From: Hillf Danton <hdanton@sina.com>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: ChenBigNB <chennbnbnb@gmail.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Jiri Slaby <jirislaby@kernel.org>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: CVE-2022-1462: race condition vulnerability in drivers/tty/tty_buffers.c
Date: Thu, 2 Jun 2022 10:48:57 +0800 [thread overview]
Message-ID: <20220602024857.4808-1-hdanton@sina.com> (raw)
In-Reply-To: <20220601183426.GD2168@kadam>
On Wed, 1 Jun 2022 21:34:26 +0300 Dan Carpenter wrote:
> Hi Greg, Jiri,
>
> I searched lore.kernel.org and it seemed like CVE-2022-1462 might not
> have ever been reported to you? Here is the original email with the
> syzkaller reproducer.
>
> https://seclists.org/oss-sec/2022/q2/155
>
> The reporter proposed a fix, but it won't work. Smatch says that some
> of the callers are already holding the port->lock. For example,
> sci_dma_rx_complete() will deadlock.
Hi Dan
To erase the deadlock above, we need to add another helper folding
tty_insert_flip_string() and tty_flip_buffer_push() into one nutshell,
with buf->tail covered by port->lock.
The diff attached in effect reverts
71a174b39f10 ("pty: do tty_flip_buffer_push without port->lock in pty_write").
Only for thoughts now.
Hillf
+++ b/drivers/tty/pty.c
@@ -116,15 +116,8 @@ static int pty_write(struct tty_struct *
if (tty->flow.stopped)
return 0;
- if (c > 0) {
- spin_lock_irqsave(&to->port->lock, flags);
- /* Stuff the data into the input queue of the other end */
- c = tty_insert_flip_string(to->port, buf, c);
- spin_unlock_irqrestore(&to->port->lock, flags);
- /* And shovel */
- if (c)
- tty_flip_buffer_push(to->port);
- }
+ if (c > 0)
+ c = tty_flip_insert_and_push_buffer(to->port, buf, c);
return c;
}
+++ b/drivers/tty/tty_buffer.c
@@ -554,6 +554,26 @@ void tty_flip_buffer_push(struct tty_por
}
EXPORT_SYMBOL(tty_flip_buffer_push);
+int tty_flip_insert_and_push_buffer(struct tty_port *port, const unsigned char *string, int cnt)
+{
+ struct tty_bufhead *buf = &port->buf;
+ unsigned long flags;
+
+ spin_lock_irqsave(&port->lock, flags);
+ cnt = tty_insert_flip_string(port, string, cnt);
+ if (cnt) {
+ /*
+ * Paired w/ acquire in flush_to_ldisc(); ensures flush_to_ldisc() sees
+ * buffer data.
+ */
+ smp_store_release(&buf->tail->commit, buf->tail->used);
+ }
+ spin_unlock_irqrestore(&port->lock, flags);
+ queue_work(system_unbound_wq, &buf->work);
+ return cnt;
+}
+EXPORT_SYMBOL(tty_flip_insert_and_push_buffer);
+
/**
* tty_buffer_init - prepare a tty buffer structure
* @port: tty port to initialise
next prev parent reply other threads:[~2022-06-02 2:49 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-01 18:34 CVE-2022-1462: race condition vulnerability in drivers/tty/tty_buffers.c Dan Carpenter
2022-06-02 2:48 ` Hillf Danton [this message]
2022-06-02 4:48 ` Jiri Slaby
2022-06-15 10:47 ` Jiri Slaby
2022-06-22 14:27 ` Salvatore Bonaccorso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220602024857.4808-1-hdanton@sina.com \
--to=hdanton@sina.com \
--cc=chennbnbnb@gmail.com \
--cc=dan.carpenter@oracle.com \
--cc=gregkh@linuxfoundation.org \
--cc=jirislaby@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.