From patchwork Sun Aug 27 13:56:46 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Jan_H=2E_Sch=C3=B6nherr?=
 <jschoenh@amazon.de>
X-Patchwork-Id: 9923879
Return-Path: <linux-fbdev-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	681A7603B4 for <patchwork-linux-fbdev@patchwork.kernel.org>;
	Sun, 27 Aug 2017 13:57:39 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5A69628614
	for <patchwork-linux-fbdev@patchwork.kernel.org>;
	Sun, 27 Aug 2017 13:57:39 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 492792863C; Sun, 27 Aug 2017 13:57:39 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.0 required=2.0 tests=BAYES_00,DKIM_ADSP_ALL,
	DKIM_SIGNED, RCVD_IN_DNSWL_HI,
	T_DKIM_INVALID autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C1D0328639
	for <patchwork-linux-fbdev@patchwork.kernel.org>;
	Sun, 27 Aug 2017 13:57:38 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751612AbdH0N5B (ORCPT
	<rfc822;patchwork-linux-fbdev@patchwork.kernel.org>);
	Sun, 27 Aug 2017 09:57:01 -0400
Received: from smtp-fw-6002.amazon.com ([52.95.49.90]:20745 "EHLO
	smtp-fw-6002.amazon.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751609AbdH0N5A (ORCPT
	<rfc822;linux-fbdev@vger.kernel.org>);
	Sun, 27 Aug 2017 09:57:00 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=amazon.de; i=@amazon.de; q=dns/txt; s=amazon201209;
	t=1503842220; x=1535378220;
	h=from:to:cc:subject:date:message-id:mime-version:
	content-transfer-encoding;
	bh=4ZAju2sZsxxWGk1m0e8tW8zvOVSFVEdCT/JkqDeeJg4=;
	b=MkqqyhuDR9dA3kVycC7oIfKwTl+sHSOjmBBXCUB4DHBtN5+VhktEPlsG
	BUy4Jga+RwkB917ht019greWrYaHxJmsuIpJuksy6nUFEQgbg+9+r2JAA
	IilKb86v+mIxDuNGorb8taNLlh2jb8ntF2i0wNEhS8gzdE6ym8imt0N1b c=;
X-IronPort-AV: E=Sophos;i="5.41,436,1498521600"; d="scan'208";a="302901509"
Received: from iad12-co-svc-p1-lb1-vlan3.amazon.com (HELO
	email-inbound-relay-1e-27fb8269.us-east-1.amazon.com) ([10.43.8.6])
	by smtp-border-fw-out-6002.iad6.amazon.com with
	ESMTP/TLS/DHE-RSA-AES256-SHA; 27 Aug 2017 13:56:59 +0000
Received: from u28d244cd5724546b2f74.ant.amazon.com
	(iad7-ws-svc-lb50-vlan3.amazon.com [10.0.93.214])
	by email-inbound-relay-1e-27fb8269.us-east-1.amazon.com
	(8.14.7/8.14.7) with ESMTP id v7RDus6c001930
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Sun, 27 Aug 2017 13:56:56 GMT
Received: from u28d244cd5724546b2f74.ant.amazon.com (localhost [127.0.0.1])
	by u28d244cd5724546b2f74.ant.amazon.com
	(8.14.4/8.14.4/Debian-2ubuntu2.1) with ESMTP id v7RDutCX030100;
	Sun, 27 Aug 2017 15:56:55 +0200
Received: (from jschoenh@localhost)
	by u28d244cd5724546b2f74.ant.amazon.com (8.14.4/8.14.4/Submit) id
	v7RDusBM030096; Sun, 27 Aug 2017 15:56:54 +0200
From: =?UTF-8?q?Jan=20H=2E=20Sch=C3=B6nherr?= <jschoenh@amazon.de>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Jiri Slaby <jslaby@suse.cz>, "H. Peter Anvin" <hpa@zytor.com>,
	linux-fbdev@vger.kernel.org,
	=?UTF-8?q?Jan=20H=2E=20Sch=C3=B6nherr?= <jschoenh@amazon.de>
Subject: [PATCH] vgacon,
	x86/boot: Prevent faulty bootparams.screeninfo from causing harm
Date: Sun, 27 Aug 2017 15:56:46 +0200
Message-Id: <1503842206-30039-1-git-send-email-jschoenh@amazon.de>
X-Mailer: git-send-email 2.3.1.dirty
MIME-Version: 1.0
Sender: linux-fbdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-fbdev.vger.kernel.org>
X-Mailing-List: linux-fbdev@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

If a zero for the number of colums or rows manages to slip through,
gotoxy() will underflow vc->vc_pos, causing the next action on the
referenced memory to end with a page fault.

Make the check in vgacon more pessimistic to prevent that. Also change
a similar check in the x86 boot code with a similar problem.

Signed-off-by: Jan H. Schönherr <jschoenh@amazon.de>
---
Let me know, if I should split this into two patches.

 arch/x86/boot/compressed/misc.c | 3 +--
 drivers/video/console/vgacon.c  | 5 ++---
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/arch/x86/boot/compressed/misc.c b/arch/x86/boot/compressed/misc.c
index a0838ab..c14217c 100644
--- a/arch/x86/boot/compressed/misc.c
+++ b/arch/x86/boot/compressed/misc.c
@@ -116,8 +116,7 @@ void __putstr(const char *s)
 		}
 	}
 
-	if (boot_params->screen_info.orig_video_mode == 0 &&
-	    lines == 0 && cols == 0)
+	if (lines == 0 || cols == 0)
 		return;
 
 	x = boot_params->screen_info.orig_x;
diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c
index dc06cb6..445b1dc 100644
--- a/drivers/video/console/vgacon.c
+++ b/drivers/video/console/vgacon.c
@@ -398,9 +398,8 @@ static const char *vgacon_startup(void)
 #endif
 	}
 
-	/* boot_params.screen_info initialized? */
-	if ((screen_info.orig_video_mode  == 0) &&
-	    (screen_info.orig_video_lines == 0) &&
+	/* boot_params.screen_info reasonably initialized? */
+	if ((screen_info.orig_video_lines == 0) ||
 	    (screen_info.orig_video_cols  == 0))
 		goto no_vga;