Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

vc_screen: don't clobber return value in vcs_read

Commit 226fae124b2d ("vc_screen: move load of struct vc_data pointer in
vcs_read() to avoid UAF") moved the call to vcs_vc() into the loop.

While doing this it also moved the unconditional assignment of

ret = -ENXIO;

This unconditional assignment was valid outside the loop but within it
it clobbers the actual value of ret.

To avoid this only assign "ret = -ENXIO" when actually needed.

[ Also, the "goto unlock_out" needs to be just a "break", so that it
does the right thing when it exits on later iterations when partial
success has happened - Linus ]

Reported-by: Storm Dragon <stormdragon2976@gmail.com>
Link: https://lore.kernel.org/lkml/Y%2FKS6vdql2pIsCiI@hotmail.com/
Fixes: 226fae124b2d ("vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF")
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Link: https://lore.kernel.org/lkml/64981d94-d00c-4b31-9063-43ad0a384bde@t-8ch.de/
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by Thomas Weißschuh and committed by Linus Torvalds
ae3419fb 981ee95c

+4 -3
drivers/tty/vt/vc_screen.c
··· 403 403 unsigned int this_round, skip = 0; 404 404 int size; 405 405 406 - ret = -ENXIO; 407 406 vc = vcs_vc(inode, &viewed); 408 - if (!vc) 409 - goto unlock_out; 407 + if (!vc) { 408 + ret = -ENXIO; 409 + break; 410 + } 410 411 411 412 /* Check whether we are above size each round, 412 413 * as copy_to_user at the end of this loop
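
Review bot: In the new `if (!vc) { ... }` branch, `ret = -ENXIO;` is still assigned on any iteration where vcs_vc() returns NULL, including a later iteration after earlier rounds have already copied data. The partial-success case named in the commit message therefore depends entirely on code after the loop, which this hunk does not show. Please confirm that the post-loop path returns the count of bytes already read in preference to ret, and that leaving the loop with `break` still reaches the unlock that `goto unlock_out` used to jump to. A one-line comment at the `break` explaining why it is not a goto would help keep a later cleanup from reverting it.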