| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 2 Mar 2020 10:35:53 +0800
From: Ye Bin <yebin10@...wei.com>
To: <gregkh@...uxfoundation.org>, <jslaby@...e.com>
CC: <linux-serial@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
<yebin10@...wei.com>
Subject: [PATCH] vt: fix CVE-2020-8647
We must calculate origin buffer end before update "old_origin", or it
will lead to access illegal memory.
BUG: KASan: use after free in vc_do_resize+0x49e/0xb30 at addr ffff88000016b9c0
Read of size 2 by task syz-executor.3/24164
page:ffffea0000005ac0 count:0 mapcount:0 mapping: (null) index:0x0
page flags: 0xfffff00000000()
page dumped because: kasan: bad access detected
CPU: 0 PID: 24164 Comm: syz-executor.3 Not tainted 3.10.0-862.14.2.1.x86_64+ #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
Call Trace:
[<ffffffffb059f309>] dump_stack+0x1e/0x20
[<ffffffffaf8af957>] kasan_report+0x577/0x950
[<ffffffffaf8ae652>] __asan_load2+0x62/0x80
[<ffffffffafe3728e>] vc_do_resize+0x49e/0xb30
[<ffffffffafe3795c>] vc_resize+0x3c/0x60
[<ffffffffafe1d80d>] vt_ioctl+0x16ed/0x2670
[<ffffffffafe0089a>] tty_ioctl+0x46a/0x1a10
[<ffffffffaf92db3d>] do_vfs_ioctl+0x5bd/0xc40
[<ffffffffaf92e2f2>] SyS_ioctl+0x132/0x170
[<ffffffffb05c9b1b>] system_call_fastpath+0x22/0x27
Signed-off-by: Ye Bin <yebin10@...wei.com>
---
drivers/tty/vt/vt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 8fa059ec6cc8..1d7217bef678 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -1231,6 +1231,7 @@ static int vc_do_resize(struct tty_struct *tty, struct vc_data *vc,
old_origin = vc->vc_origin;
new_origin = (long) newscreen;
new_scr_end = new_origin + new_screen_size;
+ end = old_origin + old_row_size * min(old_rows, new_rows);
if (vc->vc_y > new_rows) {
if (old_rows - vc->vc_y < new_rows) {
@@ -1249,7 +1250,6 @@ static int vc_do_resize(struct tty_struct *tty, struct vc_data *vc,
old_origin += first_copied_row * old_row_size;
} else
first_copied_row = 0;
- end = old_origin + old_row_size * min(old_rows, new_rows);
vc_uniscr_copy_area(new_uniscr, new_cols, new_rows,
get_vc_uniscr(vc), rlth/2, first_copied_row,
--
2.17.2
Powered by blists - more mailing lists