refer to https://lore.kernel.org/all/20220706150253.2186-1-deller@gmx.de/
3 patches are provided to fix CVE-2021-3365 (When sending malicous data
to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out
of bounds. https://nvd.nist.gov/vuln/detail/CVE-2021-33655) in mainline.
But only
commit 65a01e601dbb ("fbcon: Disallow setting font bigger than screen size")
was backported to stable (4.19,4.14).
without other two commit
commit e64242caef18 ("fbcon: Prevent that screen size is smaller than font size")
commit 6c11df58fd1a ("fbmem: Check virtual screen sizes in fb_set_var()")
The problem still exists.
static long do_fb_ioctl(struct fb_info *info, unsigned int cmd, unsigned long arg)
fb_set_var(info, &var);
fb_notifier_call_chain(evnt, &event); // evnt = FB_EVENT_MODE_CHANGE
static int fbcon_event_notify(struct notifier_block *self,
unsigned long action, void *data)
fbcon_modechanged(info);
updatescrollmode(p, info, vc);
...
p->vrows = vyres/fh;
if (yres > (fh * (vc->vc_rows + 1)))
p->vrows -= (yres - (fh * vc->vc_rows)) / fh;
if ((yres % fh) && (vyres % fh < yres % fh))
p->vrows--; [1]
[1]: p->vrows could be -1, like what CVE-2021-3365 described.
I think, the two commits should be backported to 4.19 and 4.14.
Helge Deller (2):
fbcon: Prevent that screen size is smaller than font size
fbmem: Check virtual screen sizes in fb_set_var()
drivers/video/fbdev/core/fbcon.c | 28 ++++++++++++++++++++++++++++
drivers/video/fbdev/core/fbmem.c | 20 +++++++++++++++++---
include/linux/fbcon.h | 4 ++++
3 files changed, 49 insertions(+), 3 deletions(-)
--
2.17.1
From: Yu Kuai <yukuai3(a)huawei.com>
One of our product reported a io hung problem, turns out the problem
can be fixed by the patch.
I'm not sure why this patch is not backported yet, however, please
consider it in 4.19 lts.
Ming Lei (1):
scsi: core: Fix race between handling STS_RESOURCE and completion
drivers/scsi/scsi_lib.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--
2.31.1