| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <201912050159.xB51xuco020972@www262.sakura.ne.jp>
Date: Thu, 05 Dec 2019 10:59:56 +0900
From: Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>
To: Bartlomiej Zolnierkiewicz <b.zolnierkie@...sung.com>,
Daniel Vetter <daniel.vetter@...ll.ch>,
Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>,
Sam Ravnborg <sam@...nborg.org>,
Grzegorz Halat <ghalat@...hat.com>
Cc: syzbot <syzbot+4455ca3b3291de891abc@...kaller.appspotmail.com>,
aryabinin@...tuozzo.com, daniel.thompson@...aro.org,
dri-devel@...ts.freedesktop.org, dvyukov@...gle.com,
gleb@...nel.org, gwshan@...ux.vnet.ibm.com, hpa@...or.com,
jmorris@...ei.org, kasan-dev@...glegroups.com, kvm@...r.kernel.org,
linux-fbdev@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org, mingo@...hat.com,
mpe@...erman.id.au, pbonzini@...hat.com, ruscur@...sell.cc,
serge@...lyn.com, stewart@...ux.vnet.ibm.com,
syzkaller-bugs@...glegroups.com, takedakn@...data.co.jp,
tglx@...utronix.de, x86@...nel.org
Subject: Re: KASAN: slab-out-of-bounds Read in fbcon_get_font
Hello.
syzbot is reporting that memory allocation size at fbcon_set_font() is too small
because font's height is rounded up from 10 to 16 after memory allocation.
----------
diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index c9235a2f42f8..68fe66e435d3 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -2461,6 +2461,7 @@ static int fbcon_get_font(struct vc_data *vc, struct console_font *font)
if (font->width <= 8) {
j = vc->vc_font.height;
+ printk("ksize(fontdata)=%lu font->charcount=%d vc->vc_font.height=%d font->width=%u\n", ksize(fontdata), font->charcount, j, font->width);
for (i = 0; i < font->charcount; i++) {
memcpy(data, fontdata, j);
memset(data + j, 0, 32 - j);
@@ -2661,6 +2662,8 @@ static int fbcon_set_font(struct vc_data *vc, struct console_font *font,
size = h * pitch * charcount;
new_data = kmalloc(FONT_EXTRA_WORDS * sizeof(int) + size, GFP_USER);
+ if (new_data)
+ printk("ksize(new_data)=%lu h=%u pitch=%u charcount=%u font->width=%u\n", ksize(new_data), h, pitch, charcount, font->width);
if (!new_data)
return -ENOMEM;
----------
Normal usage:
[ 27.305293] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[ 27.328527] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[ 27.362551] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[ 27.385084] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[ 27.387653] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[ 27.417562] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[ 27.437808] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[ 27.440738] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[ 27.461157] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[ 27.495346] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[ 27.607372] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[ 27.655674] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[ 27.675310] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
[ 27.702193] ksize(new_data)=8192 h=16 pitch=1 charcount=256 font->width=8
syzbot's testcase:
[ 115.784893] ksize(new_data)=4096 h=10 pitch=1 charcount=256 font->width=8
[ 115.790269] ksize(fontdata)=4096 font->charcount=256 vc->vc_font.height=16 font->width=8
Powered by blists - more mailing lists