summaryrefslogtreecommitdiff
path: root/drivers/tty/vt
AgeCommit message (Collapse)AuthorFilesLines
2021-05-26tty: vt: always invoke vc->vc_sw->con_resize callbackTetsuo Handa1-1/+1
commit ffb324e6f874121f7dce5bdae5e05d02baae7269 upstream. syzbot is reporting OOB write at vga16fb_imageblit() [1], for resize_screen() from ioctl(VT_RESIZE) returns 0 without checking whether requested rows/columns fit the amount of memory reserved for the graphical screen if current mode is KD_GRAPHICS. ---------- #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #include <sys/ioctl.h> #include <linux/kd.h> #include <linux/vt.h> int main(int argc, char *argv[]) { const int fd = open("/dev/char/4:1", O_RDWR); struct vt_sizes vt = { 0x4100, 2 }; ioctl(fd, KDSETMODE, KD_GRAPHICS); ioctl(fd, VT_RESIZE, &vt); ioctl(fd, KDSETMODE, KD_TEXT); return 0; } ---------- Allow framebuffer drivers to return -EINVAL, by moving vc->vc_mode != KD_GRAPHICS check from resize_screen() to fbcon_resize(). Link: https://syzkaller.appspot.com/bug?extid=1f29e126cf461c4de3b3 [1] Reported-by: syzbot <syzbot+1f29e126cf461c4de3b3@syzkaller.appspotmail.com> Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Tested-by: syzbot <syzbot+1f29e126cf461c4de3b3@syzkaller.appspotmail.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-05-26vt: Fix character height handling with VT_RESIZEXMaciej W. Rozycki1-3/+3
commit 860dafa902595fb5f1d23bbcce1215188c3341e6 upstream. Restore the original intent of the VT_RESIZEX ioctl's `v_clin' parameter which is the number of pixel rows per character (cell) rather than the height of the font used. For framebuffer devices the two values are always the same, because the former is inferred from the latter one. For VGA used as a true text mode device these two parameters are independent from each other: the number of pixel rows per character is set in the CRT controller, while font height is in fact hardwired to 32 pixel rows and fonts of heights below that value are handled by padding their data with blanks when loaded to hardware for use by the character generator. One can change the setting in the CRT controller and it will update the screen contents accordingly regardless of the font loaded. The `v_clin' parameter is used by the `vgacon' driver to set the height of the character cell and then the cursor position within. Make the parameter explicit then, by defining a new `vc_cell_height' struct member of `vc_data', set it instead of `vc_font.height' from `v_clin' in the VT_RESIZEX ioctl, and then use it throughout the `vgacon' driver except where actual font data is accessed which as noted above is independent from the CRTC setting. This way the framebuffer console driver is free to ignore the `v_clin' parameter as irrelevant, as it always should have, avoiding any issues attempts to give the parameter a meaning there could have caused, such as one that has led to commit 988d0763361b ("vt_ioctl: make VT_RESIZEX behave like VT_RESIZE"): "syzbot is reporting UAF/OOB read at bit_putcs()/soft_cursor() [1][2], for vt_resizex() from ioctl(VT_RESIZEX) allows setting font height larger than actual font height calculated by con_font_set() from ioctl(PIO_FONT). Since fbcon_set_font() from con_font_set() allocates minimal amount of memory based on actual font height calculated by con_font_set(), use of vt_resizex() can cause UAF/OOB read for font data." The problem first appeared around Linux 2.5.66 which predates our repo history, but the origin could be identified with the old MIPS/Linux repo also at: <git://git.kernel.org/pub/scm/linux/kernel/git/ralf/linux.git> as commit 9736a3546de7 ("Merge with Linux 2.5.66."), where VT_RESIZEX code in `vt_ioctl' was updated as follows: if (clin) - video_font_height = clin; + vc->vc_font.height = clin; making the parameter apply to framebuffer devices as well, perhaps due to the use of "font" in the name of the original `video_font_height' variable. Use "cell" in the new struct member then to avoid ambiguity. References: [1] https://syzkaller.appspot.com/bug?id=32577e96d88447ded2d3b76d71254fb855245837 [2] https://syzkaller.appspot.com/bug?id=6b8355d27b2b94fb5cedf4655e3a59162d9e48e3 Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org # v2.6.12+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-05-26vt_ioctl: Revert VT_RESIZEX parameter handling removalMaciej W. Rozycki1-10/+47
