lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <1363493197.3937.241.camel@deadeye.wl.decadent.org.uk>
Date:	Sun, 17 Mar 2013 04:06:37 +0000
From:	Ben Hutchings <ben@...adent.org.uk>
To:	Ilya Zykov <ilya@...x.ru>
Cc:	linux-kernel@...r.kernel.org, stable@...r.kernel.org,
	linux-serial@...r.kernel.org
Subject: Re: [PATCH] tty: Correct tty buffer flush.

On Mon, 2013-03-04 at 23:19 +0400, Ilya Zykov wrote:
> On 03.12.2012 13:54, Ilya Zykov wrote:
> >   The root of problem is carelessly zeroing pointer(in function __tty_buffer_flush()),
> > when another thread can use it. It can be cause of "NULL pointer dereference".
> >   Main idea of the patch, this is never release last (struct tty_buffer) in the active buffer.
> > Only flush data for ldisc(tty->buf.head->read = tty->buf.head->commit).
> > At that moment driver can collect(write) data in buffer without conflict.
> > It is repeat behavior of flush_to_ldisc(), only without feeding data to ldisc.
> > Test program and bug report you can see:
> > https://lkml.org/lkml/2012/11/29/368
> > 
> > Cc: stable@...r.kernel.org
> > Signed-off-by: Ilya Zykov <ilya@...x.ru>
> > ---
> > diff --git a/drivers/tty/tty_buffer.c b/drivers/tty/tty_buffer.c
> > index 6c9b7cd..4f02f9c 100644
> > --- a/drivers/tty/tty_buffer.c
> > +++ b/drivers/tty/tty_buffer.c
> > @@ -114,11 +114,14 @@ static void __tty_buffer_flush(struct tty_struct *tty)
> >  {
> >  	struct tty_buffer *thead;
> >  
> > -	while ((thead = tty->buf.head) != NULL) {
> > -		tty->buf.head = thead->next;
> > -		tty_buffer_free(tty, thead);
> > +	if (tty->buf.head == NULL)
> > +		return;
> > +	while ((thead = tty->buf.head->next) != NULL) {
> > +		tty_buffer_free(tty, tty->buf.head);
> > +		tty->buf.head = thead;
> >  	}
> > -	tty->buf.tail = NULL;
> > +	WARN_ON(tty->buf.head != tty->buf.tail);
> > +	tty->buf.head->read = tty->buf.head->commit;
> >  }
> >  
> >  /**
> > 
> 
> You can include this patch, in 3.2 series , for improve stability,
> it would be merged in upstream 3.9-rc1.

Added to the queue, thanks.

Ben.

-- 
Ben Hutchings
Usenet is essentially a HUGE group of people passing notes in class.
                      - Rachel Kadel, `A Quick Guide to Newsgroup Etiquette'

Download attachment "signature.asc" of type "application/pgp-signature" (829 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