Revision 513dc792d6060d5ef572e43852683097a8420f56 authored by Zhang Xiaoxu on 04 March 2020, 02:24:29 UTC, committed by Daniel Vetter on 06 March 2020, 20:06:34 UTC
When syzkaller tests, there is a UAF:
BUG: KASan: use after free in vgacon_invert_region+0x9d/0x110 at addr
ffff880000100000
Read of size 2 by task syz-executor.1/16489
page:ffffea0000004000 count:0 mapcount:-127 mapping: (null)
index:0x0
page flags: 0xfffff00000000()
page dumped because: kasan: bad access detected
CPU: 1 PID: 16489 Comm: syz-executor.1 Not tainted
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
Call Trace:
[<ffffffffb119f309>] dump_stack+0x1e/0x20
[<ffffffffb04af957>] kasan_report+0x577/0x950
[<ffffffffb04ae652>] __asan_load2+0x62/0x80
[<ffffffffb090f26d>] vgacon_invert_region+0x9d/0x110
[<ffffffffb0a39d95>] invert_screen+0xe5/0x470
[<ffffffffb0a21dcb>] set_selection+0x44b/0x12f0
[<ffffffffb0a3bfae>] tioclinux+0xee/0x490
[<ffffffffb0a1d114>] vt_ioctl+0xff4/0x2670
[<ffffffffb0a0089a>] tty_ioctl+0x46a/0x1a10
[<ffffffffb052db3d>] do_vfs_ioctl+0x5bd/0xc40
[<ffffffffb052e2f2>] SyS_ioctl+0x132/0x170
[<ffffffffb11c9b1b>] system_call_fastpath+0x22/0x27
Memory state around the buggy address:
ffff8800000fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00
ffff8800000fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00
>ffff880000100000: ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff
It can be reproduce in the linux mainline by the program:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <linux/vt.h>
struct tiocl_selection {
unsigned short xs; /* X start */
unsigned short ys; /* Y start */
unsigned short xe; /* X end */
unsigned short ye; /* Y end */
unsigned short sel_mode; /* selection mode */
};
#define TIOCL_SETSEL 2
struct tiocl {
unsigned char type;
unsigned char pad;
struct tiocl_selection sel;
};
int main()
{
int fd = 0;
const char *dev = "/dev/char/4:1";
struct vt_consize v = {0};
struct tiocl tioc = {0};
fd = open(dev, O_RDWR, 0);
v.v_rows = 3346;
ioctl(fd, VT_RESIZEX, &v);
tioc.type = TIOCL_SETSEL;
ioctl(fd, TIOCLINUX, &tioc);
return 0;
}
When resize the screen, update the 'vc->vc_size_row' to the new_row_size,
but when 'set_origin' in 'vgacon_set_origin', vgacon use 'vga_vram_base'
for 'vc_origin' and 'vc_visible_origin', not 'vc_screenbuf'. It maybe
smaller than 'vc_screenbuf'. When TIOCLINUX, use the new_row_size to calc
the offset, it maybe larger than the vga_vram_size in vgacon driver, then
bad access.
Also, if set an larger screenbuf firstly, then set an more larger
screenbuf, when copy old_origin to new_origin, a bad access may happen.
So, If the screen size larger than vga_vram, resize screen should be
failed. This alse fix CVE-2020-8649 and CVE-2020-8647.
Linus pointed out that overflow checking seems absent. We're saved by
the existing bounds checks in vc_do_resize() with rather strict
limits:
if (cols > VC_RESIZE_MAXCOL || lines > VC_RESIZE_MAXROW)
return -EINVAL;
Fixes: 0aec4867dca14 ("[PATCH] SVGATextMode fix")
Reference: CVE-2020-8647 and CVE-2020-8649
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
[danvet: augment commit message to point out overflow safety]
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20200304022429.37738-1-zhangxiaoxu5@huawei.com
1 parent 2ac4853
rtc-pcap.c
// SPDX-License-Identifier: GPL-2.0
/*
* pcap rtc code for Motorola EZX phones
*
* Copyright (c) 2008 guiming zhuo <gmzhuo@gmail.com>
* Copyright (c) 2009 Daniel Ribeiro <drwyrm@gmail.com>
*
* Based on Motorola's rtc.c Copyright (c) 2003-2005 Motorola
*/
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/init.h>
#include <linux/mfd/ezx-pcap.h>
#include <linux/rtc.h>
#include <linux/slab.h>
#include <linux/platform_device.h>
struct pcap_rtc {
struct pcap_chip *pcap;
struct rtc_device *rtc;
};
static irqreturn_t pcap_rtc_irq(int irq, void *_pcap_rtc)
{
struct pcap_rtc *pcap_rtc = _pcap_rtc;