commit a90c275eb144c1b755f04769e1f29d832d6daeaf upstream. Revert the removal of code handling extra VT_RESIZEX ioctl's parameters beyond those that VT_RESIZE supports, fixing a functional regression causing `svgatextmode' not to resize the VT anymore. As a consequence of the reverted change when the video adapter is reprogrammed from the original say 80x25 text mode using a 9x16 character cell (720x400 pixel resolution) to say 80x37 text mode and the same character cell (720x592 pixel resolution), the VT geometry does not get updated and only upper two thirds of the screen are used for the VT, and the lower part remains blank. The proportions change according to text mode geometries chosen. Revert the change verbatim then, bringing back previous VT resizing. Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk> Fixes: 988d0763361b ("vt_ioctl: make VT_RESIZEX behave like VT_RESIZE") Cc: stable@vger.kernel.org # v5.10+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-05-12tty: fix memory leak in vc_deallocatePavel Skripkin1-0/+1
commit 211b4d42b70f1c1660feaa968dac0efc2a96ac4d upstream. syzbot reported memory leak in tty/vt. The problem was in VT_DISALLOCATE ioctl cmd. After allocating unimap with PIO_UNIMAP it wasn't freed via VT_DISALLOCATE, but vc_cons[currcons].d was zeroed. Reported-by: syzbot+bcc922b19ccc64240b42@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin <paskripkin@gmail.com> Cc: stable <stable@vger.kernel.org> Link: https://lore.kernel.org/r/20210327214443.21548-1-paskripkin@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-02-09vt_ioctl: Remove in_interrupt() checkAhmed S. Darwish1-2/+1
reset_vc() uses a "!in_interrupt()" conditional before resetting the palettes, which is a blocking operation. Since commit 8b6312f4dcc1e ("[PATCH] vt: refactor console SAK processing") all calls are invoked from a workqueue process context, with the blocking console lock always acquired. Remove the "!in_interrupt()" check. Signed-off-by: Ahmed S. Darwish <a.darwish@linutronix.de> Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Link: https://lore.kernel.org/r/20210208181615.381861-2-bigeasy@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-01-27vt: keyboard, use new API for keyboard_taskletEmil Renner Berthing1-3/+3
This converts the keyboard_tasklet to use the new API in commit 12cc923f1ccc ("tasklet: Introduce new initialization API") The new API changes the argument passed to the callback function, but fortunately the argument isn't used so it is straight forward to use DECLARE_TASKLET_DISABLED() rather than DECLARE_TASKLET_DISABLED_OLD(). Signed-off-by: Emil Renner Berthing <kernel@esmil.dk> Link: https://lore.kernel.org/r/20210127164222.13220-1-kernel@esmil.dk Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-01-07vt: drop old FONT ioctlsJiri Slaby2-187/+3
Drop support for these ioctls: * PIO_FONT, PIO_FONTX * GIO_FONT, GIO_FONTX * PIO_FONTRESET As was demonstrated by commit 90bfdeef83f1 (tty: make FONTX ioctl use the tty pointer they were actually passed), these ioctls are not used from userspace, as: 1) they used to be broken (set up font on current console, not the open one) and racy (before the commit above) 2) KDFONTOP ioctl is used for years instead Note that PIO_FONTRESET is defunct on most systems as VGA_CONSOLE is set on them for ages. That turns on BROKEN_GRAPHICS_PROGRAMS which makes PIO_FONTRESET just return an error. We are removing KD_FONT_FLAG_OLD here as it was used only by these removed ioctls. kd.h header exists both in kernel and uapi headers, so we can remove the kernel one completely. Everyone includeing kd.h will now automatically get the uapi one. There are now unused definitions of the ioctl numbers and "struct consolefontdesc" in kd.h, but as it is a uapi header, I am not touching these. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20210105120239.28031-8-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-01-07vt/consolemap: do font sum unsignedJiri Slaby1-1/+1
