On Tue, Jul 18, 2017 at 05:43:09PM +0200, gregkh@xxxxxxxxxxxxxxxxxxx wrote: > This is a note to let you know that I've just added the patch titled > > vt: fix unchecked __put_user() in tioclinux ioctls > > to the 4.12-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary ---- > From: Adam Borowski <kilobyte@xxxxxxxxxx> > > commit 6987dc8a70976561d22450b5858fc9767788cc1c upstream. > > Only read access is checked before this call. > > Actually, at the moment this is not an issue, as every in-tree arch does > the same manual checks for VERIFY_READ vs VERIFY_WRITE, relying on the MMU > to tell them apart, but this wasn't the case in the past and may happen > again on some odd arch in the future. > > If anyone cares about 3.7 and earlier, this is a security hole (untested) > on real 80386 CPUs. Note that this is a no-op on any modern kernel (>3.7), as on all architectures checking VERIFY_READ is exactly same as VERIFY_WRITE. I've submitted this patch for two reasons: * it makes getting rid of __put_user() easier * in case the distinction between VERIFY_READ and VERIFY_WRITE becomes used again at some point in the future Neither reason applies to stable kernels younger than 3.7. The patch doesn't hurt, though, so if rebasing to drop it would be even a notch more effort for you than keeping, it can stay. The only stable kernel that old still maintained is 3.2 (Ben Hutchings) -- it's _apparently_ a local root hole on real 80386 machines. By 80386 I mean only that exact chip and perhaps faithful clones, 486+ excluded. I have a strong feeling Ben doesn't give a damn about 80386 CPUs, considering that the distribution he cares about doesn't support that hardware for many, many years, and people rolling their own userspace or using an ancient distro don't quite use it for security-sensitive stuff either. > Signed-off-by: Adam Borowski <kilobyte@xxxxxxxxxx> > Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> > > --- > drivers/tty/vt/vt.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > --- a/drivers/tty/vt/vt.c > +++ b/drivers/tty/vt/vt.c > @@ -2709,13 +2709,13 @@ int tioclinux(struct tty_struct *tty, un > * related to the kernel should not use this. > */ > data = vt_get_shift_state(); > - ret = __put_user(data, p); > + ret = put_user(data, p); > break; > case TIOCL_GETMOUSEREPORTING: > console_lock(); /* May be overkill */ > data = mouse_reporting(); > console_unlock(); > - ret = __put_user(data, p); > + ret = put_user(data, p); > break; > case TIOCL_SETVESABLANK: > console_lock(); > @@ -2724,7 +2724,7 @@ int tioclinux(struct tty_struct *tty, un > break; > case TIOCL_GETKMSGREDIRECT: > data = vt_get_kmsg_redirect(); > - ret = __put_user(data, p); > + ret = put_user(data, p); > break; > case TIOCL_SETKMSGREDIRECT: > if (!capable(CAP_SYS_ADMIN)) { > > > Patches currently in stable-queue which might be from kilobyte@xxxxxxxxxx are > > queue-4.12/vt-fix-unchecked-__put_user-in-tioclinux-ioctls.patch Meow! -- ⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢠⠒⠀⣿⡁ A dumb species has no way to open a tuna can. ⢿⡄⠘⠷⠚⠋⠀ A smart species invents a can opener. ⠈⠳⣄⠀⠀⠀⠀ A master species delegates.