linux-kernel.vger.kernel.org archive mirror
From: Jiri Slaby <jslaby@suse.cz>
To: gregkh@linuxfoundation.org
Cc: linux-serial@vger.kernel.org, linux-kernel@vger.kernel.org,
	Jiri Slaby <jslaby@suse.cz>
Subject: [PATCH 11/17] vt: keyboard, reorder user buffer handling in vt_do_kdgkb_ioctl
Date: Thu, 29 Oct 2020 12:32:16 +0100	[thread overview]
Message-ID: <20201029113222.32640-11-jslaby@suse.cz> (raw)
In-Reply-To: <20201029113222.32640-1-jslaby@suse.cz>

KDGKBSENT (the getter) needs only 'user_kdgkb->kb_func' from the
userspace, i.e. the index. Then it needs a buffer for a local copy of
'kb_string'.

KDSKBSENT (the setter) needs a copy up to the length of
'user_kdgkb->kb_string'.

That means we obtain the index before the switch-case, use it in both
paths, and:
1) allocate full space in the getter case, and
2) copy the string only in the setter case. We do it with the
   strndup_user helper now, which was not available when this function
   was written.

Given we copy the two members of 'struct kbsentry' separately, we no
longer need a local definition. Hence we need to change all the sizeofs
here too.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/tty/vt/keyboard.c | 42 +++++++++++++++++++--------------------
 1 file changed, 20 insertions(+), 22 deletions(-)

diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c
index 55014f57a3de..81afe0438b34 100644
--- a/drivers/tty/vt/keyboard.c
+++ b/drivers/tty/vt/keyboard.c
@@ -2021,7 +2021,7 @@ int vt_do_kdsk_ioctl(int cmd, struct kbentry __user *user_kbe, int perm,
 /* FIXME: This one needs untangling */
 int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm)
 {
-	struct kbsentry *kbs;
+	char *kbs;
 	u_char *q;
 	int sz, fnw_sz;
 	int delta;
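Review bot: with the declaration changed to `char *kbs;`, the pointer is no longer assigned unconditionally (the kmalloc() of the whole struct that preceded the switch is removed in the next hunk), yet the KDGKBSENT path still ends in `goto reterr`, and the removed `ret = -ENOMEM; goto reterr;` error path suggests that label is where `kbs` is freed. If `reterr` still calls kfree(kbs), any route to it that did not assign the pointer, for instance a `cmd` that matches neither case and falls out of the switch, would free an uninitialised pointer. Declaring it as `char *kbs = NULL;` keeps that path harmless, since kfree(NULL) is a no-op, and costs nothing on the paths that do allocate.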
@@ -2034,39 +2034,37 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm)
 	if (!capable(CAP_SYS_TTY_CONFIG))
 		perm = 0;
 
-	kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
-	if (!kbs) {
-		ret = -ENOMEM;
-		goto reterr;
-	}
+	if (get_user(kb_func, &user_kdgkb->kb_func))
+		return -EFAULT;
 
-	/* we mostly copy too much here (512bytes), but who cares ;) */
-	if (copy_from_user(kbs, user_kdgkb, sizeof(struct kbsentry))) {
-		ret = -EFAULT;
-		goto reterr;
-	}
-	kbs->kb_string[sizeof(kbs->kb_string)-1] = '\0';
-	kb_func = array_index_nospec(kbs->kb_func, MAX_NR_FUNC);
+	kb_func = array_index_nospec(kb_func, MAX_NR_FUNC);
 
 	switch (cmd) {
 	case KDGKBSENT: {
 		/* size should have been a struct member */
 		ssize_t len = sizeof(user_kdgkb->kb_string);
 
+		kbs = kmalloc(len, GFP_KERNEL);
+		if (!kbs)
+			return -ENOMEM;
+
 		spin_lock_irqsave(&func_buf_lock, flags);
-		len = strlcpy(kbs->kb_string, func_table[kb_func] ? : "", len);
+		len = strlcpy(kbs, func_table[kb_func] ? : "", len);
 		spin_unlock_irqrestore(&func_buf_lock, flags);
 
-		ret = copy_to_user(user_kdgkb->kb_string, kbs->kb_string,
-				len + 1) ? -EFAULT : 0;
+		ret = copy_to_user(user_kdgkb->kb_string, kbs, len + 1) ?
+			-EFAULT : 0;
 
 		goto reterr;
 	}
 	case KDSKBSENT:
-		if (!perm) {
-			ret = -EPERM;
-			goto reterr;
-		}
+		if (!perm)
+			return -EPERM;
+
+		kbs = strndup_user(user_kdgkb->kb_string,
+				sizeof(user_kdgkb->kb_string));
+		if (IS_ERR(kbs))
+			return PTR_ERR(kbs);
 
 		fnw = NULL;
 		fnw_sz = 0;
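Review bot: the setter's copy-in now changes what an unterminated kb_string does, and that deserves a sentence in the commit message. The removed lines copied all of `struct kbsentry` and then forced `kbs->kb_string[sizeof(kbs->kb_string)-1] = '\0'`, so a caller that filled all 512 bytes without a NUL got a silently truncated 511-character string. `strndup_user(user_kdgkb->kb_string, sizeof(user_kdgkb->kb_string))` instead returns ERR_PTR(-EINVAL) when no terminator is found within that many bytes (and -EFAULT when strnlen_user() faults), so the same input now fails the ioctl with an error the caller never saw before. Rejecting rather than mangling is arguably the better contract, but it is user-visible; if compatibility is wanted, strncpy_from_user() into a `sizeof(user_kdgkb->kb_string)` buffer followed by the same forced terminator keeps the old semantics. On the getter side, `copy_to_user(user_kdgkb->kb_string, kbs, len + 1)` still trusts the strlcpy() return value; that stays inside the `kmalloc(len)` buffer only while every stored func_table entry is shorter than `sizeof(user_kdgkb->kb_string)`, which the setter's bound guarantees, so a one-line comment stating that invariant next to the copy would help the next reader.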
@@ -2084,7 +2082,7 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm)
 		else
 			fj = first_free;
 		/* buffer usage increase by new entry */
-		delta = (q ? -strlen(q) : 1) + strlen(kbs->kb_string);
+		delta = (q ? -strlen(q) : 1) + strlen(kbs);
 
 		if (delta <= funcbufleft) { 	/* it fits in current buf */
 		    if (j < MAX_NR_FUNC) {
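Review bot: `delta` stays an `int` while both strlen() terms are `size_t`, so `(q ? -strlen(q) : 1) + strlen(kbs)` is evaluated unsigned and only becomes the intended negative value, when the old entry is longer than the new one, through the conversion on assignment. The patch only renames the operand and the arithmetic is pre-existing, but since this code is being reworked, computing the new length once into a local and writing the subtraction in signed form, e.g. `delta = (int)strlen(kbs) - (q ? (int)strlen(q) : -1);`, would make the buffer accounting readable and let the same length be reused by the final copy.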
@@ -2136,7 +2134,7 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm)
 		    funcbufsize = sz;
 		}
 		/* finally insert item itself */
-		strcpy(func_table[kb_func], kbs->kb_string);
+		strcpy(func_table[kb_func], kbs);
 		spin_unlock_irqrestore(&func_buf_lock, flags);
 		break;
 	}
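Review bot: `strcpy(func_table[kb_func], kbs);` remains an unbounded copy into the shared function buffer; it is safe only because the `delta`/`sz` accounting earlier in the function reserved exactly `strlen(kbs)` extra bytes for this entry. Since that length is already known at this point, `memcpy(func_table[kb_func], kbs, strlen(kbs) + 1)` (or strscpy() with the reserved size) ties the copy to the reservation explicitly and avoids scanning the string a second time under func_buf_lock.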
-- 
2.29.1
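What the copy-in change means for a caller, as an added example that is not part of this patch or of drivers/tty/vt/keyboard.c: a user-space model of the old handling of `kb_string` (copy all 512 bytes, force a NUL into the last one) beside the new one (strndup_user(), which rejects a string with no terminator inside the buffer with -EINVAL), run over constructed inputs of 5, 511 and 512 bytes, plus the plain ioctl call a program makes to set a function key string. The helper names (old_copy_kb_string, new_copy_kb_string, stored_length, set_func_string) and the inputs are assumptions made for the illustration; `struct kbsentry` and KDSKBSENT come from <linux/kd.h>, and the kernel helpers are imitated with libc.

```c
/*
 * Added example, not code from the patch or from drivers/tty/vt/keyboard.c:
 * a user-space model of the KDSKBSENT kb_string copy-in before and after the
 * patch, plus the real ioctl call. Kernel helpers are imitated with libc.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __linux__
#include <sys/ioctl.h>
#include <linux/kd.h>		/* struct kbsentry, KDSKBSENT */
#endif

#define KB_STRING_SIZE 512	/* sizeof(((struct kbsentry *)0)->kb_string) */

/* Pre-patch: copy the whole array and force a NUL into its last byte, so an
 * unterminated input is silently truncated to 511 characters. */
static char *old_copy_kb_string(const char user_kb_string[KB_STRING_SIZE])
{
	char *kbs = malloc(KB_STRING_SIZE);

	if (!kbs)
		return NULL;
	memcpy(kbs, user_kb_string, KB_STRING_SIZE);
	kbs[KB_STRING_SIZE - 1] = '\0';
	return kbs;
}

/* Post-patch: model of strndup_user(s, n) from mm/util.c. strnlen_user()
 * counts the terminator, so a string with no NUL in the first n bytes is
 * longer than n and is rejected with -EINVAL. Errors are returned through
 * *err with a NULL result where the kernel would return an ERR_PTR. */
static char *new_copy_kb_string(const char user_kb_string[KB_STRING_SIZE],
				int *err)
{
	const char *nul = memchr(user_kb_string, '\0', KB_STRING_SIZE);
	size_t length = nul ? (size_t)(nul - user_kb_string) : KB_STRING_SIZE;
	char *kbs;

	*err = 0;
	if (length == KB_STRING_SIZE) {		/* no NUL within n bytes */
		*err = -EINVAL;
		return NULL;
	}
	kbs = malloc(length + 1);
	if (!kbs) {
		*err = -ENOMEM;
		return NULL;
	}
	memcpy(kbs, user_kb_string, length + 1);
	return kbs;
}

/* Length the kernel would store for a constructed kb_string made of 'count'
 * copies of 'fill' (NUL-terminated only when count < 512, exactly as user
 * space would pass it), or -errno. old != 0 selects pre-patch behaviour. */
static long stored_length(int old, char fill, size_t count)
{
	char buf[KB_STRING_SIZE];
	char *kbs;
	int err = 0;
	long ret;

	memset(buf, 0, sizeof(buf));
	memset(buf, fill, count < sizeof(buf) ? count : sizeof(buf));
	kbs = old ? old_copy_kb_string(buf) : new_copy_kb_string(buf, &err);
	if (!kbs)
		return err ? err : -ENOMEM;
	ret = (long)strlen(kbs);
	free(kbs);
	return ret;
}

#ifdef __linux__
/* The real call on a console fd: bind function key 'func' to 's'. Returns 0
 * or -errno; the kernel requires CAP_SYS_TTY_CONFIG for KDSKBSENT. */
int set_func_string(int fd, unsigned char func, const char *s)
{
	struct kbsentry kbs;

	memset(&kbs, 0, sizeof(kbs));
	kbs.kb_func = func;
	/* keep the last byte as NUL: an unterminated string now gets -EINVAL */
	strncpy((char *)kbs.kb_string, s, sizeof(kbs.kb_string) - 1);
	return ioctl(fd, KDSKBSENT, &kbs) < 0 ? -errno : 0;
}
#endif

int main(void)
{
	static const size_t counts[] = { 5, 511, 512 };
	size_t i;

	printf("%8s %12s %12s\n", "bytes", "pre-patch", "post-patch");
	for (i = 0; i < sizeof(counts) / sizeof(counts[0]); i++)
		printf("%8zu %12ld %12ld\n", counts[i],
		       stored_length(1, 'A', counts[i]),
		       stored_length(0, 'A', counts[i]));
	return 0;
}
```

The 512-byte row is the one that differs: the pre-patch model stores 511 characters, the post-patch model returns -EINVAL, which is the user-visible change a caller of KDSKBSENT has to expect. Compile with `cc -Wall example.c` and run it without arguments; set_func_string() is only there to show the real call shape and needs a console fd and CAP_SYS_TTY_CONFIG.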


Thread overview: 17+ messages
2020-10-29 11:32 [PATCH 01/17] vt: keyboard, remove ctrl_alt_del declaration Jiri Slaby
2020-10-29 11:32 ` [PATCH 02/17] vt: keyboard, include linux/spinlock.h Jiri Slaby
2020-10-29 11:32 ` [PATCH 03/17] vt: keyboard, sort includes Jiri Slaby
2020-10-29 11:32 ` [PATCH 04/17] vt: keyboard, sort key types by their number Jiri Slaby
2020-10-29 11:32 ` [PATCH 05/17] vt: keyboard, clean up max_vals Jiri Slaby
2020-10-29 11:32 ` [PATCH 06/17] vt: keyboard, extract vt_kdgkbent and vt_kdskbent Jiri Slaby
2020-10-29 11:32 ` [PATCH 07/17] vt: keyboard, union perm checks in vt_do_kdsk_ioctl Jiri Slaby
2020-10-29 11:32 ` [PATCH 08/17] vt: keyboard, use DECLARE_BITMAP for key_down Jiri Slaby
2020-10-29 11:32 ` [PATCH 09/17] vt: keyboard, use bool for rep Jiri Slaby
2020-10-29 11:32 ` [PATCH 10/17] vt: keyboard, rename i to kb_func in vt_do_kdgkb_ioctl Jiri Slaby
2020-10-29 11:32 ` [PATCH 11/17] vt: keyboard, reorder user buffer handling in vt_do_kdgkb_ioctl Jiri Slaby [this message]
2020-10-29 11:32 ` [PATCH 12/17] vt: keyboard, extract and simplify vt_kdskbsent Jiri Slaby
2020-10-29 11:32 ` [PATCH 13/17] vt: keyboard, remove unneeded func_* declarations Jiri Slaby
2020-10-29 11:32 ` [PATCH 14/17] vt: keyboard, union perm checks in vt_do_kdgkb_ioctl Jiri Slaby
2020-10-29 11:32 ` [PATCH 15/17] vt: keyboard, make HW_RAW a function Jiri Slaby
2020-10-29 11:32 ` [PATCH 16/17] vt: keyboard, use find_next_bit in kbd_match Jiri Slaby
2020-10-29 11:32 ` [PATCH 17/17] vt: keyboard, use tty_insert_flip_string in puts_queue Jiri Slaby
