Message-ID: <5758e4f4-a37b-91c1-0a60-850b4152e7db@kernel.org>
Date: Mon, 6 Mar 2023 08:32:11 +0100
From: Jiri Slaby
To: Samuel Thibault, Kees Cook, syzbot, akpm@linux-foundation.org, linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, Greg Kroah-Hartman
Subject: Re: [syzbot] [hardening?] [mm?] BUG: bad usercopy in con_font_op
In-Reply-To: <20230305175457.kp6b5lmwwdxw4ii6@begin>
References: <0000000000001d1fb505f605c295@google.com> <64026f89.170a0220.7940.49ff@mx.google.com> <20230305175457.kp6b5lmwwdxw4ii6@begin>

On 05. 03. 23, 18:54, Samuel Thibault wrote:
> Kees Cook, on Fri. 03 Mar 2023 14:07:04 -0800, wrote:
>> #define max_font_width 64
>> #define max_font_height 128
>> #define max_font_glyphs 512
>> #define max_font_size (max_font_glyphs*max_font_width*max_font_height)
>> ...
>> font.data = kvmalloc(max_font_size, GFP_KERNEL);
>> ...
>> if (op->data && copy_to_user(op->data, font.data, c))
>> rc = -EFAULT;
>>
>> it is correctly seeing "c" (4194560 in the report) as larger than
>> "max_font_size" (4194304, seen reported by "folio_size(folio)"). The
>> "c" calculation comes from:
>>
>> unsigned int vpitch = op->op == KD_FONT_OP_GET_TALL ? op->height : 32;
>> ...
>> rc = vc->vc_sw->con_font_get(vc, &font, vpitch);
>> ...
>> c = (font.width+7)/8 * vpitch * font.charcount;
>>
>> So yes, 4194560 is larger than 4194304, and a memory exposure was,
>> in fact, blocked here.
>>
>> Given the recent work in this area, I'm not sure which calculation is
>> wrong, max_font_size or c. Samuel?
>
> They are not wrong. It's the vpitch value (coming from userland's
> op.height) which is out of bound and missing a check.
>
> The patch below should be fixing it, could you check?
>
> I don't know how I am supposed to properly reference the syzbot report
> etc., could somebody used to the process handle submitting the fix?

It's as simple as adding:

Reported-by: syzbot+3af17071816b61e807ed@syzkaller.appspotmail.com

to the tags.

> VT: Protect KD_FONT_OP_GET_TALL from unbound access
>
> In ioctl(KD_FONT_OP_GET_TALL), userland tells through op->height which
> vpitch should be used to copy over the font. In con_font_get, we were
> not checking that it is within the maximum height value, and thus
> userland could make the vc->vc_sw->con_font_get(vc, &font, vpitch);
> call possibly overflow the allocated max_font_size bytes, and the
> copy_to_user(op->data, font.data, c) call possibly read out of that
> allocated buffer.
>
> By checking vpitch against max_font_height, the max_font_size buffer
> will always be large enough for the vc->vc_sw->con_font_get(vc, &font,
> vpitch) call (since we already prevent loading a font larger than that),
> and c = (font.width+7)/8 * vpitch * font.charcount will always remain
> below max_font_size.
>
> Fixes: 24d69384bcd3 ("VT: Add KD_FONT_OP_SET/GET_TALL operations")

Reviewed-by: Jiri Slaby
> Signed-off-by: Samuel Thibault
>
> diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
> index 57a5c23b51d4..3c2ea9c098f7 100644
> --- a/drivers/tty/vt/vt.c
> +++ b/drivers/tty/vt/vt.c
> @@ -4545,6 +4545,9 @@ static int con_font_get(struct vc_data *vc, struct console_font_op *op)
> int c;
> unsigned int vpitch = op->op == KD_FONT_OP_GET_TALL ? op->height : 32;
>
> + if (vpitch > max_font_height)
> + return -EINVAL;
> +
> if (op->data) {
> font.data = kvmalloc(max_font_size, GFP_KERNEL);
> if (!font.data)

-- 
js
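Review bot: the new check sits before the kvmalloc(), so the -EINVAL path has nothing to free and it runs for KD_FONT_OP_GET as well, where vpitch is fixed at 32 and therefore always passes, so the legacy path cannot regress. The bound only keeps c inside max_font_size because font.width and font.charcount are already limited when a font is loaded, which the commit message states but the code does not; a one-line comment above `if (vpitch > max_font_height)` noting that vpitch is user controlled for GET_TALL and that the other two factors are capped at load time would save the next reader from re-deriving why max_font_height is the right limit here.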
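An added example, not part of this thread or of drivers/tty/vt/vt.c: it models the con_font_get() size arithmetic quoted in Kees Cook's mail, using the constants from that mail plus the vpitch check from Samuel Thibault's patch, and confirms exhaustively that, for any font within the load-time limits the commit message relies on (width at most max_font_width and charcount at most max_font_glyphs, assumed here), a bounded vpitch keeps c within the kvmalloc'd max_font_size. The KD_FONT_OP_GET_TALL value and the 16385 height are constructed for the model.

```c
#include <errno.h>
#include <stdio.h>
/* Constants as quoted from drivers/tty/vt/vt.c in the thread. */
#define max_font_width  64
#define max_font_height 128
#define max_font_glyphs 512
#define max_font_size   (max_font_glyphs * max_font_width * max_font_height)
#define KD_FONT_OP_GET_TALL 1 /* placeholder value for this model, not uapi */

/* Same arithmetic as c = (font.width+7)/8 * vpitch * font.charcount. */
static unsigned long font_copy_len(unsigned int width, unsigned int vpitch,
                                   unsigned int charcount)
{
    return (unsigned long)((width + 7) / 8) * vpitch * charcount;
}

/* vpitch selection plus the check the patch adds before kvmalloc():
 * returns the vpitch to use, or -EINVAL for an oversized GET_TALL height. */
static long checked_vpitch(unsigned int op, unsigned int height)
{
    unsigned int vpitch = (op == KD_FONT_OP_GET_TALL) ? height : 32;
    return vpitch > max_font_height ? -EINVAL : (long)vpitch;
}

/* Exhaustive check of the commit message's claim: with vpitch bounded and the
 * font within the load-time limits (assumed here), c never exceeds
 * max_font_size. Returns the largest c seen, or 0 if any combination would. */
static unsigned long worst_case_copy_len(void)
{
    unsigned long worst = 0;
    for (unsigned int w = 1; w <= max_font_width; w++)
        for (unsigned int p = 1; p <= max_font_height; p++)
            for (unsigned int n = 1; n <= max_font_glyphs; n++) {
                unsigned long c = font_copy_len(w, p, n);
                if (c > max_font_size)
                    return 0;
                if (c > worst)
                    worst = c;
            }
    return worst;
}

int main(void)
{
    printf("height 16385 -> rc %ld; unchecked c %lu vs %d-byte buffer\n",
           checked_vpitch(KD_FONT_OP_GET_TALL, 16385), /* constructed input */
           font_copy_len(8, 16385, 256), max_font_size);
    printf("largest c for a valid request: %lu\n", worst_case_copy_len());
    return 0;
}
```

With the constructed 8-wide, 256-glyph font an unchecked height of 16385 gives exactly the 4194560 bytes from the report, while the largest c any in-bounds request can produce is 524288, well under the 4194304-byte allocation.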