Commit 6987dc8a authored by Adam Borowski's avatar Adam Borowski Committed by Greg Kroah-Hartman

vt: fix unchecked __put_user() in tioclinux ioctls

Only read access is checked before this call.

Actually, at the moment this is not an issue, as every in-tree arch does
the same manual checks for VERIFY_READ vs VERIFY_WRITE, relying on the MMU
to tell them apart, but this wasn't the case in the past and may happen
again on some odd arch in the future.

If anyone cares about 3.7 and earlier, this is a security hole (untested)
on real 80386 CPUs.
Signed-off-by: default avatarAdam Borowski <kilobyte@angband.pl>
CC: stable@vger.kernel.org # v3.7-
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent cc1e66f9
...@@ -2709,13 +2709,13 @@ int tioclinux(struct tty_struct *tty, unsigned long arg) ...@@ -2709,13 +2709,13 @@ int tioclinux(struct tty_struct *tty, unsigned long arg)
* related to the kernel should not use this. * related to the kernel should not use this.
*/ */
data = vt_get_shift_state(); data = vt_get_shift_state();
ret = __put_user(data, p); ret = put_user(data, p);
break; break;
case TIOCL_GETMOUSEREPORTING: case TIOCL_GETMOUSEREPORTING:
console_lock(); /* May be overkill */ console_lock(); /* May be overkill */
data = mouse_reporting(); data = mouse_reporting();
console_unlock(); console_unlock();
ret = __put_user(data, p); ret = put_user(data, p);
break; break;
case TIOCL_SETVESABLANK: case TIOCL_SETVESABLANK:
console_lock(); console_lock();
...@@ -2724,7 +2724,7 @@ int tioclinux(struct tty_struct *tty, unsigned long arg) ...@@ -2724,7 +2724,7 @@ int tioclinux(struct tty_struct *tty, unsigned long arg)
break; break;
case TIOCL_GETKMSGREDIRECT: case TIOCL_GETKMSGREDIRECT:
data = vt_get_kmsg_redirect(); data = vt_get_kmsg_redirect();
ret = __put_user(data, p); ret = put_user(data, p);
break; break;
case TIOCL_SETKMSGREDIRECT: case TIOCL_SETKMSGREDIRECT:
if (!capable(CAP_SYS_ADMIN)) { if (!capable(CAP_SYS_ADMIN)) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment