lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 16 Mar 2012 21:53:47 +0100
From:	Jiri Slaby <jslaby@...e.cz>
To:	"Du, Alek" <alek.du@...el.com>
CC:	Jiri Slaby <jirislaby@...il.com>,
	Alan Cox <alan@...rguk.ukuu.org.uk>,
	"Tu, Xiaobing" <xiaobing.tu@...el.com>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
	"Zhang, Yanmin" <yanmin.zhang@...el.com>,
	"Zuo, Jiao" <jiao.zuo@...el.com>
Subject: Re: [PATCH] tty: hold lock across tty buffer finding and buffer filling

On 03/16/2012 02:50 PM, Du, Alek wrote:
> For #1, as I said, we already held the tty refcount. The tty refcount cannot help this crash.

Where exactly? Do you have some local changes?
$ grep tty_port_tty_ drivers/tty/serial/mfd.c
$

> For #2, this patch will avoid memcpy to a NULL pointer and avoid a kernel crash.

Ok, could you explain how? Linearized code from moxa.c with your patch
applied follows:
ofs = baseAddr + DynPage_addr + bufhead + head;
size = (tail >= head) ? (tail - head) : (rx_mask + 1 - head);
size = min(size, count);
// call to tty_prepare_flip_string
	spin_lock_irqsave(&tty->buf.lock, flags);
	space = __tty_buffer_request_room(tty, size);

	tb = tty->buf.tail;
 	if (likely(space)) {
 		*chars = tb->char_buf_ptr + tb->used;
 		memset(tb->flag_buf_ptr + tb->used, TTY_NORMAL, space);
 		tb->used += space;
 	}
	spin_unlock_irqrestore(&tty->buf.lock, flags);
// return to MoxaPortReadData
memcpy_fromio(*chars, ofs, space); <- memcpy without buf.lock
head = (head + len) & rx_mask;
...

thanks,
-- 
js
suse labs
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