Headline
CVE-2020-25656: keyboard, reorder user buffer handling in vt_do_kdgkb_ioctl
A flaw was found in the Linux kernel. A use-after-free was found in the way the console subsystem was using ioctls KDGKBSENT and KDSKBSENT. A local user could use this flaw to get read memory access out of bounds. The highest threat from this vulnerability is to data confidentiality.
From
Subject
[PATCH 11/17] vt: keyboard, reorder user buffer handling in vt_do_kdgkb_ioctl
Date
Thu, 29 Oct 2020 12:32:16 +0100
KDGKBSENT (the getter) needs only ‘user_kdgkb->kb_func’ from the
userspace, i.e. the index. Then it needs a buffer for a local copy of
'kb_string’.
KDSKBSENT (the setter) needs a copy up to the length of
'user_kdgkb->kb_string’.
That means, we obtain the index before the switch-case and use it in
both paths and:
- allocate full space in the getter case, and
- copy the string only in the setter case. We do it by strndup_user
helper now which was not available when this function was written.
Given we copy the two members of ‘struct kbsentry’ separately, we no
longer need a local definition. Hence we need to change all the sizeofs
here too.
Signed-off-by: Jiri Slaby [email protected]
—
drivers/tty/vt/keyboard.c | 42 ++++++++++++++++++±-------------------
1 file changed, 20 insertions(+), 22 deletions(-)
diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c
index 55014f57a3de…81afe0438b34 100644
— a/drivers/tty/vt/keyboard.c
+++ b/drivers/tty/vt/keyboard.c
@@ -2021,7 +2021,7 @@ int vt_do_kdsk_ioctl(int cmd, struct kbentry __user *user_kbe, int perm,
/* FIXME: This one needs untangling */
int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm)
{
- struct kbsentry *kbs;
- char *kbs;
u_char *q;
int sz, fnw_sz;
int delta;
@@ -2034,39 +2034,37 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm)
if (!capable(CAP_SYS_TTY_CONFIG))
perm = 0;
- kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
- if (!kbs) {
- ret = -ENOMEM;
- goto reterr;
- }
- if (get_user(kb_func, &user_kdgkb->kb_func))
return -EFAULT;
- /* we mostly copy too much here (512bytes), but who cares ;) */
- if (copy_from_user(kbs, user_kdgkb, sizeof(struct kbsentry))) {
- ret = -EFAULT;
- goto reterr;
- }
- kbs->kb_string[sizeof(kbs->kb_string)-1] = '\0’;
- kb_func = array_index_nospec(kbs->kb_func, MAX_NR_FUNC);
kb_func = array_index_nospec(kb_func, MAX_NR_FUNC);
switch (cmd) {
case KDGKBSENT: {
/* size should have been a struct member */
ssize_t len = sizeof(user_kdgkb->kb_string);kbs = kmalloc(len, GFP\_KERNEL);
if (!kbs)
return -ENOMEM;
spin\_lock\_irqsave(&func\_buf\_lock, flags);
- len = strlcpy(kbs->kb_string, func_table[kb_func] ? : "", len);
len = strlcpy(kbs, func\_table\[kb\_func\] ? : "", len); spin\_unlock\_irqrestore(&func\_buf\_lock, flags);
ret = copy\_to\_user(user\_kdgkb->kb\_string, kbs->kb\_string,
- len + 1) ? -EFAULT : 0;
ret = copy\_to\_user(user\_kdgkb->kb\_string, kbs, len + 1) ?
}-EFAULT : 0; goto reterr;
case KDSKBSENT:
- if (!perm) {
- ret = -EPERM;
- goto reterr;
- }if (!perm)
return -EPERM;
kbs = strndup\_user(user\_kdgkb->kb\_string,
sizeof(user\_kdgkb->kb\_string));
if (IS\_ERR(kbs))
return PTR\_ERR(kbs); fnw = NULL; fnw\_sz = 0;
@@ -2084,7 +2082,7 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm)
else
fj = first_free;
/* buffer usage increase by new entry */
- delta = (q ? -strlen(q) : 1) + strlen(kbs->kb_string);
delta = (q ? -strlen(q) : 1) + strlen(kbs); if (delta <= funcbufleft) { /\* it fits in current buf \*/ if (j < MAX\_NR\_FUNC) {
@@ -2136,7 +2134,7 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm)
funcbufsize = sz;
}
/* finally insert item itself */
- strcpy(func_table[kb_func], kbs->kb_string);
}strcpy(func\_table\[kb\_func\], kbs); spin\_unlock\_irqrestore(&func\_buf\_lock, flags); break;
–
2.29.1
Related news
A flaw was found in Linux Kernel because access to the global variable fg_console is not properly synchronized leading to a use after free in con_font_op.
A flaw was found in Linux Kernel because access to the global variable fg_console is not properly synchronized leading to a use after free in con_font_op.