[PATCH] vgacon: Fix a UAF in vgacon_invert_region
zhangxiaoxu (A)
zhangxiaoxu5 at huawei.com
Tue Mar 3 14:30:14 UTC 2020
On 2020/3/3 21:59, Ville Syrjälä wrote:
> That doesn't match how vc_screenbuf_size is computed elsewhere. Also
> a lot of places seem to assume that the screenbuf can be larger than
> vga_vram_size (eg. all the memcpy()s pick the smaller size of the
> two).
Yes, in the vga source code, we also pick the smaller size of the two. But
in other places, e.g. vc_do_resize, which copies the old_origin to new_origin, we
do not do that. It also makes bad access happen. It may be CVE-2020-8647.
I think we should just assume the width/height may be larger than the
default, not that the screenbuf is larger than vga_vram_size.
If not, is there any use for the larger screenbuf?
>
> And you're changing the behaviour of the code when
> 'width % 2 && user' is true
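The thread contrasts copies that pick the smaller of the two sizes with a resize path that does not. The following is an added illustration, not code from the kernel or from either poster: a constructed 16-bit-cell screen buffer with a row-wise resize copy that clamps to both the geometry and the actual allocation sizes, so neither the source read nor the destination write can run past its buffer even when the recorded geometry and the allocation disagree. The `screenbuf` struct and `resize_copy` function are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example: a text-mode screen buffer of 16-bit cells.
 * size_bytes is the real allocation and may be smaller than rows*cols*2,
 * which is exactly the mismatch a resize copy must tolerate. */
typedef struct {
    uint16_t *cells;
    size_t rows, cols;   /* geometry the console believes it has */
    size_t size_bytes;   /* bytes actually allocated behind cells */
} screenbuf;

/* Copy old into new_ row by row. Each row copies min(old cols, new cols)
 * cells, and every memcpy is additionally clamped to what remains of the
 * source and destination allocations. Returns the number of bytes copied. */
size_t resize_copy(const screenbuf *old, screenbuf *new_)
{
    size_t rows = old->rows < new_->rows ? old->rows : new_->rows;
    size_t cols = old->cols < new_->cols ? old->cols : new_->cols;
    size_t copied = 0;

    for (size_t r = 0; r < rows; r++) {
        size_t src_off = r * old->cols * sizeof(uint16_t);
        size_t dst_off = r * new_->cols * sizeof(uint16_t);
        size_t len = cols * sizeof(uint16_t);

        /* Stop if either row start is already outside its allocation. */
        if (src_off >= old->size_bytes || dst_off >= new_->size_bytes)
            break;
        /* Pick the smaller of the two remaining sizes, as the thread describes. */
        if (len > old->size_bytes - src_off)
            len = old->size_bytes - src_off;
        if (len > new_->size_bytes - dst_off)
            len = new_->size_bytes - dst_off;

        memcpy((char *)new_->cells + dst_off,
               (const char *)old->cells + src_off, len);
        copied += len;
    }
    return copied;
}
```

The return value lets a caller notice when the copy was truncated by the allocation rather than by the geometry, which is the case worth logging when the two disagree.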