Revision 513dc792d6060d5ef572e43852683097a8420f56 authored by Zhang Xiaoxu on 04 March 2020, 02:24:29 UTC, committed by Daniel Vetter on 06 March 2020, 20:06:34 UTC
When syzkaller tests, there is a UAF:
BUG: KASan: use after free in vgacon_invert_region+0x9d/0x110 at addr
ffff880000100000
Read of size 2 by task syz-executor.1/16489
page:ffffea0000004000 count:0 mapcount:-127 mapping: (null)
index:0x0
page flags: 0xfffff00000000()
page dumped because: kasan: bad access detected
CPU: 1 PID: 16489 Comm: syz-executor.1 Not tainted
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
Call Trace:
[<ffffffffb119f309>] dump_stack+0x1e/0x20
[<ffffffffb04af957>] kasan_report+0x577/0x950
[<ffffffffb04ae652>] __asan_load2+0x62/0x80
[<ffffffffb090f26d>] vgacon_invert_region+0x9d/0x110
[<ffffffffb0a39d95>] invert_screen+0xe5/0x470
[<ffffffffb0a21dcb>] set_selection+0x44b/0x12f0
[<ffffffffb0a3bfae>] tioclinux+0xee/0x490
[<ffffffffb0a1d114>] vt_ioctl+0xff4/0x2670
[<ffffffffb0a0089a>] tty_ioctl+0x46a/0x1a10
[<ffffffffb052db3d>] do_vfs_ioctl+0x5bd/0xc40
[<ffffffffb052e2f2>] SyS_ioctl+0x132/0x170
[<ffffffffb11c9b1b>] system_call_fastpath+0x22/0x27
Memory state around the buggy address:
ffff8800000fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00
ffff8800000fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00
>ffff880000100000: ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff
It can be reproduce in the linux mainline by the program:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <linux/vt.h>
struct tiocl_selection {
unsigned short xs; /* X start */
unsigned short ys; /* Y start */
unsigned short xe; /* X end */
unsigned short ye; /* Y end */
unsigned short sel_mode; /* selection mode */
};
#define TIOCL_SETSEL 2
struct tiocl {
unsigned char type;
unsigned char pad;
struct tiocl_selection sel;
};
int main()
{
int fd = 0;
const char *dev = "/dev/char/4:1";
struct vt_consize v = {0};
struct tiocl tioc = {0};
fd = open(dev, O_RDWR, 0);
v.v_rows = 3346;
ioctl(fd, VT_RESIZEX, &v);
tioc.type = TIOCL_SETSEL;
ioctl(fd, TIOCLINUX, &tioc);
return 0;
}
When resize the screen, update the 'vc->vc_size_row' to the new_row_size,
but when 'set_origin' in 'vgacon_set_origin', vgacon use 'vga_vram_base'
for 'vc_origin' and 'vc_visible_origin', not 'vc_screenbuf'. It maybe
smaller than 'vc_screenbuf'. When TIOCLINUX, use the new_row_size to calc
the offset, it maybe larger than the vga_vram_size in vgacon driver, then
bad access.
Also, if set an larger screenbuf firstly, then set an more larger
screenbuf, when copy old_origin to new_origin, a bad access may happen.
So, If the screen size larger than vga_vram, resize screen should be
failed. This alse fix CVE-2020-8649 and CVE-2020-8647.
Linus pointed out that overflow checking seems absent. We're saved by
the existing bounds checks in vc_do_resize() with rather strict
limits:
if (cols > VC_RESIZE_MAXCOL || lines > VC_RESIZE_MAXROW)
return -EINVAL;
Fixes: 0aec4867dca14 ("[PATCH] SVGATextMode fix")
Reference: CVE-2020-8647 and CVE-2020-8649
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
[danvet: augment commit message to point out overflow safety]
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20200304022429.37738-1-zhangxiaoxu5@huawei.com
1 parent 2ac4853
device.c
// SPDX-License-Identifier: GPL-2.0
/*
* Copyright (C) 2018 Cadence Design Systems Inc.
