| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 5 Aug 2022 10:48:16 +0800
From: Zheyu Ma <zheyuma97@...il.com>
To: Ondrej Zajicek <santiago@...reenet.org>
Cc: Helge Deller <deller@....de>, adaplas@...il.com,
akpm@...ux-foundation.org,
Linux Fbdev development list <linux-fbdev@...r.kernel.org>,
DRI Development <dri-devel@...ts.freedesktop.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 0/3] Fix bugs in *_set_par() caused by user input
Hello,
On Thu, Aug 4, 2022 at 10:43 PM Ondrej Zajicek <santiago@...reenet.org> wrote:
>
> On Thu, Aug 04, 2022 at 08:41:22PM +0800, Zheyu Ma wrote:
> > In the function *_set_par(), the value of 'screen_size' is
> > calculated by the user input. If the user provides the improper value,
> > the value of 'screen_size' may larger than 'info->screen_size', which
> > may cause a bug in the memset_io().
>
> Hi
>
> I did not saw fbdev code in years, but should not this be already checked
> by *_check_var() ?
>
> arkfb_check_var():
>
> ...
> /* Check whether have enough memory */
> mem = ((var->bits_per_pixel * var->xres_virtual) >> 3) * var->yres_virtual;
> if (mem > info->screen_size)
> ...
Thanks for the reminder. But since the user can control all the
parameters of the ioctl system call, it is possible to assign
'var->bits_per_pixel' to be 0 and thus 'mem' will be 0, bypassing this
check. And in *_set_par(), when 'var->bits_per_pixel' is 0,
'screen_size' will be calculated as follows:
u32 bpp = info->var.bits_per_pixel;
if (bpp != 0) {
...
} else {
...
screen_size = (info->var.xres_virtual * info->var.yres_virtual) / 64;
}
resulting in a very large value.
regards,
Zheyu Ma
Powered by blists - more mailing lists