redonkable
/
alistair23-linux
1
0
Fork 0
Code Releases Activity
alistair23-linux/drivers/tty/vt
History
Jiri Slaby 87d398f348 vt: keyboard, extend func_buf_lock to readers 
commit 82e61c3909 upstream.

Both read-side users of func_table/func_buf need locking. Without that,
one can easily confuse the code by repeatedly setting altering strings
like:
while (1)
	for (a = 0; a < 2; a++) {
		struct kbsentry kbs = {};
		strcpy((char *)kbs.kb_string, a ? ".\n" : "88888\n");
		ioctl(fd, KDSKBSENT, &kbs);
	}

When that program runs, one can get unexpected output by holding F1
(note the unxpected period on the last line):
.
88888
.8888

So protect all accesses to 'func_table' (and func_buf) by preexisting
'func_buf_lock'.

It is easy in 'k_fn' handler as 'puts_queue' is expected not to sleep.
On the other hand, KDGKBSENT needs a local (atomic) copy of the string
because copy_to_user can sleep. Use already allocated, but unused
'kbs->kb_string' for that purpose.

Note that the program above needs at least CAP_SYS_TTY_CONFIG.

This depends on the previous patch and on the func_buf_lock lock added
in commit 46ca3f735f (tty/vt: fix write/write race in ioctl(KDSKBSENT)
handler) in 5.2.

Likely fixes CVE-2020-25656.

Cc: <stable@vger.kernel.org>
Reported-by: Minh Yuan <yuanmingbuaa@gmail.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Link: https://lore.kernel.org/r/20201019085517.10176-2-jslaby@suse.cz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 		2020-11-05 11:43:29 +01:00
..
.gitignore tty: fix up a few remaining files without SPDX identifiers 2019-04-04 18:48:43 +02:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
consolemap.c tty/vt: avoid high order pages allocation on GIO_UNIMAP ioctl 2019-04-16 15:21:34 +02:00
cp437.uni tty: fix up a few remaining files without SPDX identifiers 2019-04-04 18:48:43 +02:00
defkeymap.c_shipped tty: fix up a few remaining files without SPDX identifiers 2019-04-04 18:48:43 +02:00
defkeymap.map tty: fix up a few remaining files without SPDX identifiers 2019-04-04 18:48:43 +02:00
keyboard.c vt: keyboard, extend func_buf_lock to readers 2020-11-05 11:43:29 +01:00
selection.c vt: selection, introduce vc_is_sel 2020-04-02 15:11:00 +02:00
vc_screen.c vcs: prevent write access to vcsu devices 2019-12-13 08:43:22 +01:00
vt.c vt: defer kfree() of vc_screenbuf in vc_do_resize() 2020-09-03 11:27:03 +02:00
vt_ioctl.c vt_ioctl: change VT_RESIZEX ioctl to check for error return from vc_resize() 2020-09-03 11:27:03 +02:00