public inbox for linux-kernel@vger.kernel.org
From: Chris Wright <chrisw@sous-sol.org>
To: linux-kernel@vger.kernel.org, stable@kernel.org,
	Linus Torvalds <torvalds@linux-foundation.org>
Cc: Justin Forbes <jmforbes@linuxtx.org>,
	Zwane Mwaikambo <zwane@arm.linux.org.uk>,
	"Theodore Ts'o" <tytso@mit.edu>,
	Randy Dunlap <rdunlap@xenotime.net>,
	Dave Jones <davej@redhat.com>,
	Chuck Wolber <chuckw@quantumlinux.com>,
	Chris Wedgwood <reviews@ml.cw.f00f.org>,
	Michael Krufky <mkrufky@linuxtv.org>,
	Chuck Ebbert <cebbert@redhat.com>,
	Domenico Andreoli <cavokz@gmail.com>,
	akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
	Hugh Dickins <hugh@veritas.com>,
	Egmont Koblinger <egmont@uhulinux.hu>,
	Greg Kroah-Hartman <gregkh@suse.de>
Subject: [patch 20/54] fix compat console unimap regression
Date: Fri, 08 Jun 2007 00:21:47 -0700
Message-ID: <20070608072202.761118000@sous-sol.org>
In-Reply-To: 20070608072127.352723000@sous-sol.org

[-- Attachment #1: fix-compat-console-unimap-regression.patch --]
[-- Type: text/plain, Size: 3469 bytes --]

-stable review patch.  If anyone has any objections, please let us know.
---------------------

From: Hugh Dickins <hugh@veritas.com>

Why is it that since the 2f1a2ccb9c0de632ab07193becf5f7121794f6ae console
UTF-8 fixes went into 2.6.22-rc1, the PowerMac G5 shows only inverse video
question marks for the text on tty2-6? whereas tty1 is fine, and so is x86.

No fault of that patch: by removing the old fallback behaviour, it reveals
that 32-bit setfont running on 64-bit kernels has only really worked on
the current console, the rest getting faked by that inadequate fallback.

Bring the compat do_unimap_ioctl into line with the main one: PIO_UNIMAP
and GIO_UNIMAP apply to the specified tty, not redirected to fg_console.
Use the same checks, and most particularly, remember to check access_ok:
con_set_unimap and con_get_unimap are using __get_user and __put_user.

And the compat vt_check should ask for the same capability as the main
one, CAP_SYS_TTY_CONFIG rather than CAP_SYS_ADMIN.  Added in vt_ioctl's
vc_cons_allocated check for safety, though failure may well be impossible.

Signed-off-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

 fs/compat_ioctl.c |   33 +++++++++++++++++++++++++--------
 1 file changed, 25 insertions(+), 8 deletions(-)

--- linux-2.6.21.4.orig/fs/compat_ioctl.c
+++ linux-2.6.21.4/fs/compat_ioctl.c
@@ -1178,6 +1178,7 @@ static int vt_check(struct file *file)
 {
 	struct tty_struct *tty;
 	struct inode *inode = file->f_path.dentry->d_inode;
+	struct vc_data *vc;
 	
 	if (file->f_op->ioctl != tty_ioctl)
 		return -EINVAL;
@@ -1188,12 +1189,16 @@ static int vt_check(struct file *file)
 	                                                
 	if (tty->driver->ioctl != vt_ioctl)
 		return -EINVAL;
-	
+
+	vc = (struct vc_data *)tty->driver_data;
+	if (!vc_cons_allocated(vc->vc_num)) 	/* impossible? */
+		return -ENOIOCTLCMD;
+
 	/*
 	 * To have permissions to do most of the vt ioctls, we either have
-	 * to be the owner of the tty, or super-user.
+	 * to be the owner of the tty, or have CAP_SYS_TTY_CONFIG.
 	 */
-	if (current->signal->tty == tty || capable(CAP_SYS_ADMIN))
+	if (current->signal->tty == tty || capable(CAP_SYS_TTY_CONFIG))
 		return 1;
 	return 0;                                                    
 }
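
Review bot: vc is dereferenced in vc_cons_allocated(vc->vc_num) without first checking that tty->driver_data is non-NULL, so the new guard would itself fault on a NULL driver_data. Either test vc before reading vc->vc_num, or replace the "/* impossible? */" comment with a statement of why driver_data is always valid once tty->driver->ioctl == vt_ioctl has been confirmed. The explicit (struct vc_data *) cast is also inconsistent with do_unimap_ioctl, which assigns driver_data to vc without one. Separately, replacing capable(CAP_SYS_ADMIN) with capable(CAP_SYS_TTY_CONFIG) means a caller holding only CAP_SYS_ADMIN is no longer treated as privileged on the compat path. That matches the stated intent, but it is a user-visible permission change that deserves a mention wherever this stable update is announced.
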
@@ -1294,16 +1299,28 @@ static int do_unimap_ioctl(unsigned int 
 	struct unimapdesc32 tmp;
 	struct unimapdesc32 __user *user_ud = compat_ptr(arg);
 	int perm = vt_check(file);
-	
-	if (perm < 0) return perm;
+	struct vc_data *vc;
+
+	if (perm < 0)
+		return perm;
 	if (copy_from_user(&tmp, user_ud, sizeof tmp))
 		return -EFAULT;
+	if (tmp.entries)
+		if (!access_ok(VERIFY_WRITE, compat_ptr(tmp.entries),
+				tmp.entry_ct*sizeof(struct unipair)))
+			return -EFAULT;
+	vc = ((struct tty_struct *)file->private_data)->driver_data;
 	switch (cmd) {
 	case PIO_UNIMAP:
-		if (!perm) return -EPERM;
-		return con_set_unimap(vc_cons[fg_console].d, tmp.entry_ct, compat_ptr(tmp.entries));
+		if (!perm)
+			return -EPERM;
+		return con_set_unimap(vc, tmp.entry_ct,
+						compat_ptr(tmp.entries));
 	case GIO_UNIMAP:
-		return con_get_unimap(vc_cons[fg_console].d, tmp.entry_ct, &(user_ud->entry_ct), compat_ptr(tmp.entries));
+		if (!perm && fg_console != vc->vc_num)
+			return -EPERM;
+		return con_get_unimap(vc, tmp.entry_ct, &(user_ud->entry_ct),
+						compat_ptr(tmp.entries));
 	}
 	return 0;
 }
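
Review bot: In the access_ok() call, the length tmp.entry_ct*sizeof(struct unipair) is computed from a count copied from user space, and the declaration of entry_ct in struct unimapdesc32 is not visible in this hunk. Since con_set_unimap and con_get_unimap rely on this range check for their __get_user/__put_user accesses, a short comment confirming that the field is narrow enough for the product not to wrap (or an explicit bound) would make the check self-evidently sound. The nested "if (tmp.entries)" / "if (!access_ok(...))" pair has no braces and would read better as one condition joined with &&. Note also that GIO_UNIMAP now returns -EPERM when perm is 0 and vc is not the foreground console, where it previously always read from vc_cons[fg_console].d; the changelog covers this only under "Use the same checks", so it is worth stating explicitly that unprivileged reads of a non-foreground console's map are now refused.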

-- 
