Unverified · Commit 9def6b33 · Author: openeuler-ci-bot · Committer: Gitee

!1525 [sync] PR-1482: CVE-2023-3567 fix patches

Merge Pull Request from: @openeuler-sync-bot 
 

Origin pull request: 
https://gitee.com/openeuler/kernel/pulls/1482 
 
PR sync from: Lu Jialin <lujialin4@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/MIDF5L7L2X2TOVLMC5V5F4QF7ZAKGN5I/ 
First is the patch to fix CVE-2023-3567. The latter two patches are the
bugfix patches for the first patch.

George Kennedy (2):
  vc_screen: move load of struct vc_data pointer in vcs_read() to avoid
    UAF
  vc_screen: modify vcs_size() handling in vcs_read()

Thomas Weißschuh (1):
  vc_screen: don't clobber return value in vcs_read


-- 
2.17.1
 
https://gitee.com/src-openeuler/kernel/issues/I7JRBO?from=project-issue 
 
Link:https://gitee.com/openeuler/kernel/pulls/1525 

Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com> 
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 
......@@ -386,10 +386,6 @@ vcs_read(struct file *file, char __user *buf, size_t count, loff_t *ppos)
uni_mode = use_unicode(inode);
attr = use_attributes(inode);
ret = -ENXIO;
vc = vcs_vc(inode, &viewed);
if (!vc)
goto unlock_out;
ret = -EINVAL;
if (pos < 0)
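Review bot: nothing in this preamble establishes `vc` any more once the `vcs_vc(inode, &viewed)` lookup and its `-ENXIO` exit above `ret = -EINVAL;` drop out (the header takes this region from 10 lines to 6). Please confirm that no statement between the `pos < 0` check and the loop's own `vcs_vc()` call reads `vc`, and state in the commit text whether a read that never enters the loop is still expected to fail with `-ENXIO` when the console is gone.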
......@@ -407,16 +403,20 @@ vcs_read(struct file *file, char __user *buf, size_t count, loff_t *ppos)
unsigned int this_round, skip = 0;
int size;
vc = vcs_vc(inode, &viewed);
if (!vc) {
ret = -ENXIO;
break;
}
/* Check whether we are above size each round,
* as copy_to_user at the end of this loop
* could sleep.
*/
size = vcs_size(vc, attr, uni_mode);
if (size < 0) {
if (read)
break;
ret = size;
goto unlock_out;
break;
}
if (pos >= size)
break;
......
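Review bot: the two error exits inside the loop, `ret = -ENXIO; break;` after `vcs_vc()` and `ret = size; break;` after `vcs_size()`, both depend on code after the loop that this hunk does not show. Please confirm that code returns the bytes already copied when `read` is non-zero and falls back to `ret` only otherwise, so a partial read is not turned into an error and the error value is not overwritten. The existing comment justifies the per-round size check by `copy_to_user` sleeping; the same reason applies to reloading `vc` each round, so the comment should be moved above the `vcs_vc()` call or extended to cover it.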