The constant 20 makes the font sum computation signed which can lead to sign extensions and signed wraps. It's not much of a problem as we build with -fno-strict-overflow. But if we ever decide not to, be ready, so switch the constant to unsigned. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20210105120239.28031-7-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-01-07vt: keyboard, defkeymap.c_shipped, approach the unicode tableJiri Slaby1-34/+34
Commit 5ce2087ed0eb (Fix default compose table initialization) fixed unicode table so that the values are not sign extended. The upstream (kbd package) chose a different approach. They use hexadecimal values. So use the same, so that the output of loadkeys and our shipped file correspond more to each other. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20210105120239.28031-4-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-01-07vt: keyboard, defkeymap.c_shipped, approach the definitionsJiri Slaby1-7/+7
loadkeys (from kbd) generates 'unsigned short' instead of 'u_short' since 2.0.3. It also marks maps as 'static' for longer than kbd's history. So adapt the shipped defkeymap.c to conform more to loadkeys output. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20210105120239.28031-3-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-01-07vt: keyboard, make keyboard_tasklet localJiri Slaby1-2/+3
Now that the last extern user of the tasklet (set_leds) is in keyboard.c, we can make keyboard_tasklet local to this unit too. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20210105120239.28031-2-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-01-07vt: move set_leds to keyboard.cJiri Slaby2-3/+11
set_leds and compute_shiftstate are called from a single place in vt.c. Let's combine these two into vt_set_leds_compute_shiftstate. This allows for making keyboard_tasklet local in the next patch. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20210105120239.28031-1-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-12-09tty: Fix whitespace inconsistencies in vt_io_ioctlYan.Gao1-2/+2
Replaces spaces with tabs for indentation. Signed-off-by: Yan.Gao <gao.yanB@h3c.com> Link: https://lore.kernel.org/r/20201209030551.48029-1-gao.yanB@h3c.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-11-12vt: keyboard, make use of assign_bit() APIAndy Shevchenko1-4/+1
We have for some time the assign_bit() API to replace open coded if (foo) set_bit(n, bar); else clear_bit(n, bar); Use this API in VT keyboard library code. Acked-by: Jiri Slaby <jirislaby@kernel.org> Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Link: https://lore.kernel.org/r/20201109105601.47159-3-andriy.shevchenko@linux.intel.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-11-12vt: keyboard, replace numbers with \r, \n where appropriateAndy Shevchenko1-3/+3
Instead of 10, 13 use \n, \r respectively. Acked-by: Jiri Slaby <jirislaby@kernel.org> Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Link: https://lore.kernel.org/r/20201109105601.47159-2-andriy.shevchenko@linux.intel.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-11-12vt: keyboard, use BIT() macro instead of open coded variantsAndy Shevchenko1-13/+13
There are few places when BIT() macro is suitable and makes code easier to understand. Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Link: https://lore.kernel.org/r/20201109105601.47159-1-andriy.shevchenko@linux.intel.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-11-09Merge 5.10-rc3 into tty-nextGreg Kroah-Hartman2-39/+21
We need the TTY/vt/serial fixes in here as well. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-11-08Merge tag 'tty-5.10-rc3' of ↵Linus Torvalds1-22/+2
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty Pull tty/serial fixes from Greg KH: "Here are a small number of small tty and serial fixes for some reported problems for the tty core, vt code, and some serial drivers. They include fixes for: - a buggy and obsolete vt font ioctl removal - 8250_mtk serial baudrate runtime warnings - imx serial earlycon build configuration fix - txx9 serial driver error path cleanup issues - tty core fix in release_tty that can be triggered by trying to bind an invalid serial port name to a speakup console device Almost all of these have been in linux-next without any problems, the only one that hasn't, just deletes code :)" * tag 'tty-5.10-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: vt: Disable KD_FONT_OP_COPY tty: fix crash in release_tty if tty->port is not set serial: txx9: add missing platform_driver_unregister() on error in serial_txx9_init tty: serial: imx: enable earlycon by default if IMX_SERIAL_CONSOLE is enabled serial: 8250_mtk: Fix uart_get_baud_rate warning
