Skip to main content

Browse the archive

Revision 513dc792d6060d5ef572e43852683097a8420f56 authored by Zhang Xiaoxu on 04 March 2020, 02:24:29 UTC, committed by Daniel Vetter on 06 March 2020, 20:06:34 UTC 
vgacon: Fix a UAF in vgacon_invert_region
 
When syzkaller tests, there is a UAF:
  BUG: KASan: use after free in vgacon_invert_region+0x9d/0x110 at addr
    ffff880000100000
  Read of size 2 by task syz-executor.1/16489
  page:ffffea0000004000 count:0 mapcount:-127 mapping:          (null)
  index:0x0
  page flags: 0xfffff00000000()
  page dumped because: kasan: bad access detected
  CPU: 1 PID: 16489 Comm: syz-executor.1 Not tainted
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
  rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
  Call Trace:
    [<ffffffffb119f309>] dump_stack+0x1e/0x20
    [<ffffffffb04af957>] kasan_report+0x577/0x950
    [<ffffffffb04ae652>] __asan_load2+0x62/0x80
    [<ffffffffb090f26d>] vgacon_invert_region+0x9d/0x110
    [<ffffffffb0a39d95>] invert_screen+0xe5/0x470
    [<ffffffffb0a21dcb>] set_selection+0x44b/0x12f0
    [<ffffffffb0a3bfae>] tioclinux+0xee/0x490
    [<ffffffffb0a1d114>] vt_ioctl+0xff4/0x2670
    [<ffffffffb0a0089a>] tty_ioctl+0x46a/0x1a10
    [<ffffffffb052db3d>] do_vfs_ioctl+0x5bd/0xc40
    [<ffffffffb052e2f2>] SyS_ioctl+0x132/0x170
    [<ffffffffb11c9b1b>] system_call_fastpath+0x22/0x27
    Memory state around the buggy address:
     ffff8800000fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     00 00
     ffff8800000fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00
     00 00 00
    >ffff880000100000: ff ff ff ff ff ff ff ff ff ff ff ff ff
     ff ff ff

It can be reproduce in the linux mainline by the program:
  #include <stdio.h>
  #include <stdlib.h>
  #include <unistd.h>
  #include <fcntl.h>
  #include <sys/types.h>
  #include <sys/stat.h>
  #include <sys/ioctl.h>
  #include <linux/vt.h>

  struct tiocl_selection {
    unsigned short xs;      /* X start */
    unsigned short ys;      /* Y start */
    unsigned short xe;      /* X end */
    unsigned short ye;      /* Y end */
    unsigned short sel_mode; /* selection mode */
  };

  #define TIOCL_SETSEL    2
  struct tiocl {
    unsigned char type;
    unsigned char pad;
    struct tiocl_selection sel;
  };

  int main()
  {
    int fd = 0;
    const char *dev = "/dev/char/4:1";

    struct vt_consize v = {0};
    struct tiocl tioc = {0};

    fd = open(dev, O_RDWR, 0);

    v.v_rows = 3346;
    ioctl(fd, VT_RESIZEX, &v);

    tioc.type = TIOCL_SETSEL;
    ioctl(fd, TIOCLINUX, &tioc);

    return 0;
  }

When resize the screen, update the 'vc->vc_size_row' to the new_row_size,
but when 'set_origin' in 'vgacon_set_origin', vgacon use 'vga_vram_base'
for 'vc_origin' and 'vc_visible_origin', not 'vc_screenbuf'. It maybe
smaller than 'vc_screenbuf'. When TIOCLINUX, use the new_row_size to calc
the offset, it maybe larger than the vga_vram_size in vgacon driver, then
bad access.
Also, if set an larger screenbuf firstly, then set an more larger
screenbuf, when copy old_origin to new_origin, a bad access may happen.

So, If the screen size larger than vga_vram, resize screen should be
failed. This alse fix CVE-2020-8649 and CVE-2020-8647.

Linus pointed out that overflow checking seems absent. We're saved by
the existing bounds checks in vc_do_resize() with rather strict
limits:

	if (cols > VC_RESIZE_MAXCOL || lines > VC_RESIZE_MAXROW)
		return -EINVAL;

Fixes: 0aec4867dca14 ("[PATCH] SVGATextMode fix")
Reference: CVE-2020-8647 and CVE-2020-8649
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
[danvet: augment commit message to point out overflow safety]
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20200304022429.37738-1-zhangxiaoxu5@huawei.com
1 parent 2ac4853
Raw File
umem.h 
/* SPDX-License-Identifier: GPL-2.0-only */

/*
 * This file contains defines for the
 *   Micro Memory MM5415
 * family PCI Memory Module with Battery Backup.
 *
 * Copyright Micro Memory INC 2001.  All rights reserved.
 */

#ifndef _DRIVERS_BLOCK_MM_H
#define _DRIVERS_BLOCK_MM_H


#define IRQ_TIMEOUT (1 * HZ)

/* CSR register definition */
#define MEMCTRLSTATUS_MAGIC	0x00
#define  MM_MAGIC_VALUE		(unsigned char)0x59

#define MEMCTRLSTATUS_BATTERY	0x04
#define  BATTERY_1_DISABLED	0x01
#define  BATTERY_1_FAILURE	0x02
#define  BATTERY_2_DISABLED	0x04
#define  BATTERY_2_FAILURE	0x08

#define MEMCTRLSTATUS_MEMORY	0x07
#define  MEM_128_MB		0xfe
#define  MEM_256_MB		0xfc
#define  MEM_512_MB		0xf8
#define  MEM_1_GB		0xf0
#define  MEM_2_GB		0xe0

#define MEMCTRLCMD_LEDCTRL	0x08
#define  LED_REMOVE		2
#define  LED_FAULT		4
#define  LED_POWER		6
#define	 LED_FLIP		255
#define  LED_OFF		0x00
#define  LED_ON			0x01
#define  LED_FLASH_3_5		0x02
#define  LED_FLASH_7_0		0x03
#define  LED_POWER_ON		0x00
#define  LED_POWER_OFF		0x01
#define  USER_BIT1		0x01
#define  USER_BIT2		0x02

#define MEMORY_INITIALIZED	USER_BIT1

#define MEMCTRLCMD_ERRCTRL	0x0C
#define  EDC_NONE_DEFAULT	0x00
#define  EDC_NONE		0x01
#define  EDC_STORE_READ		0x02
#define  EDC_STORE_CORRECT	0x03

#define MEMCTRLCMD_ERRCNT	0x0D
#define MEMCTRLCMD_ERRSTATUS	0x0E

#define ERROR_DATA_LOG		0x20
#define ERROR_ADDR_LOG		0x28
#define ERROR_COUNT		0x3D
#define ERROR_SYNDROME		0x3E
#define ERROR_CHECK		0x3F

#define DMA_PCI_ADDR		0x40
#define DMA_LOCAL_ADDR		0x48
#define DMA_TRANSFER_SIZE	0x50
#define DMA_DESCRIPTOR_ADDR	0x58
#define DMA_SEMAPHORE_ADDR	0x60
#define DMA_STATUS_CTRL		0x68
#define  DMASCR_GO		0x00001
#define  DMASCR_TRANSFER_READ	0x00002
#define  DMASCR_CHAIN_EN	0x00004
#define  DMASCR_SEM_EN		0x00010
#define  DMASCR_DMA_COMP_EN	0x00020
#define  DMASCR_CHAIN_COMP_EN	0x00040
#define  DMASCR_ERR_INT_EN	0x00080
#define  DMASCR_PARITY_INT_EN	0x00100
#define  DMASCR_ANY_ERR		0x00800
#define  DMASCR_MBE_ERR		0x01000
#define  DMASCR_PARITY_ERR_REP	0x02000
#define  DMASCR_PARITY_ERR_DET	0x04000
#define  DMASCR_SYSTEM_ERR_SIG	0x08000
#define  DMASCR_TARGET_ABT	0x10000
#define  DMASCR_MASTER_ABT	0x20000
#define  DMASCR_DMA_COMPLETE	0x40000
#define  DMASCR_CHAIN_COMPLETE	0x80000

/*
3.SOME PCs HAVE HOST BRIDGES WHICH APPARENTLY DO NOT CORRECTLY HANDLE
READ-LINE (0xE) OR READ-MULTIPLE (0xC) PCI COMMAND CODES DURING DMA
TRANSFERS. IN OTHER SYSTEMS THESE COMMAND CODES WILL CAUSE THE HOST BRIDGE
TO ALLOW LONGER BURSTS DURING DMA READ OPERATIONS. THE UPPER FOUR BITS
(31..28) OF THE DMA CSR HAVE BEEN MADE PROGRAMMABLE, SO THAT EITHER A 0x6,
AN 0xE OR A 0xC CAN BE WRITTEN TO THEM TO SET THE COMMAND CODE USED DURING
DMA READ OPERATIONS.
*/
#define        DMASCR_READ   0x60000000
#define        DMASCR_READLINE   0xE0000000
#define        DMASCR_READMULTI   0xC0000000


#define DMASCR_ERROR_MASK	(DMASCR_MASTER_ABT | DMASCR_TARGET_ABT | DMASCR_SYSTEM_ERR_SIG | DMASCR_PARITY_ERR_DET | DMASCR_MBE_ERR | DMASCR_ANY_ERR)
#define DMASCR_HARD_ERROR	(DMASCR_MASTER_ABT | DMASCR_TARGET_ABT | DMASCR_SYSTEM_ERR_SIG | DMASCR_PARITY_ERR_DET | DMASCR_MBE_ERR)

#define WINDOWMAP_WINNUM	0x7B

#define DMA_READ_FROM_HOST 0
#define DMA_WRITE_TO_HOST 1

struct mm_dma_desc {
	__le64	pci_addr;
	__le64	local_addr;
	__le32	transfer_size;
	u32	zero1;
	__le64	next_desc_addr;
	__le64	sem_addr;
	__le32	control_bits;
	u32	zero2;

	dma_addr_t data_dma_handle;

	/* Copy of the bits */
	__le64	sem_control_bits;
} __attribute__((aligned(8)));

/* bits for card->flags */
#define UM_FLAG_DMA_IN_REGS		1
#define UM_FLAG_NO_BYTE_STATUS		2
#define UM_FLAG_NO_BATTREG		4
#define	UM_FLAG_NO_BATT			8
#endif
back to top