| From: Alexander Potapenko <glider@google.com> |
| Date: Thu, 14 Jun 2018 12:23:09 +0200 |
| Subject: vt: prevent leaking uninitialized data to userspace via /dev/vcs* |
| |
| commit 21eff69aaaa0e766ca0ce445b477698dc6a9f55a upstream. |
| |
| KMSAN reported an infoleak when reading from /dev/vcs*: |
| |
| BUG: KMSAN: kernel-infoleak in vcs_read+0x18ba/0x1cc0 |
| Call Trace: |
| ... |
| kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1253 |
| copy_to_user ./include/linux/uaccess.h:184 |
| vcs_read+0x18ba/0x1cc0 drivers/tty/vt/vc_screen.c:352 |
| __vfs_read+0x1b2/0x9d0 fs/read_write.c:416 |
| vfs_read+0x36c/0x6b0 fs/read_write.c:452 |
| ... |
| Uninit was created at: |
| kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 |
| kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189 |
| kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315 |
| __kmalloc+0x13a/0x350 mm/slub.c:3818 |
| kmalloc ./include/linux/slab.h:517 |
| vc_allocate+0x438/0x800 drivers/tty/vt/vt.c:787 |
| con_install+0x8c/0x640 drivers/tty/vt/vt.c:2880 |
| tty_driver_install_tty drivers/tty/tty_io.c:1224 |
| tty_init_dev+0x1b5/0x1020 drivers/tty/tty_io.c:1324 |
| tty_open_by_driver drivers/tty/tty_io.c:1959 |
| tty_open+0x17b4/0x2ed0 drivers/tty/tty_io.c:2007 |
| chrdev_open+0xc25/0xd90 fs/char_dev.c:417 |
| do_dentry_open+0xccc/0x1440 fs/open.c:794 |
| vfs_open+0x1b6/0x2f0 fs/open.c:908 |
| ... |
| Bytes 0-79 of 240 are uninitialized |
| |
| Consistently allocating |vc_screenbuf| with kzalloc() fixes the problem |
| |
| Reported-by: syzbot+17a8efdf800000@syzkaller.appspotmail.com |
| Signed-off-by: Alexander Potapenko <glider@google.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| drivers/tty/vt/vt.c | 4 ++-- |
| 1 file changed, 2 insertions(+), 2 deletions(-) |
| |
| --- a/drivers/tty/vt/vt.c |
| +++ b/drivers/tty/vt/vt.c |
| @@ -782,7 +782,7 @@ int vc_allocate(unsigned int currcons) / |
| if (!*vc->vc_uni_pagedir_loc) |
| con_set_default_unimap(vc); |
| |
| - vc->vc_screenbuf = kmalloc(vc->vc_screenbuf_size, GFP_KERNEL); |
| + vc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_KERNEL); |
| if (!vc->vc_screenbuf) |
| goto err_free; |
| |
| @@ -869,7 +869,7 @@ static int vc_do_resize(struct tty_struc |
| |
| if (new_screen_size > (4 << 20)) |
| return -EINVAL; |
| - newscreen = kmalloc(new_screen_size, GFP_USER); |
| + newscreen = kzalloc(new_screen_size, GFP_USER); |
| if (!newscreen) |
| return -ENOMEM; |
| |