From patchwork Tue Apr 18 12:21:16 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Greg Kroah-Hartman
X-Patchwork-Id: 675728
From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Javier Martinez Canillas, Maarten Lankhorst, Daniel Vetter, Alex Deucher, shlomo@fastmail.com, Michel Dänzer, Noralf Trønnes, Thomas Zimmermann, Maxime Ripard, David Airlie, Daniel Vetter, dri-devel@lists.freedesktop.org, Bartlomiej Zolnierkiewicz, Geert Uytterhoeven, Nathan Chancellor, Qiujun Huang, Peter Rosin, linux-fbdev@vger.kernel.org, Helge Deller, Sam Ravnborg, Geert Uytterhoeven, Samuel Thibault, Tetsuo Handa, Shigeru Yoshida
Subject: [PATCH 5.15 12/91] fbmem: Reject FB_ACTIVATE_KD_TEXT from userspace
Date: Tue, 18 Apr 2023 14:21:16 +0200
Message-Id: <20230418120305.975477545@linuxfoundation.org>
X-Mailer: git-send-email 2.40.0
In-Reply-To: <20230418120305.520719816@linuxfoundation.org>
References: <20230418120305.520719816@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Precedence: bulk
List-ID:
X-Mailing-List: linux-fbdev@vger.kernel.org

From: Daniel Vetter

commit 6fd33a3333c7916689b8f051a185defe4dd515b0 upstream.

This is an oversight from dc5bdb68b5b3 ("drm/fb-helper: Fix vt restore") - I failed to realize that nasty userspace could set this.

It's not pretty to mix up kernel-internal and userspace uapi flags like this, but since the entire fb_var_screeninfo structure is uapi we'd need to either add a new parameter to the ->fb_set_par callback and fb_set_par() function, which has a _lot_ of users. Or some other fairly ugly side-channel in fb_info. Neither is a pretty prospect.

Instead just correct the issue at hand by filtering out this kernel-internal flag in the ioctl handling code.

Reviewed-by: Javier Martinez Canillas
Acked-by: Maarten Lankhorst
Signed-off-by: Daniel Vetter Fixes: dc5bdb68b5b3 ("drm/fb-helper: Fix vt restore") Cc: Alex Deucher Cc: shlomo@fastmail.com Cc: Michel Dänzer Cc: Noralf Trønnes Cc: Thomas Zimmermann Cc: Daniel Vetter Cc: Maarten Lankhorst Cc: Maxime Ripard Cc: David Airlie Cc: Daniel Vetter Cc: dri-devel@lists.freedesktop.org Cc: # v5.7+ Cc: Bartlomiej Zolnierkiewicz Cc: Geert Uytterhoeven Cc: Nathan Chancellor Cc: Qiujun Huang Cc: Peter Rosin Cc: linux-fbdev@vger.kernel.org Cc: Helge Deller Cc: Sam Ravnborg Cc: Geert Uytterhoeven Cc: Samuel Thibault Cc: Tetsuo Handa Cc: Shigeru Yoshida Link: https://patchwork.freedesktop.org/patch/msgid/20230404193934.472457-1-daniel.vetter@ffwll.ch Signed-off-by: Greg Kroah-Hartman --- drivers/video/fbdev/core/fbmem.c | 2 ++ 1 file changed, 2 insertions(+) --- a/drivers/video/fbdev/core/fbmem.c +++ b/drivers/video/fbdev/core/fbmem.c @@ -1119,6 +1119,8 @@ static long do_fb_ioctl(struct fb_info * case FBIOPUT_VSCREENINFO: if (copy_from_user(&var, argp, sizeof(var))) return -EFAULT; + /* only for kernel-internal use */ + var.activate &= ~FB_ACTIVATE_KD_TEXT; console_lock(); lock_fb_info(info); ret = fbcon_modechange_possible(info, &var);
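
Review bot: In the FBIOPUT_VSCREENINFO case of do_fb_ioctl(), the added "var.activate &= ~FB_ACTIVATE_KD_TEXT;" silently clears the bit and lets the ioctl proceed, while the subject line says "Reject"; a caller that sets the flag gets no error. Either reword the subject to say the flag is filtered (which is what the commit message body describes), or return -EINVAL when the bit is set, and state which behaviour is intended. The comment "/* only for kernel-internal use */" does not name the flag or say why it is masked at this point; one more line noting that var has just come from copy_from_user() and that FB_ACTIVATE_KD_TEXT shares the uapi activate field with userspace-settable bits would make the reason for the mask clear to the next reader. Because the mask sits in this single ioctl case, it is also worth confirming that no other path that accepts a userspace fb_var_screeninfo reaches the mode-setting code without it.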