!1524 [sync] PR-1482: CVE-2023-3567 fix patches

Merge Pull Request from: @openeuler-sync-bot 
 

Origin pull request: 
https://gitee.com/openeuler/kernel/pulls/1482 
 
PR sync from: Lu Jialin <lujialin4@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/MIDF5L7L2X2TOVLMC5V5F4QF7ZAKGN5I/ 
First is the patch to fix CVE-2023-3567. The latter two patches are the
bugfix patches for the first patch.

George Kennedy (2):
  vc_screen: move load of struct vc_data pointer in vcs_read() to avoid
    UAF
  vc_screen: modify vcs_size() handling in vcs_read()

Thomas Weißschuh (1):
  vc_screen: don't clobber return value in vcs_read


-- 
2.17.1
 
https://gitee.com/src-openeuler/kernel/issues/I7JRBO?from=project-issue 
 
Link:https://gitee.com/openeuler/kernel/pulls/1524 

Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com> 
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 

drivers/tty/vt/vc_screen.c

@@ -386,10 +386,6 @@ vcs_read(struct file *file, char __user *buf, size_t count, loff_t *ppos)
 
 	uni_mode = use_unicode(inode);
 	attr = use_attributes(inode);
-	ret = -ENXIO;
-	vc = vcs_vc(inode, &viewed);
-	if (!vc)
-		goto unlock_out;
 
 	ret = -EINVAL;
 	if (pos < 0)
@@ -407,16 +403,20 @@ vcs_read(struct file *file, char __user *buf, size_t count, loff_t *ppos)
 		unsigned int this_round, skip = 0;
 		int size;
 
+		vc = vcs_vc(inode, &viewed);
+		if (!vc) {
+			ret = -ENXIO;
+			break;
+		}
+
 		/* Check whether we are above size each round,
 		 * as copy_to_user at the end of this loop
 		 * could sleep.
 		 */
 		size = vcs_size(vc, attr, uni_mode);
 		if (size < 0) {
-			if (read)
-				break;
 			ret = size;
-			goto unlock_out;
+			break;
 		}
 		if (pos >= size)
 			break;