| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 13 Jun 2009 21:53:33 +0100 From: Alan Cox <alan@...rguk.ukuu.org.uk> To: James Bottomley <JBottomley@...ell.com> Cc: linux-kernel <linux-kernel@...r.kernel.org> Subject: Re: BUG in pty_chars_in_buffer with 2.6.30 git head using ssh On Sat, 13 Jun 2009 11:09:34 -0500 James Bottomley <JBottomley@...ell.com> wrote: > This is a really odd one. I've used ssh into this box with this same > kernel several times before, I got this (actually logged out as me over > ssh then logged back in as root): Its an ancient long standing bug but from the trace its inadvertently become a NULL pointer deref rather than calling functions unsafely. Change the if (!to ...) to if (!to || !to->ldisc || ... and you'll get a race window thats rather like the one before. The underlying problem is that the tty layer calls one tty ldisc from under the locks of another but without holding the locks it needs. It can't take both locks without deadlocking. It's one I'm currently working on fixing. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists