[PATCH (?)] vt: fix possible memory corruption in complement_pos

Hi.

In the file drivers/char/vt.c the function complement_pos (used byselection: complement pointer position) saves the memory position ofprevious pointer position. If, between 2 successive calls of thisfunction, the memory location of the screen has changed (e.g. the windowhas been resized), the old pointer position is invalid, and, if thismemory position has been allocated by another kernel data, this data maybe corrupted since this function will try to restore the previous data.

I don't know if this is the right approach, but this patch will solvethis bug.

--- linux-2.6.12-rc4-mm2.orig/drivers/char/vt.c 2005-05-2512:04:54.000000000 -0300+++ linux-2.6.12-rc4-mm2/drivers/char/vt.c 2005-05-2512:36:20.000000000 -0300

@@ -434,21 +434,21 @@ void invert_screen(struct vc_data *vc, i
/* used by selection: complement pointer position */
void complement_pos(struct vc_data *vc, int offset)
{
-       static unsigned short *p;
+       static int old_offset=-1;
       static unsigned short old;
       static unsigned short oldx, oldy;

       WARN_CONSOLE_UNLOCKED();

-       if (p) {
-               scr_writew(old, p);
+       if (old_offset!=-1) {
+               scr_writew(old, screenpos(vc, old_offset, 1));
               if (DO_UPDATE(vc))
                       vc->vc_sw->con_putc(vc, old, oldy, oldx);
       }
-       if (offset == -1)
-               p = NULL;
-       else {
+       old_offset=offset;
+       if (offset != -1) {
               unsigned short new;
+               unsigned short *p;
               p = screenpos(vc, offset, 1);
               old = scr_readw(p);
               new = old ^ vc->vc_complement_mask;

--- linux-2.6.12-rc4-mm2.orig/drivers/char/vt.c	2005-05-25 12:04:54.000000000 -0300
+++ linux-2.6.12-rc4-mm2/drivers/char/vt.c	2005-05-25 12:36:20.000000000 -0300
@@ -434,21 +434,21 @@ void invert_screen(struct vc_data *vc, i
 /* used by selection: complement pointer position */
 void complement_pos(struct vc_data *vc, int offset)
 {
-	static unsigned short *p;
+	static int old_offset=-1;
 	static unsigned short old;
 	static unsigned short oldx, oldy;
 
 	WARN_CONSOLE_UNLOCKED();
 
-	if (p) {
-		scr_writew(old, p);
+	if (old_offset!=-1) {
+		scr_writew(old, screenpos(vc, old_offset, 1));
 		if (DO_UPDATE(vc))
 			vc->vc_sw->con_putc(vc, old, oldy, oldx);
 	}
-	if (offset == -1)
-		p = NULL;
-	else {
+	old_offset=offset;
+	if (offset != -1) {
 		unsigned short new;
+		unsigned short *p;
 		p = screenpos(vc, offset, 1);
 		old = scr_readw(p);
 		new = old ^ vc->vc_complement_mask;

Prev by Date: Requesting PREEMPT_RT talk at OLS
Next by Date: Re: initramfs
Previous by thread: Requesting PREEMPT_RT talk at OLS
Next by thread: Error while reading /proc/acpi/battery/BAT1/state
Index(es):
- Date
- Thread

[Index of Archives] [Kernel Newbies] [Netfilter] [Bugtraq] [Photo] [Stuff] [Gimp] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Video 4 Linux] [Linux for the blind] [Linux Resources]