[v4] vgacon: Fix a UAF in vgacon_invert_region
Daniel Vetter
daniel at ffwll.ch
Fri Mar 6 13:12:16 UTC 2020
On Fri, Mar 6, 2020 at 1:55 PM Linus Torvalds
<torvalds at linux-foundation.org> wrote:
>
> On Fri, Mar 6, 2020 at 4:38 AM Daniel Vetter <daniel at ffwll.ch> wrote:
> >
> > Linus, since this missed the -fixes pull from Dave maybe double check I'm
> > not grossly wrong here and apply directly?
>
> Hmm. I don't have the original email, mind just sending it to me (with
> the proper added sign-off chain)?
I'll stuff it into a pull and throw that your way, that's simplest.
btw we did add dri-devel to lore a while back, so should be there:
Message-ID: <20200304022429.37738-1-zhangxiaoxu5 at huawei.com>
https://lore.kernel.org/dri-devel/20200304022429.37738-1-zhangxiaoxu5@huawei.com/
> It does strike me that there's nothing that seems to check for
> overflow in the "(width << 1) * height" calculation. Hmm?
Indeed I failed to hunt for that :-/ But I think we're good, in
vc_do_resize() we have
if (cols > VC_RESIZE_MAXCOL || lines > VC_RESIZE_MAXROW)
return -EINVAL;
And they're both (1<<15)-1 so I think should be good enough even on
32bit - I quickly checked and we're short of UINT_MAX:
$ echo $(((((1<<15)-1) << 1)*((1<<15)-1)))
2147352578
Cheers, Daniel
--
Daniel Vetter
Software Engineer, Intel Corporation
+41 (0) 79 365 57 48 - http://blog.ffwll.ch
More information about the dri-devel
mailing list