OpenCloudOS-Kernel/drivers/tty
Igor Matheus Andrade Torrente 3b0c406124 tty: Fix out-of-bound vmalloc access in imageblit
This issue happens when a userspace program does an ioctl
FBIOPUT_VSCREENINFO passing the fb_var_screeninfo struct
containing only the fields xres, yres, and bits_per_pixel
with values.

If this struct is the same as the previous ioctl, the
vc_resize() detects it and doesn't call the resize_screen(),
leaving the fb_var_screeninfo incomplete. And this leads to
the updatescrollmode() calculates a wrong value to
fbcon_display->vrows, which makes the real_y() return a
wrong value of y, and that value, eventually, causes
the imageblit to access an out-of-bound address value.

To solve this issue I made the resize_screen() be called
even if the screen does not need any resizing, so it will
"fix and fill" the fb_var_screeninfo independently.

Cc: stable <stable@vger.kernel.org> # after 5.15-rc2 is out, give it time to bake
Reported-and-tested-by: syzbot+858dc7a2f7ef07c2c219@syzkaller.appspotmail.com
Signed-off-by: Igor Matheus Andrade Torrente <igormtorrente@gmail.com>
Link: https://lore.kernel.org/r/20210628134509.15895-1-igormtorrente@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-07-21 12:41:28 +02:00
..
hvc TTY / Serial patches for 5.14-rc1 2021-07-05 14:08:24 -07:00
ipwireless ipwireless: remove unused ipw_tty::closing 2021-06-15 14:02:43 +02:00
serdev tty: serdev: core: Fix misspelled function name __serdev_device_driver_register() 2021-05-20 17:05:34 +02:00
serial serial: samsung: use dma_ops of DMA if attached 2021-07-21 12:40:33 +02:00
vt tty: Fix out-of-bound vmalloc access in imageblit 2021-07-21 12:41:28 +02:00
Kconfig This pull request contains the following changes for UML: 2021-07-09 10:19:13 -07:00
Makefile tty: remove broken r3964 line discipline 2021-05-13 16:57:15 +02:00
amiserial.c tty: make tty_operations::chars_in_buffer return uint 2021-05-13 18:29:11 +02:00
ehv_bytechan.c tty: make tty_operations::write_room return uint 2021-05-13 17:03:20 +02:00
goldfish.c tty: make tty_operations::chars_in_buffer return uint 2021-05-13 18:29:11 +02:00
mips_ejtag_fdc.c tty: make tty_operations::chars_in_buffer return uint 2021-05-13 18:29:11 +02:00
moxa.c tty: make tty_operations::chars_in_buffer return uint 2021-05-13 18:29:11 +02:00
moxa.h tty: fix spelling mistake 2020-06-27 16:21:20 +02:00
mxser.c mxser: introduce mxser_16550A_or_MUST helper 2021-06-18 13:10:03 +02:00
n_gsm.c tty: n_gsm: Fix function naming and provide missing param descriptions 2021-05-20 17:06:17 +02:00
n_hdlc.c tty: n_hdlc: Fix a little doc-rot in n_hdlc_tty_read() 2021-05-20 17:06:17 +02:00
n_null.c tty: make tty_ldisc_ops a param in tty_unregister_ldisc 2021-05-13 16:57:16 +02:00
n_tty.c tty: drop tty_ldisc_ops::refcount 2021-05-13 16:57:17 +02:00
nozomi.c tty: nozomi: Fix the error handling path of 'nozomi_card_init()' 2021-05-27 15:20:02 +02:00
pty.c tty: pty: correct function name pty_resize() 2021-05-20 16:33:06 +02:00
synclink_gt.c tty: make use of tty_get_{char,frame}_size 2021-06-15 14:03:27 +02:00
sysrq.c tty/sysrq: Fix issues of code indent should use tabs 2021-04-10 10:33:00 +02:00
tty.h tty: clean include/linux/tty.h up 2021-04-15 10:32:17 +02:00
tty_audit.c tty: audit: move some local functions out of tty.h 2021-04-15 10:24:58 +02:00
tty_baudrate.c tty: tty_baudrate: Fix coding style issues of block comments 2021-05-13 18:29:12 +02:00
tty_buffer.c tty: tty_buffer: Fix incorrectly documented function __tty_buffer_request_room() 2021-05-20 17:06:15 +02:00
tty_io.c tty: fix kernel-doc for {start,stop}_tty 2021-05-20 16:59:14 +02:00
tty_ioctl.c tty: make tty_get_{char,frame}_size available 2021-06-15 14:03:26 +02:00
tty_jobctrl.c tty: tty_jobctrl: Fix 2 incorrectly documented functions 2021-05-20 17:06:15 +02:00
tty_ldisc.c tty: tty_ldisc: fix doc warnings in tty_ldisc.c 2021-06-09 14:43:23 +02:00
tty_ldsem.c locking/lockdep: Remove unused @nested argument from lock_release() 2019-10-09 12:46:10 +02:00
tty_mutex.c tty: move some internal tty lock enums and functions out of tty.h 2021-04-15 10:26:58 +02:00
tty_port.c tty: tty_port: Fix coding style issues of block comments 2021-05-13 18:29:13 +02:00
ttynull.c tty: make tty_operations::write_room return uint 2021-05-13 17:03:20 +02:00
vcc.c TTY / Serial patches for 5.14-rc1 2021-07-05 14:08:24 -07:00