Message-ID: <7_oOa5sZXTsEK5rGL7HpT4HfjvhfpGa8r69NDAZWuKTxWP1ONLD9yDbrfJ3nzfducuK8TpC-fF1llnfVjpGHzdmhdzDq7FvvoOYU9eEX9Uc=@protonmail.com>
Date: Thu, 31 Jul 2025 16:12:52 +0000
From: Jari Ruusu <jariruusu@...tonmail.com>
To: Jiri Slaby <jirislaby@...nel.org>
Cc: Yi Yang <yiyang13@...wei.com>, GONG Ruiqi <gongruiqi1@...wei.com>, Helge Deller <deller@....de>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Sasha Levin <sashal@...nel.org>, Linus Torvalds <torvalds@...ux-foundation.org>, "stable@...r.kernel.org" <stable@...r.kernel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: Text mode VGA-console scrolling is broken in upstream & stable trees

On Thursday, July 31st, 2025 at 10:22, Jiri Slaby <jirislaby@...nel.org> wrote:
> At the time this was posted (privately and on security@), I commented:
> =====
>  > --- a/drivers/video/console/vgacon.c
>  > +++ b/drivers/video/console/vgacon.c
>  > @@ -1168,7 +1168,7 @@ static bool vgacon_scroll(struct vc_data *c, unsigned int t, unsigned int b,
>  >                                    c->vc_screenbuf_size - delta);
>  >                       c->vc_origin = vga_vram_end - c->vc_screenbuf_size;
>  >                       vga_rolled_over = 0;
>  > -             } else
>  > +             } else if (oldo - delta >= (unsigned long)c->vc_screenbuf)
>  >                       c->vc_origin -= delta;
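Review bot: the new guard on `+ } else if (oldo - delta >= (unsigned long)c->vc_screenbuf)` has no fallback branch, so when the condition is false `c->vc_origin` is left untouched and the rest of the scroll proceeds with the old origin; either add an explicit `else` that sets the origin to a known-good value or clamp `delta` before this block so the subtraction cannot cross the lower bound. Two further points on this line: `oldo - delta` is computed before the comparison, so if `oldo` is unsigned (the cast on the right-hand side suggests the comparison is done in `unsigned long`) the subtraction wraps when `delta` exceeds `oldo` and the guard passes exactly when it should fail, which clamping `delta` first avoids; and the bound compared against is `c->vc_screenbuf`, while the rollover branch just above places `c->vc_origin` relative to `vga_vram_end`, so the origin is being addressed within the video-RAM window here and the lower bound that matters is likely the start of that window rather than the in-memory screen buffer.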
> 
> IMO you should also add:
>     else
>       c->vc_origin = c->vc_screenbuf;
> 
> Or clamp 'delta' beforehand and don't add the 'if'.
> =====
> That did not happen, AFAICS. Care to test the above suggestion?

My reading of the code in vgacon_scroll() is that it directly
bit-bangs video-RAM and checks that scroll read/write accesses
stay in the range vga_vram_base...vga_vram_end-1.

Checking that c->vc_origin ends up being >= c->vc_screenbuf is
wrong because in text mode it should be an index into video-RAM.

Quote from the original "messed up" patch, the fix for CVE-2025-38213:
> By analyzing the vmcore, we found that vc->vc_origin was somehow placed
> one line prior to vc->vc_screenbuf when vc was in KD_TEXT mode, and
> further writings to /dev/vcs caused out-of-bounds reads (and writes
> right after) in vcs_write_buf_noattr().
> 
> Our further experiments show that in most cases, vc->vc_origin equals
> vga_vram_base when the console is in KD_TEXT mode, and it's around
> vc->vc_screenbuf for the KD_GRAPHICS mode. But via triggering a
> TIOCL_SETVESABLANK ioctl beforehand, we can make vc->vc_origin be around
> vc->vc_screenbuf while the console is in KD_TEXT mode, and then by
> writing the special 'ESC M' control sequence to the tty a certain number of times
> (depends on the value of `vc->state.y - vc->vc_top`), we can eventually
> move vc->vc_origin prior to vc->vc_screenbuf. Here's the PoC, tested on
> QEMU:

To me that sounds like the bug is in the TIOCL_SETVESABLANK ioctl().
It should not be changing c->vc_origin to point anywhere
other than video-RAM when the console is in text mode.

How about adding a check to the beginning of vgacon_scroll() that
bails out early if c->vc_origin is not a valid index into video-RAM?

--
Jari Ruusu  4096R/8132F189 12D6 4C3A DCDA 0AA4 27BD  ACDF F073 3C80 8132 F189
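The two fixes discussed in this thread, Jari's early validity check on c->vc_origin and Jiri's clamping of delta, as an added stand-alone model (this is example code written for this page, not the kernel's vgacon.c). The struct fields borrow the thread's names (vga_vram_base, vga_vram_end, vc_origin, vc_screenbuf_size) but are plain variables, not struct vc_data; the address range, screen size and scroll amounts are constructed sample values. It also shows why the clamp is done against the headroom rather than by computing origin - delta first, which would wrap in unsigned arithmetic.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example, not kernel code: a model of the text-mode VGA console
 * window.  Field names echo the thread's identifiers, but this is a plain
 * struct, not struct vc_data; all addresses below are constructed samples. */
struct vga_window {
    unsigned long vram_base;      /* first byte of the video-RAM window */
    unsigned long vram_end;       /* one past the last byte of the window */
    unsigned long origin;         /* vc_origin: first byte of the visible screen */
    unsigned long screenbuf_size; /* bytes covered by one screen */
};

/* Jari's proposed early check: the origin must address one full screen that
 * lies inside video RAM.  Both bounds are tested, so an origin parked in the
 * in-memory screen buffer (the situation the CVE-2025-38213 description
 * gives) or one that has wrapped around is rejected. */
bool origin_in_vram(const struct vga_window *w)
{
    if (w->screenbuf_size > w->vram_end - w->vram_base)
        return false;                       /* window too small for a screen */
    return w->origin >= w->vram_base &&
           w->origin <= w->vram_end - w->screenbuf_size;
}

/* Jiri's alternative: clamp delta to the headroom above vram_base.  The
 * headroom is computed from a validated origin; computing origin - delta and
 * comparing afterwards would wrap when delta > origin and pass the guard.
 * Precondition: origin_in_vram(w) holds. */
unsigned long clamp_scroll_up(const struct vga_window *w, unsigned long delta)
{
    unsigned long headroom = w->origin - w->vram_base;
    return delta > headroom ? headroom : delta;
}

/* The unguarded update the thread is about: nothing stops the origin from
 * moving below the lower bound. */
unsigned long scroll_up_unguarded(unsigned long origin, unsigned long delta)
{
    return origin - delta;
}

/* Guarded version: bail out when the origin is not a valid video-RAM index,
 * otherwise move up by at most the available headroom.  Returns false on
 * rejection; *applied (if non-NULL) receives the delta actually used. */
bool scroll_up_guarded(struct vga_window *w, unsigned long delta,
                       unsigned long *applied)
{
    if (!origin_in_vram(w))
        return false;
    unsigned long d = clamp_scroll_up(w, delta);
    w->origin -= d;
    if (applied)
        *applied = d;
    return true;
}

/* One-shot helper: origin after a guarded scroll, or 0 when the request is
 * rejected (0 is never a valid origin here because vram_base is non-zero). */
unsigned long guarded_result(unsigned long base, unsigned long end,
                             unsigned long origin, unsigned long size,
                             unsigned long delta)
{
    struct vga_window w = { base, end, origin, size };
    return scroll_up_guarded(&w, delta, NULL) ? w.origin : 0;
}

int main(void)
{
    /* Constructed sample: 32 KiB window at 0xB8000, an 80x25 screen of
     * 2-byte cells (4000 bytes), origin one text line (160 bytes) above
     * the window base, and a request to scroll up by two lines (320). */
    const unsigned long base = 0xB8000UL, end = 0xC0000UL, size = 4000;
    unsigned long origin = base + 160;

    printf("unguarded: 0x%lx -> 0x%lx (below base 0x%lx)\n",
           origin, scroll_up_unguarded(origin, 320), base);
    printf("guarded:   0x%lx -> 0x%lx (clamped to the 160-byte headroom)\n",
           origin, guarded_result(base, end, origin, size, 320));
    /* Origin sitting in a non-VRAM buffer, as the CVE description reports. */
    printf("origin 0x10000 in VRAM: %s\n",
           origin_in_vram(&(struct vga_window){ base, end, 0x10000UL, size })
               ? "yes" : "no, scroll rejected");
    return 0;
}
```

The early check and the clamp are complementary: the check answers Jari's question (is the origin a valid index at all, regardless of how TIOCL_SETVESABLANK left it), and the clamp answers Jiri's (once it is valid, how far may one scroll step move it).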

