Unverified Commit c5633a85 authored by openeuler-ci-bot, committed by Gitee

!1482 CVE-2023-3567 fix patches

Merge Pull Request from: @ci-robot 
 
PR sync from: Lu Jialin <lujialin4@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/MIDF5L7L2X2TOVLMC5V5F4QF7ZAKGN5I/ 
First is the patch to fix CVE-2023-3567. The latter two patches are the
bugfix patches for the first patch.

George Kennedy (2):
  vc_screen: move load of struct vc_data pointer in vcs_read() to avoid
    UAF
  vc_screen: modify vcs_size() handling in vcs_read()

Thomas Weißschuh (1):
  vc_screen: don't clobber return value in vcs_read


-- 
2.17.1
 
https://gitee.com/src-openeuler/kernel/issues/I7JRBO?from=project-issue 
 
Link:https://gitee.com/openeuler/kernel/pulls/1482

 

Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com>
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
parents f8c447a5 60927aaa
+7 −7
@@ -386,10 +386,6 @@ vcs_read(struct file *file, char __user *buf, size_t count, loff_t *ppos)

	uni_mode = use_unicode(inode);
	attr = use_attributes(inode);
	ret = -ENXIO;
	vc = vcs_vc(inode, &viewed);
	if (!vc)
		goto unlock_out;

	ret = -EINVAL;
	if (pos < 0)
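
Review bot: error precedence changes at the top of vcs_read(): the `pos < 0` check after `attr = use_attributes(inode);` is now evaluated before anything looks up vc, so a read with a negative position on a console that has gone away reports -EINVAL where the old order reported -ENXIO first. Going by the 10-to-6 line count in the hunk header, the four lines from `ret = -ENXIO;` through `goto unlock_out;` are the ones dropped here (the rendered page has lost its +/- markers). If the new ordering is intended, say so in the commit message; it would also help to state there that nothing between this point and the loop dereferences vc any more, since that is what makes the removal safe.
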
@@ -407,16 +403,20 @@ vcs_read(struct file *file, char __user *buf, size_t count, loff_t *ppos)
		unsigned int this_round, skip = 0;
		int size;

		vc = vcs_vc(inode, &viewed);
		if (!vc) {
			ret = -ENXIO;
			break;
		}

		/* Check whether we are above size each round,
		 * as copy_to_user at the end of this loop
		 * could sleep.
		 */
		size = vcs_size(vc, attr, uni_mode);
		if (size < 0) {
			if (read)
				break;
			ret = size;
			goto unlock_out;
			break;
		}
		if (pos >= size)
			break;
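
Review bot: both error exits at the top of the loop body now set ret and break (`ret = -ENXIO; break;` for a missing vc, `ret = size; break;` for a negative size), and with the `if (read) break;` guard gone from the size branch this happens even when an earlier round already copied data to the user. The code after the loop, which is outside this hunk, has to prefer the byte count in `read` over ret in that case, otherwise a partial read is reported as an error and the caller loses track of bytes it already received; please confirm that path, since the third patch in the series is described as fixing exactly a clobbered return value. The header counts (16 to 20 lines) imply `goto unlock_out;` is the removed line and the trailing `break;` its replacement, which is worth checking against the raw patch because the rendered diff shows both without markers. A smaller point: the existing comment only explains the per-round size check; extending it to say that vc is re-fetched each round because copy_to_user can sleep would document the reason for the new `vc = vcs_vc(inode, &viewed);` call.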