From patchwork Wed Jul 18 01:02:40 2018
X-Patchwork-Submitter: Nicolas Pitre
X-Patchwork-Id: 142229
From: Nicolas Pitre
To: Greg Kroah-Hartman
Cc: Kees Cook, Geert Uytterhoeven, Adam Borowski, Dave Mielke, Samuel Thibault, linux-kernel@vger.kernel.org, linux-console@vger.kernel.org
Subject: [PATCH 1/3] vt: avoid a VLA in the unicode screen scroll function
Date: Tue, 17 Jul 2018 21:02:40 -0400
Message-Id: <20180718010242.5254-2-nicolas.pitre@linaro.org>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20180718010242.5254-1-nicolas.pitre@linaro.org>
References: <20180718010242.5254-1-nicolas.pitre@linaro.org>
X-Mailing-List: linux-kernel@vger.kernel.org

The nr argument is typically small: most often nr == 1. However this
could be abused with a very large explicit scroll in a resized screen.
Make the code scroll lines one at a time in all cases to avoid the VLA.
Anything smarter is most likely not warranted here.

Requested-by: Kees Cook
Signed-off-by: Nicolas Pitre
---
 drivers/tty/vt/vt.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

--
2.17.1

diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c index 2d14bb195d..03e79f7787 100644 --- a/drivers/tty/vt/vt.c +++ b/drivers/tty/vt/vt.c 
@@ -433,20 +433,22 @@ static void vc_uniscr_scroll(struct vc_data *vc, unsigned int t, unsigned int b, if (uniscr) { unsigned int s, d, rescue, clear; - char32_t *save[nr]; s = clear = t; - d = t + nr; - rescue = b - nr; + d = t + 1; + rescue = b - 1; if (dir == SM_UP) { swap(s, d); swap(clear, rescue); } - memcpy(save, uniscr->lines + rescue, nr * sizeof(*save)); - memmove(uniscr->lines + d, uniscr->lines + s, - (b - t - nr) * sizeof(*uniscr->lines)); - memcpy(uniscr->lines + clear, save, nr * sizeof(*save)); - vc_uniscr_clear_lines(vc, clear, nr); + while (nr--) { + char32_t *tmp; + tmp = uniscr->lines[rescue]; + memmove(uniscr->lines + d, uniscr->lines + s, + (b - t - 1) * sizeof(*uniscr->lines)); + uniscr->lines[clear] = tmp; + vc_uniscr_clear_lines(vc, clear, 1); + } } }
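
Review bot: In the new "while (nr--)" loop, nr is still used unclamped, so the stack exposure of the VLA is traded for a loop that makes nr memmove() passes of (b - t - 1) pointers each. Nothing in this hunk bounds nr against b - t, and the commit message itself anticipates a very large explicit scroll. If the callers do not already clamp it, add something like "nr = min(nr, b - t);" before the loop (once every line in the region has been rotated out and cleared, further iterations only repeat the same rotate-and-clear), or state in the commit message where the clamp lives. The same unsigned arithmetic means (b - t - 1) wraps when b == t, so an early return for t >= b is worth having here or documenting as a caller guarantee. Style: checkpatch will ask for a blank line between the "char32_t *tmp;" declaration and "tmp = uniscr->lines[rescue];".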