Re: [PATCH 3/3] vt: keyboard, extend func_buf_lock to readers

From: Greg KH
Date: Fri Oct 16 2020 - 09:20:16 EST


On Fri, Oct 16, 2020 at 02:24:12PM +0200, Jiri Slaby wrote:
> Both read-side users of func_table/func_buf need locking. Without that,
> one can easily confuse the code by repeatedly setting altering strings
> like:
> while (1)
> for (a = 0; a < 2; a++) {
> struct kbsentry kbs = {};
> strcpy((char *)kbs.kb_string, a ? ".\n" : "88888\n");
> ioctl(fd, KDSKBSENT, &kbs);
> }
>
> When that program runs, one can get unexpected output by holding F1
> (note the unxpected period on the last line):
> .
> 88888
> .8888
>
> So protect all accesses to 'func_table' (and func_buf) by preexisting
> 'func_buf_lock'.
>
> It is easy in 'k_fn' handler as 'puts_queue' is expected not to sleep.
> On the other hand, KDGKBSENT needs a local (atomic) copy of the string
> because copy_to_user can sleep.
>
> Likely fixes CVE-2020-25656.
>
> Signed-off-by: Jiri Slaby <jslaby@xxxxxxx>
> Reported-by: Minh Yuan <yuanmingbuaa@xxxxxxxxx>
> ---
> drivers/tty/vt/keyboard.c | 26 +++++++++++++++++++++-----
> 1 file changed, 21 insertions(+), 5 deletions(-)

So all 3 of these should go to 5.10-final?

thanks,

greg k-h