APPLIED: [SRU Focal PATCH 1/1] vt: drop old FONT ioctls
Stefan Bader
stefan.bader at canonical.com
Mon Aug 8 09:29:40 UTC 2022
On 03.08.22 06:20, Cengiz Can wrote:
> From: Jiri Slaby <jslaby at suse.cz>
>
> commit ff2047fb755d4415ec3c70ac799889371151796d upstream.
>
> Drop support for these ioctls:
> * PIO_FONT, PIO_FONTX
> * GIO_FONT, GIO_FONTX
> * PIO_FONTRESET
>
> As was demonstrated by commit 90bfdeef83f1 (tty: make FONTX ioctl use
> the tty pointer they were actually passed), these ioctls are not used
> from userspace, as:
> 1) they used to be broken (set up font on current console, not the open
> one) and racy (before the commit above)
> 2) KDFONTOP ioctl is used for years instead
>
> Note that PIO_FONTRESET is defunct on most systems as VGA_CONSOLE is set
> on them for ages. That turns on BROKEN_GRAPHICS_PROGRAMS which makes
> PIO_FONTRESET just return an error.
>
> We are removing KD_FONT_FLAG_OLD here as it was used only by these
> removed ioctls. kd.h header exists both in kernel and uapi headers, so
> we can remove the kernel one completely. Everyone includeing kd.h will
> now automatically get the uapi one.
>
> There are now unused definitions of the ioctl numbers and "struct
> consolefontdesc" in kd.h, but as it is a uapi header, I am not touching
> these.
>
> Signed-off-by: Jiri Slaby <jslaby at suse.cz>
> Link: https://lore.kernel.org/r/20210105120239.28031-8-jslaby@suse.cz
> Cc: guodaxing <guodaxing at huawei.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
> CVE-2021-33656
> (cherry picked from commit c87e851b23e5cb2ba90a3049ef38340ed7d5746f linux-5.4.y)
> Signed-off-by: Cengiz Can <cengiz.can at canonical.com>
> ---
Applied to focal:linux/master-next. Thanks.
-Stefan
> drivers/tty/vt/vt.c | 39 +---------
> drivers/tty/vt/vt_ioctl.c | 147 --------------------------------------
> include/linux/kd.h | 8 ---
> 3 files changed, 3 insertions(+), 191 deletions(-)
> delete mode 100644 include/linux/kd.h
>
> diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
> index da2344e5ec340..c28e976a835d6 100644
> --- a/drivers/tty/vt/vt.c
> +++ b/drivers/tty/vt/vt.c
> @@ -4568,16 +4568,8 @@ static int con_font_get(struct vc_data *vc, struct console_font_op *op)
>
> if (op->data && font.charcount > op->charcount)
> rc = -ENOSPC;
> - if (!(op->flags & KD_FONT_FLAG_OLD)) {
> - if (font.width > op->width || font.height > op->height)
> - rc = -ENOSPC;
> - } else {
> - if (font.width != 8)
> - rc = -EIO;
> - else if ((op->height && font.height > op->height) ||
> - font.height > 32)
> - rc = -ENOSPC;
> - }
> + if (font.width > op->width || font.height > op->height)
> + rc = -ENOSPC;
> if (rc)
> goto out;
>
> @@ -4605,7 +4597,7 @@ static int con_font_set(struct vc_data *vc, struct console_font_op *op)
> return -EINVAL;
> if (op->charcount > 512)
> return -EINVAL;
> - if (op->width <= 0 || op->width > 32 || op->height > 32)
> + if (op->width <= 0 || op->width > 32 || !op->height || op->height > 32)
> return -EINVAL;
> size = (op->width+7)/8 * 32 * op->charcount;
> if (size > max_font_size)