2020-11-08vt: Disable KD_FONT_OP_COPYDaniel Vetter1-22/+2
It's buggy: On Fri, Nov 06, 2020 at 10:30:08PM +0800, Minh Yuan wrote: > We recently discovered a slab-out-of-bounds read in fbcon in the latest > kernel ( v5.10-rc2 for now ). The root cause of this vulnerability is that > "fbcon_do_set_font" did not handle "vc->vc_font.data" and > "vc->vc_font.height" correctly, and the patch > <https://lkml.org/lkml/2020/9/27/223> for VT_RESIZEX can't handle this > issue. > > Specifically, we use KD_FONT_OP_SET to set a small font.data for tty6, and > use KD_FONT_OP_SET again to set a large font.height for tty1. After that, > we use KD_FONT_OP_COPY to assign tty6's vc_font.data to tty1's vc_font.data > in "fbcon_do_set_font", while tty1 retains the original larger > height. Obviously, this will cause an out-of-bounds read, because we can > access a smaller vc_font.data with a larger vc_font.height. Further there was only one user ever. - Android's loadfont, busybox and console-tools only ever use OP_GET and OP_SET - fbset documentation only mentions the kernel cmdline font: option, not anything else. - systemd used OP_COPY before release 232 published in Nov 2016 Now unfortunately the crucial report seems to have gone down with gmane, and the commit message doesn't say much. But the pull request hints at OP_COPY being broken https://github.com/systemd/systemd/pull/3651 So in other words, this never worked, and the only project which foolishly every tried to use it, realized that rather quickly too. Instead of trying to fix security issues here on dead code by adding missing checks, fix the entire thing by removing the functionality. Note that systemd code using the OP_COPY function ignored the return value, so it doesn't matter what we're doing here really - just in case a lone server somewhere happens to be extremely unlucky and running an affected old version of systemd. The relevant code from font_copy_to_all_vcs() in systemd was: /* copy font from active VT, where the font was uploaded to */ cfo.op = KD_FONT_OP_COPY; cfo.height = vcs.v_active-1; /* tty1 == index 0 */ (void) ioctl(vcfd, KDFONTOP, &cfo); Note this just disables the ioctl, garbage collecting the now unused callbacks is left for -next. v2: Tetsuo found the old mail, which allowed me to find it on another archive. Add the link too. Acked-by: Peilin Ye <yepeilin.cs@gmail.com> Reported-by: Minh Yuan <yuanmingbuaa@gmail.com> References: https://lists.freedesktop.org/archives/systemd-devel/2016-June/036935.html References: https://github.com/systemd/systemd/pull/3651 Cc: Greg KH <greg@kroah.com> Cc: Peilin Ye <yepeilin.cs@gmail.com> Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com> Link: https://lore.kernel.org/r/20201108153806.3140315-1-daniel.vetter@ffwll.ch Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-11-06tty: vt: consolemap: Demote weakly documented function headerLee Jones1-2/+1
Fixes the following W=1 kernel build warning(s): drivers/tty/vt/consolemap.c:739: warning: Function parameter or member 'ct' not described in 'con_get_unimap' drivers/tty/vt/consolemap.c:739: warning: Function parameter or member 'uct' not described in 'con_get_unimap' drivers/tty/vt/consolemap.c:739: warning: Function parameter or member 'list' not described in 'con_get_unimap' Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Jiri Slaby <jirislaby@kernel.org> Cc: Jakub Jelinek <jj@ultra.linux.cz> Cc: Stanislav Voronyi <stas@cnti.uanet.kharkov.ua> Signed-off-by: Lee Jones <lee.jones@linaro.org> Link: https://lore.kernel.org/r/20201104193549.4026187-10-lee.jones@linaro.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-11-04vt: keyboard, use tty_insert_flip_string in puts_queueJiri Slaby1-5/+2
'puts_queue' currently loops over characters and employs the full tty buffer machinery for every character. Do the buffer allocation only once and copy all the character at once. This is achieved using tty_insert_flip_string instead of loop+tty_insert_flip_char. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20201029113222.32640-17-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-11-04vt: keyboard, use find_next_bit in kbd_matchJiri Slaby1-8/+6
