From: Greg Kroah-Hartman Date: Mon, 5 Sep 2022 15:53:29 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v5.10.142~73 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d890077da1e2d111b29bf65dc67e935ace6973b9;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: vt-clear-selection-before-changing-the-font.patch
---
diff --git a/queue-4.14/series b/queue-4.14/series
index 08bf1bb33ad..aa774fac3b2 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -5,3 +5,4 @@ ethernet-rocker-fix-sleep-in-atomic-context-bug-in-n.patch
 kcm-fix-strp_init-order-and-cleanup.patch
 serial-fsl_lpuart-rs485-rts-polariy-is-inverse.patch
 staging-rtl8712-fix-use-after-free-bugs.patch
+vt-clear-selection-before-changing-the-font.patch
diff --git a/queue-4.14/vt-clear-selection-before-changing-the-font.patch b/queue-4.14/vt-clear-selection-before-changing-the-font.patch
new file mode 100644
index 00000000000..9507cf08f19
--- /dev/null
+++ b/queue-4.14/vt-clear-selection-before-changing-the-font.patch
@@ -0,0 +1,58 @@
+From 566f9c9f89337792070b5a6062dff448b3e7977f Mon Sep 17 00:00:00 2001
+From: Helge Deller
+Date: Sat, 30 Jul 2022 20:50:18 +0200
+Subject: vt: Clear selection before changing the font
+
+From: Helge Deller
+
+commit 566f9c9f89337792070b5a6062dff448b3e7977f upstream.
+
+When changing the console font with ioctl(KDFONTOP) the new font size
+can be bigger than the previous font. A previous selection may thus now
+be outside of the new screen size and thus trigger out-of-bounds
+accesses to graphics memory if the selection is removed in
+vc_do_resize().
+
+Prevent such out-of-memory accesses by dropping the selection before the
+various con_font_set() console handlers are called.
+
+Reported-by: syzbot+14b0e8f3fd1612e35350@syzkaller.appspotmail.com
+Cc: stable
+Tested-by: Khalid Masum
+Signed-off-by: Helge Deller
+Link: https://lore.kernel.org/r/YuV9apZGNmGfjcor@p100
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/vt/vt.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/tty/vt/vt.c
++++ b/drivers/tty/vt/vt.c
+@@ -4175,9 +4175,11 @@ static int con_font_set(struct vc_data *
+ console_lock();
+ if (vc->vc_mode != KD_TEXT)
+ rc = -EINVAL;
+- else if (vc->vc_sw->con_font_set)
++ else if (vc->vc_sw->con_font_set) {
++ if (vc_is_sel(vc))
++ clear_selection();
+ rc = vc->vc_sw->con_font_set(vc, &font, op->flags);
+- else
++ } else
+ rc = -ENOSYS;
+ console_unlock();
+ kfree(font.data);
+@@ -4204,9 +4206,11 @@ static int con_font_default(struct vc_da
+ console_unlock();
+ return -EINVAL;
+ }
+- if (vc->vc_sw->con_font_default)
++ if (vc->vc_sw->con_font_default) {
++ if (vc_is_sel(vc))
++ clear_selection();
+ rc = vc->vc_sw->con_font_default(vc, &font, s);
+- else
++ } else
+ rc = -ENOSYS;
+ console_unlock();
+ if (!rc) {
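Review bot: The added `if (vc_is_sel(vc)) clear_selection();` in con_font_set(), repeated verbatim in con_font_default(), has no comment even though its placement before the driver's font callback is the entire fix: per the commit message, a selection left over from the old geometry is otherwise removed in vc_do_resize() against the new screen size and touches graphics memory out of bounds. I would put `/* Drop the selection first: the new font may change the screen size and leave it out of bounds. */` above both guards so that a later refactor does not move them after the callback. This backport also relies on vc_is_sel() and a zero-argument clear_selection() being present in the 4.14 tree, which this queue diff does not show, so a build of the branch is worth confirming. Both function bodies begin and end outside the quoted context.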