lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 11 Nov 2014 13:04:28 +0000
From:	Måns Rullgård <mans@...sr.com>
To:	Christian Riesch <christian.riesch@...cron.at>
Cc:	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	<linux-kernel@...r.kernel.org>,
	Peter Hurley <peter@...leysoftware.com>,
	<stable@...r.kernel.org>
Subject: Re: [PATCH v2] n_tty: Fix read_buf race condition, increment read_head after pushing data

Christian Riesch <christian.riesch@...cron.at> writes:

> Commit 19e2ad6a09f0c06dbca19c98e5f4584269d913dd ("n_tty: Remove overflow
> tests from receive_buf() path") moved the increment of read_head into
> the arguments list of read_buf_addr(). Function calls represent a
> sequence point in C. Therefore read_head is incremented before the
> character c is placed in the buffer. Since the circular read buffer is
> a lock-less design since commit 6d76bd2618535c581f1673047b8341fd291abc67
> ("n_tty: Make N_TTY ldisc receive path lockless"), this creates a race
> condition that leads to communication errors.
>
> This patch modifies the code to increment read_head _after_ the data
> is placed in the buffer and thus fixes the race for non-SMP machines.
> To fix the problem for SMP machines, memory barriers must be added in
> a separate patch.
>
> Signed-off-by: Christian Riesch <christian.riesch@...cron.at>
> Cc: <stable@...r.kernel.org>
> ---
>
> This is version 2 of the patch in [1].
>
> Changes for v2:
> - Rewrote commit message. Since I did not know better, I blamed the compiler
>   in v1, but actually the code was wrong. See the discussion in [1].
> - Removed memory barriers. For non-SMP machines they are not required,
>   for SMP machines more brainwork and discussions are needed.
>
> Best regards,
> Christian
>
> [1] https://lkml.org/lkml/2014/11/6/216
>
>  drivers/tty/n_tty.c |    4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
> index 2e900a9..b09f326 100644
> --- a/drivers/tty/n_tty.c
> +++ b/drivers/tty/n_tty.c
> @@ -321,7 +321,9 @@ static void n_tty_check_unthrottle(struct tty_struct *tty)
>
>  static inline void put_tty_queue(unsigned char c, struct n_tty_data *ldata)
>  {
> -	*read_buf_addr(ldata, ldata->read_head++) = c;
> +	*read_buf_addr(ldata, ldata->read_head) = c;
> +	/* increment read_head _after_ placing the character in the buffer */
> +	ldata->read_head++;
>  }

Is that comment really necessary?

-- 
Måns Rullgård
mans@...sr.com
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