linux_dsm_epyc7002/drivers/tty
Maciej W. Rozycki a14ca25d4f vt: Fix character height handling with VT_RESIZEX
commit 860dafa902595fb5f1d23bbcce1215188c3341e6 upstream.

Restore the original intent of the VT_RESIZEX ioctl's `v_clin' parameter
which is the number of pixel rows per character (cell) rather than the
height of the font used.

For framebuffer devices the two values are always the same, because the
former is inferred from the latter one.  For VGA used as a true text
mode device these two parameters are independent from each other: the
number of pixel rows per character is set in the CRT controller, while
font height is in fact hardwired to 32 pixel rows and fonts of heights
below that value are handled by padding their data with blanks when
loaded to hardware for use by the character generator.  One can change
the setting in the CRT controller and it will update the screen contents
accordingly regardless of the font loaded.

The `v_clin' parameter is used by the `vgacon' driver to set the height
of the character cell and then the cursor position within.  Make the
parameter explicit then, by defining a new `vc_cell_height' struct
member of `vc_data', set it instead of `vc_font.height' from `v_clin' in
the VT_RESIZEX ioctl, and then use it throughout the `vgacon' driver
except where actual font data is accessed which as noted above is
independent from the CRTC setting.

This way the framebuffer console driver is free to ignore the `v_clin'
parameter as irrelevant, as it always should have, avoiding any issues
attempts to give the parameter a meaning there could have caused, such
as one that has led to commit 988d076336 ("vt_ioctl: make VT_RESIZEX
behave like VT_RESIZE"):

 "syzbot is reporting UAF/OOB read at bit_putcs()/soft_cursor() [1][2],
  for vt_resizex() from ioctl(VT_RESIZEX) allows setting font height
  larger than actual font height calculated by con_font_set() from
  ioctl(PIO_FONT). Since fbcon_set_font() from con_font_set() allocates
  minimal amount of memory based on actual font height calculated by
  con_font_set(), use of vt_resizex() can cause UAF/OOB read for font
  data."

The problem first appeared around Linux 2.5.66 which predates our repo
history, but the origin could be identified with the old MIPS/Linux repo
also at: <git://git.kernel.org/pub/scm/linux/kernel/git/ralf/linux.git>
as commit 9736a3546de7 ("Merge with Linux 2.5.66."), where VT_RESIZEX
code in `vt_ioctl' was updated as follows:

 		if (clin)
-			video_font_height = clin;
+			vc->vc_font.height = clin;

making the parameter apply to framebuffer devices as well, perhaps due
to the use of "font" in the name of the original `video_font_height'
variable.  Use "cell" in the new struct member then to avoid ambiguity.

References:

[1] https://syzkaller.appspot.com/bug?id=32577e96d88447ded2d3b76d71254fb855245837
[2] https://syzkaller.appspot.com/bug?id=6b8355d27b2b94fb5cedf4655e3a59162d9e48e3

Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org # v2.6.12+
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-05-26 12:06:56 +02:00
hvc tty: hvc: fix link error with CONFIG_SERIAL_CORE_CONSOLE=n 2020-09-27 14:17:43 +02:00
ipwireless tty: ipwireless: fix error handling 2020-09-04 18:08:16 +02:00
serdev
serial Revert "serial: mvebu-uart: Fix to avoid a potential NULL pointer dereference" 2021-05-26 12:06:52 +02:00
vt vt: Fix character height handling with VT_RESIZEX 2021-05-26 12:06:56 +02:00
amiserial.c tty: amiserial: fix TIOCSSERIAL permission check 2021-05-14 09:49:55 +02:00
cyclades.c treewide: Remove uninitialized_var() usage 2020-07-16 12:35:15 -07:00
ehv_bytechan.c
goldfish.c
isicom.c treewide: Remove uninitialized_var() usage 2020-07-16 12:35:15 -07:00
Kconfig treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
Makefile
mips_ejtag_fdc.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
moxa.c tty: moxa: fix TIOCSSERIAL permission check 2021-05-14 09:49:56 +02:00
moxa.h tty: fix spelling mistake 2020-06-27 16:21:20 +02:00
mxser.c
mxser.h
n_gsm.c tty: n_gsm: check error while registering tty devices 2021-05-11 14:47:21 +02:00
n_hdlc.c tty: convert tty_ldisc_ops 'read()' function to take a kernel pointer 2021-03-04 11:37:36 +01:00
n_null.c tty: convert tty_ldisc_ops 'read()' function to take a kernel pointer 2021-03-04 11:37:36 +01:00
n_r3964.c tty: convert tty_ldisc_ops 'read()' function to take a kernel pointer 2021-03-04 11:37:36 +01:00
n_tracerouter.c tty: convert tty_ldisc_ops 'read()' function to take a kernel pointer 2021-03-04 11:37:36 +01:00
n_tracesink.c tty: convert tty_ldisc_ops 'read()' function to take a kernel pointer 2021-03-04 11:37:36 +01:00
n_tracesink.h
n_tty.c tty: teach the n_tty ICANON case about the new "cookie continuations" too 2021-03-07 12:34:16 +01:00
nozomi.c
pty.c pty: do tty_flip_buffer_push without port->lock in pty_write 2020-09-04 18:10:30 +02:00
rocket_int.h
rocket.c
rocket.h
synclink_gt.c tty: synclink_gt: switch from 'pci_' to 'dma_' API 2020-09-04 18:07:22 +02:00
synclink.c tty: synclink, fix kernel-doc 2020-08-18 13:51:18 +02:00
synclinkmp.c tty: synclink, fix kernel-doc 2020-08-18 13:51:18 +02:00
sysrq.c tty/sysrq: Extend the sysrq_key_table to cover capital letters 2020-10-02 14:56:06 +02:00
tty_audit.c
tty_baudrate.c tty: fix kernel-doc 2020-08-18 13:51:18 +02:00
tty_buffer.c tty: fix kernel-doc 2020-08-18 13:51:18 +02:00
tty_io.c tty: fix return value for unsupported ioctls 2021-05-14 09:50:18 +02:00
tty_ioctl.c tty: fix return value for unsupported termiox ioctls 2021-05-14 09:50:19 +02:00
tty_jobctrl.c tty: Fix ->session locking 2020-12-04 17:39:58 +01:00
tty_ldisc.c tty: fix kernel-doc 2020-08-18 13:51:18 +02:00
tty_ldsem.c
tty_mutex.c
tty_port.c
ttynull.c
vcc.c