| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 23 Jan 2013 10:46:26 +0800 From: snakky.zhang@...il.com To: linux-kernel@...r.kernel.org Subject: Is this a bug that n_tty_set_room not serialized? If so please correct it. Hi experts, Seems there is an bug related to function n_tty_set_roomin source file drivers/tty/n_tty.c. This function is used to set receive_room based on the read_cntby both the consumer and the producer of the tty's read buffer. But this function is not serialized, so I am afraid there is a risk like: The producer make the buffer full and then call this function to set the receive_room to 0; while it is preempted by the consumer that empty the buffer(read_cnt is 0)and then call this very function to set the receive_room to a non-zero value. But when the producer continue, receive_room was set to 0 again. Thus both read_cnt and receive_room is 0.For consumer theread_cnt is 0 that no data can be read; while for the producer, thebuffer is full since the receive_room is 0. Both of them blockhere... Two methods to avoid it: A) Addor find a lock to serialize this function; B) Once the producer find the buffer is full, double check/set the buffer with n_tty_set_room. For example in function "flush_to_ldisc". Please correct me if I misunderstand something. Or please fix it. Thanks Xiao -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists