lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <Y7gGUPuoQ/vdGVl6@kroah.com>
Date:   Fri, 6 Jan 2023 12:30:24 +0100
From:   Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:     Hang Zhang <zh.nvgt@...il.com>
Cc:     Jiri Slaby <jirislaby@...nel.org>,
        Ilpo Järvinen <ilpo.jarvinen@...ux.intel.com>,
        Daniel Vetter <daniel.vetter@...ll.ch>,
        Yangxi Xiang <xyangxi5@...il.com>,
        Xuezhi Zhang <zhangxuezhi1@...lpad.com>,
        Helge Deller <deller@....de>,
        Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] tty: vt: add some NULL checks for vc_data

On Tue, Jan 03, 2023 at 10:01:15PM -0500, Hang Zhang wrote:
> On Tue, Jan 3, 2023 at 4:24 AM Jiri Slaby <jirislaby@...nel.org> wrote:
> >
> > On 29. 12. 22, 7:41, Hang Zhang wrote:
> > > vc_selection(), do_blank_screen() and scrollfront() all access "vc_data"
> > > structures obtained from the global "vc_cons[fg_console].d", which can
> > > be freed and nullified (e.g., in the error path of vc_allocate()). But
> > > these functions don't have any NULL checks against the pointers before
> > > dereferencing them, causing potentially use-after-free or null pointer
> > > dereference.
> >
> > Could you elaborate under what circumstances is fg_console set to a
> > non-allocated console?
> 
> Hi, Jiri, thank you for your reply! I am not a developer for tty
> subsystem, so the reasoning here is based on my best-effort code
> reading. Please correct me if I am wrong.
> 
> This patch is based on several observations:
> 
> (1) at the beginning of vc_selection() (where one NULL check is
> inserted in this patch), poke_blanked_console() is invoked, which
> explicitly checks whether "vc_cons[fg_console].d" is NULL, suggesting
> the possibility of "fg_console" associated with an unallocated console
> at this point. However, poke_blanked_console() returns "void", so
> even if "fg_console" is NULL, after returning to vc_selection(),
> it will just keep executing, resulting in the possible NULL pointer
> dereference later ("vc" in vc_selection() can be "vc_cons[fg_console].d"
> if called from set_selection_kernel()). So this patch actually tries
> to make the already existing NULL check take effect on the control
> flow (e.g., early return if NULL).

But again, how can that value ever be NULL?

And why are you returning "success" if it is?

> (2) a similar NULL check for "vc_cons[fg_console].d" can also be found
> in do_unblank_screen() ("if (!vc_cons_allocated(fg_console))") before
> accessing the corresponding "vc_data". I do notice that the NULL check
> has a comment "/* impossible */", but the check has not been removed so
> far. My guess is that there might still be a chance that it can be
> unallocated at that point.

Please verify that this really ever could be NULL or not.

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