| Message ID | 20201016122412.31767-3-jslaby@suse.cz |
|---|---|
| State | New |
| Headers | show |
| Series | None | expand |
On Fri, Oct 16, 2020 at 02:24:12PM +0200, Jiri Slaby wrote: > Both read-side users of func_table/func_buf need locking. Without that, > one can easily confuse the code by repeatedly setting altering strings > like: > while (1) > for (a = 0; a < 2; a++) { > struct kbsentry kbs = {}; > strcpy((char *)kbs.kb_string, a ? ".\n" : "88888\n"); > ioctl(fd, KDSKBSENT, &kbs); > } > > When that program runs, one can get unexpected output by holding F1 > (note the unxpected period on the last line): > . > 88888 > .8888 > > So protect all accesses to 'func_table' (and func_buf) by preexisting > 'func_buf_lock'. > > It is easy in 'k_fn' handler as 'puts_queue' is expected not to sleep. > On the other hand, KDGKBSENT needs a local (atomic) copy of the string > because copy_to_user can sleep. > > Likely fixes CVE-2020-25656. > > Signed-off-by: Jiri Slaby <jslaby@suse.cz> > Reported-by: Minh Yuan <yuanmingbuaa@gmail.com> > --- > drivers/tty/vt/keyboard.c | 26 +++++++++++++++++++++----- > 1 file changed, 21 insertions(+), 5 deletions(-) So all 3 of these should go to 5.10-final? thanks, greg k-h
On 16. 10. 20, 15:20, Greg KH wrote: > On Fri, Oct 16, 2020 at 02:24:12PM +0200, Jiri Slaby wrote: >> Both read-side users of func_table/func_buf need locking. Without that, >> one can easily confuse the code by repeatedly setting altering strings >> like: >> while (1) >> for (a = 0; a < 2; a++) { >> struct kbsentry kbs = {}; >> strcpy((char *)kbs.kb_string, a ? ".\n" : "88888\n"); >> ioctl(fd, KDSKBSENT, &kbs); >> } >> >> When that program runs, one can get unexpected output by holding F1 >> (note the unxpected period on the last line): >> . >> 88888 >> .8888 >> >> So protect all accesses to 'func_table' (and func_buf) by preexisting >> 'func_buf_lock'. >> >> It is easy in 'k_fn' handler as 'puts_queue' is expected not to sleep. >> On the other hand, KDGKBSENT needs a local (atomic) copy of the string >> because copy_to_user can sleep. >> >> Likely fixes CVE-2020-25656. >> >> Signed-off-by: Jiri Slaby <jslaby@suse.cz> >> Reported-by: Minh Yuan <yuanmingbuaa@gmail.com> >> --- >> drivers/tty/vt/keyboard.c | 26 +++++++++++++++++++++----- >> 1 file changed, 21 insertions(+), 5 deletions(-) > > So all 3 of these should go to 5.10-final? Let me try to eliminate also patch 1/3 which I now think is possible.
diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c index 68f9f6a62d02..68b1acc0074c 100644 --- a/drivers/tty/vt/keyboard.c +++ b/drivers/tty/vt/keyboard.c @@ -743,8 +743,13 @@ static void k_fn(struct vc_data *vc, unsigned char value, char up_flag) return; if ((unsigned)value < ARRAY_SIZE(func_table)) { + unsigned long flags; + + spin_lock_irqsave(&func_buf_lock, flags); if (func_table[value]) puts_queue(vc, func_table[value]); + spin_unlock_irqrestore(&func_buf_lock, flags); + } else pr_err("k_fn called with value=%d\n", value); } @@ -1991,7 +1996,7 @@ int vt_do_kdsk_ioctl(int cmd, struct kbentry __user *user_kbe, int perm, #undef s #undef v -/* FIXME: This one needs untangling and locking */ +/* FIXME: This one needs untangling */ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm) { char *kbs; @@ -2014,12 +2019,23 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm) switch (cmd) { case KDGKBSENT: { /* size should have been a struct member */ - unsigned char *from = func_table[i] ? : ""; + char *func_copy; + ssize_t len = sizeof(user_kdgkb->kb_string); - if (copy_to_user(user_kdgkb->kb_string, from, strlen(from) + 1)) - return -EFAULT; + func_copy = kmalloc(len, GFP_KERNEL); + if (!func_copy) + return -ENOMEM; - return 0; + spin_lock_irqsave(&func_buf_lock, flags); + len = strlcpy(func_copy, func_table[i] ? : "", len); + spin_unlock_irqrestore(&func_buf_lock, flags); + + ret = copy_to_user(user_kdgkb->kb_string, func_copy, len + 1) ? + -EFAULT : 0; + + kfree(func_copy); + + return ret; } case KDSKBSENT: if (!perm)
Both read-side users of func_table/func_buf need locking. Without that, one can easily confuse the code by repeatedly setting altering strings like: while (1) for (a = 0; a < 2; a++) { struct kbsentry kbs = {}; strcpy((char *)kbs.kb_string, a ? ".\n" : "88888\n"); ioctl(fd, KDSKBSENT, &kbs); } When that program runs, one can get unexpected output by holding F1 (note the unxpected period on the last line): . 88888 .8888 So protect all accesses to 'func_table' (and func_buf) by preexisting 'func_buf_lock'. It is easy in 'k_fn' handler as 'puts_queue' is expected not to sleep. On the other hand, KDGKBSENT needs a local (atomic) copy of the string because copy_to_user can sleep. Likely fixes CVE-2020-25656. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Reported-by: Minh Yuan <yuanmingbuaa@gmail.com> --- drivers/tty/vt/keyboard.c | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-)