*
* Author: Boris Brezillon <boris.brezillon@bootlin.com>
*/
#include <linux/atomic.h>
#include <linux/bug.h>
#include <linux/completion.h>
#include <linux/device.h>
#include <linux/mutex.h>
#include <linux/slab.h>
#include "internals.h"
/**
* i3c_device_do_priv_xfers() - do I3C SDR private transfers directed to a
* specific device
*
* @dev: device with which the transfers should be done
* @xfers: array of transfers
* @nxfers: number of transfers
*
* Initiate one or several private SDR transfers with @dev.
*
* This function can sleep and thus cannot be called in atomic context.
*
* Return: 0 in case of success, a negative error core otherwise.
*/
int i3c_device_do_priv_xfers(struct i3c_device *dev,
struct i3c_priv_xfer *xfers,
int nxfers)
{
int ret, i;
if (nxfers < 1)
return 0;
for (i = 0; i < nxfers; i++) {
if (!xfers[i].len || !xfers[i].data.in)
return -EINVAL;
}
i3c_bus_normaluse_lock(dev->bus);
ret = i3c_dev_do_priv_xfers_locked(dev->desc, xfers, nxfers);
i3c_bus_normaluse_unlock(dev->bus);
return ret;
}
EXPORT_SYMBOL_GPL(i3c_device_do_priv_xfers);
/**
* i3c_device_get_info() - get I3C device information
*
* @dev: device we want information on
* @info: the information object to fill in
*
* Retrieve I3C dev info.
*/
void i3c_device_get_info(struct i3c_device *dev,
struct i3c_device_info *info)
{
if (!info)
return;
i3c_bus_normaluse_lock(dev->bus);
if (dev->desc)
*info = dev->desc->info;
i3c_bus_normaluse_unlock(dev->bus);
}
EXPORT_SYMBOL_GPL(i3c_device_get_info);
/**
* i3c_device_disable_ibi() - Disable IBIs coming from a specific device
* @dev: device on which IBIs should be disabled
*
* This function disable IBIs coming from a specific device and wait for
* all pending IBIs to be processed.
*
* Return: 0 in case of success, a negative error core otherwise.
*/
int i3c_device_disable_ibi(struct i3c_device *dev)
{
int ret = -ENOENT;
i3c_bus_normaluse_lock(dev->bus);
if (dev->desc) {
mutex_lock(&dev->desc->ibi_lock);
ret = i3c_dev_disable_ibi_locked(dev->desc);
mutex_unlock(&dev->desc->ibi_lock);
}
i3c_bus_normaluse_unlock(dev->bus);
return ret;
}
EXPORT_SYMBOL_GPL(i3c_device_disable_ibi);
/**
* i3c_device_enable_ibi() - Enable IBIs coming from a specific device
* @dev: device on which IBIs should be enabled
*
* This function enable IBIs coming from a specific device and wait for
* all pending IBIs to be processed. This should be called on a device
* where i3c_device_request_ibi() has succeeded.
*
* Note that IBIs from this device might be received before this function
* returns to its caller.
*
* Return: 0 in case of success, a negative error core otherwise.
*/
int i3c_device_enable_ibi(struct i3c_device *dev)
{
int ret = -ENOENT;
i3c_bus_normaluse_lock(dev->bus);
if (dev->desc) {
mutex_lock(&dev->desc->ibi_lock);
ret = i3c_dev_enable_ibi_locked(dev->desc);
mutex_unlock(&dev->desc->ibi_lock);
}
i3c_bus_normaluse_unlock(dev->bus);
return ret;
}
EXPORT_SYMBOL_GPL(i3c_device_enable_ibi);
/**
* i3c_device_request_ibi() - Request an IBI
* @dev: device for which we should enable IBIs
* @req: setup requested for this IBI
*
* This function is responsible for pre-allocating all resources needed to
* process IBIs coming from @dev. When this function returns, the IBI is not
* enabled until i3c_device_enable_ibi() is called.
*
* Return: 0 in case of success, a negative error core otherwise.
