CVE-2020-25656: keyboard, reorder user buffer handling in vt_do_kdgkb_ioctl

A flaw was found in the Linux kernel: a use-after-free in the way the console subsystem handled the KDGKBSENT and KDSKBSENT ioctls. A local user could use this flaw to read kernel memory out of bounds. The highest threat from this vulnerability is to data confidentiality.

From:

Subject: [PATCH 11/17] vt: keyboard, reorder user buffer handling in vt_do_kdgkb_ioctl

Date: Thu, 29 Oct 2020 12:32:16 +0100

KDGKBSENT (the getter) needs only 'user_kdgkb->kb_func' from the
userspace, i.e. the index. Then it needs a buffer for a local copy of
'kb_string'.

KDSKBSENT (the setter) needs a copy up to the length of
'user_kdgkb->kb_string'.

That means, we obtain the index before the switch-case and use it in
both paths and:

  1. allocate full space in the getter case, and
  2. copy the string only in the setter case. We do it by strndup_user
     helper now which was not available when this function was written.

Given we copy the two members of 'struct kbsentry' separately, we no
longer need a local definition. Hence we need to change all the sizeofs
here too.

Signed-off-by: Jiri Slaby [email protected]

 drivers/tty/vt/keyboard.c | 42 ++++++++++++++++++++-------------------
 1 file changed, 20 insertions(+), 22 deletions(-)

diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c
index 55014f57a3de..81afe0438b34 100644
--- a/drivers/tty/vt/keyboard.c
+++ b/drivers/tty/vt/keyboard.c
@@ -2021,7 +2021,7 @@ int vt_do_kdsk_ioctl(int cmd, struct kbentry __user *user_kbe, int perm,
/* FIXME: This one needs untangling */
int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm)
{
- struct kbsentry *kbs;

  • char *kbs;
    u_char *q;
    int sz, fnw_sz;
    int delta;
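Review bot: changing `kbs` from `struct kbsentry *` to `char *` means any `kbs->kb_string` left behind in this function now fails to compile, which is a useful safety net, but the name no longer says what it holds; consider renaming it (for example `kb_str`) or, at least, trimming the `/* FIXME: This one needs untangling */` comment above, since this change does part of that untangling.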
    @@ -2034,39 +2034,37 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm)
    if (!capable(CAP_SYS_TTY_CONFIG))
    perm = 0;
  • kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
    - if (!kbs) {
    - ret = -ENOMEM;
    - goto reterr;
    - }
  • if (get_user(kb_func, &user_kdgkb->kb_func))
  •   return -EFAULT;
    
  • /* we mostly copy too much here (512bytes), but who cares ;) */
    - if (copy_from_user(kbs, user_kdgkb, sizeof(struct kbsentry))) {
    - ret = -EFAULT;
    - goto reterr;
    - }
    - kbs->kb_string[sizeof(kbs->kb_string)-1] = '\0’;
    - kb_func = array_index_nospec(kbs->kb_func, MAX_NR_FUNC);
  • kb_func = array_index_nospec(kb_func, MAX_NR_FUNC);

    switch (cmd) {
    case KDGKBSENT: {
    /* size should have been a struct member */
    ssize_t len = sizeof(user_kdgkb->kb_string);

  •  kbs = kmalloc(len, GFP\_KERNEL);  
    
  •   if (!kbs)  
    
  •       return -ENOMEM;  
    
  •   spin\_lock\_irqsave(&func\_buf\_lock, flags);  
    

- len = strlcpy(kbs->kb_string, func_table[kb_func] ? : "", len);

  •   len = strlcpy(kbs, func\_table\[kb\_func\] ? : "", len);  
      spin\_unlock\_irqrestore(&func\_buf\_lock, flags);
    
  •  ret = copy\_to\_user(user\_kdgkb->kb\_string, kbs->kb\_string,  
    

- len + 1) ? -EFAULT : 0;

  •   ret = copy\_to\_user(user\_kdgkb->kb\_string, kbs, len + 1) ?  
    
  •       -EFAULT : 0;
    
      goto reterr;  
    
    }
    case KDSKBSENT:
    - if (!perm) {
    - ret = -EPERM;
    - goto reterr;
    - }
  •   if (!perm)  
    
  •       return -EPERM;  
    
  •   kbs = strndup\_user(user\_kdgkb->kb\_string,  
    
  •           sizeof(user\_kdgkb->kb\_string));  
    
  •   if (IS\_ERR(kbs))  
    
  •       return PTR\_ERR(kbs);
    
      fnw = NULL;  
      fnw\_sz = 0;  
    

@@ -2084,7 +2082,7 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm)
else
fj = first_free;
/* buffer usage increase by new entry */
- delta = (q ? -strlen(q) : 1) + strlen(kbs->kb_string);

  •   delta = (q ? -strlen(q) : 1) + strlen(kbs);
    
      if (delta <= funcbufleft) {     /\* it fits in current buf \*/  
          if (j < MAX\_NR\_FUNC) {  
    

@@ -2136,7 +2134,7 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm)
funcbufsize = sz;
}
/* finally insert item itself */
- strcpy(func_table[kb_func], kbs->kb_string);

  •   strcpy(func\_table\[kb\_func\], kbs);  
      spin\_unlock\_irqrestore(&func\_buf\_lock, flags);  
      break;  
    
    }
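Review bot: `strcpy(func_table[kb_func], kbs)` relies on the destination slot having been sized from `delta`, which the earlier hunk computes from `strlen(kbs)`; with `kbs` now a plain string from strndup_user that stays consistent, but checkpatch flags `strcpy`, and a `memcpy` using the length already computed for `delta` (or `strscpy` with the slot size) would make the bound explicit rather than implicit.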

    2.29.1

Related news

CVE-2020-25668: [SECURITY] [DLA 2494-1] linux security update

A flaw was found in Linux Kernel because access to the global variable fg_console is not properly synchronized leading to a use after free in con_font_op.
