lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 29 Jul 2020 09:02:49 +0200
From:   Jiri Slaby <>
Cc:, Jiri Slaby <>,
        张云海 <>,
        Yang Yingliang <>,
        Kyungtae Kim <>,
        Linus Torvalds <>,
        Greg KH <>, Solar Designer <>,
        "Srivatsa S. Bhat" <>,
        Anthony Liguori <>,
        Security Officers <>,,,
Subject: [PATCH] vgacon: fix out of bounds write to the scrollback buffer

The current vgacon's scroll up implementation uses a circural buffer
in vgacon_scrollback_cur. It always advances tail to prepare it for the
next write and caps it to zero if the next ->vc_size_row bytes won't fit.

But when we change the VT size (e.g. by VT_RESIZE) in the meantime, the new
line might not fit to the end of the scrollback buffer in the next
attempt to scroll. This leads to various crashes as
vgacon_scrollback_update writes out of the buffer:
 BUG: unable to handle page fault for address: ffffc900001752a0
 #PF: supervisor write access in kernel mode
 #PF: error_code(0x0002) - not-present page
 RIP: 0010:mutex_unlock+0x13/0x30
 Call Trace:

Or to KASAN reports:
BUG: KASAN: slab-out-of-bounds in vgacon_scroll+0x57a/0x8ed

So check whether the line fits in the buffer and wrap if needed. Do it
before the loop as console_sem is held and ->vc_size_row cannot change
during the execution of vgacon_scrollback_cur. If it does change, we
need to ensure it does not change elsewhere, not here.

Also, we do not split the write of a line into chunks as that would
break the consumers of the buffer. They expect ->cnt, ->tail and ->size
to be in harmony and advanced by ->vc_size_row.

I found few reports of this in the past, some with patches included,
some even 2 years old:

This fixes CVE-2020-14331.

Big thanks to guys mentioned in the Reported-and-debugged-by lines below
who actually found the root cause.

Signed-off-by: Jiri Slaby <>
Reported-and-debugged-by: 张云海 <>
Reported-and-debugged-by: Yang Yingliang <>
Reported-by: Kyungtae Kim <>
Fixes: 15bdab959c9b ([PATCH] vgacon: Add support for soft scrollback)
Cc: Linus Torvalds <>
Cc: Greg KH <>
Cc: Solar Designer <>
Cc: "Srivatsa S. Bhat" <>
Cc: Anthony Liguori <>
Cc: Security Officers <>
Cc: Yang Yingliang <>
Cc: Bartlomiej Zolnierkiewicz <>
 drivers/video/console/vgacon.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c
index f0f3d573f848..13194bb246f8 100644
--- a/drivers/video/console/vgacon.c
+++ b/drivers/video/console/vgacon.c
@@ -250,6 +250,11 @@ static void vgacon_scrollback_update(struct vc_data *c, int t, int count)
 	p = (void *) (c->vc_origin + t * c->vc_size_row);
+	/* vc_size_row might have changed by VT_RESIZE in the meantime */
+	if ((vgacon_scrollback_cur->tail + c->vc_size_row) >=
+			vgacon_scrollback_cur->size)
+		vgacon_scrollback_cur->tail = 0;
 	while (count--) {
 		scr_memcpyw(vgacon_scrollback_cur->data +

Powered by blists - more mailing lists