[RH7,1/2] vt: selection, push console lock down

Submitted by Evgenii Shatokhin on Oct. 13, 2020, 8:44 p.m.

Details

Message ID 20201013204404.18742-2-eshatokhin@virtuozzo.com
State New
Series "Follow-up fixes for CVE-2020-8648"
Headers show

Commit Message

Evgenii Shatokhin Oct. 13, 2020, 8:44 p.m.
From: Jiri Slaby <jslaby@suse.cz>

We need to nest the console lock in sel_lock, so we have to push it down
a bit. Fortunately, the callers of set_selection_* just lock the console
lock around the function call. So moving it down is easy.

In the next patch, we switch the order.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Fixes: 07e6124a1a46 ("vt: selection, close sel_buffer race")
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200228115406.5735-1-jslaby@suse.cz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

https://jira.sw.ru/browse/PSBM-121234

This is a backport of mainline commit 4b70dd57a15d2f4685ac6e38056bad93e81e982f:

* speakup-related hunk was dropped because that driver does not use
set_selection(): it is not exported in this kernel version;

* the affected code is in set_selection() rather than set_selection_kernel().

Signed-off-by: Evgenii Shatokhin <eshatokhin@virtuozzo.com>
---
 drivers/tty/vt/selection.c | 13 ++++++++++++-
 drivers/tty/vt/vt.c        |  2 --
 2 files changed, 12 insertions(+), 3 deletions(-)

Patch hide | download patch | download mbox

diff --git a/drivers/tty/vt/selection.c b/drivers/tty/vt/selection.c
index 145cf969d3ae..1c31746f9f5e 100644
--- a/drivers/tty/vt/selection.c
+++ b/drivers/tty/vt/selection.c
@@ -157,7 +157,7 @@  static int store_utf8(u16 c, char *p)
  *	The entire selection process is managed under the console_lock. It's
  *	 a lot under the lock but its hardly a performance path
  */
-int set_selection(const struct tiocl_selection __user *sel, struct tty_struct *tty)
+static int __set_selection(const struct tiocl_selection __user *sel, struct tty_struct *tty)
 {
 	struct vc_data *vc = vc_cons[fg_console].d;
 	int sel_mode, new_sel_start, new_sel_end, spc;
@@ -333,6 +333,17 @@  unlock:
 	return ret;
 }
 
+int set_selection(const struct tiocl_selection __user *sel, struct tty_struct *tty)
+{
+	int ret;
+
+	console_lock();
+	ret = __set_selection(sel, tty);
+	console_unlock();
+
+	return ret;
+}
+
 /* Insert the contents of the selection buffer into the
  * queue of the tty associated with the current console.
  * Invoked by ioctl().
diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 795d7867ac24..07078cfa2524 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -2603,9 +2603,7 @@  int tioclinux(struct tty_struct *tty, unsigned long arg)
 	switch (type)
 	{
 		case TIOCL_SETSEL:
-			console_lock();
 			ret = set_selection((struct tiocl_selection __user *)(p+1), tty);
-			console_unlock();
 			break;
 		case TIOCL_PASTESEL:
 			ret = paste_selection(tty);