mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-08-29 04:09:39 +00:00
860dafa902
Restore the original intent of the VT_RESIZEX ioctl's `v_clin' parameter which is the number of pixel rows per character (cell) rather than the height of the font used. For framebuffer devices the two values are always the same, because the former is inferred from the latter one. For VGA used as a true text mode device these two parameters are independent from each other: the number of pixel rows per character is set in the CRT controller, while font height is in fact hardwired to 32 pixel rows and fonts of heights below that value are handled by padding their data with blanks when loaded to hardware for use by the character generator. One can change the setting in the CRT controller and it will update the screen contents accordingly regardless of the font loaded. The `v_clin' parameter is used by the `vgacon' driver to set the height of the character cell and then the cursor position within. Make the parameter explicit then, by defining a new `vc_cell_height' struct member of `vc_data', set it instead of `vc_font.height' from `v_clin' in the VT_RESIZEX ioctl, and then use it throughout the `vgacon' driver except where actual font data is accessed which as noted above is independent from the CRTC setting. This way the framebuffer console driver is free to ignore the `v_clin' parameter as irrelevant, as it always should have, avoiding any issues attempts to give the parameter a meaning there could have caused, such as one that has led to commit988d076336("vt_ioctl: make VT_RESIZEX behave like VT_RESIZE"): "syzbot is reporting UAF/OOB read at bit_putcs()/soft_cursor() [1][2], for vt_resizex() from ioctl(VT_RESIZEX) allows setting font height larger than actual font height calculated by con_font_set() from ioctl(PIO_FONT). Since fbcon_set_font() from con_font_set() allocates minimal amount of memory based on actual font height calculated by con_font_set(), use of vt_resizex() can cause UAF/OOB read for font data." The problem first appeared around Linux 2.5.66 which predates our repo history, but the origin could be identified with the old MIPS/Linux repo also at: <git://git.kernel.org/pub/scm/linux/kernel/git/ralf/linux.git> as commit 9736a3546de7 ("Merge with Linux 2.5.66."), where VT_RESIZEX code in `vt_ioctl' was updated as follows: if (clin) - video_font_height = clin; + vc->vc_font.height = clin; making the parameter apply to framebuffer devices as well, perhaps due to the use of "font" in the name of the original `video_font_height' variable. Use "cell" in the new struct member then to avoid ambiguity. References: [1] https://syzkaller.appspot.com/bug?id=32577e96d88447ded2d3b76d71254fb855245837 [2] https://syzkaller.appspot.com/bug?id=6b8355d27b2b94fb5cedf4655e3a59162d9e48e3 Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk> Fixes:1da177e4c3("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org # v2.6.12+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
197 lines
7.1 KiB
C
197 lines
7.1 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
/*
|
|
* console_struct.h
|
|
*
|
|
* Data structure describing single virtual console except for data
|
|
* used by vt.c.
|
|
*
|
|
* Fields marked with [#] must be set by the low-level driver.
|
|
* Fields marked with [!] can be changed by the low-level driver
|
|
* to achieve effects such as fast scrolling by changing the origin.
|
|
*/
|
|
|
|
#ifndef _LINUX_CONSOLE_STRUCT_H
|
|
#define _LINUX_CONSOLE_STRUCT_H
|
|
|
|
#include <linux/wait.h>
|
|
#include <linux/vt.h>
|
|
#include <linux/workqueue.h>
|
|
|
|
struct uni_pagedir;
|
|
struct uni_screen;
|
|
|
|
#define NPAR 16
|
|
#define VC_TABSTOPS_COUNT 256U
|
|
|
|
enum vc_intensity {
|
|
VCI_HALF_BRIGHT,
|
|
VCI_NORMAL,
|
|
VCI_BOLD,
|
|
VCI_MASK = 0x3,
|
|
};
|
|
|
|
/**
|
|
* struct vc_state -- state of a VC
|
|
* @x: cursor's x-position
|
|
* @y: cursor's y-position
|
|
* @color: foreground & background colors
|
|
* @Gx_charset: what's G0/G1 slot set to (like GRAF_MAP, LAT1_MAP)
|
|
* @charset: what character set to use (0=G0 or 1=G1)
|
|
* @intensity: see enum vc_intensity for values
|
|
* @reverse: reversed foreground/background colors
|
|
*
|
|
* These members are defined separately from struct vc_data as we save &
|
|
* restore them at times.
