lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20141106220249.GA952@kroah.com>
Date:	Thu, 6 Nov 2014 14:02:49 -0800
From:	Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:	Måns Rullgård <mans@...sr.com>
Cc:	Christian Riesch <christian.riesch@...cron.at>,
	Jiri Slaby <jslaby@...e.cz>, linux-kernel@...r.kernel.org,
	Peter Hurley <peter@...leysoftware.com>, stable@...r.kernel.org
Subject: Re: [PATCH] n_tty: Add memory barrier to fix race condition in
 receive path

On Thu, Nov 06, 2014 at 09:38:59PM +0000, Måns Rullgård wrote:
> Greg Kroah-Hartman <gregkh@...uxfoundation.org> writes:
> 
> > On Thu, Nov 06, 2014 at 09:01:36PM +0000, Måns Rullgård wrote:
> >> Greg Kroah-Hartman <gregkh@...uxfoundation.org> writes:
> >> 
> >> > On Thu, Nov 06, 2014 at 08:49:01PM +0000, Måns Rullgård wrote:
> >> >> Greg Kroah-Hartman <gregkh@...uxfoundation.org> writes:
> >> >> 
> >> >> > On Thu, Nov 06, 2014 at 12:39:59PM +0100, Christian Riesch wrote:
> >> >> >> The current implementation of put_tty_queue() causes a race condition
> >> >> >> when re-arranged by the compiler.
> >> >> >> 
> >> >> >> On my build with gcc 4.8.3, cross-compiling for ARM, the line
> >> >> >> 
> >> >> >> 	*read_buf_addr(ldata, ldata->read_head++) = c;
> >> >> >> 
> >> >> >> was re-arranged by the compiler to something like
> >> >> >> 
> >> >> >> 	x = ldata->read_head
> >> >> >> 	ldata->read_head++
> >> >> >> 	*read_buf_addr(ldata, x) = c;
> >> >> >> 
> >> >> >> which causes a race condition. Invalid data is read if data is read
> >> >> >> before it is actually written to the read buffer.
> >> >> >
> >> >> > Really?  A compiler can rearange things like that and expect things to
> >> >> > actually work?  How is that valid?
> >> >> 
> >> >> This is actually required by the C spec.  There is a sequence point
> >> >> before a function call, after the arguments have been evaluated.  Thus
> >> >> all side-effects, such as the post-increment, must be complete before
> >> >> the function is called, just like in the example.
> >> >> 
> >> >> There is no "re-arranging" here.  The code is simply wrong.
> >> >
> >> > Ah, ok, time to dig out the C spec...
> >> >
> >> > Anyway, because of this, no need for the wmb() calls, just rearrange the
> >> > logic and all should be good, right?  Christian, can you test that
> >> > instead?
> >> 
> >> Weakly ordered SMP systems probably need some kind of barrier.  I didn't
> >> look at it carefully.
> >
> > It shouldn't need a barier, as it is a sequence point with the function
> > call.  Well, it's an inline function, but that "shouldn't" matter here,
> > right?
> 
> Sequence points say nothing about the order in which stores become
> visible to other CPUs.  That's why there are barrier instructions.

Yes, but "order" matters.

If I write code that does:

100	x = ldata->read_head;
101	&ldata->read_head[x & SOME_VALUE] = y;
102	ldata->read_head++;

the compiler can not reorder lines 102 and 101 just because it feels
like it, right?  Or is it time to go spend some reading of the C spec
again...

thanks,

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