| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 30 Mar 2020 21:16:19 +0200
From: Sam Ravnborg <sam@...nborg.org>
To: Qiujun Huang <hqjagain@...il.com>,
Bartlomiej Zolnierkiewicz <b.zolnierkie@...sung.com>
Cc: b.zolnierkie@...sung.com, daniel.vetter@...ll.ch,
maarten.lankhorst@...ux.intel.com, daniel.thompson@...aro.org,
ghalat@...hat.com, dri-devel@...ts.freedesktop.org,
linux-fbdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] fbcon: fix null-ptr-deref in fbcon_switch
Hi Qiujun
On Sun, Mar 29, 2020 at 04:56:47PM +0800, Qiujun Huang wrote:
> Set logo_shown to FBCON_LOGO_CANSHOW when the vc was deallocated.
>
> syzkaller report: https://lkml.org/lkml/2020/3/27/403
> general protection fault, probably for non-canonical address
> 0xdffffc000000006c: 0000 [#1] SMP KASAN
> KASAN: null-ptr-deref in range [0x0000000000000360-0x0000000000000367]
> RIP: 0010:fbcon_switch+0x28f/0x1740
> drivers/video/fbdev/core/fbcon.c:2260
>
> Call Trace:
> redraw_screen+0x2a8/0x770 drivers/tty/vt/vt.c:1008
> vc_do_resize+0xfe7/0x1360 drivers/tty/vt/vt.c:1295
> fbcon_init+0x1221/0x1ab0 drivers/video/fbdev/core/fbcon.c:1219
> visual_init+0x305/0x5c0 drivers/tty/vt/vt.c:1062
> do_bind_con_driver+0x536/0x890 drivers/tty/vt/vt.c:3542
> do_take_over_console+0x453/0x5b0 drivers/tty/vt/vt.c:4122
> do_fbcon_takeover+0x10b/0x210 drivers/video/fbdev/core/fbcon.c:588
> fbcon_fb_registered+0x26b/0x340 drivers/video/fbdev/core/fbcon.c:3259
> do_register_framebuffer drivers/video/fbdev/core/fbmem.c:1664 [inline]
> register_framebuffer+0x56e/0x980 drivers/video/fbdev/core/fbmem.c:1832
> dlfb_usb_probe.cold+0x1743/0x1ba3 drivers/video/fbdev/udlfb.c:1735
> usb_probe_interface+0x310/0x800 drivers/usb/core/driver.c:374
>
> accessing vc_cons[logo_shown].d->vc_top causes the bug.
>
> Reported-by: syzbot+732528bae351682f1f27@...kaller.appspotmail.com
> Signed-off-by: Qiujun Huang <hqjagain@...il.com>
> ---
> drivers/video/fbdev/core/fbcon.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
> index bb6ae995c2e5..5eb3fc90f9f6 100644
> --- a/drivers/video/fbdev/core/fbcon.c
> +++ b/drivers/video/fbdev/core/fbcon.c
> @@ -1283,6 +1283,9 @@ static void fbcon_deinit(struct vc_data *vc)
> if (!con_is_bound(&fb_con))
> fbcon_exit();
>
> + if (vc->vc_num == logo_shown)
> + logo_shown = FBCON_LOGO_CANSHOW;
> +
> return;
> }
Looks much better than the previous version.
Acked-by: Sam Ravnborg <sam@...nborg.org>
I expect Bartlomiej to review/apply.
Sam
Powered by blists - more mailing lists