Re: KASAN: use-after-free Read in bit_putcs
From: Peilin Ye
Date: Sun Sep 27 2020 - 05:27:13 EST
On Sun, Sep 27, 2020 at 05:28:12PM +0900, Tetsuo Handa wrote:
> Well, vt_io_ioctl(PIO_FONT) initializes "struct console_font_op op;" with
>
> op.width = 8;
> op.height = 0;
> op.charcount = 256;
>
> and calls con_font_set() from con_font_op(). But the "/* Need to guess font height [compat] */"
> chunk in con_font_set() guesses font's height due to being initialized with op.height = 0.
> Then, con_font_set() calls fbcon_set_font() via vc->vc_sw->con_font_set(), and fbcon_set_font()
> allocates minimal amount of memory for font data based on font's height calcllated by con_font_set().
>
> Therefore, any attempt to change font's height (like vt_resizex()) larger than font's height
> calculated by con_font_set() can cause OOB read of memory block for font data. If we allocate
> maximal amount of memory for any font, OOB read of memory block for font data should not happen.
>
> ----------------------------------------
>
> static char fontdata[8192] = { 2 };
>
> [ 227.065369] bit_putcs: width=1 cellsize=1 count=80 maxcnt=8192 scan_align=0 buf_align=0 image.height=1
> [ 227.066254] bit_putcs: width=1 cellsize=1 count=80 maxcnt=8192 scan_align=0 buf_align=0 image.height=1
> [ 227.067642] vc=ffff8880d69b4000 v.v_rows=0 v.v_cols=0 v.v_vlin=1 v.v_clin=9 v.v_vcol=0 v.v_ccol=0 ret=0
> [ 227.067699] vcp=ffff8880d69b4000 before: ->vc_rows=480 ->vc_cols=80 ->vc_scan_lines=1 save_scan_lines=400 ->vc_font.height=9 save_font_height=1
> [ 227.067774] vcp=ffff8880d69b4000 after: ->vc_rows=480 ->vc_cols=80 ->vc_scan_lines=1 save_scan_lines=400 ->vc_font.height=9 save_font_height=1 ret=0
> [ 227.067831] vcp=ffff8880cac4b000 before: ->vc_rows=30 ->vc_cols=80 ->vc_scan_lines=1 save_scan_lines=0 ->vc_font.height=9 save_font_height=16
> [ 227.067891] vcp=ffff8880cac4b000 after: ->vc_rows=30 ->vc_cols=80 ->vc_scan_lines=1 save_scan_lines=0 ->vc_font.height=9 save_font_height=16 ret=0
> [ 227.067947] vcp=ffff8880c6180000 before: ->vc_rows=30 ->vc_cols=80 ->vc_scan_lines=1 save_scan_lines=0 ->vc_font.height=9 save_font_height=16
> [ 227.068007] vcp=ffff8880c6180000 after: ->vc_rows=30 ->vc_cols=80 ->vc_scan_lines=1 save_scan_lines=0 ->vc_font.height=9 save_font_height=16 ret=0
> [ 227.068063] vcp=ffff8880d6b84000 before: ->vc_rows=30 ->vc_cols=80 ->vc_scan_lines=1 save_scan_lines=0 ->vc_font.height=9 save_font_height=16
> [ 227.068123] vcp=ffff8880d6b84000 after: ->vc_rows=30 ->vc_cols=80 ->vc_scan_lines=1 save_scan_lines=0 ->vc_font.height=9 save_font_height=16 ret=0
> [ 227.068179] vcp=ffff8880ca8c0000 before: ->vc_rows=30 ->vc_cols=80 ->vc_scan_lines=1 save_scan_lines=0 ->vc_font.height=9 save_font_height=16
> [ 227.068255] vcp=ffff8880ca8c0000 after: ->vc_rows=30 ->vc_cols=80 ->vc_scan_lines=1 save_scan_lines=0 ->vc_font.height=9 save_font_height=16 ret=0
> [ 227.068455] vcp=ffff8880cbd5d000 before: ->vc_rows=30 ->vc_cols=80 ->vc_scan_lines=1 save_scan_lines=0 ->vc_font.height=9 save_font_height=16
> [ 227.068515] vcp=ffff8880cbd5d000 after: ->vc_rows=30 ->vc_cols=80 ->vc_scan_lines=1 save_scan_lines=0 ->vc_font.height=9 save_font_height=16 ret=0
> [ 227.084709] ==================================================================
> [ 227.084729] BUG: KASAN: slab-out-of-bounds in soft_cursor+0x34e/0x4a0
> [ 227.084748] Read of size 9 at addr ffff8880c98d5930 by task a.out/1662
Very interesting, I remember seeing this on the syzbot dashboard...
Yes, I guess it is this one:
KASAN: slab-out-of-bounds Read in soft_cursor
https://syzkaller.appspot.com/bug?id=6b8355d27b2b94fb5cedf4655e3a59162d9e48e3
There is a `0x560aul` ioctl() in the reproducer, which is `VT_RESIZEX`.
Thank you,
Peilin Ye