From: Jiri Slaby <jirislaby@kernel.org>
To: Hang Zhang <zh.nvgt@gmail.com>
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Ilpo Järvinen" <ilpo.jarvinen@linux.intel.com>,
"Daniel Vetter" <daniel.vetter@ffwll.ch>,
"Yangxi Xiang" <xyangxi5@gmail.com>,
"Xuezhi Zhang" <zhangxuezhi1@coolpad.com>,
"Helge Deller" <deller@gmx.de>,
"Tetsuo Handa" <penguin-kernel@I-love.SAKURA.ne.jp>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] tty: vt: add some NULL checks for vc_data
Date: Tue, 3 Jan 2023 10:24:28 +0100
Message-ID: <182d36d5-df77-2479-882a-5bb588c5f170@kernel.org>
In-Reply-To: <20221229064153.23511-1-zh.nvgt@gmail.com>
On 29. 12. 22, 7:41, Hang Zhang wrote:
> vc_selection(), do_blank_screen() and scrollfront() all access "vc_data"
> structures obtained from the global "vc_cons[fg_console].d", which can
> be freed and nullified (e.g., in the error path of vc_allocate()). But
> these functions don't have any NULL checks against the pointers before
> dereferencing them, causing potentially use-after-free or null pointer
> dereference.
Could you elaborate under what circumstances is fg_console set to a
non-allocated console?
> Prevent these potential issues by placing NULL checks in these functions
> before accessing "vc_data" structures. Similar checks can be found in
> other functions like vt_console_print() and poke_blanked_console().
>
> Signed-off-by: Hang Zhang <zh.nvgt@gmail.com>
> ---
> drivers/tty/vt/selection.c | 3 +++
> drivers/tty/vt/vt.c | 5 +++++
> 2 files changed, 8 insertions(+)
>
> diff --git a/drivers/tty/vt/selection.c b/drivers/tty/vt/selection.c
> index 6ef22f01cc51..c727fd947683 100644
> --- a/drivers/tty/vt/selection.c
> +++ b/drivers/tty/vt/selection.c
> @@ -319,6 +319,9 @@ static int vc_selection(struct vc_data *vc, struct tiocl_selection *v,
> {
> int ps, pe;
>
> + if (!vc)
> + return 0;
> +
> poke_blanked_console();
>
> if (v->sel_mode == TIOCL_SELCLEAR) {
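Review bot: The early "return 0" added at the top of vc_selection() reports success to the caller even though no selection work was done. If a NULL vc is genuinely reachable here, return a negative errno so the failure is visible. The check also only covers the nullified case: vc arrives as a parameter the caller has already loaded, so a vc_data that was freed but is still non-NULL passes this test, and the use-after-free named in the commit message is not addressed by it. The commit message should state which lock, if any, keeps vc valid between the caller's load and this check.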
> diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
> index 981d2bfcf9a5..00f8fdc61e9f 100644
> --- a/drivers/tty/vt/vt.c
> +++ b/drivers/tty/vt/vt.c
> @@ -1493,6 +1493,8 @@ void scrollback(struct vc_data *vc)
>
> void scrollfront(struct vc_data *vc, int lines)
> {
> + if (!vc)
> + return;
> if (!lines)
> lines = vc->vc_rows / 2;
> scrolldelta(lines);
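Review bot: The "if (!vc) return;" in scrollfront() is broader than the dereference it guards. vc is only read in the "if (!lines)" branch (vc->vc_rows / 2), and scrolldelta(lines) does not take vc, so with a non-zero lines argument the new check silently drops a scroll request that would not have touched the pointer in this function. Either move the test into the "if (!lines)" branch or explain in the commit message why the whole call must be skipped. Style: the other two hunks leave a blank line after the check, this one does not.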
> @@ -4346,6 +4348,9 @@ void do_blank_screen(int entering_gfx)
> struct vc_data *vc = vc_cons[fg_console].d;
> int i;
>
> + if (!vc)
> + return;
> +
> might_sleep();
>
> WARN_CONSOLE_UNLOCKED();
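Review bot: In do_blank_screen() the new "if (!vc) return;" sits before might_sleep() and WARN_CONSOLE_UNLOCKED(), so on the NULL path both debugging assertions are skipped and a caller without the console lock goes unreported. Place the check after them. Note also that vc_cons[fg_console].d is read in the declaration, ahead of the lock assertion: if the lock is held as WARN_CONSOLE_UNLOCKED() expects, the commit message needs to explain how the entry for fg_console can be NULL at this point; if it is not held, a one-time NULL test does not stop the pointer from being freed right after it.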
thanks,
--
js
suse labs