linux-stable/drivers
Igor Matheus Andrade Torrente 067c694d06 tty: Fix out-of-bound vmalloc access in imageblit
[ Upstream commit 3b0c406124 ]

This issue happens when a userspace program does an ioctl
FBIOPUT_VSCREENINFO passing the fb_var_screeninfo struct
containing only the fields xres, yres, and bits_per_pixel
with values.

If this struct is the same as the previous ioctl, the
vc_resize() detects it and doesn't call the resize_screen(),
leaving the fb_var_screeninfo incomplete. This leads
updatescrollmode() to calculate a wrong value for
fbcon_display->vrows, which makes the real_y() return a
wrong value of y, and that value, eventually, causes
the imageblit to access an out-of-bound address value.

To solve this issue I made the resize_screen() be called
even if the screen does not need any resizing, so it will
"fix and fill" the fb_var_screeninfo independently.

Cc: stable <stable@vger.kernel.org> # after 5.15-rc2 is out, give it time to bake
Reported-and-tested-by: syzbot+858dc7a2f7ef07c2c219@syzkaller.appspotmail.com
Signed-off-by: Igor Matheus Andrade Torrente <igormtorrente@gmail.com>
Link: https://lore.kernel.org/r/20210628134509.15895-1-igormtorrente@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-10-06 15:05:08 +02:00
accessibility
acpi ACPI: NFIT: Fix support for virtual SPA ranges 2021-08-26 08:37:01 -04:00
amba
android
ata ata: sata_dwc_460ex: No need to call phy_exit() befre phy_init() 2021-09-22 11:45:29 +02:00
atm atm: nicstar: register the interrupt handler in the right place 2021-07-20 16:17:44 +02:00
auxdisplay
base PM: base: power: don't try to use non-existing RTC for storing data 2021-09-22 11:45:33 +02:00
bcma bcma: Fix memory leak for internally-handled cores 2021-09-22 11:45:22 +02:00
block cryptoloop: add a deprecation warning 2021-09-22 11:45:15 +02:00
bluetooth Bluetooth: btusb: fix bt fiwmare downloading failure issue for qca btsoc. 2021-07-20 16:17:45 +02:00
bus bus: qcom: Put child node before return 2021-05-22 10:57:28 +02:00
cdrom cdrom: gdrom: initialize global variable at init time 2021-05-26 11:47:00 +02:00
char virtio_console: Assure used length from device is limited 2021-07-20 16:17:53 +02:00
clk clk: kirkwood: Fix a clocking boot regression 2021-09-22 11:45:23 +02:00
clocksource clocksource/drivers/sh_cmt: Fix wrong setting if don't request IRQ for clock source channel 2021-09-22 11:45:19 +02:00
connector
cpufreq cpufreq: powernv: Fix init_chip_info initialization in numa=off 2021-09-22 11:45:32 +02:00
cpuidle
crypto crypto: talitos - fix max key size for sha384 and sha512 2021-09-26 13:37:28 +02:00
dax
dca
devfreq
dio
dma dmaengine: xilinx_dma: Set DMA mask for coherent APIs 2021-09-26 13:37:29 +02:00
dma-buf dma-buf/sync_file: Don't leak fences on merge failure 2021-07-28 11:12:16 +02:00
edac
eisa
extcon extcon: max8997: Add missing modalias string 2021-07-20 16:17:41 +02:00
firewire
firmware qemu_fw_cfg: Make fw_cfg_rev_attr a proper kobj_attribute 2021-07-20 16:17:47 +02:00
fmc
fpga
fsi
gpio gpio: zynq: Check return value of pm_runtime_get_sync 2021-07-20 16:17:50 +02:00
gpu drm/nouveau/nvkm: Replace -ENOSYS with -ENODEV 2021-09-26 13:37:30 +02:00
hid HID: input: do not report stylus battery state as "full" 2021-09-22 11:45:26 +02:00
hsi HSI: core: fix resource leaks in hsi_add_client_from_dt() 2021-05-22 10:57:31 +02:00
hv hv_utils: Fix passing zero to 'PTR_ERR' warning 2021-07-20 16:17:33 +02:00
hwmon hwmon: (max31790) Fix fan speed reporting for fan7..12 2021-07-20 16:17:35 +02:00
hwspinlock
hwtracing intel_th: Wait until port is in reset before programming it 2021-07-20 16:17:51 +02:00
i2c i2c: mt65xx: fix IRQ check 2021-09-22 11:45:22 +02:00
ide
idle
iio iio: dac: ad5624r: Fix incorrect handling of an optional regulator. 2021-09-22 11:45:27 +02:00
infiniband RDMA/iwcm: Release resources if iw_cm module initialization fails 2021-09-22 11:45:26 +02:00
input Input: hil_kbd - fix error return code in hil_dev_connect() 2021-07-20 16:17:40 +02:00
iommu iommu/vt-d: Fix sysfs leak in alloc_iommu() 2021-06-03 08:36:12 +02:00
ipack ipack: tpci200: fix many double free issues in tpci200_pci_probe 2021-08-26 08:37:09 -04:00
irqchip irqchip/gic-v3-its: Fix potential VPE leak on error 2021-10-06 15:05:06 +02:00
isdn mISDN: fix possible use-after-free in HFC_cleanup() 2021-07-20 16:17:42 +02:00
leds leds: ktd2692: Fix an error handling path 2021-07-20 16:17:41 +02:00
