lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 7 Feb 2020 09:10:06 +0100
From:   Greg KH <gregkh@...uxfoundation.org>
To:     Shen Kai <shenkai8@...wei.com>
Cc:     jslaby@...e.com, linux-kernel@...r.kernel.org,
        hushiyuan@...wei.com, linfeilong@...wei.com
Subject: Re: [PATCH] add lock proctect to __handle_sysrq in
 write_sysrq_trigger

On Fri, Feb 07, 2020 at 07:56:06AM +0000, Shen Kai wrote:
> From: Feilong Lin <linfeilong@...wei.com>
> 
> Add lock protect to __handle_sysrq to avoid race condition.
> __handle_sysrq will change console_loglevel without lock protect
> which can lead to console_loglevel to be set as an unexpected value.
> 
> Problem may occur when "echo t > /proc/sysrq-trigger" is called on 
> multiple cpus concurrently.
> 
> In this case in __handle_sysrq, console_loglevel is set to 7 to print
> some head info to the console then restore it. But without lock protect
> in parallel execution situation, restoring may go wrong. The new 
> loglevel may be taken as the previous loglevel incorrectly.
> Console_loglevel can be 7 at last, which causes the terminal to output
> info in most log levels.
> 
> This bug was found on linux 4.19
> 
> Signed-off-by: Feilong Lin <linfeilong@...wei.com>
> Reported-by: Kai Shen <shenkai8@...wei.com>
> ---
>  drivers/tty/sysrq.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
> index f724962..cbb48a9 100644
> --- a/drivers/tty/sysrq.c
> +++ b/drivers/tty/sysrq.c
> @@ -1087,6 +1087,8 @@ EXPORT_SYMBOL(unregister_sysrq_key);
>  /*
>   * writing 'C' to /proc/sysrq-trigger is like sysrq-C
>   */
> +static DEFINE_MUTEX(sysrq_mutex);
> +
>  static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
>  				   size_t count, loff_t *ppos)
>  {
> @@ -1095,7 +1097,9 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
>  
>  		if (get_user(c, buf))
>  			return -EFAULT;
> +		mutex_lock(&sysrq_mutex);
>  		__handle_sysrq(c, false);
> +		mutex_unlock(&sysrq_mutex);

What exactly are you protecting here?  What other task is doing this at
the same exact time?

You mention different tasks hitting this sysrq-trigger at the same time,
but really, "just do not do that" should be the real answer, as even
with this lock, you don't know what the end result will be as the "last"
one in will have the last word, right?

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