|
|
*/
|
|
struct vc_state {
|
|
unsigned int x, y;
|
|
|
|
unsigned char color;
|
|
|
|
unsigned char Gx_charset[2];
|
|
unsigned int charset : 1;
|
|
|
|
/* attribute flags */
|
|
enum vc_intensity intensity;
|
|
bool italic;
|
|
bool underline;
|
|
bool blink;
|
|
bool reverse;
|
|
};
|
|
|
|
/*
|
|
* Example: vc_data of a console that was scrolled 3 lines down.
|
|
*
|
|
* Console buffer
|
|
* vc_screenbuf ---------> +----------------------+-.
|
|
* | initializing W | \
|
|
* | initializing X | |
|
|
* | initializing Y | > scroll-back area
|
|
* | initializing Z | |
|
|
* | | /
|
|
* vc_visible_origin ---> ^+----------------------+-:
|
|
* (changes by scroll) || Welcome to linux | \
|
|
* || | |
|
|
* vc_rows --->< | login: root | | visible on console
|
|
* || password: | > (vc_screenbuf_size is
|
|
* vc_origin -----------> || | | vc_size_row * vc_rows)
|
|
* (start when no scroll) || Last login: 12:28 | /
|
|
* v+----------------------+-:
|
|
* | Have a lot of fun... | \
|
|
* vc_pos -----------------|--------v | > scroll-front area
|
|
* | ~ # cat_ | /
|
|
* vc_scr_end -----------> +----------------------+-:
|
|
* (vc_origin + | | \ EMPTY, to be filled by
|
|
* vc_screenbuf_size) | | / vc_video_erase_char
|
|
* +----------------------+-'
|
|
* <---- 2 * vc_cols ----->
|
|
* <---- vc_size_row ----->
|
|
*
|
|
* Note that every character in the console buffer is accompanied with an
|
|
* attribute in the buffer right after the character. This is not depicted
|
|
* in the figure.
|
|
*/
|
|
struct vc_data {
|
|
struct tty_port port; /* Upper level data */
|
|
|
|
struct vc_state state, saved_state;
|
|
|
|
unsigned short vc_num; /* Console number */
|
|
unsigned int vc_cols; /* [#] Console size */
|
|
unsigned int vc_rows;
|
|
unsigned int vc_size_row; /* Bytes per row */
|
|
unsigned int vc_scan_lines; /* # of scan lines */
|
|
unsigned int vc_cell_height; /* CRTC character cell height */
|
|
unsigned long vc_origin; /* [!] Start of real screen */
|
|
unsigned long vc_scr_end; /* [!] End of real screen */
|
|
unsigned long vc_visible_origin; /* [!] Top of visible window */
|
|
unsigned int vc_top, vc_bottom; /* Scrolling region */
|
|
const struct consw *vc_sw;
|
|
unsigned short *vc_screenbuf; /* In-memory character/attribute buffer */
|
|
unsigned int vc_screenbuf_size;
|
|
unsigned char vc_mode; /* KD_TEXT, ... */
|
|
/* attributes for all characters on screen */
|
|
unsigned char vc_attr; /* Current attributes */
|
|
unsigned char vc_def_color; /* Default colors */
|
|
unsigned char vc_ulcolor; /* Color for underline mode */
|
|
unsigned char vc_itcolor;
|
|
unsigned char vc_halfcolor; /* Color for half intensity mode */
|
|
/* cursor */
|
|
unsigned int vc_cursor_type;
|
|
unsigned short vc_complement_mask; /* [#] Xor mask for mouse pointer */
|
|
unsigned short vc_s_complement_mask; /* Saved mouse pointer mask */
|
|
unsigned long vc_pos; /* Cursor address */
|
|
/* fonts */
|
|