unsigned long rtc_events;
if (irq == pcap_to_irq(pcap_rtc->pcap, PCAP_IRQ_1HZ))
rtc_events = RTC_IRQF | RTC_UF;
else if (irq == pcap_to_irq(pcap_rtc->pcap, PCAP_IRQ_TODA))
rtc_events = RTC_IRQF | RTC_AF;
else
rtc_events = 0;
rtc_update_irq(pcap_rtc->rtc, 1, rtc_events);
return IRQ_HANDLED;
}
static int pcap_rtc_read_alarm(struct device *dev, struct rtc_wkalrm *alrm)
{
struct pcap_rtc *pcap_rtc = dev_get_drvdata(dev);
struct rtc_time *tm = &alrm->time;
unsigned long secs;
u32 tod; /* time of day, seconds since midnight */
u32 days; /* days since 1/1/1970 */
ezx_pcap_read(pcap_rtc->pcap, PCAP_REG_RTC_TODA, &tod);
secs = tod & PCAP_RTC_TOD_MASK;
ezx_pcap_read(pcap_rtc->pcap, PCAP_REG_RTC_DAYA, &days);
secs += (days & PCAP_RTC_DAY_MASK) * SEC_PER_DAY;
rtc_time64_to_tm(secs, tm);
return 0;
}
static int pcap_rtc_set_alarm(struct device *dev, struct rtc_wkalrm *alrm)
{
struct pcap_rtc *pcap_rtc = dev_get_drvdata(dev);
unsigned long secs = rtc_tm_to_time64(&alrm->time);
u32 tod, days;
tod = secs % SEC_PER_DAY;
ezx_pcap_write(pcap_rtc->pcap, PCAP_REG_RTC_TODA, tod);
days = secs / SEC_PER_DAY;
ezx_pcap_write(pcap_rtc->pcap, PCAP_REG_RTC_DAYA, days);
return 0;
}
static int pcap_rtc_read_time(struct device *dev, struct rtc_time *tm)
{
struct pcap_rtc *pcap_rtc = dev_get_drvdata(dev);
unsigned long secs;
u32 tod, days;
ezx_pcap_read(pcap_rtc->pcap, PCAP_REG_RTC_TOD, &tod);
secs = tod & PCAP_RTC_TOD_MASK;
ezx_pcap_read(pcap_rtc->pcap, PCAP_REG_RTC_DAY, &days);
secs += (days & PCAP_RTC_DAY_MASK) * SEC_PER_DAY;
rtc_time64_to_tm(secs, tm);
return 0;
}
static int pcap_rtc_set_time(struct device *dev, struct rtc_time *tm)
{
struct pcap_rtc *pcap_rtc = dev_get_drvdata(dev);
unsigned long secs = rtc_tm_to_time64(tm);
u32 tod, days;
tod = secs % SEC_PER_DAY;
ezx_pcap_write(pcap_rtc->pcap, PCAP_REG_RTC_TOD, tod);
days = secs / SEC_PER_DAY;
ezx_pcap_write(pcap_rtc->pcap, PCAP_REG_RTC_DAY, days);
return 0;
}
static int pcap_rtc_irq_enable(struct device *dev, int pirq, unsigned int en)
{
struct pcap_rtc *pcap_rtc = dev_get_drvdata(dev);
if (en)
enable_irq(pcap_to_irq(pcap_rtc->pcap, pirq));
else
disable_irq(pcap_to_irq(pcap_rtc->pcap, pirq));
return 0;
}
static int pcap_rtc_alarm_irq_enable(struct device *dev, unsigned int en)
{
return pcap_rtc_irq_enable(dev, PCAP_IRQ_TODA, en);
}
static const struct rtc_class_ops pcap_rtc_ops = {
.read_time = pcap_rtc_read_time,
.set_time = pcap_rtc_set_time,
.read_alarm = pcap_rtc_read_alarm,
.set_alarm = pcap_rtc_set_alarm,
.alarm_irq_enable = pcap_rtc_alarm_irq_enable,
};
static int __init pcap_rtc_probe(struct platform_device *pdev)
{
struct pcap_rtc *pcap_rtc;
int timer_irq, alarm_irq;
int err = -ENOMEM;
pcap_rtc = devm_kzalloc(&pdev->dev, sizeof(struct pcap_rtc),
GFP_KERNEL);
if (!pcap_rtc)
return err;
pcap_rtc->pcap = dev_get_drvdata(pdev->dev.parent);
platform_set_drvdata(pdev, pcap_rtc);
pcap_rtc->rtc = devm_rtc_allocate_device(&pdev->dev);
if (IS_ERR(pcap_rtc->rtc))
return PTR_ERR(pcap_rtc->rtc);
pcap_rtc->rtc->ops = &pcap_rtc_ops;
pcap_rtc->rtc->range_max = (1 << 14) * 86400ULL - 1;
timer_irq = pcap_to_irq(pcap_rtc->pcap, PCAP_IRQ_1HZ);
alarm_irq = pcap_to_irq(pcap_rtc->pcap, PCAP_IRQ_TODA);
err = devm_request_irq(&pdev->dev, timer_irq, pcap_rtc_irq, 0,
"RTC Timer", pcap_rtc);
if (err)
return err;
err = devm_request_irq(&pdev->dev, alarm_irq, pcap_rtc_irq, 0,
"RTC Alarm", pcap_rtc);
if (err)
return err;
return rtc_register_device(pcap_rtc->rtc);
}
static int __exit pcap_rtc_remove(struct platform_device *pdev)
{
return 0;
}
static struct platform_driver pcap_rtc_driver = {
.remove = __exit_p(pcap_rtc_remove),
.driver = {
.name = "pcap-rtc",
},
};
module_platform_driver_probe(pcap_rtc_driver, pcap_rtc_probe);
MODULE_DESCRIPTION("Motorola pcap rtc driver");
MODULE_AUTHOR("guiming zhuo <gmzhuo@gmail.com>");
MODULE_LICENSE("GPL");
Computing file changes ...
