[PATCH] vgacon: Fix a UAF in vgacon_invert_region

Ville Syrjälä ville.syrjala at linux.intel.com
Tue Mar 3 14:46:49 UTC 2020


On Tue, Mar 03, 2020 at 10:30:14PM +0800, zhangxiaoxu (A) wrote:
> 
> 
> On 2020/3/3 21:59, Ville Syrjälä wrote:
> > That doesn't match how vc_screenbuf_size is computed elsewhere. Also
> > a lot of places seem to assume that the screenbuf can be larger than
> > vga_vram_size (eg. all the memcpy()s pick the smaller size of the
> > two).
> Yes, in the vga source code, we also pick the smaller size of the two. But
> in other places, e.g. vc_do_resize, which copies old_origin to new_origin, we
> do not do that. It also makes a bad access happen. It may be CVE-2020-8647.
> 
> I think we should just assume the width/height may be larger than the
> default, not that the screenbuf is larger than vga_vram_size.
> 
> If not, is there any use for the larger screenbuf?

Maybe used for scrolling?

> 
> > 
> > And you're changing the behaviour of the code when
> > 'width % 2 && user' is true

-- 
Ville Syrjälä
Intel
