From 6a8f2c8cf1fd546b7801ea87bca7a4a44516bef1 Mon Sep 17 00:00:00 2001 From: Nicolas Pitre Date: Thu, 23 May 2024 19:30:43 +0800 Subject: [PATCH] vt: fix unicode buffer corruption when deleting characters stable inclusion from stable-v4.19.312 commit fc7dfe3d123f00e720be80b920da287810a1f37d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q994 CVE: CVE-2024-35823 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=fc7dfe3d123f00e720be80b920da287810a1f37d commit 1581dafaf0d34bc9c428a794a22110d7046d186d upstream. This is the same issue that was fixed for the VGA text buffer in commit 39cdb68c64d8 ("vt: fix memory overlapping when deleting chars in the buffer"). The cure is also the same i.e. replace memcpy() with memmove() due to the overlaping buffers. Signed-off-by: Nicolas Pitre Fixes: 81732c3b2fed ("tty vt: Fix line garbage in virtual console on command line edition") Cc: stable Link: https://lore.kernel.org/r/sn184on2-3p0q-0qrq-0218-895349s4753o@syhkavp.arg Signed-off-by: Greg Kroah-Hartman Signed-off-by: Xiang Yang --- drivers/tty/vt/vt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c index 163186cbfe79..12ddd82f0dad 100644 --- a/drivers/tty/vt/vt.c +++ b/drivers/tty/vt/vt.c @@ -405,7 +405,7 @@ static void vc_uniscr_delete(struct vc_data *vc, unsigned int nr) char32_t *ln = uniscr->lines[vc->vc_y]; unsigned int x = vc->vc_x, cols = vc->vc_cols; - memcpy(&ln[x], &ln[x + nr], (cols - x - nr) * sizeof(*ln)); + memmove(&ln[x], &ln[x + nr], (cols - x - nr) * sizeof(*ln)); memset32(&ln[cols - nr], ' ', nr); } } -- Gitee