On 16. 10. 20, 15:20, Greg KH wrote:
On Fri, Oct 16, 2020 at 02:24:12PM +0200, Jiri Slaby wrote:Both read-side users of func_table/func_buf need locking. Without that, one can easily confuse the code by repeatedly setting altering strings like: while (1) for (a = 0; a < 2; a++) { struct kbsentry kbs = {}; strcpy((char *)kbs.kb_string, a ? ".\n" : "88888\n"); ioctl(fd, KDSKBSENT, &kbs); } When that program runs, one can get unexpected output by holding F1 (note the unxpected period on the last line): . 88888 .8888 So protect all accesses to 'func_table' (and func_buf) by preexisting 'func_buf_lock'. It is easy in 'k_fn' handler as 'puts_queue' is expected not to sleep. On the other hand, KDGKBSENT needs a local (atomic) copy of the string because copy_to_user can sleep. Likely fixes CVE-2020-25656. Signed-off-by: Jiri Slaby <jslaby@xxxxxxx> Reported-by: Minh Yuan <yuanmingbuaa@xxxxxxxxx> --- drivers/tty/vt/keyboard.c | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-)So all 3 of these should go to 5.10-final?
Let me try to eliminate also patch 1/3 which I now think is possible. -- js suse labs
