Patch "tty: vt: initialize unicode screen buffer" has been added to the 5.19-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Mon, 15 Aug 2022 02:01:23 -0400

This is a note to let you know that I've just added the patch titled

    tty: vt: initialize unicode screen buffer

to the 5.19-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     tty-vt-initialize-unicode-screen-buffer.patch
and it can be found in the queue-5.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 4ba55f6cee68a9d823d68a382f70be58049709e0
Author: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>
Date:   Tue Jul 19 14:49:39 2022 +0900

    tty: vt: initialize unicode screen buffer
    
    [ Upstream commit af77c56aa35325daa2bc2bed5c2ebf169be61b86 ]
    
    syzbot reports kernel infoleak at vcs_read() [1], for buffer can be read
    immediately after resize operation. Initialize buffer using kzalloc().
    
      ----------
      #include <fcntl.h>
      #include <unistd.h>
      #include <sys/ioctl.h>
      #include <linux/fb.h>
    
      int main(int argc, char *argv[])
      {
        struct fb_var_screeninfo var = { };
        const int fb_fd = open("/dev/fb0", 3);
        ioctl(fb_fd, FBIOGET_VSCREENINFO, &var);
        var.yres = 0x21;
        ioctl(fb_fd, FBIOPUT_VSCREENINFO, &var);
        return read(open("/dev/vcsu", O_RDONLY), &var, sizeof(var)) == -1;
      }
      ----------
    
    Link: https://syzkaller.appspot.com/bug?extid=31a641689d43387f05d3 [1]
    Cc: stable <stable@xxxxxxxxxxxxxxx>
    Reported-by: syzbot <syzbot+31a641689d43387f05d3@xxxxxxxxxxxxxxxxxxxxxxxxx>
    Reviewed-by: Jiri Slaby <jirislaby@xxxxxxxxxx>
    Signed-off-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>
    Link: https://lore.kernel.org/r/4ef053cf-e796-fb5e-58b7-3ae58242a4ad@xxxxxxxxxxxxxxxxxxx
    Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index dfc1f4b445f3..6eaf8eb84661 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -344,7 +344,7 @@ static struct uni_screen *vc_uniscr_alloc(unsigned int cols, unsigned int rows)
 	/* allocate everything in one go */
 	memsize = cols * rows * sizeof(char32_t);
 	memsize += rows * sizeof(char32_t *);
-	p = vmalloc(memsize);
+	p = vzalloc(memsize);
 	if (!p)
 		return NULL;
 






