From: Adam Borowski Date: Thu, 15 Sep 2016 14:47:09 +0000 (+0200) Subject: vt: Fix a read-past-array in vc_t416_color(). X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=669e0a51b1b50052b1615683cde64e1c28ae895f;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git vt: Fix a read-past-array in vc_t416_color(). This makes it show up on UBSAN: perl -e 'for (0..15) {my @x=("0")x$_;push @x,qw(38 2 64 128 192 4);printf "\e[%smAfter %d zeroes.\e[0m\n", join(";",@x[0..($_+5<15?$_+5:15)]), $_}' Seems harmless: if you can programmatically read attributes of a vt character (/dev/vcsa*), multiple probes can obtain parts of vt_mode then lowest byte (5th on 64-bit big-endian) of a pointer. Signed-off-by: Adam Borowski Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c index 2705ca960e92..b51586fea4e8 100644 --- a/drivers/tty/vt/vt.c +++ b/drivers/tty/vt/vt.c @@ -1316,7 +1316,7 @@ static int vc_t416_color(struct vc_data *vc, int i, /* 256 colours -- ubiquitous */ i++; rgb_from_256(vc->vc_par[i], &c); - } else if (vc->vc_par[i] == 2 && i <= vc->vc_npar + 3) { + } else if (vc->vc_par[i] == 2 && i + 3 <= vc->vc_npar) { /* 24 bit -- extremely rare */ c.r = vc->vc_par[i + 1]; c.g = vc->vc_par[i + 2];