lightnvm
macintosh
mailbox
mcb mcb: fix error handling in mcb_alloc_bus() 2021-10-06 15:05:05 +02:00
md md: fix a lock order reversal in md_alloc 2021-10-06 15:05:06 +02:00
media media: v4l2-dv-timings.c: fix wrong condition in two for-loops 2021-09-22 11:45:29 +02:00
memory memory: fsl_ifc: fix leak of private memory on probe failure 2021-07-20 16:17:55 +02:00
memstick
message
mfd mfd: Don't use irq_create_mapping() to resolve a mapping 2021-09-22 11:45:34 +02:00
misc VMCI: fix NULL pointer dereference when unmapping queue pair 2021-09-22 11:45:25 +02:00
mmc mmc: rtsx_pci: Fix long reads when clock is prescaled 2021-09-22 11:45:30 +02:00
mtd mtd: rawnand: cafe: Fix a resource leak in the error handling path of 'cafe_nand_probe()' 2021-09-22 11:45:35 +02:00
mux
net net: 6pack: Fix tx timeout and slot time 2021-10-06 15:05:07 +02:00
nfc nfc: nfcsim: fix use after free during module unload 2021-08-04 12:22:16 +02:00
ntb
nubus
nvdimm
nvme nvme-rdma: don't update queue count when failing to set io queues 2021-09-22 11:45:17 +02:00
nvmem
of of: Fix truncation of memory sizes on 32-bit platforms 2021-07-20 16:17:40 +02:00
oprofile
parisc parisc: Move pci_dev_is_behind_card_dino to where it is used 2021-09-26 13:37:29 +02:00
parport parport: remove non-zero check on count 2021-09-22 11:45:31 +02:00
pci PCI: aardvark: Fix checking for PIO status 2021-10-06 15:05:07 +02:00
pcmcia pcmcia: i82092: fix a null pointer dereference bug 2021-08-15 13:03:32 +02:00
perf perf/arm_pmu_platform: Fix error handling 2021-05-22 10:57:17 +02:00
phy phy: ti: dm816x: Fix the error handling path in 'dm816x_usb_phy_probe() 2021-07-20 16:17:41 +02:00
pinctrl pinctrl: single: Fix error return code in pcs_parse_bits_in_pinctrl_entry() 2021-09-22 11:45:26 +02:00
platform platform/chrome: cros_ec_proto: Send command again when timeout occurs 2021-09-22 11:45:32 +02:00
pnp
power power: supply: max17042: handle fails of reading status register 2021-09-22 11:45:24 +02:00
powercap
pps
ps3
ptp ptp_pch: Restore dependency on PCI 2021-08-26 08:37:09 -04:00
pwm pwm: rockchip: Don't modify HW state in .remove() callback 2021-09-26 13:37:30 +02:00
rapidio rapidio: handle create_workqueue() failure 2021-05-26 11:46:59 +02:00
ras
regulator regulator: da9052: Ensure enough delay time for .set_voltage_time_sel 2021-07-20 16:17:32 +02:00
remoteproc
reset reset: ti-syscon: fix to_ti_syscon_reset_data macro 2021-07-28 11:12:14 +02:00
rpmsg rpmsg: qcom_glink_native: fix error return code of qcom_glink_rx_data() 2021-05-22 10:57:38 +02:00
rtc rtc: tps65910: Correct driver module alias 2021-09-22 11:45:23 +02:00
s390 s390/cio: add dev_busid sysfs entry for each subchannel 2021-09-22 11:45:18 +02:00
sbus
scsi scsi: iscsi: Adjust iface sysfs attr detection 2021-10-06 15:05:06 +02:00
sfi
sh
sn
soc soc: qcom: smsm: Fix missed interrupts if state changes while masked 2021-09-22 11:45:20 +02:00
spi spi: Fix tegra20 build with CONFIG_PM=n 2021-10-06 15:05:07 +02:00
spmi
ssb ssb: sdio: Don't overwrite const buffer if block_write fails 2021-07-20 16:17:30 +02:00
staging staging: greybus: uart: fix tty use after free 2021-10-06 15:05:05 +02:00
target scsi: target: Fix protect handling in WRITE SAME(32) 2021-07-28 11:12:18 +02:00
tc
tee tee: optee: do not check memref size on return from Secure World 2021-05-22 10:57:16 +02:00
thermal thermal/core: Potential buffer overflow in thermal_build_list_of_policies() 2021-10-06 15:05:06 +02:00
thunderbolt thunderbolt: dma_port: Fix NVM read buffer bounds and offset issue 2021-06-03 08:36:15 +02:00
tty tty: Fix out-of-bound vmalloc access in imageblit 2021-10-06 15:05:08 +02:00
uio
usb USB: serial: option: add device id for Foxconn T99W265 2021-10-06 15:05:05 +02:00
uwb
vfio vfio: Use config not menuconfig for VFIO_NOIOMMU 2021-09-22 11:45:26 +02:00
vhost vringh: Use wiov->used to check for read/write desc order 2021-09-03 09:56:25 +02:00
video video: fbdev: riva: Error out if 'pixclock' equals zero 2021-09-22 11:45:28 +02:00
virt
virtio virtio: Improve vq->broken access to avoid any compiler optimization 2021-09-03 09:56:25 +02:00
vlynq
vme
w1 w1: ds2438: fixing bug that would always get page0 2021-07-20 16:17:49 +02:00
watchdog Revert "watchdog: iTCO_wdt: Account for rebooting on second timeout" 2021-08-08 08:53:29 +02:00
xen xen/balloon: fix balloon kthread freezing 2021-10-06 15:05:07 +02:00
zorro
Kconfig
Makefile