lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAMhUBjnf6T=eJAhkOW=TOKBTjQojCmNwMB0ekOss8yf65aRBTg@mail.gmail.com>
Date:   Fri, 5 Aug 2022 10:48:16 +0800
From:   Zheyu Ma <zheyuma97@...il.com>
To:     Ondrej Zajicek <santiago@...reenet.org>
Cc:     Helge Deller <deller@....de>, adaplas@...il.com,
        akpm@...ux-foundation.org,
        Linux Fbdev development list <linux-fbdev@...r.kernel.org>,
        DRI Development <dri-devel@...ts.freedesktop.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 0/3] Fix bugs in *_set_par() caused by user input

Hello,

On Thu, Aug 4, 2022 at 10:43 PM Ondrej Zajicek <santiago@...reenet.org> wrote:
>
> On Thu, Aug 04, 2022 at 08:41:22PM +0800, Zheyu Ma wrote:
> > In the function *_set_par(), the value of 'screen_size' is
> > calculated by the user input. If the user provides the improper value,
> > the value of 'screen_size' may larger than 'info->screen_size', which
> > may cause a bug in the memset_io().
>
> Hi
>
> I did not saw fbdev code in years, but should not this be already checked
> by *_check_var() ?
>
> arkfb_check_var():
>
>         ...
>         /* Check whether have enough memory */
>         mem = ((var->bits_per_pixel * var->xres_virtual) >> 3) * var->yres_virtual;
>         if (mem > info->screen_size)
>         ...

Thanks for the reminder. But since the user can control all the
parameters of the ioctl system call, it is possible to assign
'var->bits_per_pixel' to be 0 and thus 'mem' will be 0, bypassing this
check. And in *_set_par(), when 'var->bits_per_pixel' is 0,
'screen_size' will be calculated as follows:

    u32 bpp = info->var.bits_per_pixel;
    if (bpp != 0) {
        ...
    } else {
        ...
        screen_size = (info->var.xres_virtual * info->var.yres_virtual) / 64;
    }

resulting in a very large value.

regards,

Zheyu Ma

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