unsigned short vc_hi_font_mask; /* [#] Attribute set for upper 256 chars of font or 0 if not supported */
|
|
struct console_font vc_font; /* Current VC font set */
|
|
unsigned short vc_video_erase_char; /* Background erase character */
|
|
/* VT terminal data */
|
|
unsigned int vc_state; /* Escape sequence parser state */
|
|
unsigned int vc_npar,vc_par[NPAR]; /* Parameters of current escape sequence */
|
|
/* data for manual vt switching */
|
|
struct vt_mode vt_mode;
|
|
struct pid *vt_pid;
|
|
int vt_newvt;
|
|
wait_queue_head_t paste_wait;
|
|
/* mode flags */
|
|
unsigned int vc_disp_ctrl : 1; /* Display chars < 32? */
|
|
unsigned int vc_toggle_meta : 1; /* Toggle high bit? */
|
|
unsigned int vc_decscnm : 1; /* Screen Mode */
|
|
unsigned int vc_decom : 1; /* Origin Mode */
|
|
unsigned int vc_decawm : 1; /* Autowrap Mode */
|
|
unsigned int vc_deccm : 1; /* Cursor Visible */
|
|
unsigned int vc_decim : 1; /* Insert Mode */
|
|
/* misc */
|
|
unsigned int vc_priv : 3;
|
|
unsigned int vc_need_wrap : 1;
|
|
unsigned int vc_can_do_color : 1;
|
|
unsigned int vc_report_mouse : 2;
|
|
unsigned char vc_utf : 1; /* Unicode UTF-8 encoding */
|
|
unsigned char vc_utf_count;
|
|
int vc_utf_char;
|
|
DECLARE_BITMAP(vc_tab_stop, VC_TABSTOPS_COUNT); /* Tab stops. 256 columns. */
|
|
unsigned char vc_palette[16*3]; /* Colour palette for VGA+ */
|
|
unsigned short * vc_translate;
|
|
unsigned int vc_resize_user; /* resize request from user */
|
|
unsigned int vc_bell_pitch; /* Console bell pitch */
|
|
unsigned int vc_bell_duration; /* Console bell duration */
|
|
unsigned short vc_cur_blink_ms; /* Cursor blink duration */
|
|
struct vc_data **vc_display_fg; /* [!] Ptr to var holding fg console for this display */
|
|
struct uni_pagedir *vc_uni_pagedir;
|
|
struct uni_pagedir **vc_uni_pagedir_loc; /* [!] Location of uni_pagedir variable for this console */
|
|
struct uni_screen *vc_uni_screen; /* unicode screen content */
|
|
/* additional information is in vt_kern.h */
|
|
};
|
|
|
|
struct vc {
|
|
struct vc_data *d;
|
|
struct work_struct SAK_work;
|
|
|
|
/* might add scrmem, kbd at some time,
|
|
to have everything in one place */
|
|
};
|
|
|
|
extern struct vc vc_cons [MAX_NR_CONSOLES];
|
|
extern void vc_SAK(struct work_struct *work);
|
|
|
|
#define CUR_MAKE(size, change, set) ((size) | ((change) << 8) | \
|
|
((set) << 16))
|
|
#define CUR_SIZE(c) ((c) & 0x00000f)
|
|
# define CUR_DEF 0
|
|
# define CUR_NONE 1
|
|
# define CUR_UNDERLINE 2
|
|
# define CUR_LOWER_THIRD 3
|
|
# define CUR_LOWER_HALF 4
|
|
# define CUR_TWO_THIRDS 5
|
|
# define CUR_BLOCK 6
|
|
#define CUR_SW 0x000010
|
|
#define CUR_ALWAYS_BG 0x000020
|
|
#define CUR_INVERT_FG_BG 0x000040
|
|
#define CUR_FG 0x000700
|
|
#define CUR_BG 0x007000
|
|
#define CUR_CHANGE(c) ((c) & 0x00ff00)
|
|
#define CUR_SET(c) (((c) & 0xff0000) >> 8)
|
|
|
|
bool con_is_visible(const struct vc_data *vc);
|
|
|
|
#endif /* _LINUX_CONSOLE_STRUCT_H */
|