From fc806bad18035b0c9ab46b30eafc163eaebcbac7 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 28 Feb 2020 12:45:51 +0100 Subject: [PATCH] drop vt-selection-close-sel_buffer-race.patch for 5.5, 5.4, 4.19 --- queue-4.19/series | 1 - .../vt-selection-close-sel_buffer-race.patch | 155 ------------------ queue-5.4/series | 1 - .../vt-selection-close-sel_buffer-race.patch | 155 ------------------ queue-5.5/series | 1 - .../vt-selection-close-sel_buffer-race.patch | 155 ------------------ 6 files changed, 468 deletions(-) delete mode 100644 queue-4.19/vt-selection-close-sel_buffer-race.patch delete mode 100644 queue-5.4/vt-selection-close-sel_buffer-race.patch delete mode 100644 queue-5.5/vt-selection-close-sel_buffer-race.patch diff --git a/queue-4.19/series b/queue-4.19/series index 5879c0d1745..5470e17c798 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -12,7 +12,6 @@ usb-misc-iowarrior-add-support-for-the-100-device.patch floppy-check-fdc-index-for-errors-before-assigning-it.patch vt-fix-scrollback-flushing-on-background-consoles.patch vt-selection-handle-pending-signals-in-paste_selection.patch -vt-selection-close-sel_buffer-race.patch vt-vt_ioctl-fix-race-in-vt_resizex.patch staging-android-ashmem-disallow-ashmem-memory-from-being-remapped.patch staging-vt6656-fix-sign-of-rx_dbm-to-bb_pre_ed_rssi.patch diff --git a/queue-4.19/vt-selection-close-sel_buffer-race.patch b/queue-4.19/vt-selection-close-sel_buffer-race.patch deleted file mode 100644 index 5871ad25c37..00000000000 --- a/queue-4.19/vt-selection-close-sel_buffer-race.patch +++ /dev/null @@ -1,155 +0,0 @@ -From 07e6124a1a46b4b5a9b3cacc0c306b50da87abf5 Mon Sep 17 00:00:00 2001 -From: Jiri Slaby -Date: Mon, 10 Feb 2020 09:11:31 +0100 -Subject: vt: selection, close sel_buffer race - -From: Jiri Slaby - -commit 07e6124a1a46b4b5a9b3cacc0c306b50da87abf5 upstream. - -syzkaller reported this UAF: -BUG: KASAN: use-after-free in n_tty_receive_buf_common+0x2481/0x2940 drivers/tty/n_tty.c:1741 -Read of size 1 at addr ffff8880089e40e9 by task syz-executor.1/13184 - -CPU: 0 PID: 13184 Comm: syz-executor.1 Not tainted 5.4.7 #1 -Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 -Call Trace: -... - kasan_report+0xe/0x20 mm/kasan/common.c:634 - n_tty_receive_buf_common+0x2481/0x2940 drivers/tty/n_tty.c:1741 - tty_ldisc_receive_buf+0xac/0x190 drivers/tty/tty_buffer.c:461 - paste_selection+0x297/0x400 drivers/tty/vt/selection.c:372 - tioclinux+0x20d/0x4e0 drivers/tty/vt/vt.c:3044 - vt_ioctl+0x1bcf/0x28d0 drivers/tty/vt/vt_ioctl.c:364 - tty_ioctl+0x525/0x15a0 drivers/tty/tty_io.c:2657 - vfs_ioctl fs/ioctl.c:47 [inline] - -It is due to a race between parallel paste_selection (TIOCL_PASTESEL) -and set_selection_user (TIOCL_SETSEL) invocations. One uses sel_buffer, -while the other frees it and reallocates a new one for another -selection. Add a mutex to close this race. - -The mutex takes care properly of sel_buffer and sel_buffer_lth only. The -other selection global variables (like sel_start, sel_end, and sel_cons) -are protected only in set_selection_user. The other functions need quite -some more work to close the races of the variables there. This is going -to happen later. - -This likely fixes (I am unsure as there is no reproducer provided) bug -206361 too. It was marked as CVE-2020-8648. - -Signed-off-by: Jiri Slaby -Reported-by: syzbot+59997e8d5cbdc486e6f6@syzkaller.appspotmail.com -References: https://bugzilla.kernel.org/show_bug.cgi?id=206361 -Cc: stable -Link: https://lore.kernel.org/r/20200210081131.23572-2-jslaby@suse.cz -Signed-off-by: Greg Kroah-Hartman - ---- - drivers/tty/vt/selection.c | 23 +++++++++++++++++------ - 1 file changed, 17 insertions(+), 6 deletions(-) - ---- a/drivers/tty/vt/selection.c -+++ b/drivers/tty/vt/selection.c -@@ -14,6 +14,7 @@ - #include - #include - #include -+#include - #include - #include - -@@ -43,6 +44,7 @@ static volatile int sel_start = -1; /* - static int sel_end; - static int sel_buffer_lth; - static char *sel_buffer; -+static DEFINE_MUTEX(sel_lock); - - /* clear_selection, highlight and highlight_pointer can be called - from interrupt (via scrollback/front) */ -@@ -173,7 +175,7 @@ int set_selection(const struct tiocl_sel - char *bp, *obp; - int i, ps, pe, multiplier; - u32 c; -- int mode; -+ int mode, ret = 0; - - poke_blanked_console(); - if (copy_from_user(&v, sel, sizeof(*sel))) -@@ -200,6 +202,7 @@ int set_selection(const struct tiocl_sel - if (ps > pe) /* make sel_start <= sel_end */ - swap(ps, pe); - -+ mutex_lock(&sel_lock); - if (sel_cons != vc_cons[fg_console].d) { - clear_selection(); - sel_cons = vc_cons[fg_console].d; -@@ -245,9 +248,10 @@ int set_selection(const struct tiocl_sel - break; - case TIOCL_SELPOINTER: - highlight_pointer(pe); -- return 0; -+ goto unlock; - default: -- return -EINVAL; -+ ret = -EINVAL; -+ goto unlock; - } - - /* remove the pointer */ -@@ -269,7 +273,7 @@ int set_selection(const struct tiocl_sel - else if (new_sel_start == sel_start) - { - if (new_sel_end == sel_end) /* no action required */ -- return 0; -+ goto unlock; - else if (new_sel_end > sel_end) /* extend to right */ - highlight(sel_end + 2, new_sel_end); - else /* contract from right */ -@@ -297,7 +301,8 @@ int set_selection(const struct tiocl_sel - if (!bp) { - printk(KERN_WARNING "selection: kmalloc() failed\n"); - clear_selection(); -- return -ENOMEM; -+ ret = -ENOMEM; -+ goto unlock; - } - kfree(sel_buffer); - sel_buffer = bp; -@@ -322,7 +327,9 @@ int set_selection(const struct tiocl_sel - } - } - sel_buffer_lth = bp - sel_buffer; -- return 0; -+unlock: -+ mutex_unlock(&sel_lock); -+ return ret; - } - - /* Insert the contents of the selection buffer into the -@@ -351,6 +358,7 @@ int paste_selection(struct tty_struct *t - tty_buffer_lock_exclusive(&vc->port); - - add_wait_queue(&vc->paste_wait, &wait); -+ mutex_lock(&sel_lock); - while (sel_buffer && sel_buffer_lth > pasted) { - set_current_state(TASK_INTERRUPTIBLE); - if (signal_pending(current)) { -@@ -358,7 +366,9 @@ int paste_selection(struct tty_struct *t - break; - } - if (tty_throttled(tty)) { -+ mutex_unlock(&sel_lock); - schedule(); -+ mutex_lock(&sel_lock); - continue; - } - __set_current_state(TASK_RUNNING); -@@ -367,6 +377,7 @@ int paste_selection(struct tty_struct *t - count); - pasted += count; - } -+ mutex_unlock(&sel_lock); - remove_wait_queue(&vc->paste_wait, &wait); - __set_current_state(TASK_RUNNING); - diff --git a/queue-5.4/series b/queue-5.4/series index 27b1680a45c..ad6451399f0 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -16,7 +16,6 @@ e1000e-use-rtnl_lock-to-prevent-race-conditions-between-net-and-pci-pm.patch floppy-check-fdc-index-for-errors-before-assigning-it.patch vt-fix-scrollback-flushing-on-background-consoles.patch vt-selection-handle-pending-signals-in-paste_selection.patch -vt-selection-close-sel_buffer-race.patch vt-vt_ioctl-fix-race-in-vt_resizex.patch staging-android-ashmem-disallow-ashmem-memory-from-being-remapped.patch staging-vt6656-fix-sign-of-rx_dbm-to-bb_pre_ed_rssi.patch diff --git