000 dead000000000100 dead000000000122 0000000000000000 [ 334.991006] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 334.991013] page dumped because: kasan: bad access detected [ 334.991017] [ 334.991023] Memory state around the buggy address: [ 334.991034] ffff8883de6a0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 334.991044] ffff8883de6a0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 334.991054] >ffff8883de6a0100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc [ 334.991061] ^ [ 334.991071] ffff8883de6a0180: fc fc fc fc fc fc 00 00 00 00 00 00 00 00 00 00 [ 334.991082] ffff8883de6a0200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 334.991088] ================================================================== Because vgacon_scrollback_cur->tail plus memcpy size is greater than vgacon_scrollback_cur->size. Fix this by checking the memcpy size. Reported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> --- drivers/video/console/vgacon.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-)