LKML Archive on lore.kernel.org
* [PATCH 4.19] fbmem: add margin check to fb_check_caps()
@ 2021-09-02  6:02 Dongliang Mu
  2021-09-02  6:05 ` Dongliang Mu
  2021-09-02 13:15 ` Geert Uytterhoeven
  0 siblings, 2 replies; 7+ messages in thread
From: Dongliang Mu @ 2021-09-02  6:02 UTC (permalink / raw)
  To: Bartlomiej Zolnierkiewicz
  Cc: Dongliang Mu, George Kennedy, syzbot+e5fd3e65515b48c02a30,
	Dan Carpenter, Dhaval Giani, Sasha Levin, dri-devel, linux-fbdev,
	linux-kernel

[ Upstream commit a49145acfb975d921464b84fe00279f99827d816 ]

A fb_ioctl() FBIOPUT_VSCREENINFO call with invalid xres setting
or yres setting in struct fb_var_screeninfo will result in a
KASAN: vmalloc-out-of-bounds failure in bitfill_aligned() as
the margins are being cleared. The margins are cleared in
chunks and if the xres setting or yres setting is a value of
zero up to the chunk size, the failure will occur.

Add a margin check to validate xres and yres settings.

Note that this patch needs special handling to backport it to Linux
kernel 4.19, 4.14, 4.9, 4.4.

Signed-off-by: George Kennedy <george.kennedy@oracle.com>
Reported-by: syzbot+e5fd3e65515b48c02a30@syzkaller.appspotmail.com
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Dhaval Giani <dhaval.giani@oracle.com>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Link: https://patchwork.freedesktop.org/patch/msgid/1594149963-13801-1-git-send-email-george.kennedy@oracle.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/video/fbdev/core/fbmem.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
index 84845275dbef..de04c097d67c 100644
--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c
@@ -991,6 +991,10 @@ fb_set_var(struct fb_info *info, struct fb_var_screeninfo *var)
 			goto done;
 		}
 
+		/* bitfill_aligned() assumes that it's at least 8x8 */
+		if (var->xres < 8 || var->yres < 8)
+			return -EINVAL;
+
 		ret = info->fbops->fb_check_var(var, info);
 
 		if (ret)
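
Review bot: the added "return -EINVAL;" under the xres/yres test leaves fb_set_var() directly, while the context line just above exits through "goto done;" and the fb_check_var() result below is carried in ret. If the done label does anything beyond returning ret on this branch, the new path skips it; setting ret = -EINVAL and using goto done would keep the exit paths uniform and make the backport easier to audit across 4.14, 4.9 and 4.4.
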
-- 
2.25.1



* Re: [PATCH 4.19] fbmem: add margin check to fb_check_caps()
  2021-09-02  6:02 [PATCH 4.19] fbmem: add margin check to fb_check_caps() Dongliang Mu
@ 2021-09-02  6:05 ` Dongliang Mu
  2021-09-02 13:15 ` Geert Uytterhoeven
  1 sibling, 0 replies; 7+ messages in thread
From: Dongliang Mu @ 2021-09-02  6:05 UTC (permalink / raw)
  To: Bartlomiej Zolnierkiewicz
  Cc: George Kennedy, syzbot+e5fd3e65515b48c02a30, Dan Carpenter,
	Dhaval Giani, Sasha Levin, dri-devel, linux-fbdev, linux-kernel

On Thu, Sep 2, 2021 at 2:02 PM Dongliang Mu <mudongliangabcd@gmail.com> wrote:
>
> [ Upstream commit a49145acfb975d921464b84fe00279f99827d816 ]
>
> A fb_ioctl() FBIOPUT_VSCREENINFO call with invalid xres setting
> or yres setting in struct fb_var_screeninfo will result in a
> KASAN: vmalloc-out-of-bounds failure in bitfill_aligned() as
> the margins are being cleared. The margins are cleared in
> chunks and if the xres setting or yres setting is a value of
> zero up to the chunk size, the failure will occur.
>
> Add a margin check to validate xres and yres settings.
>
> Note that this patch needs special handling to backport it to Linux
> kernel 4.19, 4.14, 4.9, 4.4.

I have tested that this patch can be applied to the branches:
linux-4.19.y/linux-4.14.y/linux-4.9.y/linux-4.4.y.

>
> Signed-off-by: George Kennedy <george.kennedy@oracle.com>
> Reported-by: syzbot+e5fd3e65515b48c02a30@syzkaller.appspotmail.com
> Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
> Cc: Dhaval Giani <dhaval.giani@oracle.com>
> Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
> Link: https://patchwork.freedesktop.org/patch/msgid/1594149963-13801-1-git-send-email-george.kennedy@oracle.com
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
>  drivers/video/fbdev/core/fbmem.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
> index 84845275dbef..de04c097d67c 100644
> --- a/drivers/video/fbdev/core/fbmem.c
> +++ b/drivers/video/fbdev/core/fbmem.c
> @@ -991,6 +991,10 @@ fb_set_var(struct fb_info *info, struct fb_var_screeninfo *var)
>                         goto done;
>                 }
>
> +               /* bitfill_aligned() assumes that it's at least 8x8 */
> +               if (var->xres < 8 || var->yres < 8)
> +                       return -EINVAL;
> +
>                 ret = info->fbops->fb_check_var(var, info);
>
>                 if (ret)
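
Review bot: the literal 8 in the added test is explained only by the comment "bitfill_aligned() assumes that it's at least 8x8", which does not say what "it" refers to or why the limit is 8, while the commit message describes the limit as the chunk size used when clearing the margins. A named constant for that chunk size, or a comment tying 8 to it, would keep this check from drifting if the fill code changes.
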
> --
> 2.25.1
>


* Re: [PATCH 4.19] fbmem: add margin check to fb_check_caps()
  2021-09-02  6:02 [PATCH 4.19] fbmem: add margin check to fb_check_caps() Dongliang Mu
  2021-09-02  6:05 ` Dongliang Mu
@ 2021-09-02 13:15 ` Geert Uytterhoeven
  2021-09-03  1:09   ` Dongliang Mu
  1 sibling, 1 reply; 7+ messages in thread
From: Geert Uytterhoeven @ 2021-09-02 13:15 UTC (permalink / raw)
  To: Dongliang Mu
  Cc: Bartlomiej Zolnierkiewicz, George Kennedy,
	syzbot+e5fd3e65515b48c02a30, Dan Carpenter, Dhaval Giani,
	Sasha Levin, DRI Development, Linux Fbdev development list,
	Linux Kernel Mailing List

Hi Dongliang,

On Thu, Sep 2, 2021 at 8:04 AM Dongliang Mu <mudongliangabcd@gmail.com> wrote:
> [ Upstream commit a49145acfb975d921464b84fe00279f99827d816 ]

Oops, looks like I missed when that one was submitted for review...

> A fb_ioctl() FBIOPUT_VSCREENINFO call with invalid xres setting
> or yres setting in struct fb_var_screeninfo will result in a
> KASAN: vmalloc-out-of-bounds failure in bitfill_aligned() as
> the margins are being cleared. The margins are cleared in
> chunks and if the xres setting or yres setting is a value of
> zero up to the chunk size, the failure will occur.
>
> Add a margin check to validate xres and yres settings.

Shouldn't (the caller of) bitfill_aligned() be fixed instead?
Can this be triggered by e.g. using the mini_4x6 font?

> Note that this patch needs special handling to backport it to Linux
> kernel 4.19, 4.14, 4.9, 4.4.
>
> Signed-off-by: George Kennedy <george.kennedy@oracle.com>
> Reported-by: syzbot+e5fd3e65515b48c02a30@syzkaller.appspotmail.com
> Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
> Cc: Dhaval Giani <dhaval.giani@oracle.com>
> Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
> Link: https://patchwork.freedesktop.org/patch/msgid/1594149963-13801-1-git-send-email-george.kennedy@oracle.com
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
>  drivers/video/fbdev/core/fbmem.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
> index 84845275dbef..de04c097d67c 100644
> --- a/drivers/video/fbdev/core/fbmem.c
> +++ b/drivers/video/fbdev/core/fbmem.c
> @@ -991,6 +991,10 @@ fb_set_var(struct fb_info *info, struct fb_var_screeninfo *var)
>                         goto done;
>                 }
>
> +               /* bitfill_aligned() assumes that it's at least 8x8 */
> +               if (var->xres < 8 || var->yres < 8)
> +                       return -EINVAL;

Are you sure there don't exist such small displays (e.g. OLED)?

> +
>                 ret = info->fbops->fb_check_var(var, info);
>
>                 if (ret)
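
Review bot: the added xres/yres test runs before info->fbops->fb_check_var(var, info), which takes var by pointer, so any xres or yres value the driver writes back in that call is not covered by the test. If drivers can adjust the resolution there, repeating the test after the "if (ret)" check would validate the values that are actually used.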

Gr{oetje,eeting}s,

                        Geert

-- 
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds


* Re: [PATCH 4.19] fbmem: add margin check to fb_check_caps()
  2021-09-02 13:15 ` Geert Uytterhoeven
@ 2021-09-03  1:09   ` Dongliang Mu
  0 siblings, 0 replies; 7+ messages in thread
From: Dongliang Mu @ 2021-09-03  1:09 UTC (permalink / raw)
  To: Geert Uytterhoeven
  Cc: Bartlomiej Zolnierkiewicz, George Kennedy,
	syzbot+e5fd3e65515b48c02a30, Dan Carpenter, Dhaval Giani,
	Sasha Levin, DRI Development, Linux Fbdev development list,
	Linux Kernel Mailing List

On Thu, Sep 2, 2021 at 9:15 PM Geert Uytterhoeven <geert@linux-m68k.org> wrote:
>
> Hi Dongliang,
>
> On Thu, Sep 2, 2021 at 8:04 AM Dongliang Mu <mudongliangabcd@gmail.com> wrote:
> > [ Upstream commit a49145acfb975d921464b84fe00279f99827d816 ]
>
> Oops, looks like I missed when that one was submitted for review...

This patch cannot be applied directly to old stable trees. Maybe that's the reason.

>
> > A fb_ioctl() FBIOPUT_VSCREENINFO call with invalid xres setting
> > or yres setting in struct fb_var_screeninfo will result in a
> > KASAN: vmalloc-out-of-bounds failure in bitfill_aligned() as
> > the margins are being cleared. The margins are cleared in
> > chunks and if the xres setting or yres setting is a value of
> > zero up to the chunk size, the failure will occur.
> >
> > Add a margin check to validate xres and yres settings.
>
> Shouldn't (the caller of) bitfill_aligned() be fixed instead?
> Can this be triggered by e.g. using the mini_4x6 font?

I am sorry. I don't know much detail about this subsystem. I just
found syzkaller can still trigger this bug in linux-4.19.

Combined with the bug information, I found this patch is not merged
into the old kernel trees. So I sent this patch rebased on linux-4.19.
Also, I have tested it on linux-4.14 and below.

>
> > Note that this patch needs special handling to backport it to Linux
> > kernel 4.19, 4.14, 4.9, 4.4.
> >
> > Signed-off-by: George Kennedy <george.kennedy@oracle.com>
> > Reported-by: syzbot+e5fd3e65515b48c02a30@syzkaller.appspotmail.com
> > Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
> > Cc: Dhaval Giani <dhaval.giani@oracle.com>
> > Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
> > Link: https://patchwork.freedesktop.org/patch/msgid/1594149963-13801-1-git-send-email-george.kennedy@oracle.com
> > Signed-off-by: Sasha Levin <sashal@kernel.org>
> > ---
> >  drivers/video/fbdev/core/fbmem.c | 4 ++++
> >  1 file changed, 4 insertions(+)
> >
> > diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
> > index 84845275dbef..de04c097d67c 100644
> > --- a/drivers/video/fbdev/core/fbmem.c
> > +++ b/drivers/video/fbdev/core/fbmem.c
> > @@ -991,6 +991,10 @@ fb_set_var(struct fb_info *info, struct fb_var_screeninfo *var)
> >                         goto done;
> >                 }
> >
> > +               /* bitfill_aligned() assumes that it's at least 8x8 */
> > +               if (var->xres < 8 || var->yres < 8)
> > +                       return -EINVAL;
>
> Are you sure there don't exist such small displays (e.g. OLED)?
>
> > +
> >                 ret = info->fbops->fb_check_var(var, info);
> >
> >                 if (ret)
>
> Gr{oetje,eeting}s,
>
>                         Geert
>
> --
> Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org
>
> In personal conversations with technical people, I call myself a hacker. But
> when I'm talking to journalists I just say "programmer" or something like that.
>                                 -- Linus Torvalds


* Re: [PATCH 4.19] fbmem: add margin check to fb_check_caps()
  2021-09-03 13:55 ` Greg KH
@ 2021-09-04  2:12   ` Dongliang Mu
  0 siblings, 0 replies; 7+ messages in thread
From: Dongliang Mu @ 2021-09-04  2:12 UTC (permalink / raw)
  To: Greg KH
  Cc: stable, Bartlomiej Zolnierkiewicz, George Kennedy,
	syzbot+e5fd3e65515b48c02a30, Dan Carpenter, Dhaval Giani,
	Sasha Levin, DRI Development, Linux Fbdev development list,
	linux-kernel

On Fri, Sep 3, 2021 at 9:55 PM Greg KH <gregkh@linuxfoundation.org> wrote:
>
> On Thu, Sep 02, 2021 at 02:10:48PM +0800, Dongliang Mu wrote:
> > [ Upstream commit a49145acfb975d921464b84fe00279f99827d816 ]
> >
> > A fb_ioctl() FBIOPUT_VSCREENINFO call with invalid xres setting
> > or yres setting in struct fb_var_screeninfo will result in a
> > KASAN: vmalloc-out-of-bounds failure in bitfill_aligned() as
> > the margins are being cleared. The margins are cleared in
> > chunks and if the xres setting or yres setting is a value of
> > zero up to the chunk size, the failure will occur.
> >
> > Add a margin check to validate xres and yres settings.
> >
> > Note that this patch needs special handling to backport it to Linux
> > kernel 4.19, 4.14, 4.9, 4.4.
>
> Looks like this is already in the 4.4.283, 4.9.282, 4.14.246, and
> 4.19.206 kernel releases.  Can you check them to verify that it matches
> your backport as well?

Yes, I have seen them in these releases and they are fine to me.

>
> thanks,
>
> greg k-h


* Re: [PATCH 4.19] fbmem: add margin check to fb_check_caps()
  2021-09-02  6:10 Dongliang Mu
@ 2021-09-03 13:55 ` Greg KH
  2021-09-04  2:12   ` Dongliang Mu
  0 siblings, 1 reply; 7+ messages in thread
From: Greg KH @ 2021-09-03 13:55 UTC (permalink / raw)
  To: Dongliang Mu
  Cc: stable, Bartlomiej Zolnierkiewicz, George Kennedy,
	syzbot+e5fd3e65515b48c02a30, Dan Carpenter, Dhaval Giani,
	Sasha Levin, dri-devel, linux-fbdev, linux-kernel

On Thu, Sep 02, 2021 at 02:10:48PM +0800, Dongliang Mu wrote:
> [ Upstream commit a49145acfb975d921464b84fe00279f99827d816 ]
> 
> A fb_ioctl() FBIOPUT_VSCREENINFO call with invalid xres setting
> or yres setting in struct fb_var_screeninfo will result in a
> KASAN: vmalloc-out-of-bounds failure in bitfill_aligned() as
> the margins are being cleared. The margins are cleared in
> chunks and if the xres setting or yres setting is a value of
> zero up to the chunk size, the failure will occur.
> 
> Add a margin check to validate xres and yres settings.
> 
> Note that this patch needs special handling to backport it to Linux
> kernel 4.19, 4.14, 4.9, 4.4.

Looks like this is already in the 4.4.283, 4.9.282, 4.14.246, and
4.19.206 kernel releases.  Can you check them to verify that it matches
your backport as well?

thanks,

greg k-h


* [PATCH 4.19] fbmem: add margin check to fb_check_caps()
@ 2021-09-02  6:10 Dongliang Mu
  2021-09-03 13:55 ` Greg KH
  0 siblings, 1 reply; 7+ messages in thread
From: Dongliang Mu @ 2021-09-02  6:10 UTC (permalink / raw)
  To: stable, gregkh, Bartlomiej Zolnierkiewicz
  Cc: Dongliang Mu, George Kennedy, syzbot+e5fd3e65515b48c02a30,
	Dan Carpenter, Dhaval Giani, Sasha Levin, dri-devel, linux-fbdev,
	linux-kernel

[ Upstream commit a49145acfb975d921464b84fe00279f99827d816 ]

A fb_ioctl() FBIOPUT_VSCREENINFO call with invalid xres setting
or yres setting in struct fb_var_screeninfo will result in a
KASAN: vmalloc-out-of-bounds failure in bitfill_aligned() as
the margins are being cleared. The margins are cleared in
chunks and if the xres setting or yres setting is a value of
zero up to the chunk size, the failure will occur.

Add a margin check to validate xres and yres settings.

Note that this patch needs special handling to backport it to Linux
kernel 4.19, 4.14, 4.9, 4.4.

Signed-off-by: George Kennedy <george.kennedy@oracle.com>
Reported-by: syzbot+e5fd3e65515b48c02a30@syzkaller.appspotmail.com
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Dhaval Giani <dhaval.giani@oracle.com>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Link: https://patchwork.freedesktop.org/patch/msgid/1594149963-13801-1-git-send-email-george.kennedy@oracle.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/video/fbdev/core/fbmem.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
index 84845275dbef..de04c097d67c 100644
--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c
@@ -991,6 +991,10 @@ fb_set_var(struct fb_info *info, struct fb_var_screeninfo *var)
 			goto done;
 		}
 
+		/* bitfill_aligned() assumes that it's at least 8x8 */
+		if (var->xres < 8 || var->yres < 8)
+			return -EINVAL;
+
 		ret = info->fbops->fb_check_var(var, info);
 
 		if (ret)
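
Review bot: the hunk header shows the check being added in fb_set_var(), while the subject line says fb_check_caps(). The subject is inherited from the upstream commit, so a line in the backport note naming fb_set_var() as the function actually touched would help anyone searching the stable trees by function name.
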
-- 
2.25.1