> @@ -4615,31 +4607,6 @@ static int con_font_set(struct vc_data *vc, struct console_font_op *op)
> if (IS_ERR(font.data))
> return PTR_ERR(font.data);
>
> - if (!op->height) { /* Need to guess font height [compat] */
> - int h, i;
> - u8 *charmap = font.data;
> -
> - /*
> - * If from KDFONTOP ioctl, don't allow things which can be done
> - * in userland,so that we can get rid of this soon
> - */
> - if (!(op->flags & KD_FONT_FLAG_OLD)) {
> - kfree(font.data);
> - return -EINVAL;
> - }
> -
> - for (h = 32; h > 0; h--)
> - for (i = 0; i < op->charcount; i++)
> - if (charmap[32*i+h-1])
> - goto nonzero;
> -
> - kfree(font.data);
> - return -EINVAL;
> -
> - nonzero:
> - op->height = h;
> - }
> -
> font.charcount = op->charcount;
> font.width = op->width;
> font.height = op->height;
> diff --git a/drivers/tty/vt/vt_ioctl.c b/drivers/tty/vt/vt_ioctl.c
> index 9db03dc7eeb99..38cc69477eecc 100644
> --- a/drivers/tty/vt/vt_ioctl.c
> +++ b/drivers/tty/vt/vt_ioctl.c
> @@ -241,48 +241,6 @@ int vt_waitactive(int n)
> #define GPLAST 0x3df
> #define GPNUM (GPLAST - GPFIRST + 1)
>
> -
> -
> -static inline int
> -do_fontx_ioctl(struct vc_data *vc, int cmd, struct consolefontdesc __user *user_cfd, int perm, struct console_font_op *op)
> -{
> - struct consolefontdesc cfdarg;
> - int i;
> -
> - if (copy_from_user(&cfdarg, user_cfd, sizeof(struct consolefontdesc)))
> - return -EFAULT;
> -
> - switch (cmd) {
> - case PIO_FONTX:
> - if (!perm)
> - return -EPERM;
> - op->op = KD_FONT_OP_SET;
> - op->flags = KD_FONT_FLAG_OLD;
> - op->width = 8;
> - op->height = cfdarg.charheight;
> - op->charcount = cfdarg.charcount;
> - op->data = cfdarg.chardata;
> - return con_font_op(vc, op);
> -
> - case GIO_FONTX:
> - op->op = KD_FONT_OP_GET;
> - op->flags = KD_FONT_FLAG_OLD;
> - op->width = 8;
> - op->height = cfdarg.charheight;
> - op->charcount = cfdarg.charcount;
> - op->data = cfdarg.chardata;
> - i = con_font_op(vc, op);
> - if (i)
> - return i;
> - cfdarg.charheight = op->height;
> - cfdarg.charcount = op->charcount;
> - if (copy_to_user(user_cfd, &cfdarg, sizeof(struct consolefontdesc)))
> - return -EFAULT;
> - return 0;
> - }
> - return -EINVAL;
> -}
> -
> static inline int
> do_unimap_ioctl(int cmd, struct unimapdesc __user *user_ud, int perm, struct vc_data *vc)
> {
> @@ -919,30 +877,6 @@ int vt_ioctl(struct tty_struct *tty,
> break;
> }
>
> - case PIO_FONT: {
> - if (!perm)
> - return -EPERM;
> - op.op = KD_FONT_OP_SET;
> - op.flags = KD_FONT_FLAG_OLD | KD_FONT_FLAG_DONT_RECALC; /* Compatibility */
> - op.width = 8;
> - op.height = 0;
> - op.charcount = 256;
> - op.data = up;
> - ret = con_font_op(vc, &op);
> - break;
> - }
> -
> - case GIO_FONT: {
> - op.op = KD_FONT_OP_GET;
> - op.flags = KD_FONT_FLAG_OLD;
> - op.width = 8;
> - op.height = 32;
> - op.charcount = 256;
> - op.data = up;
> - ret = con_font_op(vc, &op);
> - break;
> - }
> -
> case PIO_CMAP:
> if (!perm)
> ret = -EPERM;
> @@ -954,36 +888,6 @@ int vt_ioctl(struct tty_struct *tty,
> ret = con_get_cmap(up);
> break;
>
> - case PIO_FONTX:
> - case GIO_FONTX:
