{
  "commit": "1855aaccd74cb9528c24ceb6bc15358a411f65ff",
  "tree": "c5cce49b32c62a2a10e88c8277ab75e539971cf6",
  "parents": [
    "8389c9d75e0867064eb5699251da3836191d0420"
  ],
  "author": {
    "name": "Zhang Xiaoxu",
    "email": "zhangxiaoxu5@huawei.com",
    "time": "Wed Mar 04 10:24:29 2020 +0800"
  },
  "committer": {
    "name": "Greg Kroah-Hartman",
    "email": "gregkh@linuxfoundation.org",
    "time": "Wed Mar 11 18:03:02 2020 +0100"
  },
  "message": "vgacon: Fix a UAF in vgacon_invert_region\n\ncommit 513dc792d6060d5ef572e43852683097a8420f56 upstream.\n\nWhen running syzkaller tests, there is a UAF:\n  BUG: KASan: use after free in vgacon_invert_region+0x9d/0x110 at addr\n    ffff880000100000\n  Read of size 2 by task syz-executor.1/16489\n  page:ffffea0000004000 count:0 mapcount:-127 mapping:          (null)\n  index:0x0\n  page flags: 0xfffff00000000()\n  page dumped because: kasan: bad access detected\n  CPU: 1 PID: 16489 Comm: syz-executor.1 Not tainted\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n  rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014\n  Call Trace:\n    [\u003cffffffffb119f309\u003e] dump_stack+0x1e/0x20\n    [\u003cffffffffb04af957\u003e] kasan_report+0x577/0x950\n    [\u003cffffffffb04ae652\u003e] __asan_load2+0x62/0x80\n    [\u003cffffffffb090f26d\u003e] vgacon_invert_region+0x9d/0x110\n    [\u003cffffffffb0a39d95\u003e] invert_screen+0xe5/0x470\n    [\u003cffffffffb0a21dcb\u003e] set_selection+0x44b/0x12f0\n    [\u003cffffffffb0a3bfae\u003e] tioclinux+0xee/0x490\n    [\u003cffffffffb0a1d114\u003e] vt_ioctl+0xff4/0x2670\n    [\u003cffffffffb0a0089a\u003e] tty_ioctl+0x46a/0x1a10\n    [\u003cffffffffb052db3d\u003e] do_vfs_ioctl+0x5bd/0xc40\n    [\u003cffffffffb052e2f2\u003e] SyS_ioctl+0x132/0x170\n    [\u003cffffffffb11c9b1b\u003e] system_call_fastpath+0x22/0x27\n    Memory state around the buggy address:\n     ffff8800000fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n     00 00\n     ffff8800000fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00\n     00 00 00\n    \u003effff880000100000: ff ff ff ff ff ff ff ff ff ff ff ff ff\n     ff ff ff\n\nIt can be reproduced in the Linux mainline by the program:\n  #include \u003cstdio.h\u003e\n  #include \u003cstdlib.h\u003e\n  #include \u003cunistd.h\u003e\n  #include \u003cfcntl.h\u003e\n  #include \u003csys/types.h\u003e\n  #include \u003csys/stat.h\u003e\n  #include \u003csys/ioctl.h\u003e\n  #include \u003clinux/vt.h\u003e\n\n  struct tiocl_selection {\n    unsigned short xs;      /* X start */\n    unsigned short ys;      /* Y start */\n    unsigned short xe;      /* X end */\n    unsigned short ye;      /* Y end */\n    unsigned short sel_mode; /* selection mode */\n  };\n\n  #define TIOCL_SETSEL    2\n  struct tiocl {\n    unsigned char type;\n    unsigned char pad;\n    struct tiocl_selection sel;\n  };\n\n  int main()\n  {\n    int fd \u003d 0;\n    const char *dev \u003d \"/dev/char/4:1\";\n\n    struct vt_consize v \u003d {0};\n    struct tiocl tioc \u003d {0};\n\n    fd \u003d open(dev, O_RDWR, 0);\n\n    v.v_rows \u003d 3346;\n    ioctl(fd, VT_RESIZEX, \u0026v);\n\n    tioc.type \u003d TIOCL_SETSEL;\n    ioctl(fd, TIOCLINUX, \u0026tioc);\n\n    return 0;\n  }\n\nWhen resizing the screen, \u0027vc-\u003evc_size_row\u0027 is updated to the new_row_size,\nbut when \u0027set_origin\u0027 in \u0027vgacon_set_origin\u0027, vgacon uses \u0027vga_vram_base\u0027\nfor \u0027vc_origin\u0027 and \u0027vc_visible_origin\u0027, not \u0027vc_screenbuf\u0027. It may be\nsmaller than \u0027vc_screenbuf\u0027. When TIOCLINUX uses the new_row_size to calculate\nthe offset, it may be larger than the vga_vram_size in the vgacon driver, causing\na bad access.\nAlso, if a larger screenbuf is set first and then an even larger\nscreenbuf, a bad access may happen when copying old_origin to new_origin.\n\nSo, if the screen size is larger than vga_vram, the screen resize should\nfail. This also fixes CVE-2020-8649 and CVE-2020-8647.\n\nLinus pointed out that overflow checking seems absent. We\u0027re saved by\nthe existing bounds checks in vc_do_resize() with rather strict\nlimits:\n\n\tif (cols \u003e VC_RESIZE_MAXCOL || lines \u003e VC_RESIZE_MAXROW)\n\t\treturn -EINVAL;\n\nFixes: 0aec4867dca14 (\"[PATCH] SVGATextMode fix\")\nReference: CVE-2020-8647 and CVE-2020-8649\nReported-by: Hulk Robot \u003chulkci@huawei.com\u003e\nSigned-off-by: Zhang Xiaoxu \u003czhangxiaoxu5@huawei.com\u003e\n[danvet: augment commit message to point out overflow safety]\nCc: stable@vger.kernel.org\nSigned-off-by: Daniel Vetter \u003cdaniel.vetter@ffwll.ch\u003e\nLink: https://patchwork.freedesktop.org/patch/msgid/20200304022429.37738-1-zhangxiaoxu5@huawei.com\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "a17ba1465815f919444a83676517dc0f7e2bba16",
      "old_mode": 33188,
      "old_path": "drivers/video/console/vgacon.c",
      "new_id": "ff6612a3ddc8d67045c0d932a109f982bb99b486",
      "new_mode": 33188,
      "new_path": "drivers/video/console/vgacon.c"
    }
  ]
}
