[RHEL8,COMMIT] ms/vt: selection, push console lock down #PSBM-120640

Submitted by Konstantin Khorenko on Oct. 14, 2020, 12:32 p.m.

Details

Message ID 202010141232.09ECWrGK1528433@finist-co8.sw.ru
State New
Series "Fixes for CVE-2020-8648"

Commit Message

Konstantin Khorenko Oct. 14, 2020, 12:32 p.m.
The commit is pushed to "branch-rh8-4.18.0-193.6.3.vz8.4.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh8-4.18.0-193.6.3.vz8.4.12
------>
commit 2305a61979a0e62c63a23c48c6cd250da9516cfa
Author: Jiri Slaby <jslaby@suse.cz>
Date:   Wed Oct 14 15:32:53 2020 +0300

    ms/vt: selection, push console lock down #PSBM-120640
    
    We need to nest the console lock in sel_lock, so we have to push it down
    a bit. Fortunately, the callers of set_selection_* just lock the console
    lock around the function call. So moving it down is easy.
    
    In the next patch, we switch the order.
    
    Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    Fixes: 07e6124a1a46 ("vt: selection, close sel_buffer race")
    Cc: stable <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20200228115406.5735-1-jslaby@suse.cz
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    
    https://jira.sw.ru/browse/PSBM-120640
    
    This is a backport of mainline commit 4b70dd57a15d2f4685ac6e38056bad93e81e982f:
    
    * speakup-related hunk was dropped because that driver does not use
    set_selection(): it is not exported in this kernel version;
    
    * the affected code is in set_selection() rather than set_selection_kernel().
    
    Signed-off-by: Evgenii Shatokhin <eshatokhin@virtuozzo.com>
---
 drivers/tty/vt/selection.c | 13 ++++++++++++-
 drivers/tty/vt/vt.c        |  2 --
 2 files changed, 12 insertions(+), 3 deletions(-)

Patch

diff --git a/drivers/tty/vt/selection.c b/drivers/tty/vt/selection.c
index 2a68d6fdb7b1..2f378a7cd1fe 100644
--- a/drivers/tty/vt/selection.c
+++ b/drivers/tty/vt/selection.c
@@ -155,7 +155,7 @@  static int store_utf8(u16 c, char *p)
  *	The entire selection process is managed under the console_lock. It's
  *	 a lot under the lock but its hardly a performance path
  */
-int set_selection(const struct tiocl_selection __user *sel, struct tty_struct *tty)
+static int __set_selection(const struct tiocl_selection __user *sel, struct tty_struct *tty)
 {
 	struct vc_data *vc = vc_cons[fg_console].d;
 	int new_sel_start, new_sel_end, spc;
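Review bot: the comment block left above the renamed `__set_selection()` still says the entire selection process is managed under the console_lock, but after the rename that is a precondition of the static helper rather than something it does itself. Reword the comment to say the caller must hold the console lock, and consider adding `WARN_CONSOLE_UNLOCKED();` at the top of the helper so a later direct caller that forgets the lock is caught at run time. The new prototype line also runs well past 80 columns and could be wrapped after the first parameter.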
@@ -320,6 +320,17 @@  int set_selection(const struct tiocl_selection __user *sel, struct tty_struct *t
 	return ret;
 }
 
+int set_selection(const struct tiocl_selection __user *sel, struct tty_struct *tty)
+{
+	int ret;
+
+	console_lock();
+	ret = __set_selection(sel, tty);
+	console_unlock();
+
+	return ret;
+}
+
 /* Insert the contents of the selection buffer into the
  * queue of the tty associated with the current console.
  * Invoked by ioctl().
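Review bot: the new `set_selection()` wrapper is the exported entry point but carries no comment, so nothing at its definition says that it now takes console_lock itself and must be entered without that lock held. The console lock is not recursive, so a caller that still wraps the call would block on itself. Moving the function's descriptive comment to the wrapper, or adding a short one such as "takes console_lock; do not call with it held", would make the new contract visible where callers look for it.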
diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 29cf1cd7aff0..440a2d085729 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -2694,9 +2694,7 @@  int tioclinux(struct tty_struct *tty, unsigned long arg)
 	switch (type)
 	{
 		case TIOCL_SETSEL:
-			console_lock();
 			ret = set_selection((struct tiocl_selection __user *)(p+1), tty);
-			console_unlock();
 			break;
 		case TIOCL_PASTESEL:
 			ret = paste_selection(tty);
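Review bot: only the `TIOCL_SETSEL` call site in `tioclinux()` has its `console_lock()`/`console_unlock()` pair removed, so the backport is correct only if this was the sole caller in this tree that wrapped `set_selection()` in the lock. The commit message accounts for speakup; it would help to state there that the remaining callers of `set_selection()` in this kernel version were checked as well, since any caller left holding the lock would now try to take it a second time inside the wrapper.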