Referring to https://lore.kernel.org/all/20220706150253.2186-1-deller@gmx.de/, 3 patches are provided in mainline to fix CVE-2021-33655 (when sending malicious data to the kernel via the ioctl cmd FBIOPUT_VSCREENINFO, the kernel will write memory out of bounds; https://nvd.nist.gov/vuln/detail/CVE-2021-33655).
But only commit 65a01e601dbb ("fbcon: Disallow setting font bigger than screen size") was backported to stable (4.19, 4.14).
Without the other two commits, e64242caef18 ("fbcon: Prevent that screen size is smaller than font size") and 6c11df58fd1a ("fbmem: Check virtual screen sizes in fb_set_var()"), the problem still exists.
static long do_fb_ioctl(struct fb_info *info, unsigned int cmd, unsigned long arg)
    fb_set_var(info, &var);
        fb_notifier_call_chain(evnt, &event); // evnt = FB_EVENT_MODE_CHANGE

static int fbcon_event_notify(struct notifier_block *self, unsigned long action, void *data)
    fbcon_modechanged(info);
        updatescrollmode(p, info, vc);
            ...
            p->vrows = vyres/fh;
            if (yres > (fh * (vc->vc_rows + 1)))
                p->vrows -= (yres - (fh * vc->vc_rows)) / fh;
            if ((yres % fh) && (vyres % fh < yres % fh))
                p->vrows--;                                    [1]

[1]: p->vrows could be -1, like what CVE-2021-33655 described.
I think the two commits should be backported to 4.19 and 4.14.
Helge Deller (2):
  fbcon: Prevent that screen size is smaller than font size
  fbmem: Check virtual screen sizes in fb_set_var()

 drivers/video/fbdev/core/fbcon.c | 28 ++++++++++++++++++++++++++++
 drivers/video/fbdev/core/fbmem.c | 20 +++++++++++++++++---
 include/linux/fbcon.h            |  4 ++++
 3 files changed, 49 insertions(+), 3 deletions(-)
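As an added example (not code from this thread or from the kernel), the following user-space C program models the p->vrows arithmetic quoted in the cover letter next to the two checks that the missing commits add, so a reviewer can see on constructed numbers how a screen shrunk below one font row yields vrows == -1 and how each check rejects that request. The struct and function names, the sample values, and the assumption that vc_rows keeps the previous mode's value are the example's own; rotation handling (FBCON_SWAP) is left out.

```c
/*
 * Added example, not kernel code: a user-space model of the p->vrows
 * arithmetic from updatescrollmode() as quoted in the cover letter, next
 * to the two checks the backported commits add (font size vs. screen size,
 * and virtual size >= physical size). Rotation (FBCON_SWAP) is omitted.
 * Struct and function names are hypothetical stand-ins for the kernel's.
 */
#include <errno.h>
#include <stdio.h>

/* Subset of struct fb_var_screeninfo that the checks look at (assumption). */
struct screen_var {
	unsigned int xres, yres;
	unsigned int xres_virtual, yres_virtual;
};

/* Console font size, standing in for vc->vc_font (assumption). */
struct font_size {
	unsigned int width, height;
};

/*
 * The quoted vrows computation. int is used throughout so the negative
 * result is visible instead of wrapping. vc_rows stands in for vc->vc_rows,
 * which this example assumes keeps the previous mode's value when the new
 * yres is smaller than one font row.
 */
static int compute_vrows(int yres, int vyres, int fh, int vc_rows)
{
	int vrows = vyres / fh;

	if (yres > (fh * (vc_rows + 1)))
		vrows -= (yres - (fh * vc_rows)) / fh;
	if ((yres % fh) && (vyres % fh < yres % fh))
		vrows--;
	return vrows;
}

/* Check from commit e64242caef18: reject a screen smaller than the font. */
static int modechange_possible(const struct screen_var *var,
			       const struct font_size *font)
{
	if (font->width > var->xres || font->height > var->yres)
		return -EINVAL;
	return 0;
}

/* Check from commit 6c11df58fd1a: the virtual screen must cover the physical one. */
static int virtual_covers_physical(const struct screen_var *var)
{
	if (var->xres_virtual < var->xres || var->yres_virtual < var->yres)
		return -EINVAL;
	return 0;
}

/* 1 if an FBIOPUT_VSCREENINFO request passes both checks, else 0. */
static int set_var_accepted(const struct screen_var *var,
			    const struct font_size *font)
{
	return modechange_possible(var, font) == 0 &&
	       virtual_covers_physical(var) == 0;
}

/* Constructed sample inputs: an 8x16 font, a sane 640x400 mode, and a
 * request that shrinks the screen to 12 lines with an 8-line virtual size. */
static const struct font_size FONT_8X16 = { 8, 16 };
static const struct screen_var GOOD_VAR = { 640, 400, 640, 400 };
static const struct screen_var BAD_VAR  = { 640, 12, 640, 8 };

int main(void)
{
	/* vc_rows = 25 is what a 400-line screen with a 16-line font gives. */
	printf("good: vrows=%d accepted=%d\n",
	       compute_vrows(GOOD_VAR.yres, GOOD_VAR.yres_virtual,
			     FONT_8X16.height, 25),
	       set_var_accepted(&GOOD_VAR, &FONT_8X16));
	printf("bad:  vrows=%d accepted=%d\n",
	       compute_vrows(BAD_VAR.yres, BAD_VAR.yres_virtual,
			     FONT_8X16.height, 25),
	       set_var_accepted(&BAD_VAR, &FONT_8X16));
	return 0;
}
```

With the stale vc_rows, the 12-line request takes the `vyres % fh < yres % fh` branch and leaves vrows at -1, which is the value the cover letter points to; both checks independently return -EINVAL for it, while the 640x400 request passes and gives vrows == 25.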
From: Helge Deller <deller@gmx.de>
commit e64242caef18b4a5840b0e7a9bff37abd4f4f933 upstream
We need to prevent users from configuring a screen size which is smaller than the currently selected font size. Otherwise rendering chars on the screen will access memory outside the graphics memory region.
This patch adds a new function fbcon_modechange_possible() which implements this check and which later may be extended with other checks if necessary. The new function is called from the FBIOPUT_VSCREENINFO ioctl handler in fbmem.c, which will return -EINVAL if userspace asked for a screen size that is too small.
Signed-off-by: Helge Deller <deller@gmx.de>
Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
Link: https://lore.kernel.org/all/20220706150253.2186-1-deller@gmx.de/
[sudip: adjust context]
Signed-off-by: Chen Jun <chenjun102@huawei.com>
---
 drivers/video/fbdev/core/fbcon.c | 28 ++++++++++++++++++++++++++++
 drivers/video/fbdev/core/fbmem.c | 10 +++++++---
 include/linux/fbcon.h            |  4 ++++
 3 files changed, 39 insertions(+), 3 deletions(-)
diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c index 17ed20a73c2d..a55b3688b632 100644 --- a/drivers/video/fbdev/core/fbcon.c +++ b/drivers/video/fbdev/core/fbcon.c @@ -2729,6 +2729,34 @@ static void fbcon_set_all_vcs(struct fb_info *info) fbcon_modechanged(info); }
+/* let fbcon check if it supports a new screen resolution */ +int fbcon_modechange_possible(struct fb_info *info, struct fb_var_screeninfo *var) +{ + struct fbcon_ops *ops = info->fbcon_par; + struct vc_data *vc; + unsigned int i; + + WARN_CONSOLE_UNLOCKED(); + + if (!ops) + return 0; + + /* prevent setting a screen size which is smaller than font size */ + for (i = first_fb_vc; i <= last_fb_vc; i++) { + vc = vc_cons[i].d; + if (!vc || vc->vc_mode != KD_TEXT || + registered_fb[con2fb_map[i]] != info) + continue; + + if (vc->vc_font.width > FBCON_SWAP(var->rotate, var->xres, var->yres) || + vc->vc_font.height > FBCON_SWAP(var->rotate, var->yres, var->xres)) + return -EINVAL; + } + + return 0; +} +EXPORT_SYMBOL_GPL(fbcon_modechange_possible); + static int fbcon_mode_deleted(struct fb_info *info, struct fb_videomode *mode) { diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c index 2297dfb494d6..b1733a2e0002 100644 --- a/drivers/video/fbdev/core/fbmem.c +++ b/drivers/video/fbdev/core/fbmem.c @@ -1121,9 +1121,13 @@ static long do_fb_ioctl(struct fb_info *info, unsigned int cmd, console_unlock(); return -ENODEV; } - info->flags |= FBINFO_MISC_USEREVENT; - ret = fb_set_var(info, &var); - info->flags &= ~FBINFO_MISC_USEREVENT; + ret = fbcon_modechange_possible(info, &var); + if (!ret) { + info->flags |= FBINFO_MISC_USEREVENT; + ret = fb_set_var(info, &var); + info->flags &= ~FBINFO_MISC_USEREVENT; + } + lock_fb_info(info); unlock_fb_info(info); console_unlock(); if (!ret && copy_to_user(argp, &var, sizeof(var))) diff --git a/include/linux/fbcon.h b/include/linux/fbcon.h index f68a7db14165..39939d55c834 100644 --- a/include/linux/fbcon.h +++ b/include/linux/fbcon.h 
@@ -4,9 +4,13 @@ #ifdef CONFIG_FRAMEBUFFER_CONSOLE void __init fb_console_init(void); void __exit fb_console_exit(void); +int fbcon_modechange_possible(struct fb_info *info, + struct fb_var_screeninfo *var); #else static inline void fb_console_init(void) {} static inline void fb_console_exit(void) {} +static inline int fbcon_modechange_possible(struct fb_info *info, + struct fb_var_screeninfo *var) { return 0; } #endif
#endif /* _LINUX_FBCON_H */
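Review bot: the fbcon.c hunk's fbcon_modechange_possible() opens with WARN_CONSOLE_UNLOCKED(), which expands to a call to is_console_locked(); on 4.14.y that symbol is not exported, so with CONFIG_FRAMEBUFFER_CONSOLE=m the fb.ko link fails (the "is_console_locked" undefined error reported later in this thread). Either backport d48de54a9dab ("printk: Export is_console_locked") ahead of this patch or drop the WARN_CONSOLE_UNLOCKED() call from the backport, and record which was done next to the "[sudip: adjust context]" note.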
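Review bot: in the fbmem.c hunk, fbcon_modechange_possible(info, &var) is evaluated on the var values as userspace submitted them, before fb_set_var() lets the driver's fb_check_var() adjust them, so a driver that rounds xres/yres down does so after this check has passed. That ordering matches upstream, but the backport's commit message should say that the font-vs-screen guarantee applies to the submitted values, and that the call is made inside the console_lock()/console_unlock() region shown in the context (which is what the WARN_CONSOLE_UNLOCKED() in the new function asserts).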
From: Helge Deller <deller@gmx.de>
commit 6c11df58fd1ac0aefcb3b227f72769272b939e56 upstream
Verify that the fbdev or drm driver correctly adjusted the virtual screen sizes. On failure, report the failing driver and reject the screen size change.
Signed-off-by: Helge Deller <deller@gmx.de>
Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
Link: https://lore.kernel.org/all/20220706150253.2186-1-deller@gmx.de/
[sudip: adjust context]
Signed-off-by: Chen Jun <chenjun102@huawei.com>
---
 drivers/video/fbdev/core/fbmem.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c index b1733a2e0002..a8574a2a466e 100644 --- a/drivers/video/fbdev/core/fbmem.c +++ b/drivers/video/fbdev/core/fbmem.c @@ -1006,6 +1006,16 @@ fb_set_var(struct fb_info *info, struct fb_var_screeninfo *var) if (ret) goto done;
+ /* verify that virtual resolution >= physical resolution */ + if (var->xres_virtual < var->xres || + var->yres_virtual < var->yres) { + pr_warn("WARNING: fbcon: Driver '%s' missed to adjust virtual screen size (%ux%u vs. %ux%u)\n", + info->fix.id, + var->xres_virtual, var->yres_virtual, + var->xres, var->yres); + return -EINVAL; + } + if ((var->activate & FB_ACTIVATE_MASK) == FB_ACTIVATE_NOW) { struct fb_var_screeninfo old_var; struct fb_videomode mode;
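Review bot: the pr_warn() in this hunk sits on a path that any process able to issue FBIOPUT_VSCREENINFO on the device can drive with arbitrary xres_virtual/yres_virtual values, so a loop of rejected requests floods the log; pr_warn_ratelimited() (or pr_warn_once(), since the message blames the driver rather than the caller) keeps the diagnostic without that side effect. For consistency with the `if (ret) goto done;` immediately above, consider `ret = -EINVAL; goto done;` instead of a bare `return -EINVAL;` so both failure exits from fb_set_var() take the same path.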
On Fri, Jul 29, 2022 at 03:11:38AM +0000, Chen Jun wrote:
> Referring to https://lore.kernel.org/all/20220706150253.2186-1-deller@gmx.de/, 3 patches are provided in mainline to fix CVE-2021-33655 (when sending malicious data to the kernel via the ioctl cmd FBIOPUT_VSCREENINFO, the kernel will write memory out of bounds; https://nvd.nist.gov/vuln/detail/CVE-2021-33655).
> But only commit 65a01e601dbb ("fbcon: Disallow setting font bigger than screen size") was backported to stable (4.19, 4.14).
> Without the other two commits, e64242caef18 ("fbcon: Prevent that screen size is smaller than font size") and 6c11df58fd1a ("fbmem: Check virtual screen sizes in fb_set_var()"), the problem still exists.
> 
> static long do_fb_ioctl(struct fb_info *info, unsigned int cmd, unsigned long arg)
>     fb_set_var(info, &var);
>         fb_notifier_call_chain(evnt, &event); // evnt = FB_EVENT_MODE_CHANGE
> 
> static int fbcon_event_notify(struct notifier_block *self, unsigned long action, void *data)
>     fbcon_modechanged(info);
>         updatescrollmode(p, info, vc);
>             ...
>             p->vrows = vyres/fh;
>             if (yres > (fh * (vc->vc_rows + 1)))
>                 p->vrows -= (yres - (fh * vc->vc_rows)) / fh;
>             if ((yres % fh) && (vyres % fh < yres % fh))
>                 p->vrows--;                                    [1]
> 
> [1]: p->vrows could be -1, like what CVE-2021-33655 described.
> 
> I think the two commits should be backported to 4.19 and 4.14.
> 
> Helge Deller (2):
>   fbcon: Prevent that screen size is smaller than font size
>   fbmem: Check virtual screen sizes in fb_set_var()
> 
>  drivers/video/fbdev/core/fbcon.c | 28 ++++++++++++++++++++++++++++
>  drivers/video/fbdev/core/fbmem.c | 20 +++++++++++++++++---
>  include/linux/fbcon.h            |  4 ++++
>  3 files changed, 49 insertions(+), 3 deletions(-)
> 
> -- 
> 2.17.1
This breaks the build on 4.14.y, did you test it there?
The error is: ERROR: "is_console_locked" [drivers/video/fbdev/core/fb.ko] undefined!
Can you please fix this up and also do a 4.9.y version?
thanks,
greg k-h
On 2022/7/31 20:37, Greg KH wrote:
> This breaks the build on 4.14.y, did you test it there?
> 
> The error is: ERROR: "is_console_locked" [drivers/video/fbdev/core/fb.ko] undefined!
If CONFIG_FRAMEBUFFER_CONSOLE=m, commit d48de54a9dab ("printk: Export is_console_locked") is needed, which was merged in 4.19.
I will send the patch.
> Can you please fix this up and also do a 4.9.y version?
OK, I will do it.
> thanks,
> 
> greg k-h