| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <8mT8aJsAQPfUnmI5mmsgbUweQAptUFDu5XqhrxPPI1DgJr7GPpbwrpQQW22Nj7fsBc5M5YKG8g0EceNQ_b3d-RPhk6RSQgGCqvaVzzWSIQw=@protonmail.com>
Date: Sat, 22 Nov 2025 07:28:00 +0000
From: Jari Ruusu <jariruusu@...tonmail.com>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: Sasha Levin <sashal@...nel.org>, "stable@...r.kernel.org" <stable@...r.kernel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, Zizhi Wo <wozizhi@...weicloud.com>
Subject: Re: [PATCH 6.12 000/565] 6.12.58-rc1 review
On Friday, November 21st, 2025 at 11:36, Greg Kroah-Hartman <gregkh@...uxfoundation.org> wrote:
> On Tue, Nov 11, 2025 at 06:38:21AM +0000, Jari Ruusu wrote:
> > Backporting upstream fixes that use guard() locking to older stable
> > branches that use old-school locking need "extra sports".
> >
> > Please consider dropping or fixing above mentioned patch.
>
> Can you provide a fixed up patch?
Below is small test program to poke /dev/console using
ioctl(VT_RESIZE) with deliberately bad parameters that
should trigger failed return status. Opening /dev/console
needs appropriate privileges.
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <linux/vt.h>
#include <sys/ioctl.h>
int main(int argc, char **argv)
{
int f, x, r;
struct vt_sizes s = { 40000, 40000, 0 };
if((f = open("/dev/console", O_RDONLY)) < 0) {
printf("open() failed\n");
exit(1);
}
for(x = 1; x <= 3; x++) {
printf("Starting ioctl(VT_RESIZE), try %d\n", x);
r = ioctl(f, VT_RESIZE, &s);
printf(" got status %d (expected -1)\n", r);
}
close(f);
exit(0);
}
On kernels that return proper failed status,
it plays like this:
| Starting ioctl(VT_RESIZE), try 1
| got status -1 (expected -1)
| Starting ioctl(VT_RESIZE), try 2
| got status -1 (expected -1)
| Starting ioctl(VT_RESIZE), try 3
| got status -1 (expected -1)
On kernels that return "incorrect success" status,
it plays like this:
| Starting ioctl(VT_RESIZE), try 1
| got status 0 (expected -1)
| Starting ioctl(VT_RESIZE), try 2
| got status 0 (expected -1)
| Starting ioctl(VT_RESIZE), try 3
| got status 0 (expected -1)
On kernels that return proper failed status but with
messed up console locking in error handling code path,
it locks up like this:
| Starting ioctl(VT_RESIZE), try 1
| got status -1 (expected -1)
| Starting ioctl(VT_RESIZE), try 2
After that, the console is FUBAR.
Below is a patch for 6.12.58+ and 6.17.8+ stable branches only.
Upstream does not need this.
Signed-off-by: Jari Ruusu <jariruusu@...tonmail.com>
Fixes: da7e8b382396 ("tty/vt: Add missing return value for VT_RESIZE in vt_ioctl()")
--- a/drivers/tty/vt/vt_ioctl.c
+++ b/drivers/tty/vt/vt_ioctl.c
@@ -924,8 +924,10 @@
if (vc) {
/* FIXME: review v tty lock */
ret = __vc_resize(vc_cons[i].d, cc, ll, true);
- if (ret)
+ if (ret) {
+ console_unlock();
return ret;
+ }
}
}
console_unlock();
--
Jari Ruusu 4096R/8132F189 12D6 4C3A DCDA 0AA4 27BD ACDF F073 3C80 8132 F189
Powered by blists - more mailing lists