From 669e0a51b1b50052b1615683cde64e1c28ae895f Mon Sep 17 00:00:00 2001 From: Adam Borowski Date: Thu, 15 Sep 2016 16:47:09 +0200 Subject: [PATCH] vt: Fix a read-past-array in vc_t416_color(). This makes it show up on UBSAN: perl -e 'for (0..15) {my @x=("0")x$_;push @x,qw(38 2 64 128 192 4);printf "\e[%smAfter %d zeroes.\e[0m\n", join(";",@x[0..($_+5<15?$_+5:15)]), $_}' Seems harmless: if you can programmatically read attributes of a vt character (/dev/vcsa*), multiple probes can obtain parts of vt_mode then lowest byte (5th on 64-bit big-endian) of a pointer. Signed-off-by: Adam Borowski Signed-off-by: Greg Kroah-Hartman --- drivers/tty/vt/vt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c index 2705ca960e92..b51586fea4e8 100644 --- a/drivers/tty/vt/vt.c +++ b/drivers/tty/vt/vt.c @@ -1316,7 +1316,7 @@ static int vc_t416_color(struct vc_data *vc, int i, /* 256 colours -- ubiquitous */ i++; rgb_from_256(vc->vc_par[i], &c); - } else if (vc->vc_par[i] == 2 && i <= vc->vc_npar + 3) { + } else if (vc->vc_par[i] == 2 && i + 3 <= vc->vc_npar) { /* 24 bit -- extremely rare */ c.r = vc->vc_par[i + 1]; c.g = vc->vc_par[i + 2]; -- GitLab