Gh0st
/
linux
mirror of https://github.com/torvalds/linux.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
Linux kernel source tree
935,072 Commits 1 Branch 912 Tags 8.4 GiB
C 97.1%
Assembly 1%
Shell 0.6%
Rust 0.4%
Python 0.4%
Other 0.3%
Go to file
Yunhai Zhang ebfdfeeae8 vgacon: Fix for missing check in scrollback handling 
vgacon_scrollback_update() always leaves enbough room in the scrollback
buffer for the next call, but if the console size changed that room
might not actually be enough, and so we need to re-check.

The check should be in the loop since vgacon_scrollback_cur->tail is
updated in the loop and count may be more than 1 when triggered by CSI M,
as Jiri's PoC:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <fcntl.h>

int main(int argc, char** argv)
{
        int fd = open("/dev/tty1", O_RDWR);
        unsigned short size[3] = {25, 200, 0};
        ioctl(fd, 0x5609, size); // VT_RESIZE

        write(fd, "\e[1;1H", 6);
        for (int i = 0; i < 30; i++)
                write(fd, "\e[10M", 5);
}

It leads to various crashes as vgacon_scrollback_update writes out of
the buffer:
 BUG: unable to handle page fault for address: ffffc900001752a0
 #PF: supervisor write access in kernel mode
 #PF: error_code(0x0002) - not-present page
 RIP: 0010:mutex_unlock+0x13/0x30
...
 Call Trace:
  n_tty_write+0x1a0/0x4d0
  tty_write+0x1a0/0x2e0

Or to KASAN reports:
BUG: KASAN: slab-out-of-bounds in vgacon_scroll+0x57a/0x8ed

This fixes CVE-2020-14331.

Reported-by: 张云海 <zhangyunhai@nsfocus.com>
Reported-by: Yang Yingliang <yangyingliang@huawei.com>
Reported-by: Kyungtae Kim <kt0755@gmail.com>
Fixes: 15bdab959c ([PATCH] vgacon: Add support for soft scrollback)
Cc: stable@vger.kernel.org
Cc: linux-fbdev@vger.kernel.org
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Solar Designer <solar@openwall.com>
Cc: "Srivatsa S. Bhat" <srivatsa@csail.mit.edu>
Cc: Anthony Liguori <aliguori@amazon.com>
Cc: Yang Yingliang <yangyingliang@huawei.com>
Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Cc: Jiri Slaby <jirislaby@kernel.org>
Signed-off-by: Yunhai Zhang <zhangyunhai@nsfocus.com>
Link: https://lore.kernel.org/r/9fb43895-ca91-9b07-ebfd-808cf854ca95@nsfocus.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 		2020-08-04 09:40:35 +02:00
Documentation Linux 5.8-rc7 2020-07-27 12:40:56 +02:00
LICENSES LICENSES: Rename other to deprecated 2019-05-03 06:34:32 -06:00
arch Linux 5.8-rc7 2020-07-27 12:40:56 +02:00
block block-5.8-2020-07-10 2020-07-10 09:55:46 -07:00
certs .gitignore: add SPDX License Identifier 2020-03-25 11:50:48 +01:00
crypto keys: asymmetric: fix error return code in software_key_query() 2020-07-15 15:49:04 -07:00
drivers vgacon: Fix for missing check in scrollback handling 2020-08-04 09:40:35 +02:00
fs Various EFI fixes: 2020-07-25 13:18:42 -07:00
include serial: 8250: Add 8250 port clock update method 2020-07-29 17:14:38 +02:00
init kbuild: fix CONFIG_CC_CAN_LINK(_STATIC) for cross-compilation with Clang 2020-07-02 00:57:45 +09:00
ipc mmap locking API: use coccinelle to convert mmap_sem rwsem call sites 2020-06-09 09:39:14 -07:00
kernel Fix a interaction/regression between uprobes based shared library tracing & GDB. 2020-07-25 13:55:38 -07:00
lib RISC-V Fixes for 5.8-rc5 (ideally) 2020-07-11 19:22:46 -07:00
mm khugepaged: fix null-pointer dereference due to race 2020-07-24 12:42:41 -07:00
net Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net into master 2020-07-25 11:50:59 -07:00
samples samples/vfs: avoid warning in statx override 2020-07-03 16:15:25 -07:00
scripts Kbuild fixes for v5.8 (3rd) 2020-07-26 13:46:57 -07:00
security integrity/ima: switch to using __kernel_read 2020-07-08 08:27:57 +02:00
sound sound fixes for 5.8-rc7 2020-07-21 08:06:45 -07:00
tools Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net into master 2020-07-25 11:50:59 -07:00
usr bpfilter: match bit size of bpfilter_umh to that of the kernel 2020-05-17 18:52:01 +09:00
virt kvm: use more precise cast and do not drop __user 2020-07-02 05:39:31 -04:00
.clang-format block: add bio_for_each_bvec_all() 2020-05-25 11:25:24 +02:00
.cocciconfig
.get_maintainer.ignore Opt out of scripts/get_maintainer.pl 2019-05-16 10:53:40 -07:00
.gitattributes .gitattributes: use 'dts' diff driver for dts files 2019-12-04 19:44:11 -08:00
.gitignore .gitignore: Do not track `defconfig` from `make savedefconfig` 2020-07-05 16:15:46 +09:00
.mailmap mailmap: add entry for Mike Rapoport 2020-07-24 12:42:41 -07:00
COPYING COPYING: state that all contributions really are covered by this file 2020-02-10 13:32:20 -08:00
CREDITS mailmap: change email for Ricardo Ribalda 2020-05-25 18:59:59 -06:00
Kbuild kbuild: rename hostprogs-y/always to hostprogs/always-y 2020-02-04 01:53:07 +09:00
Kconfig kbuild: ensure full rebuild when the compiler is updated 2020-05-12 13:28:33 +09:00
MAINTAINERS Merge branch 'akpm' into master (patches from Andrew) 2020-07-24 14:24:35 -07:00
Makefile Linux 5.8-rc7 2020-07-26 14:14:06 -07:00
README Drop all 00-INDEX files from Documentation/ 2018-09-09 15:08:58 -06:00

README 

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.