RE: [PATCH 0/3] Prevent out-of-bounds access for built-in font data buffers

From: David Laight
Date: Thu Sep 24 2020 - 10:42:25 EST

Next message: Jan Kara: "Re: [PATCH 1/5] mm: Introduce mm_struct.has_pinned"
Previous message: Sean Christopherson: "Re: [PATCH] KVM: x86/mmu: Stash 'kvm' in a local variable in kvm_mmu_free_roots()"
In reply to: Peilin Ye: "Re: [PATCH 0/3] Prevent out-of-bounds access for built-in font data buffers"
Next in thread: Peilin Ye: "Re: [PATCH 0/3] Prevent out-of-bounds access for built-in font data buffers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> On Thu, Sep 24, 2020 at 09:38:22AM -0400, Peilin Ye wrote:
> > Hi all,
> >
> > syzbot has reported [1] a global out-of-bounds read issue in
> > fbcon_get_font(). A malicious user may resize `vc_font.height` to a large
> > value in vt_ioctl(), causing fbcon_get_font() to overflow our built-in
> > font data buffers, declared in lib/fonts/font_*.c:
...
> > (drivers/video/fbdev/core/fbcon.c)
> > if (font->width <= 8) {
> > j = vc->vc_font.height;
> > + if (font->charcount * j > FNTSIZE(fontdata))
> > + return -EINVAL;

Can that still go wrong because the multiply wraps?

David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

Next message: Jan Kara: "Re: [PATCH 1/5] mm: Introduce mm_struct.has_pinned"
Previous message: Sean Christopherson: "Re: [PATCH] KVM: x86/mmu: Stash 'kvm' in a local variable in kvm_mmu_free_roots()"
In reply to: Peilin Ye: "Re: [PATCH 0/3] Prevent out-of-bounds access for built-in font data buffers"
Next in thread: Peilin Ye: "Re: [PATCH 0/3] Prevent out-of-bounds access for built-in font data buffers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]