lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Mon, 10 Nov 2014 09:25:57 +0000
From:	Måns Rullgård <mans@...sr.com>
To:	Christian Riesch <christian.riesch@...cron.at>
Cc:	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Jiri Slaby <jslaby@...e.cz>,
	"linux-kernel\@vger.kernel.org" <linux-kernel@...r.kernel.org>,
	Peter Hurley <peter@...leysoftware.com>,
	stable <stable@...r.kernel.org>
Subject: Re: [PATCH] n_tty: Add memory barrier to fix race condition in receive path

Christian Riesch <christian.riesch@...cron.at> writes:

> On Thu, Nov 6, 2014 at 9:56 PM, Greg Kroah-Hartman
> <gregkh@...uxfoundation.org> wrote:
>> On Thu, Nov 06, 2014 at 08:49:01PM +0000, Måns Rullgård wrote:
>>> Greg Kroah-Hartman <gregkh@...uxfoundation.org> writes:
>>>
>>> > On Thu, Nov 06, 2014 at 12:39:59PM +0100, Christian Riesch wrote:
>>> >> The current implementation of put_tty_queue() causes a race condition
>>> >> when re-arranged by the compiler.
>>> >>
>>> >> On my build with gcc 4.8.3, cross-compiling for ARM, the line
>>> >>
>>> >>    *read_buf_addr(ldata, ldata->read_head++) = c;
>>> >>
>>> >> was re-arranged by the compiler to something like
>>> >>
>>> >>    x = ldata->read_head
>>> >>    ldata->read_head++
>>> >>    *read_buf_addr(ldata, x) = c;
>>> >>
>>> >> which causes a race condition. Invalid data is read if data is read
>>> >> before it is actually written to the read buffer.
>>> >
>>> > Really?  A compiler can rearange things like that and expect things to
>>> > actually work?  How is that valid?
>>>
>>> This is actually required by the C spec.  There is a sequence point
>>> before a function call, after the arguments have been evaluated.  Thus
>>> all side-effects, such as the post-increment, must be complete before
>>> the function is called, just like in the example.
>>>
>>> There is no "re-arranging" here.  The code is simply wrong.
>>
>> Ah, ok, time to dig out the C spec...
>>
>> Anyway, because of this, no need for the wmb() calls, just rearrange the
>> logic and all should be good, right?  Christian, can you test that
>> instead?
>
> I ran a test with the patch that I posted in my first email for the
> last 4 days. No communication errors occurred so the patch actually
> fixes my problem. I will run another test as suggested by Greg, just
> with rearranging the logic.

What hardware are you running on?  If it's a single-processor system,
it won't break without barriers even if they are required for SMP.

-- 
Måns Rullgård
mans@...sr.com
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists