Patch "vt: fix unchecked __put_user() in tioclinux ioctls" has been added to the 4.12-stable tree

All of lore.kernel.org
 help / color / mirror / Atom feed

* Patch "vt: fix unchecked __put_user() in tioclinux ioctls" has been added to the 4.12-stable tree
@ 2017-07-18 15:43 gregkh
  2017-07-18 16:02 ` Adam Borowski
  0 siblings, 1 reply; 3+ messages in thread
From: gregkh @ 2017-07-18 15:43 UTC (permalink / raw)
  To: kilobyte, gregkh; +Cc: stable, stable-commits


This is a note to let you know that I've just added the patch titled

    vt: fix unchecked __put_user() in tioclinux ioctls

to the 4.12-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     vt-fix-unchecked-__put_user-in-tioclinux-ioctls.patch
and it can be found in the queue-4.12 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 6987dc8a70976561d22450b5858fc9767788cc1c Mon Sep 17 00:00:00 2001
From: Adam Borowski <kilobyte@angband.pl>
Date: Sat, 3 Jun 2017 09:35:06 +0200
Subject: vt: fix unchecked __put_user() in tioclinux ioctls

From: Adam Borowski <kilobyte@angband.pl>

commit 6987dc8a70976561d22450b5858fc9767788cc1c upstream.

Only read access is checked before this call.

Actually, at the moment this is not an issue, as every in-tree arch does
the same manual checks for VERIFY_READ vs VERIFY_WRITE, relying on the MMU
to tell them apart, but this wasn't the case in the past and may happen
again on some odd arch in the future.

If anyone cares about 3.7 and earlier, this is a security hole (untested)
on real 80386 CPUs.

Signed-off-by: Adam Borowski <kilobyte@angband.pl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/vt/vt.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -2709,13 +2709,13 @@ int tioclinux(struct tty_struct *tty, un
 	 * related to the kernel should not use this.
 	 */
 			data = vt_get_shift_state();
-			ret = __put_user(data, p);
+			ret = put_user(data, p);
 			break;
 		case TIOCL_GETMOUSEREPORTING:
 			console_lock();	/* May be overkill */
 			data = mouse_reporting();
 			console_unlock();
-			ret = __put_user(data, p);
+			ret = put_user(data, p);
 			break;
 		case TIOCL_SETVESABLANK:
 			console_lock();
@@ -2724,7 +2724,7 @@ int tioclinux(struct tty_struct *tty, un
 			break;
 		case TIOCL_GETKMSGREDIRECT:
 			data = vt_get_kmsg_redirect();
-			ret = __put_user(data, p);
+			ret = put_user(data, p);
 			break;
 		case TIOCL_SETKMSGREDIRECT:
 			if (!capable(CAP_SYS_ADMIN)) {


Patches currently in stable-queue which might be from kilobyte@angband.pl are

queue-4.12/vt-fix-unchecked-__put_user-in-tioclinux-ioctls.patch

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Patch "vt: fix unchecked __put_user() in tioclinux ioctls" has been added to the 4.12-stable tree
  2017-07-18 15:43 Patch "vt: fix unchecked __put_user() in tioclinux ioctls" has been added to the 4.12-stable tree gregkh
@ 2017-07-18 16:02 ` Adam Borowski
  2017-07-18 16:16   ` Greg KH
  0 siblings, 1 reply; 3+ messages in thread
From: Adam Borowski @ 2017-07-18 16:02 UTC (permalink / raw)
  To: gregkh; +Cc: stable, stable-commits

On Tue, Jul 18, 2017 at 05:43:09PM +0200, gregkh@linuxfoundation.org wrote:
> This is a note to let you know that I've just added the patch titled
> 
>     vt: fix unchecked __put_user() in tioclinux ioctls
> 
> to the 4.12-stable tree which can be found at:
>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
----
> From: Adam Borowski <kilobyte@angband.pl>
> 
> commit 6987dc8a70976561d22450b5858fc9767788cc1c upstream.
> 
> Only read access is checked before this call.
> 
> Actually, at the moment this is not an issue, as every in-tree arch does
> the same manual checks for VERIFY_READ vs VERIFY_WRITE, relying on the MMU
> to tell them apart, but this wasn't the case in the past and may happen
> again on some odd arch in the future.
> 
> If anyone cares about 3.7 and earlier, this is a security hole (untested)
> on real 80386 CPUs.

Note that this is a no-op on any modern kernel (>3.7), as on all
architectures checking VERIFY_READ is exactly same as VERIFY_WRITE.

I've submitted this patch for two reasons:
* it makes getting rid of __put_user() easier
* in case the distinction between VERIFY_READ and VERIFY_WRITE becomes used
  again at some point in the future

Neither reason applies to stable kernels younger than 3.7.  The patch
doesn't hurt, though, so if rebasing to drop it would be even a notch more
effort for you than keeping, it can stay.