Instead of a 'for' loop with 'test_bit's to find a bit in a range, use find_next_bit to achieve the same in a simpler and faster manner. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20201029113222.32640-16-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-11-04vt: keyboard, make HW_RAW a functionJiri Slaby1-6/+16
Instead of a multiline macro, convert HW_RAW to an inline function. It allows for type checking of the parameter. And given we split the code into two tests, it is now more readable too. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20201029113222.32640-15-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-11-04vt: keyboard, union perm checks in vt_do_kdgkb_ioctlJiri Slaby1-4/+1
Do the permission check on a single place. That is where perm is really checked. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20201029113222.32640-14-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-11-04vt: keyboard, extract and simplify vt_kdskbsentJiri Slaby1-79/+23
Setting of function key strings is now very complex. It uses a global buffer 'func_buf' which is prefilled in defkeymap.c_shipped. Then there is also an index table called 'func_table'. So initially, we have something like this: char func_buf[] = "\e[[A\0" // for F1 "\e[[B\0" // for F2 ...; char *func_table[] = { func_buf + 0, // for F1 func_buf + 5, // for F2 ... } When a user changes some specific func string by KDSKBSENT, it is changed in 'func_buf'. If it is shorter or equal to the current one, it is handled by a very quick 'strcpy'. When the user's string is longer, the whole 'func_buf' is reallocated to allow expansion somewhere in the middle. The buffer before the user's string is copied, the user's string appended and the rest appended too. Now, the index table (func_table) needs to be recomputed, of course. One more complication is the held spinlock -- we have to unlock, reallocate, lock again and do the whole thing again to be sure noone raced with us. In this patch, we chose completely orthogonal approach: when the user's string is longer than the current one, we simply assign the 'kstrdup'ed copy to the index table (func_table) and modify func_buf in no way. We only need to make sure we free the old entries. So we need a bitmap is_kmalloc and free the old entries (but not the original func_buf rodata string). Also note that we do not waste so much space as previous approach. We only allocate space for single entries which are longer, while before, the whole buffer was duplicated plus space for the longer string. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20201029113222.32640-12-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-11-04vt: keyboard, reorder user buffer handling in vt_do_kdgkb_ioctlJiri Slaby1-22/+20
KDGKBSENT (the getter) needs only 'user_kdgkb->kb_func' from the userspace, i.e. the index. Then it needs a buffer for a local copy of 'kb_string'. KDSKBSENT (the setter) needs a copy up to the length of 'user_kdgkb->kb_string'. That means, we obtain the index before the switch-case and use it in both paths and: 1) allocate full space in the getter case, and 2) copy the string only in the setter case. We do it by strndup_user helper now which was not available when this function was written. Given we copy the two members of 'struct kbsentry' separately, we no longer need a local definition. Hence we need to change all the sizeofs here too. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20201029113222.32640-11-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-11-04vt: keyboard, rename i to kb_func in vt_do_kdgkb_ioctlJiri Slaby1-8/+9
There are too many one-letter variables in vt_do_kdgkb_ioctl which is rather confusing. Rename 'i' to 'kb_func' and change its type to be the same as its originating value (struct kbsentry.kb_func) -- unsigned char. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20201029113222.32640-10-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-11-04vt: keyboard, use bool for repJiri Slaby1-1/+1
