Unverified commit d86cf521, authored by openeuler-ci-bot, committed by Gitee

!15825 Fix CVE-2023-52973 for openEuler-1.0-LTS

Merge Pull Request from: @ci-robot 
 
PR sync from: Yi Yang <yiyang13@huawei.com>
https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/VXGRKR6ZFIQ6P7YZB763CDH2B6QJZJ45/ 
CVE-2023-52973 and later patches.

George Kennedy (2):
  vc_screen: move load of struct vc_data pointer in vcs_read() to avoid
    UAF
  vc_screen: modify vcs_size() handling in vcs_read()

Thomas Weißschuh (1):
  vc_screen: don't clobber return value in vcs_read


-- 
2.25.1
 
https://gitee.com/src-openeuler/kernel/issues/IBWVWQ 
 
Link:https://gitee.com/openeuler/kernel/pulls/15825

 

Reviewed-by: Lu Jialin <lujialin4@huawei.com>
Reviewed-by: Yuan Can <yuancan@huawei.com>
Signed-off-by: Yuan Can <yuancan@huawei.com>
parents ac44c6a4 cbc7fa2e
+7 −7
@@ -247,10 +247,6 @@ vcs_read(struct file *file, char __user *buf, size_t count, loff_t *ppos)

	uni_mode = use_unicode(inode);
	attr = use_attributes(inode);
	ret = -ENXIO;
	vc = vcs_vc(inode, &viewed);
	if (!vc)
		goto unlock_out;

	ret = -EINVAL;
	if (pos < 0)
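Review bot: With the `vc = vcs_vc(inode, &viewed);` lookup and its `goto unlock_out` gone from the top of vcs_read(), vc stays unassigned until the loop body runs, so a call that never enters the loop (the loop condition is not visible in this hunk) no longer reports -ENXIO for a missing console. Please confirm that this change in the error path is intended, and that nothing between `attr = use_attributes(inode);` and the loop dereferences vc. A short comment at this spot saying the pointer is deliberately fetched inside the loop would keep a later cleanup from hoisting it back out.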
@@ -270,16 +266,20 @@ vcs_read(struct file *file, char __user *buf, size_t count, loff_t *ppos)
		ssize_t orig_count;
		long p = pos;

		vc = vcs_vc(inode, &viewed);
		if (!vc) {
			ret = -ENXIO;
			break;
		}

		/* Check whether we are above size each round,
		 * as copy_to_user at the end of this loop
		 * could sleep.
		 */
		size = vcs_size(inode);
		if (size < 0) {
			if (read)
				break;
			ret = size;
			goto unlock_out;
			break;
		}
		if (pos >= size)
			break;
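Review bot: Both error exits in this hunk, `ret = -ENXIO; break;` under `if (!vc)` and `ret = size; break;` under `if (size < 0)`, only work if the code after the loop leaves ret alone, and that code is not in the visible diff. The series lists "vc_screen: don't clobber return value in vcs_read", so please confirm the post-loop assignment was adjusted in this backport; otherwise these values may be overwritten before return. Note also that dropping `if (read) break;` means a size error after a partial read now sets ret as well, so the same post-loop logic decides whether the caller sees the byte count or the error. Separately, `size = vcs_size(inode);` still takes the inode rather than the vc fetched just above; if vcs_size() does its own lookup, consider passing vc so the size check and the copy refer to the same object.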