Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp3208148pxb; Mon, 9 Nov 2020 05:37:48 -0800 (PST) X-Google-Smtp-Source: ABdhPJxOrW9SyLP/gGOFSaO6ufv1qFCrhZ5Yh/GUZ3ITQCw07LBuewkQHICiFjDkX+4IorN3Xxdm X-Received: by 2002:aa7:ccd2:: with SMTP id y18mr15703223edt.11.1604929067999; Mon, 09 Nov 2020 05:37:47 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1604929067; cv=none; d=google.com; s=arc-20160816; b=tXKj0PnnT2hHhJBrpvwnubSCjIa/6Gc0rC3MujqtgBdL3kuPtytRNJKBmqeigA0A3G Dq3qJYNc3NT+y8wBKkMRMNeooh90ro7hNintvvlIQltsLMWBeE411i8LTizEFpSJHjci 0bpJ4+bpvamqwJ9kB3xzPku900QdykshVKD7kwzwIL5Cp/Nl4z6FTvZFPS8JTDy1W0DT CPc9bxSxXZnWuZPoltJ98wyBW1EuM/yEz0ElcdyJYu1LJL29tKcpJyZk6drC8CNBBN3A hcisnGhBOgjBX2tQ61UXgsgMUISNFtnPGzzTJxgjwY3xLJB0RkGAH7gBnt/jImac5LdO BvcA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=mQ3mQ3ivzBpfm0PddQdU75cl0L3BpOSA7z9bTLLwmn0=; b=Vbb+vxDEhvA7hb547mboOgWbvjebEF1asnz/srhuFWw/LtsyCzStjAtFBsgdIrLrop fqJnWxFB8AvLalx2yrzbJwkK9kbvdaLmRJARamfQ1K3z6Cx/tP96AcFHZCcPydTDdVfi uBA06X1IZkIokGR49Wwe+DTqJoe0Xj3vUjIxL4S3dSQpzr/Pshr/JaCNgQlAoTMkDKHJ CTWKgYmlFHdOkWF+MOcUj+yoLQFJ/22BAMtKTv7b61TWO5S0XJThkt4FlUPgq4M/KlW8 WhiMjxQ5E45JSLPCXWMlf9yM4RrS8OzVT8D7caPCaIg6RMMK+aiO3W09ochE7Pp3qWh0 oBFA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=omvz8u6C; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id j15si6822159ejb.160.2020.11.09.05.37.24; Mon, 09 Nov 2020 05:37:47 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=omvz8u6C; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731217AbgKINgK (ORCPT + 99 others); Mon, 9 Nov 2020 08:36:10 -0500 Received: from mail.kernel.org ([198.145.29.99]:57920 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730806AbgKINE5 (ORCPT ); Mon, 9 Nov 2020 08:04:57 -0500 Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 2A4FA20663; Mon, 9 Nov 2020 13:04:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1604927096; bh=H86+1Uc73/Dc730N/5iuXSUW4imTNA8NAqnG+K2dBsM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=omvz8u6C3r+j8NdyiEzloSi3KxC7YB2RqeGDGhb9RrD2IvrayL7QzlO99ET2eZ5MG CcFhzctbn2xPbPI7HcBrW4uEkcFgu92cNOshhhR7X7AwZPfmPcPx5t3XBznv5MclG8 2BVocQ1Olbviesqkn+0mbCfa6BBYZQ0Fra6ae1R0= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Peilin Ye , Minh Yuan , Greg KH , Tetsuo Handa , Daniel Vetter Subject: [PATCH 4.9 108/117] vt: Disable KD_FONT_OP_COPY Date: Mon, 9 Nov 2020 13:55:34 +0100 Message-Id: <20201109125030.823694059@linuxfoundation.org> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201109125025.630721781@linuxfoundation.org> References: <20201109125025.630721781@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Daniel Vetter commit 3c4e0dff2095c579b142d5a0693257f1c58b4804 upstream. It's buggy: On Fri, Nov 06, 2020 at 10:30:08PM +0800, Minh Yuan wrote: > We recently discovered a slab-out-of-bounds read in fbcon in the latest > kernel ( v5.10-rc2 for now ). The root cause of this vulnerability is that > "fbcon_do_set_font" did not handle "vc->vc_font.data" and > "vc->vc_font.height" correctly, and the patch > for VT_RESIZEX can't handle this > issue. > > Specifically, we use KD_FONT_OP_SET to set a small font.data for tty6, and > use KD_FONT_OP_SET again to set a large font.height for tty1. After that, > we use KD_FONT_OP_COPY to assign tty6's vc_font.data to tty1's vc_font.data > in "fbcon_do_set_font", while tty1 retains the original larger > height. Obviously, this will cause an out-of-bounds read, because we can > access a smaller vc_font.data with a larger vc_font.height. Further there was only one user ever. - Android's loadfont, busybox and console-tools only ever use OP_GET and OP_SET - fbset documentation only mentions the kernel cmdline font: option, not anything else. - systemd used OP_COPY before release 232 published in Nov 2016 Now unfortunately the crucial report seems to have gone down with gmane, and the commit message doesn't say much. But the pull request hints at OP_COPY being broken https://github.com/systemd/systemd/pull/3651 So in other words, this never worked, and the only project which foolishly every tried to use it, realized that rather quickly too. Instead of trying to fix security issues here on dead code by adding missing checks, fix the entire thing by removing the functionality. Note that systemd code using the OP_COPY function ignored the return value, so it doesn't matter what we're doing here really - just in case a lone server somewhere happens to be extremely unlucky and running an affected old version of systemd. The relevant code from font_copy_to_all_vcs() in systemd was: /* copy font from active VT, where the font was uploaded to */ cfo.op = KD_FONT_OP_COPY; cfo.height = vcs.v_active-1; /* tty1 == index 0 */ (void) ioctl(vcfd, KDFONTOP, &cfo); Note this just disables the ioctl, garbage collecting the now unused callbacks is left for -next. v2: Tetsuo found the old mail, which allowed me to find it on another archive. Add the link too. Acked-by: Peilin Ye Reported-by: Minh Yuan Cc: Greg KH Cc: Peilin Ye Cc: Tetsuo Handa Signed-off-by: Daniel Vetter Link: https://lore.kernel.org/r/20201108153806.3140315-1-daniel.vetter@ffwll.ch Signed-off-by: Greg Kroah-Hartman --- drivers/tty/vt/vt.c | 24 ++---------------------- 1 file changed, 2 insertions(+), 22 deletions(-) --- a/drivers/tty/vt/vt.c +++ b/drivers/tty/vt/vt.c @@ -4235,27 +4235,6 @@ static int con_font_default(struct vc_da return rc; } -static int con_font_copy(struct vc_data *vc, struct console_font_op *op) -{ - int con = op->height; - int rc; - - - console_lock(); - if (vc->vc_mode != KD_TEXT) - rc = -EINVAL; - else if (!vc->vc_sw->con_font_copy) - rc = -ENOSYS; - else if (con < 0 || !vc_cons_allocated(con)) - rc = -ENOTTY; - else if (con == vc->vc_num) /* nothing to do */ - rc = 0; - else - rc = vc->vc_sw->con_font_copy(vc, con); - console_unlock(); - return rc; -} - int con_font_op(struct vc_data *vc, struct console_font_op *op) { switch (op->op) { @@ -4266,7 +4245,8 @@ int con_font_op(struct vc_data *vc, stru case KD_FONT_OP_SET_DEFAULT: return con_font_default(vc, op); case KD_FONT_OP_COPY: - return con_font_copy(vc, op); + /* was buggy and never really used */ + return -EINVAL; } return -ENOSYS; }