[PATCH openEuler-1.0] tty: vt: Fix vc_origin buffer copy overflow in fbcon_prepare_logo()
From: Wang ShaoBo <bobo.shaobowang@huawei.com>

Offering: HULK
hulk inclusion
category: bugfix
bugzilla: NA
CVE: NA

----------------------------------------------------------------------

I got a KASAN report as below:

BUG: KASAN: slab-use-after-free in fbcon_prepare_logo+0x61e/0xc90
Read of size 14 at addr ffff88812c9a4c38 by task syz.0.3549/19016

CPU: 0 PID: 19016 Comm: syz.0.3549 Not tainted 6.6.0+ #80
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x72/0xa0
 print_address_description.constprop.0+0x6b/0x3d0
 ? fbcon_prepare_logo+0x61e/0xc90
 print_report+0xba/0x280
 ? fbcon_prepare_logo+0x61e/0xc90
 ? kasan_addr_to_slab+0xd/0xa0
 ? fbcon_prepare_logo+0x61e/0xc90
 kasan_report+0xaf/0xe0
 ? fbcon_prepare_logo+0x61e/0xc90
 kasan_check_range+0x100/0x1c0
 __asan_memcpy+0x23/0x60
 fbcon_prepare_logo+0x61e/0xc90
 fbcon_init+0xeb9/0x1db0
 ? __pfx_drm_fb_helper_set_par+0x10/0x10
 visual_init+0x310/0x5c0
 do_bind_con_driver.isra.0+0x627/0xbd0
 store_bind+0x60b/0x710
 ? __pfx_store_bind+0x10/0x10
 dev_attr_store+0x5a/0x90
 ? __pfx_dev_attr_store+0x10/0x10
 sysfs_kf_write+0x145/0x1b0
 kernfs_fop_write_iter+0x367/0x580
 ? __pfx_sysfs_kf_write+0x10/0x10
 new_sync_write+0x1b1/0x2d0
 ? __pfx_new_sync_write+0x10/0x10
 ? rb_commit+0x121/0x910
 ? avc_policy_seqno+0xe/0x20
 ? selinux_file_permission+0x129/0x5d0
 ? security_file_permission+0xa8/0x700
 vfs_write+0x71a/0x960
 ksys_write+0x12e/0x260

fbcon_init()
  -> vc_resize()  //success resize vc_origin buffer size=224=7(cols)*2*16(rows)
  -> fbcon_prepare_logo(vc, info, old_cols, old_rows, new_cols, new_rows)  //old_cols=256,old_rows=4,new_cols=7,new_rows=16

There happens to be a vc_origin buffer copy overflow in fbcon_prepare_logo(): scrolling the screen down using the old cols after the vc resize runs past the lower bound of the vc_origin buffer.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Wang ShaoBo <bobo.shaobowang@huawei.com> Acked-by: Thomas Zimmermann <tzimmermann@suse.de> --- drivers/video/fbdev/core/fbcon.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c index f5178eefec64..83a4949e2497 100644 --- a/drivers/video/fbdev/core/fbcon.c +++ b/drivers/video/fbdev/core/fbcon.c @@ -592,6 +592,8 @@ static void fbcon_prepare_logo(struct vc_data *vc, struct fb_info *info, /* We can scroll screen down */ r = q - step - cols; for (cnt = rows - logo_lines; cnt > 0; cnt--) { + if (r < (unsigned short *) vc->vc_origin) + break; scr_memcpyw(r + step, r, vc->vc_size_row); r -= cols; } -- 2.22.0
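Review bot: the new guard only bounds the source pointer `r` against `vc->vc_origin`; the destination `r + step` and the `vc->vc_size_row` length passed to `scr_memcpyw(r + step, r, vc->vc_size_row)` are still unchecked, and since `q`, `step` and `cols` are derived from the pre-resize geometry the copy can in principle still reach past the end of the (now smaller) buffer even when `r` is in range. Consider also checking the end of the destination row against `vc->vc_origin + vc->vc_screenbuf_size` before the copy, and add a one-line comment above the `break` explaining that `r` can fall below `vc_origin` because the loop walks with the old `cols` after `vc_resize()` has shrunk the buffer, so a future reader does not mistake the check for dead code.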