Jiri Slaby fc7b92
From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= <linux@weissschuh.net>
Date: Mon, 20 Feb 2023 06:46:12 +0000
Subject: [PATCH] vc_screen: don't clobber return value in vcs_read
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
References: bsc#1012628
Patch-mainline: 6.2.2
Git-commit: ae3419fbac845b4d3f3a9fae4cc80c68d82cdf6e
commit ae3419fbac845b4d3f3a9fae4cc80c68d82cdf6e upstream.
Commit 226fae124b2d ("vc_screen: move load of struct vc_data pointer in
vcs_read() to avoid UAF") moved the call to vcs_vc() into the loop.
While doing this it also moved the unconditional assignment of
	ret = -ENXIO;
This unconditional assignment was valid outside the loop but within it
it clobbers the actual value of ret.
To avoid this only assign "ret = -ENXIO" when actually needed.
[ Also, the "goto unlock_out" needs to be just a "break", so that it
  does the right thing when it exits on later iterations when partial
  success has happened - Linus ]
Reported-by: Storm Dragon <stormdragon2976@gmail.com>
Link: https://lore.kernel.org/lkml/Y%2FKS6vdql2pIsCiI@hotmail.com/
Fixes: 226fae124b2d ("vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF")
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Link: https://lore.kernel.org/lkml/64981d94-d00c-4b31-9063-43ad0a384bde@t-8ch.de/
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/tty/vt/vc_screen.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/tty/vt/vc_screen.c b/drivers/tty/vt/vc_screen.c
index f566eb18..71e091f8 100644
--- a/drivers/tty/vt/vc_screen.c
+++ b/drivers/tty/vt/vc_screen.c
@@ -403,10 +403,11 @@ vcs_read(struct file *file, char __user *buf, size_t count, loff_t *ppos)
 		unsigned int this_round, skip = 0;
 		int size;
 
-		ret = -ENXIO;
 		vc = vcs_vc(inode, &viewed);
-		if (!vc)
-			goto unlock_out;
+		if (!vc) {
+			ret = -ENXIO;
+			break;
+		}
 
 		/* Check whether we are above size each round,
 		 * as copy_to_user at the end of this loop
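Review bot: In the new `if (!vc)` block, the reason for using `break` instead of `goto unlock_out` lives only in the commit message (exiting correctly on a later iteration after partial success); a one-line comment above the `break` would keep that intent visible in the code and guard against someone restoring the goto. Two things this hunk does not show and that are worth confirming before merge: that the code after the loop returns the count already copied in preference to `ret = -ENXIO` when earlier iterations succeeded, and that `ret` still holds a defined value on every path now that the per-iteration `ret = -ENXIO;` assignment is removed.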
-- 
2.35.3