a/queue-5.4/vt-selection-close-sel_buffer-race.patch b/queue-5.4/vt-selection-close-sel_buffer-race.patch deleted file mode 100644 index 39b299e5b61..00000000000 --- a/queue-5.4/vt-selection-close-sel_buffer-race.patch +++ /dev/null @@ -1,155 +0,0 @@ -From 07e6124a1a46b4b5a9b3cacc0c306b50da87abf5 Mon Sep 17 00:00:00 2001 -From: Jiri Slaby -Date: Mon, 10 Feb 2020 09:11:31 +0100 -Subject: vt: selection, close sel_buffer race - -From: Jiri Slaby - -commit 07e6124a1a46b4b5a9b3cacc0c306b50da87abf5 upstream. - -syzkaller reported this UAF: -BUG: KASAN: use-after-free in n_tty_receive_buf_common+0x2481/0x2940 drivers/tty/n_tty.c:1741 -Read of size 1 at addr ffff8880089e40e9 by task syz-executor.1/13184 - -CPU: 0 PID: 13184 Comm: syz-executor.1 Not tainted 5.4.7 #1 -Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 -Call Trace: -... - kasan_report+0xe/0x20 mm/kasan/common.c:634 - n_tty_receive_buf_common+0x2481/0x2940 drivers/tty/n_tty.c:1741 - tty_ldisc_receive_buf+0xac/0x190 drivers/tty/tty_buffer.c:461 - paste_selection+0x297/0x400 drivers/tty/vt/selection.c:372 - tioclinux+0x20d/0x4e0 drivers/tty/vt/vt.c:3044 - vt_ioctl+0x1bcf/0x28d0 drivers/tty/vt/vt_ioctl.c:364 - tty_ioctl+0x525/0x15a0 drivers/tty/tty_io.c:2657 - vfs_ioctl fs/ioctl.c:47 [inline] - -It is due to a race between parallel paste_selection (TIOCL_PASTESEL) -and set_selection_user (TIOCL_SETSEL) invocations. One uses sel_buffer, -while the other frees it and reallocates a new one for another -selection. Add a mutex to close this race. - -The mutex takes care properly of sel_buffer and sel_buffer_lth only. The -other selection global variables (like sel_start, sel_end, and sel_cons) -are protected only in set_selection_user. The other functions need quite -some more work to close the races of the variables there. This is going -to happen later. - -This likely fixes (I am unsure as there is no reproducer provided) bug -206361 too. It was marked as CVE-2020-8648. - -Signed-off-by: Jiri Slaby -Reported-by: syzbot+59997e8d5cbdc486e6f6@syzkaller.appspotmail.com -References: https://bugzilla.kernel.org/show_bug.cgi?id=206361 -Cc: stable -Link: https://lore.kernel.org/r/20200210081131.23572-2-jslaby@suse.cz -Signed-off-by: Greg Kroah-Hartman - ---- - drivers/tty/vt/selection.c | 23 +++++++++++++++++------ - 1 file changed, 17 insertions(+), 6 deletions(-) - ---- a/drivers/tty/vt/selection.c -+++ b/drivers/tty/vt/selection.c -@@ -16,6 +16,7 @@ - #include - #include - #include -+#include - #include - #include - -@@ -45,6 +46,7 @@ static volatile int sel_start = -1; /* - static int sel_end; - static int sel_buffer_lth; - static char *sel_buffer; -+static DEFINE_MUTEX(sel_lock); - - /* clear_selection, highlight and highlight_pointer can be called - from interrupt (via scrollback/front) */ -@@ -186,7 +188,7 @@ int set_selection_kernel(struct tiocl_se - char *bp, *obp; - int i, ps, pe, multiplier; - u32 c; -- int mode; -+ int mode, ret = 0; - - poke_blanked_console(); - -@@ -212,6 +214,7 @@ int set_selection_kernel(struct tiocl_se - if (ps > pe) /* make sel_start <= sel_end */ - swap(ps, pe); - -+ mutex_lock(&sel_lock); - if (sel_cons != vc_cons[fg_console].d) { - clear_selection(); - sel_cons = vc_cons[fg_console].d; -@@ -257,9 +260,10 @@ int set_selection_kernel(struct tiocl_se - break; - case TIOCL_SELPOINTER: - highlight_pointer(pe); -- return 0; -+ goto unlock; - default: -- return -EINVAL; -+ ret = -EINVAL; -+ goto unlock; - } - - /* remove the pointer */ -@@ -281,7 +285,7 @@ int set_selection_kernel(struct tiocl_se - else