Draft: vc_screen: UAF fix in vcs_read()

Ricardo Robaina requested to merge rrobaina/centos-stream-9:bz2221465 into main

Bugzilla: https://bugzilla.redhat.com/2221465
CVE: CVE-2023-3567
Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=55273310
Omitted-fix: 46d733d0efc7 vc_screen: modify vcs_size() handling in vcs_read()
This commit does not touch any changes made by the commits in this series. It
seems that the author referenced commit 226fae124b2d ("vc_screen: move load
of struct vc_data pointer in vcs_read() to avoid UAF") by mistake.

After a call to console_unlock() in vcs_read() the vc_data struct can be
freed by vc_deallocate(). Because of that, the struct vc_data pointer
load must be done at the top of the while loop in vcs_read() to avoid a UAF
when vcs_size() is called.

The first patch in the series fixes the flaw while the second is a small
fix to the first one.

Ricardo Robaina (2):
vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF
vc_screen: don't clobber return value in vcs_read

drivers/tty/vt/vc_screen.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

Signed-off-by: Ricardo Robaina <rrobaina@redhat.com>
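The following C program is an added illustration of the race the description above explains; it is not code from this merge request, from the kernel, or from the patch series. It models a table of per-console objects protected by a lock, a stand-in for vc_deallocate() that frees one of them, and a reader shaped like vcs_read() that drops the lock between chunks (the copy_to_user() window). With reload_in_loop set to 0 the pointer is loaded once before the loop, so a console freed while the lock was dropped is dereferenced again by the stand-in for vcs_size(); with reload_in_loop set to 1 the pointer is reloaded under the lock at the top of every iteration and the read stops cleanly. All sim_* names, the race hook, the chunk sizes and the buffer contents are constructed for this example, and the choice to return the bytes already copied once the console disappears is the example's own; the page does not state what the second patch returns in that case.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>   /* ssize_t */

#define SIM_MAX_CONS 4

/* Hypothetical per-console object standing in for struct vc_data. */
struct sim_vc_data {
    size_t screen_size;
    char   screen[64];
};

/* Console table plus a flag standing in for the console lock (constructed). */
static struct sim_vc_data *sim_consoles[SIM_MAX_CONS];
static int sim_console_held;

static void sim_console_lock(void)   { sim_console_held = 1; }
static void sim_console_unlock(void) { sim_console_held = 0; }

/* Stand-in for vc_deallocate(): frees a console; the caller must hold the lock. */
static void sim_vc_deallocate(int idx)
{
    if (!sim_console_held) abort();
    free(sim_consoles[idx]);
    sim_consoles[idx] = NULL;
}

/* Stand-in for vcs_size(): dereferences the console, so the pointer must be live. */
static ssize_t sim_vcs_size(const struct sim_vc_data *vc)
{
    if (!sim_console_held) abort();
    return (ssize_t)vc->screen_size;
}

/* Hook that runs while the lock is dropped; models a concurrent task. */
typedef void (*sim_race_fn)(void);

/* Stand-in for vcs_read(): copies up to count bytes of console idx into out, chunk
 * bytes at a time, dropping the lock between chunks. reload_in_loop == 0 is the
 * unfixed shape (pointer loaded once, before the loop); 1 is the fixed shape.
 * Returns bytes copied, or -1 if the console is gone before anything was copied. */
static ssize_t sim_vcs_read(int idx, char *out, size_t count, size_t chunk,
                            int reload_in_loop, sim_race_fn race)
{
    struct sim_vc_data *vc;
    size_t pos = 0;

    sim_console_lock();
    vc = sim_consoles[idx];                 /* unfixed shape: the only load */
    if (!vc) { sim_console_unlock(); return -1; }

    while (count) {
        if (reload_in_loop) {
            vc = sim_consoles[idx];         /* fixed shape: reload under the lock */
            if (!vc) {
                sim_console_unlock();
                return pos ? (ssize_t)pos : -1;   /* keep bytes already delivered (assumption) */
            }
        }
        ssize_t size = sim_vcs_size(vc);    /* stale pointer dereferenced here if unfixed */
        if ((ssize_t)pos >= size)
            break;
        size_t n = chunk < count ? chunk : count;
        if (pos + n > (size_t)size)
            n = (size_t)size - pos;
        memcpy(out + pos, vc->screen + pos, n);
        pos += n;
        count -= n;

        sim_console_unlock();               /* the copy_to_user() window: lock dropped */
        if (race)
            race();
        sim_console_lock();
    }
    sim_console_unlock();
    return (ssize_t)pos;
}

/* Constructed race: another task deallocates console 0 while the lock is dropped. */
static void sim_free_console0(void)
{
    sim_console_lock();
    sim_vc_deallocate(0);
    sim_console_unlock();
}

/* Allocates console idx holding size bytes of the pattern "ABC...". */
static void sim_setup_console(int idx, size_t size)
{
    struct sim_vc_data *vc = calloc(1, sizeof *vc);
    if (!vc) abort();
    vc->screen_size = size;
    for (size_t i = 0; i < size; i++)
        vc->screen[i] = (char)('A' + (i % 26));
    sim_consoles[idx] = vc;
}

/* Fixed reader, nobody racing: the whole 40-byte screen is delivered. Returns 40. */
static ssize_t sim_demo_fixed_no_race(void)
{
    char buf[64];
    sim_setup_console(1, 40);
    return sim_vcs_read(1, buf, sizeof buf, 16, 1, NULL);
}

/* Fixed reader, console freed after the first chunk: read stops at 16 bytes. Returns 16. */
static ssize_t sim_demo_fixed_with_race(void)
{
    char buf[64];
    sim_setup_console(0, 40);
    return sim_vcs_read(0, buf, sizeof buf, 16, 1, sim_free_console0);
}

int main(void)
{
    printf("fixed, no race:   %zd bytes\n", sim_demo_fixed_no_race());
    printf("fixed, with race: %zd bytes (console freed mid-read)\n", sim_demo_fixed_with_race());
    /* reload_in_loop == 0 with sim_free_console0 would read freed memory; deliberately not run. */
    return 0;
}
```

Running the unfixed shape (reload_in_loop == 0) with the race hook under AddressSanitizer reports a heap-use-after-free at the sim_vcs_size() call, which is the same place the description locates the bug in vcs_read(); the fixed shape never touches the object after the lock was dropped without first reloading it.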
