[SRU B/F PATCH 0/1] CVE-2021-33656

Cengiz Can cengiz.can at canonical.com
Wed Aug 3 04:20:29 UTC 2022

When setting font with malicious data by ioctl cmd PIO_FONT, kernel will
write memory out of bounds.

Fix was cherry-picked from closest stable trees.

An additional patch[1] seems to be under discussion (very recently)
for removing leftover macros at `uapi/linux/kd.h`. Since it doesn't
directly contribute to the fix, that patch was ignored.

[Test case]
Compile and boot tested on KVM only.

[Potential regression]
As discussed in mailing list and explained in the patch body, those
ioctls seem to be archaic and not used by any known clients.

However I managed to find a complaint[2] from one of the users. It was
suggested to switch to the newer API instead.

So there's a slight regression potential, especially from users who
change fonts of framebuffer console.

[1] https://lore.kernel.org/lkml/YuUdWoa7UFHmkNu9@kroah.com/T/#m536ff2bb888b82312895864479bc06ae52aaa8cf
[2] https://www.spinics.net/lists/kernel/msg3985438.html

Jiri Slaby (1):
  vt: drop old FONT ioctls

 drivers/tty/vt/vt.c       |  39 +---------
 drivers/tty/vt/vt_ioctl.c | 149 --------------------------------------
 include/linux/kd.h        |   8 --
 3 files changed, 3 insertions(+), 193 deletions(-)
 delete mode 100644 include/linux/kd.h

