From patchwork Tue Apr 4 19:39:34 2023
X-Patchwork-Submitter: Daniel Vetter
X-Patchwork-Id: 13200924
From: Daniel Vetter
To: Intel Graphics Development
Cc: Daniel Vetter, Daniel Vetter, Alex Deucher, shlomo@fastmail.com, Michel Dänzer, Noralf Trønnes, Thomas Zimmermann, Maarten Lankhorst, Maxime Ripard, David Airlie, Daniel Vetter, dri-devel@lists.freedesktop.org, stable@vger.kernel.org, Bartlomiej Zolnierkiewicz, Geert Uytterhoeven, Nathan Chancellor, Qiujun Huang, Peter Rosin, linux-fbdev@vger.kernel.org, Helge Deller, Sam Ravnborg, Geert Uytterhoeven, Samuel Thibault, Tetsuo Handa, Shigeru Yoshida
Subject: [PATCH] fbmem: Reject FB_ACTIVATE_KD_TEXT from userspace
Date: Tue, 4 Apr 2023 21:39:34 +0200
Message-Id: <20230404193934.472457-1-daniel.vetter@ffwll.ch>
X-Mailer: git-send-email 2.40.0
X-Mailing-List: linux-fbdev@vger.kernel.org

This is an oversight from dc5bdb68b5b3 ("drm/fb-helper: Fix vt restore") - I failed to realize that nasty userspace could set this.

It's not pretty to mix up kernel-internal and userspace uapi flags like this, but since the entire fb_var_screeninfo structure is uapi we'd need to either add a new parameter to the ->fb_set_par callback and fb_set_par() function, which has a _lot_ of users. Or some other fairly ugly side-channel in fb_info. Neither is a pretty prospect.

Instead just correct the issue at hand by filtering out this kernel-internal flag in the ioctl handling code.

Signed-off-by: Daniel Vetter Fixes: dc5bdb68b5b3 ("drm/fb-helper: Fix vt restore") Cc: Alex Deucher Cc: shlomo@fastmail.com Cc: Michel Dänzer Cc: Noralf Trønnes Cc: Thomas Zimmermann Cc: Daniel Vetter Cc: Maarten Lankhorst Cc: Maxime Ripard Cc: David Airlie Cc: Daniel Vetter Cc: dri-devel@lists.freedesktop.org Cc: # v5.7+ Cc: Bartlomiej Zolnierkiewicz Cc: Geert Uytterhoeven Cc: Nathan Chancellor Cc: Qiujun Huang Cc: Peter Rosin Cc: linux-fbdev@vger.kernel.org Cc: Helge Deller Cc: Sam Ravnborg Cc: Geert Uytterhoeven Cc: Samuel Thibault Cc: Tetsuo Handa Cc: Shigeru Yoshida Acked-by: Maarten Lankhorst Reviewed-by: Javier Martinez Canillas --- drivers/video/fbdev/core/fbmem.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c index 875541ff185b..3fd95a79e4c3 100644 --- a/drivers/video/fbdev/core/fbmem.c +++ b/drivers/video/fbdev/core/fbmem.c @@ -1116,6 +1116,8 @@ static long do_fb_ioctl(struct fb_info *info, unsigned int cmd, case FBIOPUT_VSCREENINFO: if (copy_from_user(&var, argp, sizeof(var))) return -EFAULT; + /* only for kernel-internal use */ + var.activate &= ~FB_ACTIVATE_KD_TEXT; console_lock(); lock_fb_info(info); ret = fbcon_modechange_possible(info, &var);
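
Review bot: In the FBIOPUT_VSCREENINFO case of do_fb_ioctl() the added `var.activate &= ~FB_ACTIVATE_KD_TEXT;` clears the bit silently and carries on, while the subject line says "Reject"; a caller that sets the flag is never told it was dropped and does not get -EINVAL. If silent filtering is what is intended, as the last paragraph of the commit message says, the subject would read better as "Filter" or "Ignore", and the comment `/* only for kernel-internal use */` could say that the flag is stripped here because var has just come from copy_from_user(). The mask sits only in this one ioctl case, so it is also worth stating in the commit message that no other path passes a userspace-supplied fb_var_screeninfo on without the same mask.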