Date: Sun, 5 Mar 2023 18:54:57 +0100
From: Samuel Thibault
To: Kees Cook
Cc: syzbot, akpm@linux-foundation.org, linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, Jiri Slaby, Greg Kroah-Hartman
Subject: Re: [syzbot] [hardening?] [mm?] BUG: bad usercopy in con_font_op
Message-ID: <20230305175457.kp6b5lmwwdxw4ii6@begin>
References: <0000000000001d1fb505f605c295@google.com> <64026f89.170a0220.7940.49ff@mx.google.com>
In-Reply-To: <64026f89.170a0220.7940.49ff@mx.google.com>

Kees Cook, on Fri., 03 Mar 2023 14:07:04 -0800, wrote:
> #define max_font_width 64
> #define max_font_height 128
> #define max_font_glyphs 512
> #define max_font_size (max_font_glyphs*max_font_width*max_font_height)
> ...
> font.data = kvmalloc(max_font_size, GFP_KERNEL);
> ...
> if (op->data && copy_to_user(op->data, font.data, c))
>         rc = -EFAULT;
>
> it is correctly seeing "c" (4194560 in the report) as larger than
> "max_font_size" (4194304, seen reported by "folio_size(folio)"). The
> "c" calculation comes from:
>
> unsigned int vpitch = op->op == KD_FONT_OP_GET_TALL ? op->height : 32;
> ...
> rc = vc->vc_sw->con_font_get(vc, &font, vpitch);
> ...
> c = (font.width+7)/8 * vpitch * font.charcount;
>
> So yes, 4194560 is larger than 4194304, and a memory exposure was,
> in fact, blocked here.
>
> Given the recent work in this area, I'm not sure which calculation is
> wrong, max_font_size or c. Samuel?

They are not wrong. It's the vpitch value (coming from userland's
op.height) which is out of bounds and missing a check.

The patch below should be fixing it, could you check?

I don't know how I am supposed to properly reference the syzbot report
etc., could somebody used to the process handle submitting the fix?

Samuel


VT: Protect KD_FONT_OP_GET_TALL from unbound access

In ioctl(KD_FONT_OP_GET_TALL), userland tells through op->height which
vpitch should be used to copy over the font. In con_font_get, we were
not checking that it is within the maximum height value, and thus
userland could make the vc->vc_sw->con_font_get(vc, &font, vpitch);
call possibly overflow the allocated max_font_size bytes, and the
copy_to_user(op->data, font.data, c) call possibly read out of that
allocated buffer.

By checking vpitch against max_font_height, the max_font_size buffer
will always be large enough for the vc->vc_sw->con_font_get(vc, &font,
vpitch) call (since we already prevent loading a font larger than that),
and c = (font.width+7)/8 * vpitch * font.charcount will always remain
below max_font_size.

Fixes: 24d69384bcd3 ("VT: Add KD_FONT_OP_SET/GET_TALL operations")
Signed-off-by: Samuel Thibault

diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 57a5c23b51d4..3c2ea9c098f7 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -4545,6 +4545,9 @@ static int con_font_get(struct vc_data *vc, struct console_font_op *op)
 	int c;
 	unsigned int vpitch = op->op == KD_FONT_OP_GET_TALL ? op->height : 32;
 
+	if (vpitch > max_font_height)
+		return -EINVAL;
+
 	if (op->data) {
 		font.data = kvmalloc(max_font_size, GFP_KERNEL);
 		if (!font.data)
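Review bot: the new comparison rejects an oversized op->height before the kvmalloc, which is the right place for it, but the guarantee stated in the commit message, that c = (font.width+7)/8 * vpitch * font.charcount stays within max_font_size, also relies on font.width and font.charcount having been capped at font-load time (max_font_width and max_font_glyphs), and nothing in this hunk shows that; a one-line comment above `if (vpitch > max_font_height)` naming those three bounds would make it clear to the next reader why this single check is sufficient. Since vpitch is declared `unsigned int`, the comparison cannot be bypassed by a wrapped or sign-extended height value, so no additional cast is needed.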