Date: Tue, 28 Jun 2022 10:08:12 +0200
From: Jiri Slaby <jirislaby@...nel.org>
To: Yangxi Xiang <xyangxi5@...il.com>, linux-kernel@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Johan Hovold <johan@...nel.org>, Igor Matheus Andrade Torrente <igormtorrente@...il.com>, Christian Borntraeger <borntraeger@...ux.ibm.com>, nick black <dankamongmen@...il.com>
Subject: Re: [PATCH v2] vt: fix memory overlapping when deleting chars in the buffer

On 27. 06. 22, 14:54, Yangxi Xiang wrote:
> A memory overlapping copy occurs when deleting a long line. This memory
> overlapping copy can cause data corruption when scr_memcpyw is optimized
> to memcpy because memcpy does not ensure its behavior if the destination
> buffer overlaps with the source buffer. The line buffer is not always
> broken, because the memcpy utilizes the hardware acceleration, whose
> result is not deterministic.
>
> Fix this problem by replacing the scr_memcpyw with scr_memmovew, and
> preserving the memcpy optimization when the buffers are not overlapping.
>
> Fixes: 81732c3b2fed ("Fix line garbage in virtual console").
> Signed-off-by: Yangxi Xiang <xyangxi5@...il.com>
> --- > drivers/tty/vt/vt.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c > index f8c87c4d7399..d87bff9d8ed5 100644 > --- a/drivers/tty/vt/vt.c > +++ b/drivers/tty/vt/vt.c > @@ -853,9 +853,13 @@ static void insert_char(struct vc_data *vc, unsigned int nr) > static void delete_char(struct vc_data *vc, unsigned int nr) > { > unsigned short *p = (unsigned short *) vc->vc_pos; > + unsigned short cp = (vc->vc_cols - vc->state.x - nr) * 2; > > vc_uniscr_delete(vc, nr); > - scr_memcpyw(p, p + nr, (vc->vc_cols - vc->state.x - nr) * 2); > + if (cp > nr) > + scr_memmovew(p, p + nr, cp); > + else > + scr_memcpyw(p, p + nr, cp);

Why not use memmove in both cases? I.e. simply switch scr_memcpyw to scr_memmovew?

thanks,
--
js
suse labs
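
Review bot: In delete_char(), the test "cp > nr" compares a byte count with a character count: cp is (vc->vc_cols - vc->state.x - nr) * 2 bytes, while nr counts 16-bit cells, so the source and destination ranges overlap only when cp > nr * 2. The check as written errs on the safe side, but the branch gives nothing that an unconditional scr_memmovew(p, p + nr, cp) would not, which is also what the reply asks for. Separately, cp is declared unsigned short, whereas the same expression was previously passed to scr_memcpyw() without narrowing; declaring it unsigned int keeps the byte count at the width of the operands it is computed from.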