Revision - 513dc79 - vgacon: Fix a UAF in vgacon_invert_region

Revision 513dc792d6060d5ef572e43852683097a8420f56 authored by Zhang Xiaoxu on 04 March 2020, 02:24:29 UTC, committed by Daniel Vetter on 06 March 2020, 20:06:34 UTC

vgacon: Fix a UAF in vgacon_invert_region

When syzkaller tests, there is a UAF:
  BUG: KASan: use after free in vgacon_invert_region+0x9d/0x110 at addr
    ffff880000100000
  Read of size 2 by task syz-executor.1/16489
  page:ffffea0000004000 count:0 mapcount:-127 mapping:          (null)
  index:0x0
  page flags: 0xfffff00000000()
  page dumped because: kasan: bad access detected
  CPU: 1 PID: 16489 Comm: syz-executor.1 Not tainted
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
  rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
  Call Trace:
    [<ffffffffb119f309>] dump_stack+0x1e/0x20
    [<ffffffffb04af957>] kasan_report+0x577/0x950
    [<ffffffffb04ae652>] __asan_load2+0x62/0x80
    [<ffffffffb090f26d>] vgacon_invert_region+0x9d/0x110
    [<ffffffffb0a39d95>] invert_screen+0xe5/0x470
    [<ffffffffb0a21dcb>] set_selection+0x44b/0x12f0
    [<ffffffffb0a3bfae>] tioclinux+0xee/0x490
    [<ffffffffb0a1d114>] vt_ioctl+0xff4/0x2670
    [<ffffffffb0a0089a>] tty_ioctl+0x46a/0x1a10
    [<ffffffffb052db3d>] do_vfs_ioctl+0x5bd/0xc40
    [<ffffffffb052e2f2>] SyS_ioctl+0x132/0x170
    [<ffffffffb11c9b1b>] system_call_fastpath+0x22/0x27
    Memory state around the buggy address:
     ffff8800000fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     00 00
     ffff8800000fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00
     00 00 00
    >ffff880000100000: ff ff ff ff ff ff ff ff ff ff ff ff ff
     ff ff ff

It can be reproduce in the linux mainline by the program:
  #include <stdio.h>
  #include <stdlib.h>
  #include <unistd.h>
  #include <fcntl.h>
  #include <sys/types.h>
  #include <sys/stat.h>
  #include <sys/ioctl.h>
  #include <linux/vt.h>

  struct tiocl_selection {
    unsigned short xs;      /* X start */
    unsigned short ys;      /* Y start */
    unsigned short xe;      /* X end */
    unsigned short ye;      /* Y end */
    unsigned short sel_mode; /* selection mode */
  };

  #define TIOCL_SETSEL    2
  struct tiocl {
    unsigned char type;
    unsigned char pad;
    struct tiocl_selection sel;
  };

  int main()
  {
    int fd = 0;
    const char *dev = "/dev/char/4:1";

    struct vt_consize v = {0};
    struct tiocl tioc = {0};

    fd = open(dev, O_RDWR, 0);

    v.v_rows = 3346;
    ioctl(fd, VT_RESIZEX, &v);

    tioc.type = TIOCL_SETSEL;
    ioctl(fd, TIOCLINUX, &tioc);

    return 0;
  }

When resize the screen, update the 'vc->vc_size_row' to the new_row_size,
but when 'set_origin' in 'vgacon_set_origin', vgacon use 'vga_vram_base'
for 'vc_origin' and 'vc_visible_origin', not 'vc_screenbuf'. It maybe
smaller than 'vc_screenbuf'. When TIOCLINUX, use the new_row_size to calc
the offset, it maybe larger than the vga_vram_size in vgacon driver, then
bad access.
Also, if set an larger screenbuf firstly, then set an more larger
screenbuf, when copy old_origin to new_origin, a bad access may happen.

So, If the screen size larger than vga_vram, resize screen should be
failed. This alse fix CVE-2020-8649 and CVE-2020-8647.

