    vt: prevent leaking uninitialized data to userspace via /dev/vcs* · 21eff69a
    Alexander Potapenko authored
    KMSAN reported an infoleak when reading from /dev/vcs*:
    
      BUG: KMSAN: kernel-infoleak in vcs_read+0x18ba/0x1cc0
      Call Trace:
      ...
       kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1253
       copy_to_user ./include/linux/uaccess.h:184
       vcs_read+0x18ba/0x1cc0 drivers/tty/vt/vc_screen.c:352
       __vfs_read+0x1b2/0x9d0 fs/read_write.c:416
       vfs_read+0x36c/0x6b0 fs/read_write.c:452
      ...
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279
       kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189
       kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315
       __kmalloc+0x13a/0x350 mm/slub.c:3818
       kmalloc ./include/linux/slab.h:517
       vc_allocate+0x438/0x800 drivers/tty/vt/vt.c:787
       con_install+0x8c/0x640 drivers/tty/vt/vt.c:2880
       tty_driver_install_tty drivers/tty/tty_io.c:1224
       tty_init_dev+0x1b5/0x1020 drivers/tty/tty_io.c:1324
       tty_open_by_driver drivers/tty/tty_io.c:1959
       tty_open+0x17b4/0x2ed0 drivers/tty/tty_io.c:2007
       chrdev_open+0xc25/0xd90 fs/char_dev.c:417
       do_dentry_open+0xccc/0x1440 fs/open.c:794
       vfs_open+0x1b6/0x2f0 fs/open.c:908
      ...
      Bytes 0-79 of 240 are uninitialized
    
    Consistently allocating |vc_screenbuf| with kzalloc() fixes the problem
    
    Reported-by: syzbot+17a8efdf800000@syzkaller.appspotmail.com
    Signed-off-by: Alexander Potapenko <glider@google.com>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Name
hvc
ipwireless
serdev
serial
vt
Kconfig
Makefile
amiserial.c
cyclades.c
ehv_bytechan.c
goldfish.c
isicom.c
mips_ejtag_fdc.c
moxa.c
moxa.h
mxser.c
mxser.h
n_gsm.c
n_hdlc.c
n_null.c
n_r3964.c
n_tracerouter.c
n_tracesink.c
n_tracesink.h
n_tty.c
nozomi.c
pty.c
rocket.c
rocket.h
rocket_int.h
synclink.c
synclink_gt.c
synclinkmp.c
sysrq.c
tty_audit.c
tty_baudrate.c
tty_buffer.c
tty_io.c
tty_ioctl.c
tty_jobctrl.c
tty_ldisc.c
tty_ldsem.c
tty_mutex.c
tty_port.c
vcc.c