Message-ID: <20090613215333.0e8a440e@lxorguk.ukuu.org.uk>
Date:	Sat, 13 Jun 2009 21:53:33 +0100
From:	Alan Cox <alan@...rguk.ukuu.org.uk>
To:	James Bottomley <JBottomley@...ell.com>
Cc:	linux-kernel <linux-kernel@...r.kernel.org>
Subject: Re: BUG in pty_chars_in_buffer with 2.6.30 git head using ssh

On Sat, 13 Jun 2009 11:09:34 -0500
James Bottomley <JBottomley@...ell.com> wrote:

> This is a really odd one.  I've used ssh into this box with this same
> kernel several times before, I got this (actually logged out as me over
> ssh then logged back in as root):

It's an ancient long-standing bug but from the trace it's inadvertently
become a NULL pointer deref rather than calling functions unsafely.

Change the if (!to ...) to if (!to || !to->ldisc || ...

and you'll get a race window that's rather like the one before.

The underlying problem is that the tty layer calls one tty ldisc from
under the locks of another but without holding the locks it needs. It
can't take both locks without deadlocking.

It's one I'm currently working on fixing.
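
The widened guard suggested in the mail, and the window it still leaves, as an added user-space model that is not code from the mail or from the kernel source. `tty_model`, `ldisc_model`, `RACED` and the `between` hook are hypothetical stand-ins; the hook deterministically plays the other end tearing down its ldisc between the check and the call.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical user-space stand-ins; not the kernel's tty structures. */
struct tty_model;
struct ldisc_model { int (*chars_in_buffer)(struct tty_model *); };
struct tty_model { struct ldisc_model *ldisc; int queued; };

/* Hook run between check and use; models the other end's teardown path. */
typedef void (*interleave_fn)(struct tty_model *);

#define RACED (-1) /* model's marker for "ldisc vanished after the check" */

int report_queued(struct tty_model *t) { return t->queued; }
void quiet(struct tty_model *to) { (void)to; }
void teardown(struct tty_model *to) { to->ldisc = NULL; }

/* Guard widened as in the mail: if (!to || !to->ldisc || ... */
int peer_chars_in_buffer(struct tty_model *to, interleave_fn between)
{
    struct ldisc_model *ld;

    if (!to || !to->ldisc)
        return 0;
    between(to);      /* nothing pins to->ldisc across this point */
    ld = to->ldisc;   /* second read, as the call itself would do */
    if (!ld)
        return RACED; /* real code would dereference NULL here */
    return ld->chars_in_buffer(to);
}

/* Build a peer in the requested state and query it once. */
int run_case(int have_peer, int have_ldisc, interleave_fn between)
{
    struct ldisc_model ld = { report_queued };
    struct tty_model peer = { have_ldisc ? &ld : NULL, 7 };

    return peer_chars_in_buffer(have_peer ? &peer : NULL, between);
}

int main(void)
{
    printf("no peer: %d\n", run_case(0, 0, quiet));
    printf("no ldisc: %d\n", run_case(1, 0, quiet));
    printf("intact: %d\n", run_case(1, 1, quiet));
    printf("torn down in window: %d\n", run_case(1, 1, teardown));
    return 0;
}
```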
