lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 28 Feb 2023 03:42:12 +0000
From:   Thomas Weißschuh <linux@...ssschuh.net>
To:     stable@...r.kernel.org
Cc:     Storm Dragon <stormdragon2976@...il.com>,
        Thomas Weißschuh <linux@...ssschuh.net>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        linux-kernel@...r.kernel.org
Subject: Please backport commit ae3419fbac84 ("vc_screen: don't clobber
 return value in vcs_read")

Hi,

please backport the following commit[0] to all stable releases that
contain the commit
226fae124b2d ("vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF")

Commit 46d733d0efc7 ("vc_screen: modify vcs_size() handling in vcs_read()") [1]
also tries to fix this commit but should not actually be necessary for a
proper fix. It may make sense to also backport for consistency.


commit ae3419fbac845b4d3f3a9fae4cc80c68d82cdf6e
Author: Thomas Weißschuh <linux@...ssschuh.net>
Date:   Mon Feb 20 06:46:12 2023 +0000

    vc_screen: don't clobber return value in vcs_read
    
    Commit 226fae124b2d ("vc_screen: move load of struct vc_data pointer in
    vcs_read() to avoid UAF") moved the call to vcs_vc() into the loop.
    
    While doing this it also moved the unconditional assignment of
    
            ret = -ENXIO;
    
    This unconditional assignment was valid outside the loop but within it
    it clobbers the actual value of ret.
    
    To avoid this only assign "ret = -ENXIO" when actually needed.
    
    [ Also, the 'goto unlock_out" needs to be just a "break", so that it
      does the right thing when it exits on later iterations when partial
      success has happened - Linus ]
    
    Reported-by: Storm Dragon <stormdragon2976@...il.com>
    Link: https://lore.kernel.org/lkml/Y%2FKS6vdql2pIsCiI@hotmail.com/
    Fixes: 226fae124b2d ("vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF")
    Signed-off-by: Thomas Weißschuh <linux@...ssschuh.net>
    Link: https://lore.kernel.org/lkml/64981d94-d00c-4b31-9063-43ad0a384bde@t-8ch.de/
    Signed-off-by: Linus Torvalds <torvalds@...ux-foundation.org>


Thanks,
Thomas

[0] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ae3419fbac845b4d3f3a9fae4cc80c68d82cdf6e
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=46d733d0efc79bc8430d63b57ab88011806d5180

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