*/
int i3c_device_request_ibi(struct i3c_device *dev,
const struct i3c_ibi_setup *req)
{
int ret = -ENOENT;
if (!req->handler || !req->num_slots)
return -EINVAL;
i3c_bus_normaluse_lock(dev->bus);
if (dev->desc) {
mutex_lock(&dev->desc->ibi_lock);
ret = i3c_dev_request_ibi_locked(dev->desc, req);
mutex_unlock(&dev->desc->ibi_lock);
}
i3c_bus_normaluse_unlock(dev->bus);
return ret;
}
EXPORT_SYMBOL_GPL(i3c_device_request_ibi);
/**
* i3c_device_free_ibi() - Free all resources needed for IBI handling
* @dev: device on which you want to release IBI resources
*
* This function is responsible for de-allocating resources previously
* allocated by i3c_device_request_ibi(). It should be called after disabling
* IBIs with i3c_device_disable_ibi().
*/
void i3c_device_free_ibi(struct i3c_device *dev)
{
i3c_bus_normaluse_lock(dev->bus);
if (dev->desc) {
mutex_lock(&dev->desc->ibi_lock);
i3c_dev_free_ibi_locked(dev->desc);
mutex_unlock(&dev->desc->ibi_lock);
}
i3c_bus_normaluse_unlock(dev->bus);
}
EXPORT_SYMBOL_GPL(i3c_device_free_ibi);
/**
* i3cdev_to_dev() - Returns the device embedded in @i3cdev
* @i3cdev: I3C device
*
* Return: a pointer to a device object.
*/
struct device *i3cdev_to_dev(struct i3c_device *i3cdev)
{
return &i3cdev->dev;
}
EXPORT_SYMBOL_GPL(i3cdev_to_dev);
/**
* dev_to_i3cdev() - Returns the I3C device containing @dev
* @dev: device object
*
* Return: a pointer to an I3C device object.
*/
struct i3c_device *dev_to_i3cdev(struct device *dev)
{
return container_of(dev, struct i3c_device, dev);
}
EXPORT_SYMBOL_GPL(dev_to_i3cdev);
/**
* i3c_device_match_id() - Returns the i3c_device_id entry matching @i3cdev
* @i3cdev: I3C device
* @id_table: I3C device match table
*
* Return: a pointer to an i3c_device_id object or NULL if there's no match.
*/
const struct i3c_device_id *
i3c_device_match_id(struct i3c_device *i3cdev,
const struct i3c_device_id *id_table)
{
struct i3c_device_info devinfo;
const struct i3c_device_id *id;
i3c_device_get_info(i3cdev, &devinfo);
/*
* The lower 32bits of the provisional ID is just filled with a random
* value, try to match using DCR info.
*/
if (!I3C_PID_RND_LOWER_32BITS(devinfo.pid)) {
u16 manuf = I3C_PID_MANUF_ID(devinfo.pid);
u16 part = I3C_PID_PART_ID(devinfo.pid);
u16 ext_info = I3C_PID_EXTRA_INFO(devinfo.pid);
/* First try to match by manufacturer/part ID. */
for (id = id_table; id->match_flags != 0; id++) {
if ((id->match_flags & I3C_MATCH_MANUF_AND_PART) !=
I3C_MATCH_MANUF_AND_PART)
continue;
if (manuf != id->manuf_id || part != id->part_id)
continue;
if ((id->match_flags & I3C_MATCH_EXTRA_INFO) &&
ext_info != id->extra_info)
continue;
return id;
}
}
/* Fallback to DCR match. */
for (id = id_table; id->match_flags != 0; id++) {
if ((id->match_flags & I3C_MATCH_DCR) &&
id->dcr == devinfo.dcr)
return id;
}
return NULL;
}
EXPORT_SYMBOL_GPL(i3c_device_match_id);
/**
* i3c_driver_register_with_owner() - register an I3C device driver
*
* @drv: driver to register
* @owner: module that owns this driver
*
* Register @drv to the core.
*
* Return: 0 in case of success, a negative error core otherwise.
*/
int i3c_driver_register_with_owner(struct i3c_driver *drv, struct module *owner)
{
drv->driver.owner = owner;
drv->driver.bus = &i3c_bus_type;
return driver_register(&drv->driver);
}
EXPORT_SYMBOL_GPL(i3c_driver_register_with_owner);
/**
* i3c_driver_unregister() - unregister an I3C device driver
*
* @drv: driver to unregister
*
* Unregister @drv.
*/
void i3c_driver_unregister(struct i3c_driver *drv)
{
driver_unregister(&drv->driver);
}
EXPORT_SYMBOL_GPL(i3c_driver_unregister);
Computing file changes ...
