mirror_ubuntu-kernels/drivers/tty
Sven Schnelle db4df8e9d7 tty: fix out-of-bounds access in tty_driver_lookup_tty()
When specifying an invalid console= device like console=tty3270,
tty_driver_lookup_tty() returns the tty struct without checking
whether index is a valid number.

To reproduce:

qemu-system-x86_64 -enable-kvm -nographic -serial mon:stdio \
-kernel ../linux-build-x86/arch/x86/boot/bzImage \
-append "console=ttyS0 console=tty3270"

This crashes with:

[    0.770599] BUG: kernel NULL pointer dereference, address: 00000000000000ef
[    0.771265] #PF: supervisor read access in kernel mode
[    0.771773] #PF: error_code(0x0000) - not-present page
[    0.772609] Oops: 0000 [#1] PREEMPT SMP PTI
[    0.774878] RIP: 0010:tty_open+0x268/0x6f0
[    0.784013]  chrdev_open+0xbd/0x230
[    0.784444]  ? cdev_device_add+0x80/0x80
[    0.784920]  do_dentry_open+0x1e0/0x410
[    0.785389]  path_openat+0xca9/0x1050
[    0.785813]  do_filp_open+0xaa/0x150
[    0.786240]  file_open_name+0x133/0x1b0
[    0.786746]  filp_open+0x27/0x50
[    0.787244]  console_on_rootfs+0x14/0x4d
[    0.787800]  kernel_init_freeable+0x1e4/0x20d
[    0.788383]  ? rest_init+0xc0/0xc0
[    0.788881]  kernel_init+0x11/0x120
[    0.789356]  ret_from_fork+0x22/0x30

Signed-off-by: Sven Schnelle <svens@linux.ibm.com>
Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
Link: https://lore.kernel.org/r/20221209112737.3222509-2-svens@linux.ibm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-01-19 15:04:56 +01:00
hvc xen: branch for v6.2-rc4 2023-01-12 17:02:20 -06:00
ipwireless tty: drop put_tty_driver 2021-07-27 12:17:21 +02:00
serdev tty: Replace acpi_bus_get_device() 2022-01-31 14:30:06 +01:00
serial serial: 8250_early: Convert literals to use defines 2023-01-19 15:01:20 +01:00
vt Merge 6.0-rc4 into tty-next 2022-09-05 07:59:28 +02:00
amiserial.c tty: Make ->set_termios() old ktermios const 2022-08-30 14:22:35 +02:00
ehv_bytechan.c tty: evh_bytechan: Replace NO_IRQ by 0 2022-11-02 08:10:42 +01:00
goldfish.c tty: goldfish: Fix free_irq() on remove 2022-06-10 13:31:31 +02:00
Kconfig tty: Allow TIOCSTI to be disabled 2022-11-03 01:58:03 +01:00
Makefile tty: add rpmsg driver 2021-10-21 12:35:35 +02:00
mips_ejtag_fdc.c serial: Convert SERIAL_XMIT_SIZE to UART_XMIT_SIZE 2022-06-27 14:41:31 +02:00
moxa.c tty: Make ->set_termios() old ktermios const 2022-08-30 14:22:35 +02:00
mxser.c tty: mxser: remove redundant assignment to hwid 2022-09-01 17:59:36 +02:00
n_gsm.c treewide: Convert del_timer*() to timer_shutdown*() 2022-12-25 13:38:09 -08:00
n_hdlc.c tty: n_hdlc: remove HDLC_MAGIC 2022-09-22 16:12:34 +02:00
n_null.c
n_tty.c n_tty: Rename tail to old_tail in n_tty_read() 2022-11-22 17:51:34 +01:00
nozomi.c tty: drop put_tty_driver 2021-07-27 12:17:21 +02:00
pty.c tty: Make ->set_termios() old ktermios const 2022-08-30 14:22:35 +02:00
rpmsg_tty.c tty: rpmsg: Fix race condition releasing tty port 2022-01-26 14:50:26 +01:00
synclink_gt.c tty: synclink_gt: unwind actions in error path of net device open 2022-11-22 17:52:57 +01:00
sysrq.c treewide: Convert del_timer*() to timer_shutdown*() 2022-12-25 13:38:09 -08:00
tty_audit.c
tty_baudrate.c tty: Fix comment style in tty_termios_input_baud_rate() 2022-08-30 14:22:34 +02:00
tty_buffer.c tty: Convert tty_buffer flags to bool 2022-11-09 13:02:16 +01:00
tty_io.c tty: fix out-of-bounds access in tty_driver_lookup_tty() 2023-01-19 15:04:56 +01:00
tty_ioctl.c termios: start unifying non-UAPI parts of asm/termios.h 2022-09-09 10:44:34 +02:00
tty_jobctrl.c signal: Replace __group_send_sig_info with send_signal_locked 2022-05-11 14:33:17 -05:00
tty_ldisc.c tty: Move sysctl setup into "core" tty logic 2022-11-03 01:58:03 +01:00
tty_ldsem.c tty/ldsem: Fix syntax errors in comments 2021-12-21 09:15:49 +01:00
tty_mutex.c tty: remove TTY_MAGIC 2022-09-22 16:12:34 +02:00
tty_port.c tty: Implement lookahead to process XON/XOFF timely 2022-06-10 13:51:31 +02:00
tty.h tty: Move sysctl setup into "core" tty logic 2022-11-03 01:58:03 +01:00
ttynull.c tty: drop put_tty_driver 2021-07-27 12:17:21 +02:00
vcc.c termios: start unifying non-UAPI parts of asm/termios.h 2022-09-09 10:44:34 +02:00