lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAKMK7uH-22rmncSn0iP2qdeUNEsmOQgG5xHcOPTLwnwqANtvYQ@mail.gmail.com>
Date: Mon, 26 Feb 2024 16:51:49 +0100
From: Daniel Vetter <daniel@...ll.ch>
To: "Jiri Slaby (SUSE)" <jirislaby@...nel.org>
Cc: linux-fbdev@...r.kernel.org, dri-devel@...ts.freedesktop.org, 
	linux-kernel@...r.kernel.org, Ubisectech Sirius <bugreport@...sectech.com>, 
	Helge Deller <deller@....de>
Subject: Re: [PATCH] fbcon: always restore the old font data in fbcon_do_set_font()

On Thu, 8 Feb 2024 at 12:44, Jiri Slaby (SUSE) <jirislaby@...nel.org> wrote:
>
> Commit a5a923038d70 (fbdev: fbcon: Properly revert changes when
> vc_resize() failed) started restoring old font data upon failure (of
> vc_resize()). But it performs so only for user fonts. It means that the
> "system"/internal fonts are not restored at all. So in result, the very
> first call to fbcon_do_set_font() performs no restore at all upon
> failing vc_resize().
>
> This can be reproduced by Syzkaller to crash the system on the next
> invocation of font_get(). It's rather hard to hit the allocation failure
> in vc_resize() on the first font_set(), but not impossible. Esp. if
> fault injection is used to aid the execution/failure. It was
> demonstrated by Sirius:
>   BUG: unable to handle page fault for address: fffffffffffffff8
>   #PF: supervisor read access in kernel mode
>   #PF: error_code(0x0000) - not-present page
>   PGD cb7b067 P4D cb7b067 PUD cb7d067 PMD 0
>   Oops: 0000 [#1] PREEMPT SMP KASAN
>   CPU: 1 PID: 8007 Comm: poc Not tainted 6.7.0-g9d1694dc91ce #20
>   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
>   RIP: 0010:fbcon_get_font+0x229/0x800 drivers/video/fbdev/core/fbcon.c:2286
>   Call Trace:
>    <TASK>
>    con_font_get drivers/tty/vt/vt.c:4558 [inline]
>    con_font_op+0x1fc/0xf20 drivers/tty/vt/vt.c:4673
>    vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline]
>    vt_ioctl+0x632/0x2ec0 drivers/tty/vt/vt_ioctl.c:752
>    tty_ioctl+0x6f8/0x1570 drivers/tty/tty_io.c:2803
>    vfs_ioctl fs/ioctl.c:51 [inline]
>   ...
>
> So restore the font data in any case, not only for user fonts. Note the
> later 'if' is now protected by 'old_userfont' and not 'old_data' as the
> latter is always set now. (And it is supposed to be non-NULL. Otherwise
> we would see the bug above again.)
>
> Signed-off-by: Jiri Slaby (SUSE) <jirislaby@...nel.org>
> Fixes: a5a923038d70 ("fbdev: fbcon: Properly revert changes when vc_resize() failed")
> Cc: Ubisectech Sirius <bugreport@...sectech.com>
> Cc: Daniel Vetter <daniel@...ll.ch>
> Cc: Helge Deller <deller@....de>
> Cc: linux-fbdev@...r.kernel.org
> Cc: dri-devel@...ts.freedesktop.org

Reviewing patches to code where assignments in if conditions are still
cool is a pain :-/

Merged to drm-misc-fixes with reported/tested-by credit tag for sirius added.

Thanks a lot!
-Sima

> ---
>  drivers/video/fbdev/core/fbcon.c | 8 +++-----
>  1 file changed, 3 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
> index 17a9fc80b4e4..98d0e2dbcd2f 100644
> --- a/drivers/video/fbdev/core/fbcon.c
> +++ b/drivers/video/fbdev/core/fbcon.c
> @@ -2395,11 +2395,9 @@ static int fbcon_do_set_font(struct vc_data *vc, int w, int h, int charcount,
>         struct fbcon_ops *ops = info->fbcon_par;
>         struct fbcon_display *p = &fb_display[vc->vc_num];
>         int resize, ret, old_userfont, old_width, old_height, old_charcount;
> -       char *old_data = NULL;
> +       u8 *old_data = vc->vc_font.data;
>
>         resize = (w != vc->vc_font.width) || (h != vc->vc_font.height);
> -       if (p->userfont)
> -               old_data = vc->vc_font.data;
>         vc->vc_font.data = (void *)(p->fontdata = data);
>         old_userfont = p->userfont;
>         if ((p->userfont = userfont))
> @@ -2433,13 +2431,13 @@ static int fbcon_do_set_font(struct vc_data *vc, int w, int h, int charcount,
>                 update_screen(vc);
>         }
>
> -       if (old_data && (--REFCOUNT(old_data) == 0))
> +       if (old_userfont && (--REFCOUNT(old_data) == 0))
>                 kfree(old_data - FONT_EXTRA_WORDS * sizeof(int));
>         return 0;
>
>  err_out:
>         p->fontdata = old_data;
> -       vc->vc_font.data = (void *)old_data;
> +       vc->vc_font.data = old_data;
>
>         if (userfont) {
>                 p->userfont = old_userfont;
> --
> 2.43.0
>


-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