lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 11 Jun 2010 08:19:07 +0800
From:	qiaochong <qiaochong@...ngson.cn>
To:	akpm@...ux-foundation.org
Cc:	linux-kernel@...r.kernel.org, jsimmons@...radead.org,
	qiaochong@...ngson.cn
Subject: [PATCH 1/2] fix vc->vc_origin on take_over_console.

kernel will die on some platform when switch from vga mode to framebuffer mode.
The reason of this bug is that bind_con_driver reset vc->vc_origin to (unsigned long)vc->vc_screenbuf.
On vgacon vc->vc_origin is not releated to  vc->vc_screenbuf,if set
vc->vc_origin to vc->vc_screenbuf,kernel will die on vc_do_resize.

static int vc_do_resize(struct tty_struct *tty, struct tty_struct *real_tty,
        struct vc_data *vc, unsigned int cols, unsigned int lines)
{
    unsigned long old_origin, new_origin, new_scr_end, rlth, rrem, err = 0;
    unsigned int old_cols, old_rows, old_row_size, old_screen_size;
    unsigned int new_cols, new_rows, new_row_size, new_screen_size;
    unsigned int end, user;
...
        end = (old_rows > new_rows) ? old_origin +
            (old_row_size * new_rows) :
            vc->vc_scr_end;

...
/*
here for a test from vgacon to framebuffer:
old_origin=0x810814a0,end=0xb00b8fa0,vc->vc_origin=0x810814a0
the code bellow will copy memory from 0x810814a0 to 0xb00b8fa0,
this will cover kernel code,kernel died here.
*/

    while (old_origin < end) {

        scr_memcpyw((unsigned short *) new_origin,
                (unsigned short *) old_origin, rlth);
        if (rrem)
            scr_memsetw((void *)(new_origin + rlth),
                    vc->vc_video_erase_char, rrem);
        old_origin += old_row_size;
        new_origin += new_row_size;
    }

...
}

Signed-off-by: qiaochong <qiaochong@...ngson.cn>
---
 drivers/char/vt.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/drivers/char/vt.c b/drivers/char/vt.c
index 50faa1f..6a22f87 100644
--- a/drivers/char/vt.c
+++ b/drivers/char/vt.c
@@ -3063,6 +3063,7 @@ static int bind_con_driver(const struct consw *csw, int first, int last,
 
 		old_was_color = vc->vc_can_do_color;
 		vc->vc_sw->con_deinit(vc);
+		if(!vc->vc_origin)
 		vc->vc_origin = (unsigned long)vc->vc_screenbuf;
 		visual_init(vc, i, 0);
 		set_origin(vc);
-- 
1.7.0.3.254.g4503b.dirty

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