Add a VT_RESIZEX check to ensure that changing the font height will not cause a potential out-of-bounds access. The candidate font height contained in "v_clin", though below the max, could still result in accesses beyond the allocated font data size.
Signed-off-by: George Kennedy <[email protected]>
Reported-by: [email protected]
---
 drivers/tty/vt/vt_ioctl.c | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/drivers/tty/vt/vt_ioctl.c b/drivers/tty/vt/vt_ioctl.c
index daf61c2..6185f1a 100644
--- a/drivers/tty/vt/vt_ioctl.c
+++ b/drivers/tty/vt/vt_ioctl.c
@@ -342,6 +342,9 @@ static void vt_disallocate_all(void)
 }
 }
+/* from fbcon.c */
+#define FNTSIZE(fd) (((int *)(fd))[-2])
+#define FNTCHARCNT(fd) (((int *)(fd))[-3])
 /*
 * We handle the console-specific ioctl's here. We allow the
@@ -895,8 +898,23 @@ int vt_ioctl(struct tty_struct *tty,
 if (vcp) {
 if (v.v_vlin)
 vcp->vc_scan_lines = v.v_vlin;
- if (v.v_clin)
+ if (v.v_clin) {
+ int width, pitch, size;
+
+ width = (vcp->vc_font.width > 8) ? 8 : vcp->vc_font.width;
+ pitch = (width + 7) >> 3;
+
+ pitch = (pitch) ? pitch : 1;
+
+ /* font size = height * pitch * charcount */
+ size = v.v_clin * pitch * FNTCHARCNT(vcp->vc_font.data);
+
+ if (size > FNTSIZE(vcp->vc_font.data)) {
+ console_unlock();
+ return -EINVAL;
+ }
 vcp->vc_font.height = v.v_clin;
+ }
 vcp->vc_resize_user = 1;
 vc_resize(vcp, v.v_cols, v.v_rows);
 }
-- 
1.8.3.1
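Review bot: The bound computed in the VT_RESIZEX hunk always ends up with `pitch == 1`: `width` is clamped to at most 8, so `(width + 7) >> 3` can only be 0 or 1 and the next line turns 0 into 1, which makes the two `pitch` assignments redundant and, if fonts wider than 8 pixels are stored with a larger byte pitch, lets the check under-count the bytes a requested height needs. Separately, `FNTSIZE` and `FNTCHARCNT` read at negative offsets of `vcp->vc_font.data`, and the `/* from fbcon.c */` comment in the first hunk marks that header layout as fbcon-specific; unless every console driver that reaches this ioctl guarantees that header and a non-NULL `vc_font.data` (not verifiable from the hunk), the new check itself becomes an out-of-bounds read or NULL dereference on user-triggered input. Consider dropping the clamp so the line reads `pitch = (vcp->vc_font.width + 7) >> 3;`, rejecting the request early with `if (!vcp->vc_font.data) { console_unlock(); return -EINVAL; }`, and querying the owning console driver for the font size rather than duplicating fbcon's private macros in vt_ioctl.c. vt_ioctl begins and ends outside this hunk.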