if (new_sel_start == sel_start) - { - if (new_sel_end == sel_end) /* no action required */ -- return 0; -+ goto unlock; - else if (new_sel_end > sel_end) /* extend to right */ - highlight(sel_end + 2, new_sel_end); - else /* contract from right */ -@@ -309,7 +313,8 @@ int set_selection_kernel(struct tiocl_se - if (!bp) { - printk(KERN_WARNING "selection: kmalloc() failed\n"); - clear_selection(); -- return -ENOMEM; -+ ret = -ENOMEM; -+ goto unlock; - } - kfree(sel_buffer); - sel_buffer = bp; -@@ -334,7 +339,9 @@ int set_selection_kernel(struct tiocl_se - } - } - sel_buffer_lth = bp - sel_buffer; -- return 0; -+unlock: -+ mutex_unlock(&sel_lock); -+ return ret; - } - EXPORT_SYMBOL_GPL(set_selection_kernel); - -@@ -364,6 +371,7 @@ int paste_selection(struct tty_struct *t - tty_buffer_lock_exclusive(&vc->port); - - add_wait_queue(&vc->paste_wait, &wait); -+ mutex_lock(&sel_lock); - while (sel_buffer && sel_buffer_lth > pasted) { - set_current_state(TASK_INTERRUPTIBLE); - if (signal_pending(current)) { -@@ -371,7 +379,9 @@ int paste_selection(struct tty_struct *t - break; - } - if (tty_throttled(tty)) { -+ mutex_unlock(&sel_lock); - schedule(); -+ mutex_lock(&sel_lock); - continue; - } - __set_current_state(TASK_RUNNING); -@@ -380,6 +390,7 @@ int paste_selection(struct tty_struct *t - count); - pasted += count; - } -+ mutex_unlock(&sel_lock); - remove_wait_queue(&vc->paste_wait, &wait); - __set_current_state(TASK_RUNNING); - diff --git a/queue-5.5/series b/queue-5.5/series index 02f4ea16118..467a61058fa 100644 --- a/queue-5.5/series +++ b/queue-5.5/series @@ -24,7 +24,6 @@ floppy-check-fdc-index-for-errors-before-assigning-it.patch usb-serial-ch341-fix-receiver-regression.patch vt-fix-scrollback-flushing-on-background-consoles.patch vt-selection-handle-pending-signals-in-paste_selection.patch -vt-selection-close-sel_buffer-race.patch vt-vt_ioctl-fix-race-in-vt_resizex.patch staging-android-ashmem-disallow-ashmem-memory-from-being-remapped.patch staging-vt6656-fix-sign-of-rx_dbm-to-bb_pre_ed_rssi.patch diff --git a/queue-5.5/vt-selection-close-sel_buffer-race.patch b/queue-5.5/vt-selection-close-sel_buffer-race.patch deleted file mode 100644 index 39b299e5b61..00000000000 --- a/queue-5.5/vt-selection-close-sel_buffer-race.patch +++ /dev/null @@ -1,155 +0,0 @@ -From 07e6124a1a46b4b5a9b3cacc0c306b50da87abf5 Mon Sep 17 00:00:00 2001 -From: Jiri Slaby -Date: Mon, 10 Feb 2020 09:11:31 +0100 -Subject: vt: selection, close sel_buffer race - -From: Jiri Slaby - -commit 07e6124a1a46b4b5a9b3cacc0c306b50da87abf5 upstream. - -syzkaller reported this UAF: -BUG: KASAN: use-after-free in n_tty_receive_buf_common+0x2481/0x2940 drivers/tty/n_tty.c:1741 -Read of size 1 at addr ffff8880089e40e9 by task syz-executor.1/13184 - -CPU: 0 PID: 13184 Comm: syz-executor.1 Not tainted 5.4.7 #1 -Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 -Call Trace: -... - kasan_report+0xe/0x20 mm/kasan/common.c:634 - n_tty_receive_buf_common+0x2481/0x2940 drivers/tty/n_tty.c:1741 - tty_ldisc_receive_buf+0xac/0x190 drivers/tty/tty_buffer.c:461 - paste_selection+0x297/0x400 drivers/tty/vt/selection.c:372 - tioclinux+0x20d/0x4e0 drivers/tty/vt/vt.c:3044 - vt_ioctl+0x1bcf/0x28d0 drivers/tty/vt/vt_ioctl.c:364 - tty_ioctl+0x525/0x15a0 drivers/tty/tty_io.c:2657 - vfs_ioctl fs/ioctl.c:47 [inline] - -It is due to a race between parallel paste_selection (TIOCL_PASTESEL) -and set_selection_user (TIOCL_SETSEL) invocations. One uses sel_buffer, -while the other frees it and reallocates a new one for another -selection. Add a mutex to close this race. - -The mutex takes care properly of sel_buffer and sel_buffer_lth only. The -other selection global variables (like sel_start, sel_end, and sel_cons) -are protected only in set_selection_user. The other functions need quite -some more work to close the races of the variables there. This is going -to happen later. - -This likely fixes (I am unsure as there is no reproducer provided) bug -206361 too. It was marked as CVE-2020-8648. - -Signed-off-by: Jiri Slaby -Reported-by: syzbot+59997e8d5cbdc486e6f6@syzkaller.appspotmail.com -References: https://bugzilla.kernel.org/show_bug.cgi?id=206361 -Cc: stable -Link: https://lore.kernel.org/r/20200210081131.23572-2-jslaby@suse.cz -Signed-off-by: Greg Kroah-Hartman - ---- - drivers/tty/vt/selection.c | 23 +++++++++++++++++------ - 1 file changed, 17 insertions(+), 6 deletions(-) - ---- a/drivers/tty/vt/selection.c -+++ b/drivers/tty/vt/selection.c -@@ -16,6 +16,7 @@ - #include - #include - #include -+#include - #include - #include - -@@ -45,6 +46,7 @@ static volatile int sel_start = -1; /* - static int sel_end; - static int sel_buffer_lth; - static char *sel_buffer; -+static DEFINE_MUTEX(sel_lock); - - /* clear_selection, highlight and highlight_pointer can be called - from interrupt (via scrollback/front) */ -@@ -186,7 +188,7 @@ int set_selection_kernel(struct tiocl_se - char *bp, *obp; - int i, ps, pe, multiplier; - u32 c; -- int mode; -+ int mode, ret = 0; - - poke_blanked_console(); - -@@ -212,6 +214,7 @@ int set_selection_kernel(struct tiocl_se - if (ps > pe) /* make sel_start <= sel_end */ - swap(ps, pe); - -+ mutex_lock(&sel_lock); - if (sel_cons != vc_cons[fg_console].d) { - clear_selection(); - sel_cons = vc_cons[fg_console].d; -@@ -257,9 +260,10 @@ int set_selection_kernel(struct tiocl_se - break; - case TIOCL_SELPOINTER: - highlight_pointer(pe); -- return 0; -+ goto unlock; - default: -- return -EINVAL; -+ ret = -EINVAL; -+ goto unlock; - } - - /* remove the pointer */ -@@ -281,7 +285,7 @@ int set_selection_kernel(struct tiocl_se - else if (new_sel_start == sel_start) - { - if (new_sel_end == sel_end) /* no action required */ -- return 0; -+ goto unlock; - else if (new_sel_end > sel_end) /* extend to right */ - highlight(sel_end + 2, new_sel_end); - else /* contract from right */ -@@ -309,7 +313,8 @@ int set_selection_kernel(struct tiocl_se - if (!bp) { - printk(KERN_WARNING "selection: kmalloc() failed\n"); - clear_selection(); -- return -ENOMEM; -+ ret = -ENOMEM; -+ goto unlock; - } - kfree(sel_buffer); - sel_buffer = bp; -@@ -334,7 +339,9 @@ int set_selection_kernel(struct tiocl_se - } - } - sel_buffer_lth = bp - sel_buffer; -- return 0; -+unlock: -+ mutex_unlock(&sel_lock); -+ return ret; - } - EXPORT_SYMBOL_GPL(set_selection_kernel); - -@@ -364,6 +371,7 @@ int paste_selection(struct tty_struct *t - tty_buffer_lock_exclusive(&vc->port); - - add_wait_queue(&vc->paste_wait, &wait); -+ mutex_lock(&sel_lock); - while (sel_buffer && sel_buffer_lth > pasted) { - set_current_state(TASK_INTERRUPTIBLE); - if (signal_pending(current)) { -@@ -371,7 +379,9 @@ int paste_selection(struct tty_struct *t - break; - } - if (tty_throttled(tty)) { -+ mutex_unlock(&sel_lock); - schedule(); -+ mutex_lock(&sel_lock); - continue; - } - __set_current_state(TASK_RUNNING); -@@ -380,6 +390,7 @@ int paste_selection(struct tty_struct *t - count); - pasted += count; - } -+ mutex_unlock(&sel_lock); - remove_wait_queue(&vc->paste_wait, &wait); - __set_current_state(TASK_RUNNING); - -- 2.47.3