Re: [PATCH 4.17 16/46] vt: prevent leaking uninitialized data to userspace via /dev/vcs*

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



4.17-stable review patch. If anyone has any objections, please let me know.

------------------

From: Alexander Potapenko <glider@xxxxxxxxxx>

commit 21eff69aaaa0e766ca0ce445b477698dc6a9f55a upstream.

KMSAN reported an infoleak when reading from /dev/vcs*:

   BUG: KMSAN: kernel-infoleak in vcs_read+0x18ba/0x1cc0
   Call Trace:
   ...
    kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1253
    copy_to_user ./include/linux/uaccess.h:184
    vcs_read+0x18ba/0x1cc0 drivers/tty/vt/vc_screen.c:352
    __vfs_read+0x1b2/0x9d0 fs/read_write.c:416
    vfs_read+0x36c/0x6b0 fs/read_write.c:452
   ...
   Uninit was created at:
    kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279
    kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189
    kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315
    __kmalloc+0x13a/0x350 mm/slub.c:3818
    kmalloc ./include/linux/slab.h:517
    vc_allocate+0x438/0x800 drivers/tty/vt/vt.c:787
    con_install+0x8c/0x640 drivers/tty/vt/vt.c:2880
    tty_driver_install_tty drivers/tty/tty_io.c:1224
    tty_init_dev+0x1b5/0x1020 drivers/tty/tty_io.c:1324
    tty_open_by_driver drivers/tty/tty_io.c:1959
    tty_open+0x17b4/0x2ed0 drivers/tty/tty_io.c:2007
    chrdev_open+0xc25/0xd90 fs/char_dev.c:417
    do_dentry_open+0xccc/0x1440 fs/open.c:794
    vfs_open+0x1b6/0x2f0 fs/open.c:908
   ...
   Bytes 0-79 of 240 are uninitialized

Consistently allocating |vc_screenbuf| with kzalloc() fixes the problem

Reported-by: syzbot+17a8efdf800000@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Alexander Potapenko <glider@xxxxxxxxxx>
Cc: stable <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
  drivers/tty/vt/vt.c |    4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -784,7 +784,7 @@ int vc_allocate(unsigned int currcons)	/
  	if (!*vc->vc_uni_pagedir_loc)
  		con_set_default_unimap(vc);

-	vc->vc_screenbuf = kmalloc(vc->vc_screenbuf_size, GFP_KERNEL);
+	vc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_KERNEL);
  	if (!vc->vc_screenbuf)
  		goto err_free;

@@ -871,7 +871,7 @@ static int vc_do_resize(struct tty_struc

  	if (new_screen_size > (4 << 20))
  		return -EINVAL;
-	newscreen = kmalloc(new_screen_size, GFP_USER);
+	newscreen = kzalloc(new_screen_size, GFP_USER);
  	if (!newscreen)
  		return -ENOMEM;




Can't find the corresponding bug.




[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux