Commit cb34175d authored Oct 31, 2024 by Jeongjun Park Committed by Gu Bowen Oct 31, 2024

vt: prevent kernel-infoleak in con_font_get()

stable inclusion
from stable-v6.6.58
commit dc2d5f02636c7587bdd6d1f60fc59c55860b00a4
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB0ENE
CVE: CVE-2024-50076

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=dc2d5f02636c7587bdd6d1f60fc59c55860b00a4



--------------------------------

commit f956052e00de211b5c9ebaa1958366c23f82ee9e upstream.

font.data may not initialize all memory spaces depending on the implementation
of vc->vc_sw->con_font_get. This may cause info-leak, so to prevent this, it
is safest to modify it to initialize the allocated memory space to 0, and it
generally does not affect the overall performance of the system.

Cc: stable@vger.kernel.org
Reported-by:  <syzbot+955da2d57931604ee691@syzkaller.appspotmail.com>
Fixes: 05e2600c ("VT: Bump font size limitation to 64x128 pixels")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Link: https://lore.kernel.org/r/20241010174619.59662-1-aha310510@gmail.com


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Gu Bowen <gubowen5@huawei.com>

parent 04bcd1e6

drivers/tty/vt/vt.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -4550,7 +4550,7 @@ static int con_font_get(struct vc_data vc, struct console_font_op op)
		return -EINVAL;

		if (op->data) {
		font.data = kvmalloc(max_font_size, GFP_KERNEL);
		font.data = kvzalloc(max_font_size, GFP_KERNEL);
		if (!font.data)
		return -ENOMEM;
		} else