A memory overlapping copy occurs when deleting a long line. Fix it by
using scr_memmovew.
Signed-off-by: Yangxi Xiang <xyangxi5@gmail.com>
---
drivers/tty/vt/vt.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index f8c87c4d7399..d87bff9d8ed5 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -853,9 +853,13 @@ static void insert_char(struct vc_data *vc, unsigned int nr)
static void delete_char(struct vc_data *vc, unsigned int nr)
{
unsigned short *p = (unsigned short *) vc->vc_pos;
+ unsigned short cp = (vc->vc_cols - vc->state.x - nr) * 2;
vc_uniscr_delete(vc, nr);
- scr_memcpyw(p, p + nr, (vc->vc_cols - vc->state.x - nr) * 2);
+ if (cp > nr)
+ scr_memmovew(p, p + nr, cp);
+ else
+ scr_memcpyw(p, p + nr, cp);
scr_memsetw(p + vc->vc_cols - vc->state.x - nr, vc->vc_video_erase_char,
nr * 2);
vc->vc_need_wrap = 0;
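Review bot: In delete_char(), the new test `if (cp > nr)` compares a byte count with a cell count: cp is `(vc->vc_cols - vc->state.x - nr) * 2`, while nr counts 16-bit cells, since the source is `p + nr` on an `unsigned short *`. The source and destination overlap when cp / 2 > nr, so the test as written only errs toward scr_memmovew in some non-overlapping cases, but the mixed units should be fixed (`cp > nr * 2`) or explained in a comment. cp is also declared `unsigned short` although the expression includes `unsigned int nr` and was previously passed to scr_memcpyw without narrowing; `unsigned int` would avoid the truncation question. Calling scr_memmovew unconditionally would remove the branch altogether, and the unchanged scr_memsetw line still recomputes `vc->vc_cols - vc->state.x - nr` instead of reusing the new variable.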
--
2.17.1
On Mon, Jun 27, 2022 at 06:29:40PM +0800, Yangxi Xiang wrote:
> A memory overlapping copy occurs when deleting a long line. Fix it by
> using scr_memmovew.
>
> Signed-off-by: Yangxi Xiang <xyangxi5@gmail.com>

What commit does this fix? how was this tested?

thanks,

greg k-h

> What commit does this fix? how was this tested?

This bug is triggered by running a dynamic analysis on the kernel,
with the help of sanitizer to observe this bug. This memory
overlapping copy can cause data corruption when scr_memcpyw is
optimized to memcpy because memcpy does not ensure its behavior if
the destination buffer overlaps with the source buffer.

Yangxi Xiang

On Mon, Jun 27, 2022 at 07:04:17PM +0800, Yangxi Xiang wrote:
> > What commit does this fix? how was this tested?
>
> This bug is triggered by running a dynamic analysis on the kernel,
> with the help of sanitizer to observe this bug. This memory
> overlapping copy can cause data corruption when scr_memcpyw is
> optimized to memcpy because memcpy does not ensure its behavior if
> the destination buffer overlaps with the source buffer.

And what commit id does this fix, or has it always been broken?

thanks,

greg k-h

> And what commit id does this fix, or has it always been broken?

It fixes the commit 81732c3 (tty vt: Fix line garbage in virtual
console on command line edition). The line buffer is not always
broken, because the memcpy utilized the hardware acceleration, whose
result is not deterministic. I fix this issue by replacing the
scr_memcpyw with scr_memmovew used in insert_char, and preserving the
memcpy optimization when the buffers are not overlapping.

Yangxi Xiang

On Mon, Jun 27, 2022 at 07:40:16PM +0800, Yangxi Xiang wrote:
> > And what commit id does this fix, or has it always been broken?
>
> It fixes the commit 81732c3 (tty vt: Fix line garbage in virtual
> console on command line edition). The line buffer is not always
> broken, because the memcpy utilized the hardware acceleration, whose
> result is not deterministic. I fix this issue by replacing the
> scr_memcpyw with scr_memmovew used in insert_char, and preserving the
> memcpy optimization when the buffers are not overlapping.

Great, can you please resend the patch with that information all in it,
and the proper Fixes: line tag added?

thanks,

greg k-h
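
An added example, not part of the thread or of the kernel source: a userspace C model of the copy in delete_char, showing when the source and destination ranges overlap, that the patch's `cp > nr` test selects the overlap-safe copy in every overlapping case, and the row produced by a memmove-based shift. All function names and the sample row are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed userspace model; names are hypothetical, not kernel API.
 * Copying `cells` 16-bit cells from p + nr down to p overlaps when the
 * destination [p, p + cells) reaches the source start p + nr. */
static int copy_overlaps(size_t cells, size_t nr) { return cells > nr; }
/* The patch's test: cp is a byte count (cells * 2), nr is a cell count. */
static int patch_picks_memmove(size_t cells, size_t nr) { return cells * 2 > nr; }
/* 1 if the patch's test selects memmove for every overlapping case up to max. */
static int patch_covers_overlap(size_t max)
{
    for (size_t cells = 0; cells <= max; cells++)
        for (size_t nr = 0; nr <= max; nr++)
            if (copy_overlaps(cells, nr) && !patch_picks_memmove(cells, nr))
                return 0;
    return 1;
}

/* Delete nr cells at column x; returns cells shifted. Clamping is the model's own. */
static size_t delete_cells(uint16_t *row, size_t cols, size_t x, size_t nr, uint16_t erase)
{
    if (x >= cols) return 0;
    if (nr > cols - x) nr = cols - x;
    size_t cells = cols - x - nr;
    memmove(row + x, row + x + nr, cells * sizeof(*row)); /* overlap-safe */
    for (size_t i = 0; i < nr; i++) row[x + cells + i] = erase;
    return cells;
}

/* Constructed sample: "ABCDEFGH", cursor at column 1, delete 2 cells. */
static size_t demo(char out[9])
{
    uint16_t row[8];
    for (size_t i = 0; i < 8; i++) row[i] = (uint16_t)"ABCDEFGH"[i];
    size_t moved = delete_cells(row, 8, 1, 2, ' ');
    for (size_t i = 0; i < 8; i++) out[i] = (char)row[i];
    out[8] = '\0';
    return moved;
}

int main(void)
{
    char out[9];
    size_t moved = demo(out);
    printf("%zu cells moved, row is now \"%s\"\n", moved, out);
    return 0;
}
```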