rep is used as a bool in the code, so declare it as such. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20201029113222.32640-9-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-11-04vt: keyboard, use DECLARE_BITMAP for key_downJiri Slaby1-1/+1
key_down is sued as a bitmap using test_bit, set_bit and similar. So declare it using DECLARE_BITMAP to make it obvious even from the declaration. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20201029113222.32640-8-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-11-04vt: keyboard, union perm checks in vt_do_kdsk_ioctlJiri Slaby1-4/+1
Do the permission check on a single place. That is where perm is really checked. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20201029113222.32640-7-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-11-04vt: keyboard, extract vt_kdgkbent and vt_kdskbentJiri Slaby1-87/+102
Split vt_do_kdsk_ioctl into three functions: * getter (KDGKBENT/vt_kdgkbent) * setter (KDSKBENT/vt_kdskbent) * switch-case helper (vt_do_kdsk_ioctl) This eliminates the need of ugly one-letter macros as we use parameters now: * i aka tmp.kb_index -> idx * s aka tmp.kb_table -> map * v aka tmp.kb_value -> val Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20201029113222.32640-6-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-11-04vt: keyboard, clean up max_valsJiri Slaby1-4/+16
Define one limit per line and index them by their index, so that it is clear what is what. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20201029113222.32640-5-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-11-04vt: keyboard, sort includesJiri Slaby1-16/+15
There are many includes and it is hard to check if something is there or not. So sort them alphabetically. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20201029113222.32640-3-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-11-04vt: keyboard, include linux/spinlock.hJiri Slaby1-0/+1
We use spin locks, but don't include linux/spinlock.h in keyboards.c. So fix this up. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20201029113222.32640-2-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-11-04vt: keyboard, remove ctrl_alt_del declarationJiri Slaby1-2/+0
ctrl_alt_del is already declared in linux/reboot.h which we include. So remove this second (superfluous) declaration. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20201029113222.32640-1-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-11-03tty: make FONTX ioctl use the tty pointer they were actually passedLinus Torvalds1-17/+19
Some of the font tty ioctl's always used the current foreground VC for their operations. Don't do that then. This fixes a data race on fg_console. Side note: both Michael Ellerman and Jiri Slaby point out that all these ioctls are deprecated, and should probably have been removed long ago, and everything seems to be using the KDFONTOP ioctl instead. In fact, Michael points out that it looks like busybox's loadfont program seems to have switched over to using KDFONTOP exactly _because_ of this bug (ahem.. 12 years ago ;-). Reported-by: Minh Yuan <yuanmingbuaa@gmail.com> Acked-by: Michael Ellerman <mpe@ellerman.id.au> Acked-by: Jiri Slaby <jirislaby@kernel.org> Cc: Greg KH <greg@kroah.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2020-10-28vt_ioctl: fix GIO_UNIMAP regressionJiri Slaby1-6/+5
In commit 5ba127878722, we shuffled with the check of 'perm'. But my brain somehow inverted the condition in 'do_unimap_ioctl' (I thought it is ||, not &&), so GIO_UNIMAP stopped working completely. Move the 'perm' checks back to do_unimap_ioctl and do them right again. In fact, this reverts this part of code to the pre-5ba127878722 state. Except 'perm' is now a bool. Fixes: 5ba127878722 ("vt_ioctl: move perm checks level up") Cc: stable@vger.kernel.org Reported-by: Fabian Vogt <fvogt@suse.com> Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20201026055419.30518-1-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-10-28vt: keyboard, extend func_buf_lock to readersJiri Slaby1-4/+13
