Received: by 2002:a05:6358:16cc:b0:ea:6187:17c9 with SMTP id r12csp12677627rwl; Tue, 3 Jan 2023 19:12:31 -0800 (PST) X-Google-Smtp-Source: AMrXdXtRUpurzjgpKJCcYBs7maDtwfO/bQCZaICfqbKaagYNsOU2s90RVUYxHmdmvoK3KZ9nrbKV X-Received: by 2002:a17:90b:3618:b0:219:f911:9879 with SMTP id ml24-20020a17090b361800b00219f9119879mr50015114pjb.33.1672801950940; Tue, 03 Jan 2023 19:12:30 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1672801950; cv=none; d=google.com; s=arc-20160816; b=LbM/MWQ9cv2ho+fWQKKExrjUnAj/+RtFdIM3QhSFZZ9rz3O4O8hszHC5bAR+9lg7NT QkPwoKL6D1vYMALKHKteORypcyxP8440MfPxwmQWTt/kzRRWGVx8uiP/UQu8cGigE9Cw DBGXHvyT0Z3Ma3aB9/XacLS7pWllL9UQAEtKMYXrx/k4HBtdbFS2LYeQNvgny1o8w31U 20uIwzdj/Q6RboYg8+5/bTh+C3GWrEnWKAFVoEzo9h4a7Tp//5GKUg6cEQ15iT4ljql6 HbW+GYSuzmUQk/8P7xd8CdfXymUvhsEmr5Ddwz6jSoI7HOz9yP+Lw/NMzu2TU8YE9rCE XY+Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=tXByn+ACuglAkHudoIgfKGJhzxKIbiM9K1erxGhIcNA=; b=Vwoek3HOKpG6RC+rKsje/QdJQs72LOOcNxtEYG3fcHHB/W1GmSczIrV3KXptN3VlsP pGRip5WPxPy7y8+O9R1PAjUju+D+wK/eE67ogsW27MEvCx8RSOcdasUMapA0djX7jwWZ gyKoddX0q5Z4p4iUeHZiDNIfC75Z5wPEI1BEDjVP3sN2pLZaD2fCNSkKArb06GgQc0vT CqO5cUUf5pqWBFbzfVHS8ubJedmQ0+SNbFQmKx+TSwkpMmO8l/PdmdujWRRWh+Ki9HA2 S6XER82aLuyunHKnqvaY7mP1AKxf6tdY93XtscXQPxrOUyRDNqFEzVUIku8WABqbBLXw ISKA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=ErKhEwsz; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id ay4-20020a17090b030400b0020354bcfe09si7774478pjb.129.2023.01.03.19.12.23; Tue, 03 Jan 2023 19:12:30 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=ErKhEwsz; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234008AbjADDBa (ORCPT + 57 others); Tue, 3 Jan 2023 22:01:30 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59620 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230297AbjADDB2 (ORCPT ); Tue, 3 Jan 2023 22:01:28 -0500 Received: from mail-oi1-x235.google.com (mail-oi1-x235.google.com [IPv6:2607:f8b0:4864:20::235]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4B443E0A0 for ; Tue, 3 Jan 2023 19:01:27 -0800 (PST) Received: by mail-oi1-x235.google.com with SMTP id j130so22994621oif.4 for ; Tue, 03 Jan 2023 19:01:27 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=tXByn+ACuglAkHudoIgfKGJhzxKIbiM9K1erxGhIcNA=; b=ErKhEwszuKNipZkCwv1KMipcE6tY/azpRjAGmdbpKY7Lg58pfh6HnyNcAREc5lTbP1 /HHfE2BsVnonfOrf7Chf4/QCU1W4yVWHDX7FUjwzWOwCC4FrdWqVmtk4xTlBUy1FJ2Hf MCBf2g/4InAmkpmqwZBv1cI9wR45AYLPoE+Njtu/klZ3/rvC4MZoD6PHPBew9tiD9QRe i9/ESLHoOSMe+fMH3lAvLXEEFavNdC6Rtk3h8NKnSogyzfq+M5EJWTDNBfWd+c4QnAdz SXxqysUkNZuLlz+w7zowJuivNcYwZqxLqYRoA2z+YCJtVS117W6qEWxOtx7RPbBTjZxF OWWw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=tXByn+ACuglAkHudoIgfKGJhzxKIbiM9K1erxGhIcNA=; b=dS0AEXGSh7ZxIq1WtYq0Wry9bj93qFar9Ajh7K+VrU4KkNz59bgWINUjzJHOTzl1Gw vFgv3rSLJAuuN9niGTo8Uwc/gdfgo39O7dtRuEiik/E+zFN8gBv+OWO2J3EW7SXlH/1W 3zpNHapm7qUeOldKTU7Yq7QQ3SYb+JetptpgGCOLi539JtPk3QZFkZ/LA7csOoobJuzp VBGnm3zINFBEUFsJQnyhYBDY5Q56+x17u/NE8/i/7ZKQSdbhsm96JCfZfjgRm/Jb5t2G VCpd9qCjOvgXoaDYAqkInnLdQCKlHdYb0tWpDuE+u8NbNKlF8cX7Zx4vNbNZUAQvAYa0 eMOQ== X-Gm-Message-State: AFqh2kqHZITkxo1iKNhsEnZ+t4qlfqT7/WPAqPJsahDp5RBtmsvJpizv pLZxHBQAcFS9Lzf81bO7cwaIILl1GWve6KE93Jg= X-Received: by 2002:a05:6808:c:b0:35d:ff69:49c0 with SMTP id u12-20020a056808000c00b0035dff6949c0mr2945782oic.146.1672801286576; Tue, 03 Jan 2023 19:01:26 -0800 (PST) MIME-Version: 1.0 References: <20221229064153.23511-1-zh.nvgt@gmail.com> <182d36d5-df77-2479-882a-5bb588c5f170@kernel.org> In-Reply-To: <182d36d5-df77-2479-882a-5bb588c5f170@kernel.org> From: Hang Zhang Date: Tue, 3 Jan 2023 22:01:15 -0500 Message-ID: Subject: Re: [PATCH] tty: vt: add some NULL checks for vc_data To: Jiri Slaby Cc: Greg Kroah-Hartman , =?UTF-8?Q?Ilpo_J=C3=A4rvinen?= , Daniel Vetter , Yangxi Xiang , Xuezhi Zhang , Helge Deller , Tetsuo Handa , linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jan 3, 2023 at 4:24 AM Jiri Slaby wrote: > > On 29. 12. 22, 7:41, Hang Zhang wrote: > > vc_selection(), do_blank_screen() and scrollfront() all access "vc_data" > > structures obtained from the global "vc_cons[fg_console].d", which can > > be freed and nullified (e.g., in the error path of vc_allocate()). But > > these functions don't have any NULL checks against the pointers before > > dereferencing them, causing potentially use-after-free or null pointer > > dereference. > > Could you elaborate under what circumstances is fg_console set to a > non-allocated console? Hi, Jiri, thank you for your reply! I am not a developer for tty subsystem, so the reasoning here is based on my best-effort code reading. Please correct me if I am wrong. This patch is based on several observations: (1) at the beginning of vc_selection() (where one NULL check is inserted in this patch), poke_blanked_console() is invoked, which explicitly checks whether "vc_cons[fg_console].d" is NULL, suggesting the possibility of "fg_console" associated with an unallocated console at this point. However, poke_blanked_console() returns "void", so even if "fg_console" is NULL, after returning to vc_selection(), it will just keep executing, resulting in the possible NULL pointer dereference later ("vc" in vc_selection() can be "vc_cons[fg_console].d" if called from set_selection_kernel()). So this patch actually tries to make the already existing NULL check take effect on the control flow (e.g., early return if NULL). (2) a similar NULL check for "vc_cons[fg_console].d" can also be found in do_unblank_screen() ("if (!vc_cons_allocated(fg_console))") before accessing the corresponding "vc_data". I do notice that the NULL check has a comment "/* impossible */", but the check has not been removed so far. My guess is that there might still be a chance that it can be unallocated at that point. (3) regarding how "fg_console" can be unallocated, one place I noticed is vc_allocate() (invoked from vt_ioctl$VT_ACTIVATE), where the user can specify the index of "vc_cons" to be activated (can be "fg_console" in theory). If any error happens and the code under the label "err_free" is executed, then "vc_cons[fg_console].d" can be freed and nullified. But I am not sure about the exact scenario/flow to make "fg_console" unallocated, as this seems to need a thorough understanding of all places manipulating "fg_console" across the whole subsystem (including the synchronization between them). So, in conclusion, I cannot exclude the possibility of potential NULL dereference/use-after-free issues with my limited domain knowledge. Inspired by existing checks in the code as aforementioned, I think it's safer to add some additional NULL checks. If the developers finally decide that "fg_console" cannot be unallocated in reality, then maybe we should also consider removing some unnecessary checks. > > > Prevent these potential issues by placing NULL checks in these functions > > before accessing "vc_data" structures. Similar checks can be found in > > other functions like vt_console_print() and poke_blanked_console(). > > > > Signed-off-by: Hang Zhang > > --- > > drivers/tty/vt/selection.c | 3 +++ > > drivers/tty/vt/vt.c | 5 +++++ > > 2 files changed, 8 insertions(+) > > > > diff --git a/drivers/tty/vt/selection.c b/drivers/tty/vt/selection.c > > index 6ef22f01cc51..c727fd947683 100644 > > --- a/drivers/tty/vt/selection.c > > +++ b/drivers/tty/vt/selection.c > > @@ -319,6 +319,9 @@ static int vc_selection(struct vc_data *vc, struct tiocl_selection *v, > > { > > int ps, pe; > > > > + if (!vc) > > + return 0; > > + > > poke_blanked_console(); > > > > if (v->sel_mode == TIOCL_SELCLEAR) { > > diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c > > index 981d2bfcf9a5..00f8fdc61e9f 100644 > > --- a/drivers/tty/vt/vt.c > > +++ b/drivers/tty/vt/vt.c > > @@ -1493,6 +1493,8 @@ void scrollback(struct vc_data *vc) > > > > void scrollfront(struct vc_data *vc, int lines) > > { > > + if (!vc) > > + return; > > if (!lines) > > lines = vc->vc_rows / 2; > > scrolldelta(lines); > > @@ -4346,6 +4348,9 @@ void do_blank_screen(int entering_gfx) > > struct vc_data *vc = vc_cons[fg_console].d; > > int i; > > > > + if (!vc) > > + return; > > + > > might_sleep(); > > > > WARN_CONSOLE_UNLOCKED(); > > thanks, > -- > js > suse labs >