lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAHk-=whxC0ob3f--B-igBp34ujA5PZQMcTnDQ8Zh8HA7+ZbeWg@mail.gmail.com>
Date:   Mon, 27 Feb 2023 17:58:12 -0800
From:   Linus Torvalds <torvalds@...ux-foundation.org>
To:     linux@...ssschuh.net
Cc:     George Kennedy <george.kennedy@...cle.com>, jirislaby@...nel.org,
        gregkh@...uxfoundation.org, sfr@...b.auug.org.au,
        akpm@...ux-foundation.org, linux-kernel@...r.kernel.org,
        linux-serial@...r.kernel.org, regressions@...ts.linux.dev
Subject: Re: [PATCH v2] vc_screen: modify vcs_size() handling in vcs_read()

On Mon, Feb 27, 2023 at 5:46 PM <linux@...ssschuh.net> wrote:
>
> This still seems to be broken for me.

Looks that way.

> I still need the patch from
>
> https://lore.kernel.org/lkml/20230220064612.1783-1-linux@weissschuh.net/

.. and that has the same problem with "what if the error happens
during an iteration that wasn't the first, and we already succeeded
partially".

The "goto unlock_out" is bogus, since it jumps over all the "update
pos and check if we read something".

It was the correct thing to do *above* the loop, but not inside the loop.

IOW, I think the proper patch is to also turn the "goto unlock_out"
into a "break". Mind testing something like this (whitespace-damaged,
but you get the idea):

    --- a/drivers/tty/vt/vc_screen.c
    +++ b/drivers/tty/vt/vc_screen.c
    @@ -403,10 +403,11 @@ vcs_read(struct file *file, char __user
*buf, size_t count, loff_t *ppos)
                unsigned int this_round, skip = 0;
                int size;

    -           ret = -ENXIO;
                vc = vcs_vc(inode, &viewed);
    -           if (!vc)
    -                   goto unlock_out;
    +           if (!vc) {
    +                   ret = -ENXIO;
    +                   break;
    +           }

                /* Check whether we are above size each round,
                 * as copy_to_user at the end of this loop

which hopefully really fixes this (at least I don't see any other
"goto unlock_out" cases).

              Linus

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