| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <alpine.LFD.2.01.0908040825210.3270@localhost.localdomain> Date: Tue, 4 Aug 2009 08:40:20 -0700 (PDT) From: Linus Torvalds <torvalds@...ux-foundation.org> To: Greg KH <greg@...ah.com> cc: Sergey Senozhatsky <sergey.senozhatsky@...l.by>, Alan Cox <alan@...rguk.ukuu.org.uk>, OGAWA Hirofumi <hirofumi@...l.parknet.co.jp>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org> Subject: Re: proper tty-ldisc refcounting (was Re: WARNING at: drivers/char/tty_ldisc.c) On Tue, 4 Aug 2009, Greg KH wrote: > > Ok, but due to the lateness of the release cycle, is it worth it to add > those 3 right now? Or do we just take the BUG_ON() out as it's pretty > harmless while shutting down in single user mode? > > What do you think? If the WARN_ON() happens, it's not just that we have a refcount being off, we'll also have memory corruption and a potential oops a bit later. Why? Simply because somebody will be touching that 'struct ldisc', even if it will be just a decrement of the word that contained the refcount. So we have a pretty much guaranteed use-after-free scenario. So taking out the WARN_ON() is the wrong thing. In that case it would probably be better to just leave the WARN_ON(), and at least know "ok, bad things happened". So I think we have a few options: - leave things as-is, leave the WARN_ON(), and know that it's very rare, but that bad things can happen when it triggers. The thing I really dislike about this one is that yes, it's rare, but I could see it be user-triggerable. Users do have access to /dev/console when they are logged in at the console. - Change the old code from WARN_ON(ld->refcount); kfree(ld); to if (!WARN_ON_ONCE(ld->refcount)) kfree(ld); which at least doesn't free the ldisc if it is in use. So now you have a memory leak, but at least hopefully no actual corruption and use-after-free. It's still a bug, but it won't be causing other bugs down the line (except for running out of memory if you can trigger it really easily, but that's unlikely, and I think preferable to unknown problems - even if the unknown problems are very unlikely) - Take the three patches now. I suspect we should take the three now. All of the issues are due to totally rewritten code since 2.6.30 - I suspect the risk from new bugs from that refcounting series is _smaller_ that the risk of bugs from the original ldisc rewrite (commit c65c9bc3e), and if there are bugs, I suspect the three patches are more likely to help than to hurt. Linus -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists