[PATCH] vgacon: Fix a UAF in vgacon_invert_region

zhangxiaoxu (A) zhangxiaoxu5 at huawei.com
Wed Mar 4 01:31:20 UTC 2020



On 2020/3/3 22:46, Ville Syrjälä wrote:
> On Tue, Mar 03, 2020 at 10:30:14PM +0800, zhangxiaoxu (A) wrote:
>>
>>
>> On 2020/3/3 21:59, Ville Syrjälä wrote:
>>> That doesn't match how vc_screenbuf_size is computed elsewhere. Also
>>> a lot of places seem to assume that the screenbuf can be larger than
>>> vga_vram_size (eg. all the memcpy()s pick the smaller size of the
>>> two).
>> Yes, in the vga source code, we also pick the smaller size of the two. But
>> in other places, e.g. vc_do_resize, which copies old_origin to new_origin, we
>> do not do that. It also makes a bad access happen. It may be CVE-2020-8647.
>>
>> I think we should just assume the width/height may be larger than the
>> default, not that the screenbuf is larger than vga_vram_size.
>>
>> If not, is there any use for the larger screenbuf?
> 
> Maybe used for scrolling?
The screenbuf is just allocated with cols and rows, so it can hold just one
screen?
Is vc_do_resize the largest size that one screen can show?

If so, can't we set the screen to a resolution beyond its
capability?
> 
>>
>>>
>>> And you're changing the behaviour of the code when
>>> 'width % 2 && user' is true
> 
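As an added illustration of the clamping discussed above (this is example code written for this note, not kernel code and not part of the patch under review): a small C model in which the screen buffer and the VRAM-backed region may differ in size, and every copy is bounded by the smaller of the two, including the row-wise copy that a resize performs. All function names (screen_copy_clamped, resize_copy_clamped, the demo_* helpers) and the sample screens are hypothetical and constructed for the example.

```c
/* Added example, not kernel code: bounded copies between two text-mode
 * regions whose sizes may differ.  Names and sample data are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Copy at most the smaller of the two region sizes (in 16-bit cells), the
 * way the memcpy()s mentioned in the thread pick the smaller size.
 * Returns the number of cells actually copied. */
static size_t screen_copy_clamped(uint16_t *dst, size_t dst_cells,
                                  const uint16_t *src, size_t src_cells)
{
    size_t n = dst_cells < src_cells ? dst_cells : src_cells;
    memcpy(dst, src, n * sizeof *dst);
    return n;
}

/* Row-wise copy from an old_cols x old_rows screen into a new_cols x new_rows
 * one.  Each row is clamped to the narrower width and the copy stops at the
 * shorter height, so neither buffer is read or written past its end.  Cells
 * the source does not cover are filled with `blank`.  Returns cells copied. */
static size_t resize_copy_clamped(uint16_t *new_buf, unsigned new_cols,
                                  unsigned new_rows, const uint16_t *old_buf,
                                  unsigned old_cols, unsigned old_rows,
                                  uint16_t blank)
{
    unsigned cols = new_cols < old_cols ? new_cols : old_cols;
    unsigned rows = new_rows < old_rows ? new_rows : old_rows;
    size_t copied = 0;

    for (unsigned r = 0; r < new_rows; r++) {
        for (unsigned c = 0; c < new_cols; c++) {
            if (r < rows && c < cols) {
                new_buf[r * new_cols + c] = old_buf[r * old_cols + c];
                copied++;
            } else {
                new_buf[r * new_cols + c] = blank;
            }
        }
    }
    return copied;
}

/* Constructed sample: a 16-cell screenbuf copied into an 8-cell "VRAM". */
static int demo_clamped_copy_ok(void)
{
    uint16_t vram[8];
    uint16_t screen[16];
    for (unsigned i = 0; i < 16; i++)
        screen[i] = (uint16_t)(0x0700 | ('A' + i));
    memset(vram, 0, sizeof vram);

    size_t n = screen_copy_clamped(vram, 8, screen, 16);
    return n == 8 && vram[7] == (uint16_t)(0x0700 | 'H');
}

/* Constructed sample: resize a 4x3 screen into a 6x2 one. */
static int demo_resize_ok(void)
{
    uint16_t old_buf[12], new_buf[12];
    for (unsigned i = 0; i < 12; i++)
        old_buf[i] = (uint16_t)i;

    size_t copied = resize_copy_clamped(new_buf, 6, 2, old_buf, 4, 3, 0x0720);
    /* rows 0..1, 4 cells each, are copied; columns 4 and 5 are blank */
    return copied == 8 && new_buf[0] == 0 && new_buf[3] == 3 &&
           new_buf[4] == 0x0720 && new_buf[6] == 4 && new_buf[9] == 7 &&
           new_buf[11] == 0x0720;
}

int main(void)
{
    printf("clamped copy: %s\n", demo_clamped_copy_ok() ? "ok" : "FAIL");
    printf("clamped resize: %s\n", demo_resize_ok() ? "ok" : "FAIL");
    return 0;
}
```

The point of the model is the two min() computations: as long as both the source and the destination dimensions bound every index, a screenbuf larger than the VRAM region, or a resize to a different geometry, cannot push a copy past either buffer.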