lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:	Wed, 11 Nov 2009 15:01:03 -0200
From:	Mauro Carvalho Chehab <mchehab@...hat.com>
To:	Alan Cox <alan@...rguk.ukuu.org.uk>,
	"Theodore Ts'o" <tytso@....edu>
Cc:	LKML <linux-kernel@...r.kernel.org>
Subject: [RFC] potential ancient bug (since 1.99.14) at char/pty

Hi Alan/Ts'o,

There's an open bugzilla at Red Hat for the pty driver that I'm not sure
what would be the better fix. It tracks to kernel 1.99.14:
	http://www.linuxhq.com/kernel/v1.99/13/drivers/char/ChangeLog
	http://www.linuxhq.com/kernel/v1.99/13/drivers/char/pty.c

The code is still present upstream.

The pty changes added two lines to pty_close(): tty->packet = 0 and
tty->link->packet = 0.

The bug is at:
	https://bugzilla.redhat.com/show_bug.cgi?id=504703

The result of the bug is a race condition where telnetd may not properly
recognize the logout message (as it assumes that the device is in packet mode,
where the driver already changed its state to non-packet mode).

By removing tty->link->packet = 0, it fixes the issue, with a patch like:

--- a/drivers/char/pty.c
+++ b/drivers/char/pty.c
@@ -51,7 +51,6 @@ static void pty_close(struct tty_struct *tty, struct file *filp)
 	tty->packet = 0;
 	if (!tty->link)
 		return;
-	tty->link->packet = 0;
 	set_bit(TTY_OTHER_CLOSED, &tty->link->flags);
 	wake_up_interruptible(&tty->link->read_wait);
 	wake_up_interruptible(&tty->link->write_wait);

However, I'm not sure if this is the better fix, since it means that, after
closing both devices and opening again, link->packet will be 1, and this seems
wrong.

So, maybe the better way would be to add an open counter to pty and changing
link->packet to zero only if the open usage count is zero.

Another point to be considered is that a change like that on a very old code can
cause regressions on other parts.

Comments?

Cheers,
Mauro
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists