lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Tue, 31 Mar 2020 10:01:23 +0200
From:   Daniel Vetter <daniel@...ll.ch>
To:     Sam Ravnborg <sam@...nborg.org>
Cc:     Qiujun Huang <hqjagain@...il.com>,
        Bartlomiej Zolnierkiewicz <b.zolnierkie@...sung.com>,
        daniel.vetter@...ll.ch, maarten.lankhorst@...ux.intel.com,
        daniel.thompson@...aro.org, ghalat@...hat.com,
        dri-devel@...ts.freedesktop.org, linux-fbdev@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] fbcon: fix null-ptr-deref in fbcon_switch

On Mon, Mar 30, 2020 at 09:16:19PM +0200, Sam Ravnborg wrote:
> Hi Qiujun
> 
> On Sun, Mar 29, 2020 at 04:56:47PM +0800, Qiujun Huang wrote:
> > Set logo_shown to FBCON_LOGO_CANSHOW when the vc was deallocated.
> > 
> > syzkaller report: https://lkml.org/lkml/2020/3/27/403
> > general protection fault, probably for non-canonical address
> > 0xdffffc000000006c: 0000 [#1] SMP KASAN
> > KASAN: null-ptr-deref in range [0x0000000000000360-0x0000000000000367]
> > RIP: 0010:fbcon_switch+0x28f/0x1740
> > drivers/video/fbdev/core/fbcon.c:2260
> > 
> > Call Trace:
> > redraw_screen+0x2a8/0x770 drivers/tty/vt/vt.c:1008
> > vc_do_resize+0xfe7/0x1360 drivers/tty/vt/vt.c:1295
> > fbcon_init+0x1221/0x1ab0 drivers/video/fbdev/core/fbcon.c:1219
> > visual_init+0x305/0x5c0 drivers/tty/vt/vt.c:1062
> > do_bind_con_driver+0x536/0x890 drivers/tty/vt/vt.c:3542
> > do_take_over_console+0x453/0x5b0 drivers/tty/vt/vt.c:4122
> > do_fbcon_takeover+0x10b/0x210 drivers/video/fbdev/core/fbcon.c:588
> > fbcon_fb_registered+0x26b/0x340 drivers/video/fbdev/core/fbcon.c:3259
> > do_register_framebuffer drivers/video/fbdev/core/fbmem.c:1664 [inline]
> > register_framebuffer+0x56e/0x980 drivers/video/fbdev/core/fbmem.c:1832
> > dlfb_usb_probe.cold+0x1743/0x1ba3 drivers/video/fbdev/udlfb.c:1735
> > usb_probe_interface+0x310/0x800 drivers/usb/core/driver.c:374
> > 
> > accessing vc_cons[logo_shown].d->vc_top causes the bug.
> > 
> > Reported-by: syzbot+732528bae351682f1f27@...kaller.appspotmail.com
> > Signed-off-by: Qiujun Huang <hqjagain@...il.com>
> > ---
> >  drivers/video/fbdev/core/fbcon.c | 3 +++
> >  1 file changed, 3 insertions(+)
> > 
> > diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
> > index bb6ae995c2e5..5eb3fc90f9f6 100644
> > --- a/drivers/video/fbdev/core/fbcon.c
> > +++ b/drivers/video/fbdev/core/fbcon.c
> > @@ -1283,6 +1283,9 @@ static void fbcon_deinit(struct vc_data *vc)
> >  	if (!con_is_bound(&fb_con))
> >  		fbcon_exit();
> >  
> > +	if (vc->vc_num == logo_shown)
> > +		logo_shown = FBCON_LOGO_CANSHOW;
> > +
> >  	return;
> >  }
> 
> Looks much better than the previous version.
> Acked-by: Sam Ravnborg <sam@...nborg.org>
> 
> I expect Bartlomiej to review/apply.

Especially for bugfixes I think better to push quicker than wait for
others to ... the point with drm-misc is real group maintainership and
benefitting from the flexibility, not reflecting the same strict hierarchy
but in a flat tree to make it look like it doesn't exist :-)

Applied to drm-misc-next-fixes with a cc: stable.
-Daniel
-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