Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v6.3 2023-03-09T16:56:56Z 2023-03-09T16:56:56Z Samuel Thibault samuel.thibault@ens-lyon.org 2023-03-06T09:49:21Z urn:sha1:18365ebf23f3e713e5dd8e295c9a639295250f3c In ioctl(KD_FONT_OP_GET_TALL), userland tells through op->height which vpitch should be used to copy over the font. In con_font_get, we were not checking that it is within the maximum height value, and thus userland could make the vc->vc_sw->con_font_get(vc, &font, vpitch); call possibly overflow the allocated max_font_size bytes, and the copy_to_user(op->data, font.data, c) call possibly read out of that allocated buffer. By checking vpitch against max_font_height, the max_font_size buffer will always be large enough for the vc->vc_sw->con_font_get(vc, &font, vpitch) call (since we already prevent loading a font larger than that), and c = (font.width+7)/8 * vpitch * font.charcount will always remain below max_font_size. Fixes: 24d69384bcd3 ("VT: Add KD_FONT_OP_SET/GET_TALL operations") Reported-by: syzbot+3af17071816b61e807ed@syzkaller.appspotmail.com Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Reviewed-by: Jiri Slaby <jirislaby@kernel.org> Link: https://lore.kernel.org/r/20230306094921.tik5ewne4ft6mfpo@begin Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-02-28T02:35:28Z Thomas Weißschuh linux@weissschuh.net 2023-02-20T06:46:12Z urn:sha1:ae3419fbac845b4d3f3a9fae4cc80c68d82cdf6e Commit 226fae124b2d ("vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF") moved the call to vcs_vc() into the loop. While doing this it also moved the unconditional assignment of ret = -ENXIO; This unconditional assignment was valid outside the loop but within it it clobbers the actual value of ret. To avoid this only assign "ret = -ENXIO" when actually needed. [ Also, the 'goto unlock_out" needs to be just a "break", so that it does the right thing when it exits on later iterations when partial success has happened - Linus ] Reported-by: Storm Dragon <stormdragon2976@gmail.com> Link: https://lore.kernel.org/lkml/Y%2FKS6vdql2pIsCiI@hotmail.com/ Fixes: 226fae124b2d ("vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF") Signed-off-by: Thomas Weißschuh <linux@weissschuh.net> Link: https://lore.kernel.org/lkml/64981d94-d00c-4b31-9063-43ad0a384bde@t-8ch.de/ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2023-02-28T00:10:38Z George Kennedy george.kennedy@oracle.com 2023-02-27T20:21:41Z urn:sha1:46d733d0efc79bc8430d63b57ab88011806d5180 Restore the vcs_size() handling in vcs_read() to what it had been in previous version. Fixes: 226fae124b2d ("vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF") Suggested-by: Jiri Slaby <jirislaby@kernel.org> Signed-off-by: George Kennedy <george.kennedy@oracle.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2023-02-06T09:48:49Z Greg Kroah-Hartman gregkh@linuxfoundation.org 2023-02-06T09:48:49Z urn:sha1:f6b2ce79b5fbbb330f56262f0f4373d6af60b602 We need the tty/serial fixes in here as well. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-01-31T14:51:52Z George Kennedy george.kennedy@oracle.com 2023-01-24T16:16:54Z urn:sha1:226fae124b2dac217ea5436060d623ff3385bc34 After a call to console_unlock() in vcs_read() the vc_data struct can be freed by vc_deallocate(). Because of that, the struct vc_data pointer load must be done at the top of while loop in vcs_read() to avoid a UAF when vcs_size() is called. Syzkaller reported a UAF in vcs_size(). BUG: KASAN: use-after-free in vcs_size (drivers/tty/vt/vc_screen.c:215) Read of size 4 at addr ffff8881137479a8 by task 4a005ed81e27e65/1537 CPU: 0 PID: 1537 Comm: 4a005ed81e27e65 Not tainted 6.2.0-rc5 #1 Hardware name: Red Hat KVM, BIOS 1.15.0-2.module Call Trace: <TASK> __asan_report_load4_noabort (mm/kasan/report_generic.c:350) vcs_size (drivers/tty/vt/vc_screen.c:215) vcs_read (drivers/tty/vt/vc_screen.c:415) vfs_read (fs/read_write.c:468 fs/read_write.c:450) ... </TASK> Allocated by task 1191: ... kmalloc_trace (mm/slab_common.c:1069) vc_allocate (./include/linux/slab.h:580 ./include/linux/slab.h:720 drivers/tty/vt/vt.c:1128 drivers/tty/vt/vt.c:1108) con_install (drivers/tty/vt/vt.c:3383) tty_init_dev (drivers/tty/tty_io.c:1301 drivers/tty/tty_io.c:1413 drivers/tty/tty_io.c:1390) tty_open (drivers/tty/tty_io.c:2080 drivers/tty/tty_io.c:2126) chrdev_open (fs/char_dev.c:415) do_dentry_open (fs/open.c:883) vfs_open (fs/open.c:1014) ... Freed by task 1548: ... kfree (mm/slab_common.c:1021) vc_port_destruct (drivers/tty/vt/vt.c:1094) tty_port_destructor (drivers/tty/tty_port.c:296) tty_port_put (drivers/tty/tty_port.c:312) vt_disallocate_all (drivers/tty/vt/vt_ioctl.c:662 (discriminator 2)) vt_ioctl (drivers/tty/vt/vt_ioctl.c:903) tty_ioctl (drivers/tty/tty_io.c:2776) ... The buggy address belongs to the object at ffff888113747800 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 424 bytes inside of 1024-byte region [ffff888113747800, ffff888113747c00) The buggy address belongs to the physical page: page:00000000b3fe6c7c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x113740 head:00000000b3fe6c7c order:3 compound_mapcount:0 subpages_mapcount:0 compound_pincount:0 anon flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff) raw: 0017ffffc0010200 ffff888100042dc0 0000000000000000 dead000000000001 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888113747880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888113747900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ffff888113747980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888113747a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888113747a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Disabling lock debugging due to kernel taint Fixes: ac751efa6a0d ("console: rename acquire/release_console_sem() to console_lock/unlock()") Reported-by: syzkaller <syzkaller@googlegroups.com> Suggested-by: Jiri Slaby <jirislaby@kernel.org> Signed-off-by: George Kennedy <george.kennedy@oracle.com> Link: https://lore.kernel.org/r/1674577014-12374-1-git-send-email-george.kennedy@oracle.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-01-19T15:29:01Z Samuel Thibault samuel.thibault@ens-lyon.org 2023-01-19T15:19:17Z urn:sha1:05e2600cb0a4d73b0779cf29512819616252aeeb This moves 32x32 font size limitation checking down to drivers, so that fbcon can allow large fonts. We still keep a limitation to 64x128 pixels so as to have a simple bounded allocation for con_font_get and in the userland kbd tool. That glyph size will however be enough to have 128x36 characters on a "16/9 8K display". Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Link: https://lore.kernel.org/r/20230119151935.112415738@ens-lyon.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-01-19T15:28:57Z Samuel Thibault samuel.thibault@ens-lyon.org 2023-01-19T15:19:16Z urn:sha1:24d69384bcd34b9dcaf5dab744bf7096e84d1abd The KD_FONT_OP_SET/GET operations hardcode vpitch to be 32 pixels, which only dates from the old VGA hardware which as asserting this. Drivers such as fbcon however do not have such limitation, so this introduces KD_FONT_OP_SET/GET_TALL operations, which userland can try to use to avoid this limitation, thus opening the patch to >32 pixels font height. Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Link: https://lore.kernel.org/r/20230119151935.013597162@ens-lyon.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-01-19T15:28:56Z Samuel Thibault samuel.thibault@ens-lyon.org 2023-01-19T15:19:15Z urn:sha1:ffc1e089725e3f8a15ddfdce283db42f7d0fa147 The current con_font_get/set API currently hardcodes a 32-pixel-tall limitation, which only dates from the old VGA hardware which could not handle taller fonts than that. This change just adds a vpitch parameter to release this constraint. Drivers which do not support vpitch != 32 can just return EINVAL when it is not 32, font loading tools will revert to trying 32 and succeed. This change makes the fbcon driver consider vpitch appropriately, thus making it able to load large fonts. Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> Link: https://lore.kernel.org/r/20230119151934.932642243@ens-lyon.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-01-19T14:06:42Z Jiri Slaby (SUSE) jirislaby@kernel.org 2023-01-12T08:01:36Z urn:sha1:bf8baa00668dbc4fcfca5ac49ae8a3059c795e4e It's used on few places, so make the code easier to follow by caching the subtraction result. Signed-off-by: Jiri Slaby (SUSE) <jirislaby@kernel.org> Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> Link: https://lore.kernel.org/r/20230112080136.4929-11-jirislaby@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-01-19T14:06:42Z Jiri Slaby (SUSE) jirislaby@kernel.org 2023-01-12T08:01:35Z urn:sha1:424c82af26b1b8ca6c0be06987a4e6d18c9a92dd Rename more variables (t, b, s, d) -> (top, bottom, src, dst) to make them more obvious. Signed-off-by: Jiri Slaby (SUSE) <jirislaby@kernel.org> Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> Link: https://lore.kernel.org/r/20230112080136.4929-10-jirislaby@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>