The only stable kernel that old still maintained is 3.2 (Ben Hutchings) --
it's _apparently_ a local root hole on real 80386 machines.  By 80386 I mean
only that exact chip and perhaps faithful clones, 486+ excluded.  I have a
strong feeling Ben doesn't give a damn about 80386 CPUs, considering that
the distribution he cares about doesn't support that hardware for many, many
years, and people rolling their own userspace or using an ancient distro
don't quite use it for security-sensitive stuff either.

> Signed-off-by: Adam Borowski <kilobyte@angband.pl>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 
> ---
>  drivers/tty/vt/vt.c |    6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> --- a/drivers/tty/vt/vt.c
> +++ b/drivers/tty/vt/vt.c
> @@ -2709,13 +2709,13 @@ int tioclinux(struct tty_struct *tty, un
>  	 * related to the kernel should not use this.
>  	 */
>  			data = vt_get_shift_state();
> -			ret = __put_user(data, p);
> +			ret = put_user(data, p);
>  			break;
>  		case TIOCL_GETMOUSEREPORTING:
>  			console_lock();	/* May be overkill */
>  			data = mouse_reporting();
>  			console_unlock();
> -			ret = __put_user(data, p);
> +			ret = put_user(data, p);
>  			break;
>  		case TIOCL_SETVESABLANK:
>  			console_lock();
> @@ -2724,7 +2724,7 @@ int tioclinux(struct tty_struct *tty, un
>  			break;
>  		case TIOCL_GETKMSGREDIRECT:
>  			data = vt_get_kmsg_redirect();
> -			ret = __put_user(data, p);
> +			ret = put_user(data, p);
>  			break;
>  		case TIOCL_SETKMSGREDIRECT:
>  			if (!capable(CAP_SYS_ADMIN)) {
> 
> 
> Patches currently in stable-queue which might be from kilobyte@angband.pl are
> 
> queue-4.12/vt-fix-unchecked-__put_user-in-tioclinux-ioctls.patch


Meow!
-- 
⢀⣴⠾⠻⢶⣦⠀ 
⣾⠁⢠⠒⠀⣿⡁ A dumb species has no way to open a tuna can.
⢿⡄⠘⠷⠚⠋⠀ A smart species invents a can opener.
⠈⠳⣄⠀⠀⠀⠀ A master species delegates.

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Patch "vt: fix unchecked __put_user() in tioclinux ioctls" has been added to the 4.12-stable tree
  2017-07-18 16:02 ` Adam Borowski
@ 2017-07-18 16:16   ` Greg KH
  0 siblings, 0 replies; 3+ messages in thread
From: Greg KH @ 2017-07-18 16:16 UTC (permalink / raw)
  To: Adam Borowski; +Cc: stable, stable-commits

On Tue, Jul 18, 2017 at 06:02:21PM +0200, Adam Borowski wrote:
> On Tue, Jul 18, 2017 at 05:43:09PM +0200, gregkh@linuxfoundation.org wrote:
> > This is a note to let you know that I've just added the patch titled
> > 
> >     vt: fix unchecked __put_user() in tioclinux ioctls
> > 
> > to the 4.12-stable tree which can be found at:
> >     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> ----
> > From: Adam Borowski <kilobyte@angband.pl>
> > 
> > commit 6987dc8a70976561d22450b5858fc9767788cc1c upstream.
> > 
> > Only read access is checked before this call.
> > 
> > Actually, at the moment this is not an issue, as every in-tree arch does
> > the same manual checks for VERIFY_READ vs VERIFY_WRITE, relying on the MMU
> > to tell them apart, but this wasn't the case in the past and may happen
> > again on some odd arch in the future.
> > 
> > If anyone cares about 3.7 and earlier, this is a security hole (untested)
> > on real 80386 CPUs.
> 
> Note that this is a no-op on any modern kernel (>3.7), as on all
> architectures checking VERIFY_READ is exactly same as VERIFY_WRITE.
> 
> I've submitted this patch for two reasons:
> * it makes getting rid of __put_user() easier
> * in case the distinction between VERIFY_READ and VERIFY_WRITE becomes used
>   again at some point in the future
> 
> Neither reason applies to stable kernels younger than 3.7.  The patch
> doesn't hurt, though, so if rebasing to drop it would be even a notch more
> effort for you than keeping, it can stay.
> 
> The only stable kernel that old still maintained is 3.2 (Ben Hutchings) --
> it's _apparently_ a local root hole on real 80386 machines.  By 80386 I mean
> only that exact chip and perhaps faithful clones, 486+ excluded.  I have a
> strong feeling Ben doesn't give a damn about 80386 CPUs, considering that
> the distribution he cares about doesn't support that hardware for many, many
> years, and people rolling their own userspace or using an ancient distro
> don't quite use it for security-sensitive stuff either.

I think it's good to have backported so that people, if they are using
older kernels, will see this and know to apply it (like Ben, or those
"enterprise" distros out there supporting older-than-3.2 kernels...)

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2017-07-18 16:17 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-07-18 15:43 Patch "vt: fix unchecked __put_user() in tioclinux ioctls" has been added to the 4.12-stable tree gregkh
2017-07-18 16:02 ` Adam Borowski
2017-07-18 16:16   ` Greg KH

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.