lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20200330191619.GF7594@ravnborg.org>
Date:   Mon, 30 Mar 2020 21:16:19 +0200
From:   Sam Ravnborg <sam@...nborg.org>
To:     Qiujun Huang <hqjagain@...il.com>,
        Bartlomiej Zolnierkiewicz <b.zolnierkie@...sung.com>
Cc:     b.zolnierkie@...sung.com, daniel.vetter@...ll.ch,
        maarten.lankhorst@...ux.intel.com, daniel.thompson@...aro.org,
        ghalat@...hat.com, dri-devel@...ts.freedesktop.org,
        linux-fbdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] fbcon: fix null-ptr-deref in fbcon_switch

Hi Qiujun

On Sun, Mar 29, 2020 at 04:56:47PM +0800, Qiujun Huang wrote:
> Set logo_shown to FBCON_LOGO_CANSHOW when the vc was deallocated.
> 
> syzkaller report: https://lkml.org/lkml/2020/3/27/403
> general protection fault, probably for non-canonical address
> 0xdffffc000000006c: 0000 [#1] SMP KASAN
> KASAN: null-ptr-deref in range [0x0000000000000360-0x0000000000000367]
> RIP: 0010:fbcon_switch+0x28f/0x1740
> drivers/video/fbdev/core/fbcon.c:2260
> 
> Call Trace:
> redraw_screen+0x2a8/0x770 drivers/tty/vt/vt.c:1008
> vc_do_resize+0xfe7/0x1360 drivers/tty/vt/vt.c:1295
> fbcon_init+0x1221/0x1ab0 drivers/video/fbdev/core/fbcon.c:1219
> visual_init+0x305/0x5c0 drivers/tty/vt/vt.c:1062
> do_bind_con_driver+0x536/0x890 drivers/tty/vt/vt.c:3542
> do_take_over_console+0x453/0x5b0 drivers/tty/vt/vt.c:4122
> do_fbcon_takeover+0x10b/0x210 drivers/video/fbdev/core/fbcon.c:588
> fbcon_fb_registered+0x26b/0x340 drivers/video/fbdev/core/fbcon.c:3259
> do_register_framebuffer drivers/video/fbdev/core/fbmem.c:1664 [inline]
> register_framebuffer+0x56e/0x980 drivers/video/fbdev/core/fbmem.c:1832
> dlfb_usb_probe.cold+0x1743/0x1ba3 drivers/video/fbdev/udlfb.c:1735
> usb_probe_interface+0x310/0x800 drivers/usb/core/driver.c:374
> 
> accessing vc_cons[logo_shown].d->vc_top causes the bug.
> 
> Reported-by: syzbot+732528bae351682f1f27@...kaller.appspotmail.com
> Signed-off-by: Qiujun Huang <hqjagain@...il.com>
> ---
>  drivers/video/fbdev/core/fbcon.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
> index bb6ae995c2e5..5eb3fc90f9f6 100644
> --- a/drivers/video/fbdev/core/fbcon.c
> +++ b/drivers/video/fbdev/core/fbcon.c
> @@ -1283,6 +1283,9 @@ static void fbcon_deinit(struct vc_data *vc)
>  	if (!con_is_bound(&fb_con))
>  		fbcon_exit();
>  
> +	if (vc->vc_num == logo_shown)
> +		logo_shown = FBCON_LOGO_CANSHOW;
> +
>  	return;
>  }

Looks much better than the previous version.
Acked-by: Sam Ravnborg <sam@...nborg.org>

I expect Bartlomiej to review/apply.

	Sam

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