Re: Bug report - slab-out-of-bounds in vcs_scr_readw

From: Dmitry Vyukov
Date: Tue Nov 05 2019 - 05:53:33 EST


On Tue, Nov 5, 2019 at 11:29 AM Jiri Slaby <jslaby@xxxxxxxx> wrote:
>
> On 05. 11. 19, 10:33, Nicolas Pitre wrote:
> > Subject: [PATCH] vcs: prevent write access to vcsu devices
> >
> > Commit d21b0be246bf ("vt: introduce unicode mode for /dev/vcs") guarded
> > against using devices containing attributes as this is not yet
> > implemented. It however failed to guard against writes to any devices
> > as this is also unimplemented.
> >
> > Signed-off-by: Nicolas Pitre <npitre@xxxxxxxxxxxx>
> > Cc: <stable@xxxxxxxxxxxxxxx> # v4.19+
> >
> > diff --git a/drivers/tty/vt/vc_screen.c b/drivers/tty/vt/vc_screen.c
> > index fa07d79027..ef19b95b73 100644
> > --- a/drivers/tty/vt/vc_screen.c
> > +++ b/drivers/tty/vt/vc_screen.c
> > @@ -456,6 +456,9 @@ vcs_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos)
> > size_t ret;
> > char *con_buf;
> >
> > + if (use_unicode(inode))
> > + return -EOPNOTSUPP;
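Review bot: the hunk header `@@ -456,6 +456,9 @@` announces three added lines, but only two `+` lines are quoted before the reply resumes, so the third added line and the trailing context are missing from the quote and the hunk cannot be checked for where the new check sits relative to the code that follows `char *con_buf;`. The check itself depends on a local `inode` that does not appear in the visible context (`size_t ret; char *con_buf;`); confirm it is the `file_inode(file)` local declared earlier in `vcs_write` rather than something else in scope. A one-line comment above the check stating that writes to unicode-mode devices are unimplemented (the reason given in the commit message) would make clear to later readers why `-EOPNOTSUPP`, not `-EINVAL`, is returned.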
>
> Looks good to me. I am also thinking about a ban directly in open:
>
> if (use_unicode(inode) && (filp->f_flags & O_ACCMODE) != O_RDONLY)
>         return -EOPNOTSUPP;
>
> Would that break the unicode users?


On a related note, syzbot seems to get very similar bug reports on
some downstream kernels (4.15):
KASAN: use-after-free Read in vcs_scr_readw
KASAN: use-after-free Write in vcs_scr_writew

but not on upstream. I wonder why, and whether we are missing some good
config in the upstream kernel or something. All this fuzzing is somewhat
random, so it might have just happened without any particular reason
(maybe it will discover it later). But I wanted to check if there are
some low-hanging fruits. Anything obviously missing in
https://github.com/google/syzkaller/blob/master/dashboard/config/upstream-kasan.config
?
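To make Jiri's open-time suggestion concrete for readers of the thread, here is an added example that is not kernel code and not part of any patch in this discussion. It models the proposed `vcs_open` check as a plain userspace function: the kernel's `use_unicode(inode)` is replaced by a boolean argument, and `filp->f_flags` by an `int`. The point it demonstrates is why the check masks with `O_ACCMODE`: a read-only open of a unicode device (even one carrying extra flags such as `O_NONBLOCK`) is still allowed, so existing readers of /dev/vcsu would keep working, while any write-capable open is refused with `-EOPNOTSUPP` before `vcs_write` is ever reached. The second function, `naive_open_policy`, is a deliberately wrong variant that compares the raw flags and so rejects legitimate read-only opens; both functions are hypothetical names introduced for this example.

```c
/* Added example: models Jiri's proposed open-time check outside the kernel.
 * Nothing here is taken from drivers/tty/vt/vc_screen.c. */
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for the check suggested for vcs_open(): use_unicode replaces the
 * kernel's use_unicode(inode), f_flags replaces filp->f_flags.
 * Returns 0 when the open would be permitted, -EOPNOTSUPP when refused.
 * O_ACCMODE keeps only the access-mode bits (O_RDONLY/O_WRONLY/O_RDWR), so
 * status flags such as O_NONBLOCK or O_APPEND do not affect the decision. */
static int vcsu_open_policy(bool use_unicode, int f_flags)
{
	if (use_unicode && (f_flags & O_ACCMODE) != O_RDONLY)
		return -EOPNOTSUPP;
	return 0;
}

/* Deliberately wrong variant for comparison: without the mask, a read-only
 * open that carries any other flag no longer equals O_RDONLY and is refused,
 * which is exactly the "break the unicode users" outcome the thread worries
 * about. */
static int naive_open_policy(bool use_unicode, int f_flags)
{
	if (use_unicode && f_flags != O_RDONLY)
		return -EOPNOTSUPP;
	return 0;
}

/* Prints a small table of constructed open requests against both policies. */
int main(void)
{
	struct { const char *name; int flags; } cases[] = {
		{ "O_RDONLY",             O_RDONLY },
		{ "O_RDONLY|O_NONBLOCK",  O_RDONLY | O_NONBLOCK },
		{ "O_WRONLY",             O_WRONLY },
		{ "O_RDWR|O_APPEND",      O_RDWR | O_APPEND },
	};
	size_t i;

	printf("%-22s %-10s %-10s\n", "unicode device open", "masked", "naive");
	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		printf("%-22s %-10d %-10d\n", cases[i].name,
		       vcsu_open_policy(true, cases[i].flags),
		       naive_open_policy(true, cases[i].flags));
	}
	/* A non-unicode device is never affected by either policy. */
	printf("non-unicode O_RDWR      %-10d %-10d\n",
	       vcsu_open_policy(false, O_RDWR),
	       naive_open_policy(false, O_RDWR));
	return 0;
}
```

The table shows that the masked policy admits both read-only rows and rejects both write-capable rows, whereas the naive policy also rejects `O_RDONLY|O_NONBLOCK`; that difference is the only behavioural question the masked check raises for existing unicode readers.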