Both read-side users of func_table/func_buf need locking. Without that, one can easily confuse the code by repeatedly setting altering strings like: while (1) for (a = 0; a < 2; a++) { struct kbsentry kbs = {}; strcpy((char *)kbs.kb_string, a ? ".\n" : "88888\n"); ioctl(fd, KDSKBSENT, &kbs); } When that program runs, one can get unexpected output by holding F1 (note the unxpected period on the last line): . 88888 .8888 So protect all accesses to 'func_table' (and func_buf) by preexisting 'func_buf_lock'. It is easy in 'k_fn' handler as 'puts_queue' is expected not to sleep. On the other hand, KDGKBSENT needs a local (atomic) copy of the string because copy_to_user can sleep. Use already allocated, but unused 'kbs->kb_string' for that purpose. Note that the program above needs at least CAP_SYS_TTY_CONFIG. This depends on the previous patch and on the func_buf_lock lock added in commit 46ca3f735f34 (tty/vt: fix write/write race in ioctl(KDSKBSENT) handler) in 5.2. Likely fixes CVE-2020-25656. Cc: <stable@vger.kernel.org> Reported-by: Minh Yuan <yuanmingbuaa@gmail.com> Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20201019085517.10176-2-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-10-28vt: keyboard, simplify vt_kdgkbsentJiri Slaby1-19/+9
Use 'strlen' of the string, add one for NUL terminator and simply do 'copy_to_user' instead of the explicit 'for' loop. This makes the KDGKBSENT case more compact. The only thing we need to take care about is NULL 'func_table[i]'. Use an empty string in that case. The original check for overflow could never trigger as the func_buf strings are always shorter or equal to 'struct kbsentry's. Cc: <stable@vger.kernel.org> Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20201019085517.10176-1-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-09-27vt_ioctl: make VT_RESIZEX behave like VT_RESIZETetsuo Handa1-47/+10
syzbot is reporting UAF/OOB read at bit_putcs()/soft_cursor() [1][2], for vt_resizex() from ioctl(VT_RESIZEX) allows setting font height larger than actual font height calculated by con_font_set() from ioctl(PIO_FONT). Since fbcon_set_font() from con_font_set() allocates minimal amount of memory based on actual font height calculated by con_font_set(), use of vt_resizex() can cause UAF/OOB read for font data. VT_RESIZEX was introduced in Linux 1.3.3, but it is unclear that what comes to the "+ more" part, and I couldn't find a user of VT_RESIZEX. #define VT_RESIZE 0x5609 /* set kernel's idea of screensize */ #define VT_RESIZEX 0x560A /* set kernel's idea of screensize + more */ So far we are not aware of syzbot reports caused by setting non-zero value to v_vlin parameter. But given that it is possible that nobody is using VT_RESIZEX, we can try removing support for v_clin and v_vlin parameters. Therefore, this patch effectively makes VT_RESIZEX behave like VT_RESIZE, with emitting a message if somebody is still using v_clin and/or v_vlin parameters. [1] https://syzkaller.appspot.com/bug?id=32577e96d88447ded2d3b76d71254fb855245837 [2] https://syzkaller.appspot.com/bug?id=6b8355d27b2b94fb5cedf4655e3a59162d9e48e3 Reported-by: syzbot <syzbot+b308f5fd049fbbc6e74f@syzkaller.appspotmail.com> Reported-by: syzbot <syzbot+16469b5e8e5a72e9131e@syzkaller.appspotmail.com> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Cc: stable <stable@vger.kernel.org> Link: https://lore.kernel.org/r/4933b81b-9b1a-355b-df0e-9b31e8280ab9@i-love.sakura.ne.jp Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-08-31Merge 5.9-rc3 into tty-nextGreg Kroah-Hartman2-6/+17
We need the tty/serial fixes in here as well. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-08-26Merge tag 'tty-5.9-rc3' of ↵Linus Torvalds2-3/+14
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty Pull tty/serial fixes from Greg KH: "Here are a few small TTY/Serial/vt fixes for 5.9-rc3 Included in here are: - qcom serial fixes - vt ioctl and core bugfixes - pl011 serial driver fixes - 8250 serial driver fixes - other misc serial driver fixes and for good measure: - fbcon fix for syzbot found problem. All of these have been in linux-next for a while with no reported issues" * tag 'tty-5.9-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: tty: serial: imx: add dependence and build for earlycon serial: samsung: Removes the IRQ not found warning serial: 8250: change lock order in serial8250_do_startup() serial: stm32: avoid kernel warning on absence of optional IRQ serial: pl011: Fix oops on -EPROBE_DEFER serial: pl011: Don't leak amba_ports entry on driver register error serial: 8250_exar: Fix number of ports for Commtech PCIe cards tty: serial: qcom_geni_serial: Drop __init from qcom_geni_console_setup serial: qcom_geni_serial: Fix recent kdb hang vt_ioctl: change VT_RESIZEX ioctl to check for error return from vc_resize() fbcon: prevent user font height or width change from causing potential out-of-bounds access vt: defer kfree() of vc_screenbuf in vc_do_resize()
2020-08-24Revert "vc_screen: extract vcs_read_buf_header"Jiri Slaby1-18/+13
This reverts commit b1c32fcfadf5593ab7a63261cc8a5747c36e627e, because Syzkaller reports a use-after-free, a write in vcs_read: BUG: KASAN: use-after-free in vcs_read_buf drivers/tty/vt/vc_screen.c:357 [inline] BUG: KASAN: use-after-free in vcs_read+0xaa7/0xb40 drivers/tty/vt/vc_screen.c:449 Write of size 2 at addr ffff8880a8014000 by task syz-executor.5/16936 CPU: 1 PID: 16936 Comm: syz-executor.5 Not tainted 5.9.0-rc1-next-20200820-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: ... kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530 vcs_read_buf drivers/tty/vt/vc_screen.c:357 [inline] vcs_read+0xaa7/0xb40 drivers/tty/vt/vc_screen.c:449 There are two issues with the patch: 1) vcs_read rounds the 'count' *up* to an even number. So if we read odd bytes from the header (3 bytes in the reproducer), the second byte of a (2-byte/ushort) write to temporary con_buf won't fit. It is because with the patch applied, we only subtract the real number read (3 bytes) and not the whole header (4 bytes). 2) in this scenario, we perform unaligned accesses now: there are 2-byte/ushort writes to odd addresses. Due to the same reason as above. Revert this for now, re-think and retry later. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Reported-by: syzbot+ad1f53726c3bd11180cb@syzkaller.appspotmail.com Fixes: b1c32fcfadf5 ("vc_screen: extract vcs_read_buf_header") Cc: akpm@linux-foundation.org Cc: nico@fluxnic.net Link: https://lore.kernel.org/r/20200824095425.4376-1-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-08-24treewide: Use fallthrough pseudo-keywordGustavo A. R. Silva1-3/+3
Replace the existing /* fall through */ comments and its variants with the new pseudo-keyword macro fallthrough[1]. Also, remove unnecessary fall-through markings when it is the case. [1] https://www.kernel.org/doc/html/v5.7/process/deprecated.html?highlight=fallthrough#implicit-switch-case-fall-through Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
2020-08-18tty: vt, fix kernel-docJiri Slaby3-6/+6
As in the previous patches, fix kernel-doc in vt. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200818085655.12071-6-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-08-18vc_screen: prune macrosJiri Slaby1-4/+0
Do not undefine random words. I guess this was here as there were macros with such generic names somewhere. I very doubt they still exist. So drop these. And remove a spare blank line. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200818085706.12163-16-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-08-18vc_screen: extract vcs_read_buf_headerJiri Slaby1-13/+18
The attribute header handling is terrible in vcs_read_buf. Separate it to a new function and simply do memmove (of up to 4 bytes) to the start of the con_buf -- if user seeked. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200818085706.12163-15-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-08-18vc_screen: extract vcs_read_bufJiri Slaby1-68/+78
And finally, move the attributes buffer handling to a separate function. Leaving vcs_read quite compact. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200818085706.12163-14-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-08-18vc_screen: extract vcs_read_buf_noattrJiri Slaby1-11/+22
Now, move the code for no-attributes handling to a separate function. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200818085706.12163-13-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-08-18vc_screen: extract vcs_read_buf_uniJiri Slaby1-19/+30
The same as making write more readable, extract unicode handling from vcs_read. The other two cases (w/ and w/o attributes) will follow. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Link: https://lore.kernel.org/r/20200818085706.12163-12-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>