Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp3193906pxb; Mon, 9 Nov 2020 05:18:05 -0800 (PST) X-Google-Smtp-Source: ABdhPJzpxlkehGV1sHyabu5dxWZGd3NZI0n80MPjmwQ30rQVeulknGx9BQSfPjrKupZpo+jNtnz7 X-Received: by 2002:a50:e149:: with SMTP id i9mr15927452edl.56.1604927885203; Mon, 09 Nov 2020 05:18:05 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1604927885; cv=none; d=google.com; s=arc-20160816; b=AL5/uZ5vS4piQWydkG+vvemuQgeGMTIUpNGgGEG2VSnDW64iPlNft4+S4sFgHo08RJ 8Wih6aKS4tQ9r0udJePMAmnZW6YDWav4p9OpKgWUBsk2qmqyE0lswV691k9HX809T/F5 3cgzmuUssJcjkjH+g9J//gkg8txyy4AsZvn+ZbpCkm6Rqm6a76GiEmTrLAYHRWfBujAh wPqKO8W3/Tz9J2y02F88vb345iw2vjLEfcNoWSNafGJ7X6tdHyL4LyW8hCAWTda0Snvr 5Ej4HhZzAJMGUI+KXd5iSs62YYAhmyEH16itHQ6OlH1MPOYqxqjWSzbzAWa810m15WvM mO+A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=OcV39H0y8sDB0QqEalBeOh34HjyTMku9YAYcYZ2TcZQ=; b=Q9SJGpm10dARMgLmN7n/eLc95o/HUudy7in9Bg/frW/1zQF+taet3tXihC0G//pjb3 cRYkM9RhAE1ulmmkWV3FbXzfKkStYZ2BK+vGVaDYWvFb+mEFOZsS6KNMf2ZFjDxf1TuC z5hEVhsdfP9LC/ri68DUjSMfBdDJz8zLA+QBdQ/8JYHrm4OiFWx0zwaiElI+UCZbiZIu HWQgNAJexplFRTCgWmMmMbdj2xVFl2EG5pSY+o/S2r0DaXuuh8UeOQdweqlmMu7XaNbm iU62SXNlB3MYyEI3NWtVgme8JSVpBpW8kxnZNc7bnuLK8PDSboFW2wwJSLaEYoVgYyFV +DUg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=MgRwekhm; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id 27si7018091edw.379.2020.11.09.05.17.41; Mon, 09 Nov 2020 05:18:05 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=MgRwekhm; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1733288AbgKINPd (ORCPT + 99 others); Mon, 9 Nov 2020 08:15:33 -0500 Received: from mail.kernel.org ([198.145.29.99]:42328 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732918AbgKINPa (ORCPT ); Mon, 9 Nov 2020 08:15:30 -0500 Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 78F1C2083B; Mon, 9 Nov 2020 13:15:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1604927729; bh=/sqYBOK3C5WCnq4KdLOWoOZ/NfZGEwSzPzEPmWSggLE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=MgRwekhm4pjP6MxodwTHZQequ3vC6s4e38c1cLYvQWhAhf+KmQ/d2NCtezWGgWyP4 RVldB1ScIss1taSuFjhX+sfz+3UTmwHNOC2PSVKZwalhGCjzCZcFs1EttGxSlnGeq+ C7/IpwYhzoncQwSfdRIVluwElUYEqXA0Smj3hssc= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Peilin Ye , Minh Yuan , Greg KH , Tetsuo Handa , Daniel Vetter Subject: [PATCH 5.4 64/85] vt: Disable KD_FONT_OP_COPY Date: Mon, 9 Nov 2020 13:56:01 +0100 Message-Id: <20201109125025.641044622@linuxfoundation.org> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201109125022.614792961@linuxfoundation.org> References: <20201109125022.614792961@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Daniel Vetter commit 3c4e0dff2095c579b142d5a0693257f1c58b4804 upstream. It's buggy: On Fri, Nov 06, 2020 at 10:30:08PM +0800, Minh Yuan wrote: > We recently discovered a slab-out-of-bounds read in fbcon in the latest > kernel ( v5.10-rc2 for now ). The root cause of this vulnerability is that > "fbcon_do_set_font" did not handle "vc->vc_font.data" and > "vc->vc_font.height" correctly, and the patch > for VT_RESIZEX can't handle this > issue. > > Specifically, we use KD_FONT_OP_SET to set a small font.data for tty6, and > use KD_FONT_OP_SET again to set a large font.height for tty1. After that, > we use KD_FONT_OP_COPY to assign tty6's vc_font.data to tty1's vc_font.data > in "fbcon_do_set_font", while tty1 retains the original larger > height. Obviously, this will cause an out-of-bounds read, because we can > access a smaller vc_font.data with a larger vc_font.height. Further there was only one user ever. - Android's loadfont, busybox and console-tools only ever use OP_GET and OP_SET - fbset documentation only mentions the kernel cmdline font: option, not anything else. - systemd used OP_COPY before release 232 published in Nov 2016 Now unfortunately the crucial report seems to have gone down with gmane, and the commit message doesn't say much. But the pull request hints at OP_COPY being broken https://github.com/systemd/systemd/pull/3651 So in other words, this never worked, and the only project which foolishly every tried to use it, realized that rather quickly too. Instead of trying to fix security issues here on dead code by adding missing checks, fix the entire thing by removing the functionality. Note that systemd code using the OP_COPY function ignored the return value, so it doesn't matter what we're doing here really - just in case a lone server somewhere happens to be extremely unlucky and running an affected old version of systemd. The relevant code from font_copy_to_all_vcs() in systemd was: /* copy font from active VT, where the font was uploaded to */ cfo.op = KD_FONT_OP_COPY; cfo.height = vcs.v_active-1; /* tty1 == index 0 */ (void) ioctl(vcfd, KDFONTOP, &cfo); Note this just disables the ioctl, garbage collecting the now unused callbacks is left for -next. v2: Tetsuo found the old mail, which allowed me to find it on another archive. Add the link too. Acked-by: Peilin Ye Reported-by: Minh Yuan Cc: Greg KH Cc: Peilin Ye Cc: Tetsuo Handa Signed-off-by: Daniel Vetter Link: https://lore.kernel.org/r/20201108153806.3140315-1-daniel.vetter@ffwll.ch Signed-off-by: Greg Kroah-Hartman --- drivers/tty/vt/vt.c | 24 ++---------------------- 1 file changed, 2 insertions(+), 22 deletions(-) --- a/drivers/tty/vt/vt.c +++ b/drivers/tty/vt/vt.c @@ -4620,27 +4620,6 @@ static int con_font_default(struct vc_da return rc; } -static int con_font_copy(struct vc_data *vc, struct console_font_op *op) -{ - int con = op->height; - int rc; - - - console_lock(); - if (vc->vc_mode != KD_TEXT) - rc = -EINVAL; - else if (!vc->vc_sw->con_font_copy) - rc = -ENOSYS; - else if (con < 0 || !vc_cons_allocated(con)) - rc = -ENOTTY; - else if (con == vc->vc_num) /* nothing to do */ - rc = 0; - else - rc = vc->vc_sw->con_font_copy(vc, con); - console_unlock(); - return rc; -} - int con_font_op(struct vc_data *vc, struct console_font_op *op) { switch (op->op) { @@ -4651,7 +4630,8 @@ int con_font_op(struct vc_data *vc, stru case KD_FONT_OP_SET_DEFAULT: return con_font_default(vc, op); case KD_FONT_OP_COPY: - return con_font_copy(vc, op); + /* was buggy and never really used */ + return -EINVAL; } return -ENOSYS; }