From patchwork Mon Mar 6 09:49:21 2023
X-Patchwork-Submitter: Samuel Thibault
X-Patchwork-Id: 13160767
Date: Mon, 6 Mar 2023 10:49:21 +0100
From: Samuel Thibault
To: gregkh@linuxfoundation.org
Cc: linux-fbdev@vger.kernel.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, Sanan Hasanov, Samuel Thibault, keescook@chromium.org, syzbot+3af17071816b61e807ed@syzkaller.appspotmail.com, akpm@linux-foundation.org, linux-hardening@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, Jiri Slaby
Subject: [PATCH] VT: Protect KD_FONT_OP_GET_TALL from unbound access
Message-ID: <20230306094921.tik5ewne4ft6mfpo@begin>
In ioctl(KD_FONT_OP_GET_TALL), userland tells through op->height which vpitch should be used to copy over the font. In con_font_get, we were not checking that it is within the maximum height value, and thus userland could make the vc->vc_sw->con_font_get(vc, &font, vpitch); call possibly overflow the allocated max_font_size bytes, and the copy_to_user(op->data, font.data, c) call possibly read out of that allocated buffer.

By checking vpitch against max_font_height, the max_font_size buffer will always be large enough for the vc->vc_sw->con_font_get(vc, &font, vpitch) call (since we already prevent loading a font larger than that), and c = (font.width+7)/8 * vpitch * font.charcount will always remain below max_font_size.

Fixes: 24d69384bcd3 ("VT: Add KD_FONT_OP_SET/GET_TALL operations")
Reported-by: syzbot+3af17071816b61e807ed@syzkaller.appspotmail.com
Signed-off-by: Samuel Thibault
Reviewed-by: Jiri Slaby

diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c index 57a5c23b51d4..3c2ea9c098f7 100644 --- a/drivers/tty/vt/vt.c +++ b/drivers/tty/vt/vt.c @@ -4545,6 +4545,9 @@ static int con_font_get(struct vc_data *vc, struct console_font_op *op) int c; unsigned int vpitch = op->op == KD_FONT_OP_GET_TALL ? op->height : 32; + if (vpitch > max_font_height) + return -EINVAL; + if (op->data) { font.data = kvmalloc(max_font_size, GFP_KERNEL); if (!font.data)
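Review bot: the added `if (vpitch > max_font_height) return -EINVAL;` bounds only the vpitch that KD_FONT_OP_GET_TALL takes from op->height; on the legacy path the line just above hard-codes vpitch to 32, so the check is a no-op there and quietly depends on max_font_height being at least 32 (its value is not in this hunk), which is worth confirming so plain KD_FONT_OP_GET does not start failing with -EINVAL. The commit message's second claim, that c = (font.width+7)/8 * vpitch * font.charcount stays below max_font_size, also rests on font.width and font.charcount coming back from the driver within the load-time limits rather than on anything in this hunk; a one-line comment above the check stating that invariant (vpitch <= max_font_height, font already bounded when it was loaded) would let the next reader see why the max_font_size allocation is sufficient without re-deriving it.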
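A model of the bound this patch adds, as an added example (not the kernel's code): it reproduces the length arithmetic from the commit message, c = (font.width+7)/8 * vpitch * font.charcount, shows how an unchecked op->height makes that length exceed the max_font_size buffer, and brute-forces every font within the load-time limits to confirm that once vpitch is capped at max_font_height the length can never exceed max_font_size. The MAX_FONT_* values, the OP_* constants and the sample loaded font are assumptions chosen for the example; the kernel's actual defines are not shown on this page.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed limits standing in for the kernel's max_font_* defines (the real
 * values are not on this page).  What matters is that MAX_FONT_SIZE is
 * derived from the other three exactly the way the copy length is computed. */
#define MAX_FONT_WIDTH   64U
#define MAX_FONT_HEIGHT  128U
#define MAX_FONT_GLYPHS  512U
#define MAX_FONT_SIZE    (MAX_FONT_GLYPHS * (MAX_FONT_WIDTH / 8U) * MAX_FONT_HEIGHT)

/* Local stand-ins for KD_FONT_OP_GET / KD_FONT_OP_GET_TALL (not kd.h values). */
enum { OP_GET, OP_GET_TALL };

struct loaded_font {
    unsigned int width, height, charcount;
};

/* Constructed sample: an ordinary 8x16, 256-glyph font already loaded on the
 * console.  Loading is bounded in the kernel, so any loaded font fits inside
 * MAX_FONT_WIDTH / MAX_FONT_HEIGHT / MAX_FONT_GLYPHS. */
static const struct loaded_font sample_font = { 8, 16, 256 };

/* c = (font.width+7)/8 * vpitch * font.charcount, from the commit message.
 * The loaded font's own height plays no part: the per-glyph stride is vpitch. */
static unsigned long long font_copy_len(const struct loaded_font *f,
                                        unsigned int vpitch)
{
    return (unsigned long long)((f->width + 7) / 8) * vpitch * f->charcount;
}

/* Bytes con_font_get would be asked to produce for the sample font, or a
 * negative errno.  hardened=0 models the pre-patch path, hardened=1 the
 * patched one with the vpitch check in place. */
static long long con_font_get_len(unsigned int op, unsigned int height, int hardened)
{
    unsigned int vpitch = op == OP_GET_TALL ? height : 32;

    if (hardened && vpitch > MAX_FONT_HEIGHT)
        return -EINVAL;
    return (long long)font_copy_len(&sample_font, vpitch);
}

/* 1 if the request would write past a MAX_FONT_SIZE-byte buffer. */
static int request_overflows(unsigned int op, unsigned int height, int hardened)
{
    long long len = con_font_get_len(op, height, hardened);
    return len > (long long)MAX_FONT_SIZE;
}

/* Exhaustive check of the commit message's claim: for every font that can be
 * loaded and every vpitch the patched check admits, the copy length never
 * exceeds MAX_FONT_SIZE.  Returns the largest length seen. */
static unsigned long long worst_len_with_check(void)
{
    unsigned long long worst = 0;
    for (unsigned int w = 1; w <= MAX_FONT_WIDTH; w++)
        for (unsigned int n = 1; n <= MAX_FONT_GLYPHS; n++)
            for (unsigned int v = 1; v <= MAX_FONT_HEIGHT; v++) {
                struct loaded_font f = { w, MAX_FONT_HEIGHT, n };
                unsigned long long c = font_copy_len(&f, v);
                if (c > worst)
                    worst = c;
            }
    return worst;
}

int main(void)
{
    unsigned int evil_height = 1u << 20;   /* attacker-chosen op->height */

    printf("buffer: %u bytes\n", MAX_FONT_SIZE);
    printf("pre-patch  GET_TALL height=%u -> c=%lld (overflow=%d)\n", evil_height,
           con_font_get_len(OP_GET_TALL, evil_height, 0),
           request_overflows(OP_GET_TALL, evil_height, 0));
    printf("post-patch GET_TALL height=%u -> %lld (-EINVAL=%d)\n", evil_height,
           con_font_get_len(OP_GET_TALL, evil_height, 1), -EINVAL);
    printf("post-patch worst admissible c=%llu\n", worst_len_with_check());
    return 0;
}
```

The brute-force loop is what makes the patch's argument checkable rather than asserted: with the assumed limits the worst admissible length lands exactly on MAX_FONT_SIZE (a 64-pixel-wide, 512-glyph font read with vpitch equal to MAX_FONT_HEIGHT), which is why the buffer must be sized from the same three maxima the check and the loader enforce.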