| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 17 May 2013 21:22:03 +0200 From: Alexander Holler <holler@...oftware.de> To: Peter Hurley <peter@...leysoftware.com> CC: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Jiri Slaby <jslaby@...e.cz>, linux-kernel@...r.kernel.org, stable@...r.kernel.org Subject: Re: [PATCH] tty: make sure a BUG is hit if tty_port will be destroyed before tty Am 17.05.2013 20:06, schrieb Peter Hurley: > On 05/17/2013 12:41 PM, Alexander Holler wrote: >> Am 17.05.2013 17:31, schrieb Greg Kroah-Hartman: >>> On Fri, May 17, 2013 at 09:12:08AM +0200, Alexander Holler wrote: >>>> tty depends on tty_port until tty_release() was called. Make sure a BUG >>>> will be hit, if tty_port will be destroyed before tty. >>> >>> So you want to ensure that we crash a machine? No, please never add >> >> Exactly. Let me quote myself: >> >> >> As described before, it ends up with memory corruption because freed >> >> memory is used, so if a BUG() happens, it doesn't help much. E.g. >> with >> >> kernel 3.9.2 I never have seen a bug, just a rebooting machine >> >> (sometimes minutes after the real bug happened). >> >>> BUG() statements to the kernel, unless something _really_ bad is going >>> to happen if we don't call it. I never want to stop a machine from >>> running, do you? >> >> Yes. I'm not sure how you define _really_ bad, but a memory corruption >> with undefined result is exactly how I would define such. > > First, I like the idea of a diagnostic here. But I'm with Greg on > this; BUG() is overkill. Just because the specific path which you found > only kills the process doesn't mean that other callers might not > prompt machine halt. > > The memory corruption happens as a result of the tty_port being freed > by tty_port_destructor(). So a suitable diagnostic is to detect the > condition, WARN, and return without actually performing the destroy, yes? > >> And in the case of rfcomm, the box doesn't stop, at least not here. >> Just the process is killed together with an easy to identfiy oops. And >> the BUG_ON() prevents that memory will become corrupted and the >> machine is still usable afterwards. If that isn't a use case for >> BUG_ON(), I really don't know what else would be a use case for it. Sorry, I didn't express it such, that this can't be misunderstood. Without that BUG_ON() in my proposed patch, my boxes always died afterwards. And that with a lot of different results before. Sometimes nothing happened and the machine just rebooted, sometimes I've just seen a warn_slowpath before the machine stopped/rebooted, sometimes I've just got the BUG I posted in a previous mail, and often I've seen many OOPSes before the machine rebooted. But in every case, the machine died unexpectly. The case that the machine didn't die, but just the process, only happens when my proposed patch is applied, which prevents the memory corruption. Regards, Alexander Holler -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists