• Alexander Potapenko's avatar
    vt: prevent leaking uninitialized data to userspace via /dev/vcs* · 21eff69a
    Alexander Potapenko authored
    KMSAN reported an infoleak when reading from /dev/vcs*:
    
      BUG: KMSAN: kernel-infoleak in vcs_read+0x18ba/0x1cc0
      Call Trace:
      ...
       kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1253
       copy_to_user ./include/linux/uaccess.h:184
       vcs_read+0x18ba/0x1cc0 drivers/tty/vt/vc_screen.c:352
       __vfs_read+0x1b2/0x9d0 fs/read_write.c:416
       vfs_read+0x36c/0x6b0 fs/read_write.c:452
      ...
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279
       kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189
       kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315
       __kmalloc+0x13a/0x350 mm/slub.c:3818
       kmalloc ./include/linux/slab.h:517
       vc_allocate+0x438/0x800 drivers/tty/vt/vt.c:787
       con_install+0x8c/0x640 drivers/tty/vt/vt.c:2880
       tty_driver_install_tty drivers/tty/tty_io.c:1224
       tty_init_dev+0x1b5/0x1020 drivers/tty/tty_io.c:1324
       tty_open_by_driver drivers/tty/tty_io.c:1959
       tty_open+0x17b4/0x2ed0 drivers/tty/tty_io.c:2007
       chrdev_open+0xc25/0xd90 fs/char_dev.c:417
       do_dentry_open+0xccc/0x1440 fs/open.c:794
       vfs_open+0x1b6/0x2f0 fs/open.c:908
      ...
      Bytes 0-79 of 240 are uninitialized
    
    Consistently allocating |vc_screenbuf| with kzalloc() fixes the problem
    
    Reported-by: syzbot+17a8efdf800000@syzkaller.appspotmail.com
    Signed-off-by: default avatarAlexander Potapenko <glider@google.com>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    21eff69a
vt.c 104 KB