Linus pointed out that overflow checking seems absent. We're saved by
the existing bounds checks in vc_do_resize() with rather strict
limits:

	if (cols > VC_RESIZE_MAXCOL || lines > VC_RESIZE_MAXROW)
		return -EINVAL;

Fixes: 0aec4867dca14 ("[PATCH] SVGATextMode fix")
Reference: CVE-2020-8647 and CVE-2020-8649
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
[danvet: augment commit message to point out overflow safety]
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20200304022429.37738-1-zhangxiaoxu5@huawei.com

1 parent 2ac4853

Files
Changes

Permalinks

File	Mode	Size
Kconfig	-rw-r--r--	55.2 KB
Makefile	-rw-r--r--	7.9 KB
class.c	-rw-r--r--	11.0 KB
dev.c	-rw-r--r--	11.6 KB
hctosys.c	-rw-r--r--	1.6 KB
interface.c	-rw-r--r--	26.2 KB
lib.c	-rw-r--r--	3.3 KB
nvmem.c	-rw-r--r--	2.3 KB
proc.c	-rw-r--r--	2.1 KB
rtc-88pm80x.c	-rw-r--r--	9.2 KB
rtc-88pm860x.c	-rw-r--r--	12.5 KB
rtc-ab-b5ze-s3.c	-rw-r--r--	28.3 KB
rtc-ab-eoz9.c	-rw-r--r--	10.9 KB
rtc-ab3100.c	-rw-r--r--	6.5 KB
rtc-ab8500.c	-rw-r--r--	10.9 KB
rtc-abx80x.c	-rw-r--r--	21.3 KB
rtc-ac100.c	-rw-r--r--	16.9 KB
rtc-armada38x.c	-rw-r--r--	15.8 KB
rtc-as3722.c	-rw-r--r--	6.6 KB
rtc-asm9260.c	-rw-r--r--	9.0 KB
rtc-aspeed.c	-rw-r--r--	3.1 KB
rtc-at91rm9200.c	-rw-r--r--	14.8 KB
rtc-at91sam9.c	-rw-r--r--	13.2 KB
rtc-au1xxx.c	-rw-r--r--	3.1 KB
rtc-bd70528.c	-rw-r--r--	15.1 KB
rtc-bq32k.c	-rw-r--r--	7.7 KB
rtc-bq4802.c	-rw-r--r--	4.2 KB
rtc-brcmstb-waketimer.c	-rw-r--r--	7.4 KB
rtc-cadence.c	-rw-r--r--	10.4 KB
rtc-cmos.c	-rw-r--r--	36.5 KB
rtc-coh901331.c	-rw-r--r--	7.2 KB
rtc-core.h	-rw-r--r--	866 bytes
rtc-cpcap.c	-rw-r--r--	7.9 KB
rtc-cros-ec.c	-rw-r--r--	9.8 KB
rtc-da9052.c	-rw-r--r--	7.6 KB
rtc-da9055.c	-rw-r--r--	9.1 KB
rtc-da9063.c	-rw-r--r--	14.6 KB
rtc-davinci.c	-rw-r--r--	13.9 KB
rtc-digicolor.c	-rw-r--r--	5.1 KB
rtc-dm355evm.c	-rw-r--r--	3.5 KB
rtc-ds1216.c	-rw-r--r--	3.8 KB
rtc-ds1286.c	-rw-r--r--	9.0 KB
rtc-ds1302.c	-rw-r--r--	5.7 KB
rtc-ds1305.c	-rw-r--r--	19.5 KB
rtc-ds1307.c	-rw-r--r--	46.2 KB
rtc-ds1343.c	-rw-r--r--	11.2 KB
rtc-ds1347.c	-rw-r--r--	4.2 KB
rtc-ds1374.c	-rw-r--r--	16.8 KB