> - ret = do_fontx_ioctl(vc, cmd, up, perm, &op);
> - break;
> -
> - case PIO_FONTRESET:
> - {
> - if (!perm)
> - return -EPERM;
> -
> -#ifdef BROKEN_GRAPHICS_PROGRAMS
> - /* With BROKEN_GRAPHICS_PROGRAMS defined, the default
> - font is not saved. */
> - ret = -ENOSYS;
> - break;
> -#else
> - {
> - op.op = KD_FONT_OP_SET_DEFAULT;
> - op.data = NULL;
> - ret = con_font_op(vc, &op);
> - if (ret)
> - break;
> - console_lock();
> - con_set_default_unimap(vc);
> - console_unlock();
> - break;
> - }
> -#endif
> - }
> -
> case KDFONTOP: {
> if (copy_from_user(&op, up, sizeof(op))) {
> ret = -EFAULT;
> @@ -1097,54 +1001,6 @@ void vc_SAK(struct work_struct *work)
>
> #ifdef CONFIG_COMPAT
>
> -struct compat_consolefontdesc {
> - unsigned short charcount; /* characters in font (256 or 512) */
> - unsigned short charheight; /* scan lines per character (1-32) */
> - compat_caddr_t chardata; /* font data in expanded form */
> -};
> -
> -static inline int
> -compat_fontx_ioctl(struct vc_data *vc, int cmd,
> - struct compat_consolefontdesc __user *user_cfd,
> - int perm, struct console_font_op *op)
> -{
> - struct compat_consolefontdesc cfdarg;
> - int i;
> -
> - if (copy_from_user(&cfdarg, user_cfd, sizeof(struct compat_consolefontdesc)))
> - return -EFAULT;
> -
> - switch (cmd) {
> - case PIO_FONTX:
> - if (!perm)
> - return -EPERM;
> - op->op = KD_FONT_OP_SET;
> - op->flags = KD_FONT_FLAG_OLD;
> - op->width = 8;
> - op->height = cfdarg.charheight;
> - op->charcount = cfdarg.charcount;
> - op->data = compat_ptr(cfdarg.chardata);
> - return con_font_op(vc, op);
> -
> - case GIO_FONTX:
> - op->op = KD_FONT_OP_GET;
> - op->flags = KD_FONT_FLAG_OLD;
> - op->width = 8;
> - op->height = cfdarg.charheight;
> - op->charcount = cfdarg.charcount;
> - op->data = compat_ptr(cfdarg.chardata);
> - i = con_font_op(vc, op);
> - if (i)
> - return i;
> - cfdarg.charheight = op->height;
> - cfdarg.charcount = op->charcount;
> - if (copy_to_user(user_cfd, &cfdarg, sizeof(struct compat_consolefontdesc)))
> - return -EFAULT;
> - return 0;
> - }
> - return -EINVAL;
> -}
> -
> struct compat_console_font_op {
> compat_uint_t op; /* operation code KD_FONT_OP_* */
> compat_uint_t flags; /* KD_FONT_FLAG_* */
> @@ -1221,9 +1077,6 @@ long vt_compat_ioctl(struct tty_struct *tty,
> /*
> * these need special handlers for incompatible data structures
> */
> - case PIO_FONTX:
> - case GIO_FONTX:
> - return compat_fontx_ioctl(vc, cmd, up, perm, &op);
>
> case KDFONTOP:
> return compat_kdfontop_ioctl(up, perm, &op, vc);
> diff --git a/include/linux/kd.h b/include/linux/kd.h
> deleted file mode 100644
> index b130a18f860f0..0000000000000
> --- a/include/linux/kd.h
> +++ /dev/null
> @@ -1,8 +0,0 @@
> -/* SPDX-License-Identifier: GPL-2.0 */
> -#ifndef _LINUX_KD_H
> -#define _LINUX_KD_H
> -
> -#include <uapi/linux/kd.h>
> -
> -#define KD_FONT_FLAG_OLD 0x80000000 /* Invoked via old interface [compat] */
> -#endif /* _LINUX_KD_H */
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20220808/a382f910/attachment.sig>
More information about the kernel-team
mailing list