Re: [PATCH] tty vt: fix character insertion overflow

From: Jean-Francois Moine
Date: Mon Feb 25 2013 - 03:50:25 EST

Next message: Vivek Gautam: "Re: [PATCH RFC] usb: dwc3: Set GCTL.PrtCapDir based on selected mode."
Previous message: Andrew Cooks: "Re: [RFC PATCH] Fix Intel IOMMU support for Marvell 88SE91xx SATA controllers."
In reply to: Nicolas Pitre: "[PATCH] tty vt: fix character insertion overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sun, 24 Feb 2013 20:06:09 -0500 (EST)
Nicolas Pitre <nicolas.pitre@xxxxxxxxxx> wrote:

> Commit 81732c3b2f (tty vt: Fix line garbage in virtual console on
> command line edition) broke insert_char() in multiple ways. Then
> commit b1a925f44a (tty vt: Fix a regression in command line edition)
> partially fixed it. However, the buffer being moved is still too large
> and overflowing beyond the end of the current line, corrupting existing
> characters on the next line.

and

> One detail I didn't mention explicitly is that the cursor can be moved
> to the last screen line, and then the sequence ESC [ <n> @ is all that
> is needed to shovel 2*n bytes from that bottom screen line into adjacent
> memory which could potentially be exploited in some way.

You are right, this bug is critical. Sorry.

Acked-by: Jean-FranÃois Moine <moinejf@xxxxxxx>

--
Ken ar c'hentaÃ | ** Breizh ha Linux atav! **
Jef | http://moinejf.free.fr/
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Vivek Gautam: "Re: [PATCH RFC] usb: dwc3: Set GCTL.PrtCapDir based on selected mode."
Previous message: Andrew Cooks: "Re: [RFC PATCH] Fix Intel IOMMU support for Marvell 88SE91xx SATA controllers."
In reply to: Nicolas Pitre: "[PATCH] tty vt: fix character insertion overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]