rtc-ds1390.c	-rw-r--r--	5.8 KB
rtc-ds1511.c	-rw-r--r--	11.9 KB
rtc-ds1553.c	-rw-r--r--	9.2 KB
rtc-ds1672.c	-rw-r--r--	3.6 KB
rtc-ds1685.c	-rw-r--r--	41.2 KB
rtc-ds1742.c	-rw-r--r--	5.9 KB
rtc-ds2404.c	-rw-r--r--	5.8 KB
rtc-ds3232.c	-rw-r--r--	17.1 KB
rtc-efi-platform.c	-rw-r--r--	879 bytes
rtc-efi.c	-rw-r--r--	6.3 KB
rtc-em3027.c	-rw-r--r--	3.7 KB
rtc-ep93xx.c	-rw-r--r--	4.0 KB
rtc-fm3130.c	-rw-r--r--	15.1 KB
rtc-fsl-ftm-alarm.c	-rw-r--r--	7.9 KB
rtc-ftrtc010.c	-rw-r--r--	5.3 KB
rtc-generic.c	-rw-r--r--	952 bytes
rtc-goldfish.c	-rw-r--r--	4.9 KB
rtc-hid-sensor-time.c	-rw-r--r--	9.0 KB
rtc-hym8563.c	-rw-r--r--	13.8 KB
rtc-imx-sc.c	-rw-r--r--	4.5 KB
rtc-imxdi.c	-rw-r--r--	24.1 KB
rtc-isl12022.c	-rw-r--r--	6.8 KB
rtc-isl12026.c	-rw-r--r--	11.0 KB
rtc-isl1208.c	-rw-r--r--	23.0 KB
rtc-jz4740.c	-rw-r--r--	10.0 KB
rtc-lp8788.c	-rw-r--r--	7.6 KB
rtc-lpc24xx.c	-rw-r--r--	8.1 KB
rtc-lpc32xx.c	-rw-r--r--	8.6 KB
rtc-ls1x.c	-rw-r--r--	5.0 KB
rtc-m41t80.c	-rw-r--r--	25.5 KB
rtc-m41t93.c	-rw-r--r--	5.3 KB
rtc-m41t94.c	-rw-r--r--	3.7 KB
rtc-m48t35.c	-rw-r--r--	4.5 KB
rtc-m48t59.c	-rw-r--r--	12.5 KB
rtc-m48t86.c	-rw-r--r--	7.4 KB
rtc-max6900.c	-rw-r--r--	6.2 KB
rtc-max6902.c	-rw-r--r--	3.7 KB
rtc-max6916.c	-rw-r--r--	4.0 KB
rtc-max77686.c	-rw-r--r--	21.0 KB
rtc-max8907.c	-rw-r--r--	5.1 KB
rtc-max8925.c	-rw-r--r--	8.0 KB
rtc-max8997.c	-rw-r--r--	12.2 KB
rtc-max8998.c	-rw-r--r--	7.6 KB
rtc-mc13xxx.c	-rw-r--r--	7.9 KB
rtc-mc146818-lib.c	-rw-r--r--	5.0 KB
rtc-mcp795.c	-rw-r--r--	11.0 KB
rtc-meson-vrtc.c	-rw-r--r--	3.5 KB
rtc-meson.c	-rw-r--r--	10.3 KB
rtc-moxart.c	-rw-r--r--	8.6 KB
rtc-mpc5121.c	-rw-r--r--	10.1 KB
rtc-mrst.c	-rw-r--r--	12.0 KB
rtc-msm6242.c	-rw-r--r--	6.6 KB
rtc-mt6397.c	-rw-r--r--	8.7 KB
rtc-mt7622.c	-rw-r--r--	9.8 KB
rtc-mv.c	-rw-r--r--	8.5 KB
rtc-mxc.c	-rw-r--r--	11.5 KB
rtc-mxc_v2.c	-rw-r--r--	9.9 KB
rtc-omap.c	-rw-r--r--	26.7 KB
rtc-opal.c	-rw-r--r--	6.7 KB
rtc-palmas.c	-rw-r--r--	10.2 KB
rtc-pcap.c	-rw-r--r--	4.5 KB
rtc-pcf2123.c	-rw-r--r--	12.3 KB
rtc-pcf2127.c	-rw-r--r--	19.4 KB
rtc-pcf50633.c	-rw-r--r--	7.2 KB
rtc-pcf85063.c	-rw-r--r--	12.4 KB
rtc-pcf8523.c	-rw-r--r--	8.4 KB
