From: Sasha Levin Date: Fri, 1 Oct 2021 14:16:22 +0000 (-0400) Subject: Fixes for 4.4 X-Git-Tag: v4.4.286~60 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c12bb97273db6092426ec7de4651f26b6836727c;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.4 Signed-off-by: Sasha Levin --- diff --git a/queue-4.4/series b/queue-4.4/series index ae715fe23b7..21a7e8520d0 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -22,3 +22,4 @@ alpha-declare-virt_to_phys-and-virt_to_bus-parameter.patch net-6pack-fix-tx-timeout-and-slot-time.patch spi-fix-tegra20-build-with-config_pm-n.patch qnx4-work-around-gcc-false-positive-warning-bug.patch +tty-fix-out-of-bound-vmalloc-access-in-imageblit.patch diff --git a/queue-4.4/tty-fix-out-of-bound-vmalloc-access-in-imageblit.patch b/queue-4.4/tty-fix-out-of-bound-vmalloc-access-in-imageblit.patch new file mode 100644 index 00000000000..8175a123e9b --- /dev/null +++ b/queue-4.4/tty-fix-out-of-bound-vmalloc-access-in-imageblit.patch @@ -0,0 +1,71 @@ +From 3e77912d932c1be2c56626ca6eba1892044f82af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Jun 2021 10:45:09 -0300 +Subject: tty: Fix out-of-bound vmalloc access in imageblit + +From: Igor Matheus Andrade Torrente + +[ Upstream commit 3b0c406124719b625b1aba431659f5cdc24a982c ] + +This issue happens when a userspace program does an ioctl +FBIOPUT_VSCREENINFO passing the fb_var_screeninfo struct +containing only the fields xres, yres, and bits_per_pixel +with values. + +If this struct is the same as the previous ioctl, the +vc_resize() detects it and doesn't call the resize_screen(), +leaving the fb_var_screeninfo incomplete. And this leads to +the updatescrollmode() calculates a wrong value to +fbcon_display->vrows, which makes the real_y() return a +wrong value of y, and that value, eventually, causes +the imageblit to access an out-of-bound address value. + +To solve this issue I made the resize_screen() be called +even if the screen does not need any resizing, so it will +"fix and fill" the fb_var_screeninfo independently. + +Cc: stable # after 5.15-rc2 is out, give it time to bake +Reported-and-tested-by: syzbot+858dc7a2f7ef07c2c219@syzkaller.appspotmail.com +Signed-off-by: Igor Matheus Andrade Torrente +Link: https://lore.kernel.org/r/20210628134509.15895-1-igormtorrente@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/vt/vt.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c +index 9f479b4c6491..0fab196a1d90 100644 +--- a/drivers/tty/vt/vt.c ++++ b/drivers/tty/vt/vt.c +@@ -882,8 +882,25 @@ static int vc_do_resize(struct tty_struct *tty, struct vc_data *vc, + new_row_size = new_cols << 1; + new_screen_size = new_row_size * new_rows; + +- if (new_cols == vc->vc_cols && new_rows == vc->vc_rows) +- return 0; ++ if (new_cols == vc->vc_cols && new_rows == vc->vc_rows) { ++ /* ++ * This function is being called here to cover the case ++ * where the userspace calls the FBIOPUT_VSCREENINFO twice, ++ * passing the same fb_var_screeninfo containing the fields ++ * yres/xres equal to a number non-multiple of vc_font.height ++ * and yres_virtual/xres_virtual equal to number lesser than the ++ * vc_font.height and yres/xres. ++ * In the second call, the struct fb_var_screeninfo isn't ++ * being modified by the underlying driver because of the ++ * if above, and this causes the fbcon_display->vrows to become ++ * negative and it eventually leads to out-of-bound ++ * access by the imageblit function. ++ * To give the correct values to the struct and to not have ++ * to deal with possible errors from the code below, we call ++ * the resize_screen here as well. ++ */ ++ return resize_screen(vc, new_cols, new_rows, user); ++ } + + if (new_screen_size > (4 << 20)) + return -EINVAL; +-- +2.33.0 +