Re: [PATCH 3/3] vt: keyboard, extend func_buf_lock to readers

From: Jiri Slaby
Date: Mon Oct 19 2020 - 04:00:49 EST

Next message: Maxime Ripard: "Re: [PATCH] [v2] rtc: sun6i: Fix memleak in sun6i_rtc_clk_init"
Previous message: Joakim Zhang: "[PATCH V2 5/8] can: flexcan: add ECC initialization for VF610"
In reply to: Greg KH: "Re: [PATCH 3/3] vt: keyboard, extend func_buf_lock to readers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 16. 10. 20, 15:20, Greg KH wrote:

On Fri, Oct 16, 2020 at 02:24:12PM +0200, Jiri Slaby wrote:

Both read-side users of func_table/func_buf need locking. Without that,
one can easily confuse the code by repeatedly setting altering strings
like:
while (1)
for (a = 0; a < 2; a++) {
struct kbsentry kbs = {};
strcpy((char *)kbs.kb_string, a ? ".\n" : "88888\n");
ioctl(fd, KDSKBSENT, &kbs);
}

When that program runs, one can get unexpected output by holding F1
(note the unxpected period on the last line):
.
88888
.8888

So protect all accesses to 'func_table' (and func_buf) by preexisting
'func_buf_lock'.

It is easy in 'k_fn' handler as 'puts_queue' is expected not to sleep.
On the other hand, KDGKBSENT needs a local (atomic) copy of the string
because copy_to_user can sleep.

Likely fixes CVE-2020-25656.

Signed-off-by: Jiri Slaby <jslaby@xxxxxxx>
Reported-by: Minh Yuan <yuanmingbuaa@xxxxxxxxx>
---
drivers/tty/vt/keyboard.c | 26 +++++++++++++++++++++-----
1 file changed, 21 insertions(+), 5 deletions(-)

So all 3 of these should go to 5.10-final?

Let me try to eliminate also patch 1/3 which I now think is possible.

--
js
suse labs

Next message: Maxime Ripard: "Re: [PATCH] [v2] rtc: sun6i: Fix memleak in sun6i_rtc_clk_init"
Previous message: Joakim Zhang: "[PATCH V2 5/8] can: flexcan: add ECC initialization for VF610"
In reply to: Greg KH: "Re: [PATCH 3/3] vt: keyboard, extend func_buf_lock to readers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]