Commit a564738c authored by Wolfgang Kroworsch's avatar Wolfgang Kroworsch Committed by Linus Torvalds

vt: incomplete initialization of vc_tab_stop

Problem 1 (see patch below):
  vc_tab_stop is declared as an array of 8 unsigned ints in struct
  vc_data in include/linux/console_struct.h .
  In drivers/char/vt.c only 5 of these 8 unsigned ints get initialized
  leading to unintended tabulator placement on displays with more than
  160 columns text.

Problem 2 (open):
  Upcoming displays will have more than 256 columns of text leading to
  invalid memory access in drivers/char/vt.c during tabulator
  calculations:
    if (vc->vc_tab_stop[vc->vc_x >> 5] & (1 << (vc->vc_x & 31)))
	break;
Signed-off-by: Wolfgang Kroworsch <wolfgang@kroworsch.de>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
parent 2197d18d
...@@ -1644,7 +1644,10 @@ static void reset_terminal(struct vc_data *vc, int do_clear) ...@@ -1644,7 +1644,10 @@ static void reset_terminal(struct vc_data *vc, int do_clear)
vc->vc_tab_stop[1] = vc->vc_tab_stop[1] =
vc->vc_tab_stop[2] = vc->vc_tab_stop[2] =
vc->vc_tab_stop[3] = vc->vc_tab_stop[3] =
vc->vc_tab_stop[4] = 0x01010101; vc->vc_tab_stop[4] =
vc->vc_tab_stop[5] =
vc->vc_tab_stop[6] =
vc->vc_tab_stop[7] = 0x01010101;
vc->vc_bell_pitch = DEFAULT_BELL_PITCH; vc->vc_bell_pitch = DEFAULT_BELL_PITCH;
vc->vc_bell_duration = DEFAULT_BELL_DURATION; vc->vc_bell_duration = DEFAULT_BELL_DURATION;
...@@ -1935,7 +1938,10 @@ static void do_con_trol(struct tty_struct *tty, struct vc_data *vc, int c) ...@@ -1935,7 +1938,10 @@ static void do_con_trol(struct tty_struct *tty, struct vc_data *vc, int c)
vc->vc_tab_stop[1] = vc->vc_tab_stop[1] =
vc->vc_tab_stop[2] = vc->vc_tab_stop[2] =
vc->vc_tab_stop[3] = vc->vc_tab_stop[3] =
vc->vc_tab_stop[4] = 0; vc->vc_tab_stop[4] =
vc->vc_tab_stop[5] =
vc->vc_tab_stop[6] =
vc->vc_tab_stop[7] = 0;
} }
return; return;
case 'm': case 'm':
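Review bot: Both sites (reset_terminal and the tab-clearing branch of do_con_trol) still list the array elements by hand, which is the pattern that left elements 5–7 unset before this commit; if vc_tab_stop is resized for the wider displays described as Problem 2, the same gap would reappear silently. Tie the initialisation to the declared size instead: in do_con_trol, `memset(vc->vc_tab_stop, 0, sizeof(vc->vc_tab_stop));`, and in reset_terminal a loop such as `for (i = 1; i < ARRAY_SIZE(vc->vc_tab_stop); i++) vc->vc_tab_stop[i] = 0x01010101;`. The assignment to element 0 presumably sits just above each hunk, and both functions start and end outside the visible lines, so confirm the bounds against how element 0 is set. A short comment at each site, for example `/* one bit per column; covers sizeof(vc_tab_stop) * 8 columns */`, would record the column limit that the `vc->vc_x >> 5` lookups depend on.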