| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 08 Aug 2007 08:13:33 -0600 From: Paul Fulghum <paulkf@...rogate.com> To: Laurent Pinchart <laurentp@...-semaphore.com> CC: linux-kernel@...r.kernel.org Subject: Re: Serial buffer memory leak Laurent Pinchart wrote: > Patch c5c34d4862e18ef07c1276d233507f540fb5a532 (tty: flush flip buffer on > ldisc input queue flush) introduces a race condition which can lead to memory > leaks. > > The problem can be triggered when tcflush() is called when data are being > pushed to the line discipline driver by flush_to_ldisc(). > > flush_to_ldisc() releases tty->buf.lock when calling the line discipline > receive_buf function. At that poing tty_buffer_flush() kicks in and sets both > tty->buf.head and tty->buf.tail to NULL. When flush_to_ldisc() finishes, it > restores tty->buf.head but doesn't touch tty->buf.tail. This corrups the > buffer queue, and the next call to tty_buffer_request_room() will allocate a > new buffer and overwrite tty->buf.head. The previous buffer is then lost > forever without being released. Your description is clear enough, I'll make the patch. Thanks, Paul - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists