[Linux-kernel-mentees] [PATCH 15/16] vc_screen: extract vcs_read_buf_header

Peilin Ye yepeilin.cs at gmail.com
Tue Aug 25 16:48:04 UTC 2020


Hi all,

Link: https://syzkaller.appspot.com/bug?id=f332576321998d36cd07d09c9c1268cfed1895c9

As reported by syzbot, vcs_read_buf() is overflowing `con_buf16`, since
this patch removed the following check:

-		if (count > CON_BUF_SIZE) {
-			count = CON_BUF_SIZE;
-			filled = count - pos;
-		}

Decreasing `count` by `min(HEADER_SIZE - pos, count)` bypasses this check.
Additionally, this patch also removed updates to `skip` and `filled`.

What should we do in order to fix it?

Thank you,
Peilin Ye


More information about the Linux-kernel-mentees mailing list