From patchwork Tue Apr 4 19:39:34 2023
X-Patchwork-Submitter: Daniel Vetter
X-Patchwork-Id: 13200925
From: Daniel Vetter
To: Intel Graphics Development
Subject: [PATCH] fbmem: Reject FB_ACTIVATE_KD_TEXT from userspace
Date: Tue, 4 Apr 2023 21:39:34 +0200
Message-Id: <20230404193934.472457-1-daniel.vetter@ffwll.ch>
List-Id: Direct Rendering Infrastructure - Development
Cc: linux-fbdev@vger.kernel.org, Shigeru Yoshida, Geert Uytterhoeven, David Airlie, Daniel Vetter, dri-devel@lists.freedesktop.org, Daniel Vetter, Sam Ravnborg, Helge Deller, Tetsuo Handa, Geert Uytterhoeven, Samuel Thibault, Thomas Zimmermann, Bartlomiej Zolnierkiewicz, Michel Dänzer, shlomo@fastmail.com, Nathan Chancellor, stable@vger.kernel.org, Noralf Trønnes, Alex Deucher, Peter Rosin, Qiujun Huang

This is an oversight from dc5bdb68b5b3 ("drm/fb-helper: Fix vt restore") - I failed to realize that nasty userspace could set this.

It's not pretty to mix up kernel-internal and userspace uapi flags like this, but since the entire fb_var_screeninfo structure is uapi we'd need to either add a new parameter to the ->fb_set_par callback and fb_set_par() function, which has a _lot_ of users. Or some other fairly ugly side-channel in fb_info. Neither is a pretty prospect.

Instead just correct the issue at hand by filtering out this kernel-internal flag in the ioctl handling code.

Signed-off-by: Daniel Vetter Fixes: dc5bdb68b5b3 ("drm/fb-helper: Fix vt restore") Cc: Alex Deucher Cc: shlomo@fastmail.com Cc: Michel Dänzer Cc: Noralf Trønnes Cc: Thomas Zimmermann Cc: Daniel Vetter Cc: Maarten Lankhorst Cc: Maxime Ripard Cc: David Airlie Cc: Daniel Vetter Cc: dri-devel@lists.freedesktop.org Cc: # v5.7+ Cc: Bartlomiej Zolnierkiewicz Cc: Geert Uytterhoeven Cc: Nathan Chancellor Cc: Qiujun Huang Cc: Peter Rosin Cc: linux-fbdev@vger.kernel.org Cc: Helge Deller Cc: Sam Ravnborg Cc: Geert Uytterhoeven Cc: Samuel Thibault Cc: Tetsuo Handa Cc: Shigeru Yoshida Acked-by: Maarten Lankhorst Reviewed-by: Javier Martinez Canillas --- drivers/video/fbdev/core/fbmem.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c index 875541ff185b..3fd95a79e4c3 100644 --- a/drivers/video/fbdev/core/fbmem.c +++ b/drivers/video/fbdev/core/fbmem.c @@ -1116,6 +1116,8 @@ static long do_fb_ioctl(struct fb_info *info, unsigned int cmd, case FBIOPUT_VSCREENINFO: if (copy_from_user(&var, argp, sizeof(var))) return -EFAULT; + /* only for kernel-internal use */ + var.activate &= ~FB_ACTIVATE_KD_TEXT; console_lock(); lock_fb_info(info); ret = fbcon_modechange_possible(info, &var);
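
Review bot: The subject line says "Reject", but the added `var.activate &= ~FB_ACTIVATE_KD_TEXT;` in the FBIOPUT_VSCREENINFO case of do_fb_ioctl() silently clears the bit and continues, so a caller that sets it still gets whatever fb_set_var() would otherwise return instead of an error. The commit message body describes this as "filtering out" the flag, which matches the code; either retitle the patch to say "filter" or "mask", or, if rejection is really intended, return -EINVAL when the bit is set after copy_from_user(). The comment `/* only for kernel-internal use */` would also be more useful to later readers if it named the flag and said that it is being stripped from userspace input. Finally, the hunk only covers this one ioctl case; it would help to state in the commit message that no other userspace-reachable path hands an unfiltered var.activate to the set_par machinery, or to cover those paths here as well.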