rtc-pcf85363.c	-rw-r--r--	10.5 KB
rtc-pcf8563.c	-rw-r--r--	15.8 KB
rtc-pcf8583.c	-rw-r--r--	6.5 KB
rtc-pic32.c	-rw-r--r--	9.6 KB
rtc-pl030.c	-rw-r--r--	3.7 KB
rtc-pl031.c	-rw-r--r--	12.3 KB
rtc-pm8xxx.c	-rw-r--r--	13.6 KB
rtc-ps3.c	-rw-r--r--	1.4 KB
rtc-puv3.c	-rw-r--r--	6.3 KB
rtc-pxa.c	-rw-r--r--	10.5 KB
rtc-r7301.c	-rw-r--r--	11.0 KB
rtc-r9701.c	-rw-r--r--	4.3 KB
rtc-rc5t583.c	-rw-r--r--	7.9 KB
rtc-rk808.c	-rw-r--r--	13.0 KB
rtc-rp5c01.c	-rw-r--r--	7.4 KB
rtc-rs5c313.c	-rw-r--r--	10.5 KB
rtc-rs5c348.c	-rw-r--r--	6.1 KB
rtc-rs5c372.c	-rw-r--r--	18.3 KB
rtc-rtd119x.c	-rw-r--r--	5.6 KB
rtc-rv3028.c	-rw-r--r--	20.4 KB
rtc-rv3029c2.c	-rw-r--r--	22.3 KB
rtc-rv8803.c	-rw-r--r--	15.0 KB
rtc-rx4581.c	-rw-r--r--	7.6 KB
rtc-rx6110.c	-rw-r--r--	9.7 KB
rtc-rx8010.c	-rw-r--r--	11.8 KB
rtc-rx8025.c	-rw-r--r--	13.9 KB
rtc-rx8581.c	-rw-r--r--	8.9 KB
rtc-s35390a.c	-rw-r--r--	12.8 KB
rtc-s3c.c	-rw-r--r--	19.8 KB
rtc-s3c.h	-rw-r--r--	2.1 KB
rtc-s5m.c	-rw-r--r--	20.6 KB
rtc-sa1100.c	-rw-r--r--	9.8 KB
rtc-sa1100.h	-rw-r--r--	447 bytes
rtc-sc27xx.c	-rw-r--r--	17.5 KB
rtc-sd3078.c	-rw-r--r--	5.8 KB
rtc-sh.c	-rw-r--r--	17.0 KB
rtc-sirfsoc.c	-rw-r--r--	11.2 KB
rtc-snvs.c	-rw-r--r--	9.9 KB
rtc-spear.c	-rw-r--r--	12.6 KB
rtc-st-lpc.c	-rw-r--r--	7.4 KB
rtc-starfire.c	-rw-r--r--	1.2 KB
rtc-stk17ta8.c	-rw-r--r--	9.2 KB
rtc-stm32.c	-rw-r--r--	24.4 KB
rtc-stmp3xxx.c	-rw-r--r--	12.3 KB
rtc-sun4v.c	-rw-r--r--	1.9 KB
rtc-sun6i.c	-rw-r--r--	19.9 KB
rtc-sunxi.c	-rw-r--r--	12.5 KB
rtc-tegra.c	-rw-r--r--	10.7 KB
rtc-test.c	-rw-r--r--	4.2 KB
rtc-tps6586x.c	-rw-r--r--	8.3 KB
rtc-tps65910.c	-rw-r--r--	12.0 KB
rtc-tps80031.c	-rw-r--r--	8.8 KB
rtc-twl.c	-rw-r--r--	16.8 KB
rtc-tx4939.c	-rw-r--r--	7.9 KB
rtc-v3020.c	-rw-r--r--	8.8 KB
rtc-vr41xx.c	-rw-r--r--	8.0 KB
rtc-vt8500.c	-rw-r--r--	7.4 KB
rtc-wilco-ec.c	-rw-r--r--	4.6 KB
rtc-wm831x.c	-rw-r--r--	12.3 KB
rtc-wm8350.c	-rw-r--r--	11.3 KB
rtc-x1205.c	-rw-r--r--	15.9 KB
rtc-xgene.c	-rw-r--r--	6.6 KB
rtc-zynqmp.c	-rw-r--r--	7.7 KB
sysfs.c	-rw-r--r--	8.3 KB
systohc.c	-rw-r--r--	1.6 KB

Showing with 0 additions and 0 deletions (0 / 0 diffs computed)

Computing file changes ...