From: Salvatore Bonaccorso <carnil@debian.org>
To: Jiri Slaby <jirislaby@kernel.org>
Cc: Hillf Danton <hdanton@sina.com>,
Dan Carpenter <dan.carpenter@oracle.com>,
ChenBigNB <chennbnbnb@gmail.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: Re: CVE-2022-1462: race condition vulnerability in drivers/tty/tty_buffers.c
Date: Wed, 22 Jun 2022 16:27:08 +0200 [thread overview]
Message-ID: <YrMmvAoCAKmr7UhZ@eldamar.lan> (raw)
In-Reply-To: <ca7fdc92-b94e-56e8-3d4a-739535cdf8c3@kernel.org>
hi,
On Wed, Jun 15, 2022 at 12:47:20PM +0200, Jiri Slaby wrote:
> On 02. 06. 22, 6:48, Jiri Slaby wrote:
> > On 02. 06. 22, 4:48, Hillf Danton wrote:
> > > On Wed, 1 Jun 2022 21:34:26 +0300 Dan Carpenter wrote:
> > > > Hi Greg, Jiri,
> > > >
> > > > I searched lore.kernel.org and it seemed like CVE-2022-1462 might not
> > > > have ever been reported to you? Here is the original email with the
> > > > syzkaller reproducer.
> > > >
> > > > https://seclists.org/oss-sec/2022/q2/155
> > > >
> > > > The reporter proposed a fix, but it won't work. Smatch says that some
> > > > of the callers are already holding the port->lock. For example,
> > > > sci_dma_rx_complete() will deadlock.
> > >
> > > Hi Dan
> > >
> > > To erase the deadlock above, we need to add another helper folding
> > > tty_insert_flip_string() and tty_flip_buffer_push() into one nutshell,
> > > with buf->tail covered by port->lock.
> > >
> > > The diff attached in effect reverts
> > > 71a174b39f10 ("pty: do tty_flip_buffer_push without port->lock in
> > > pty_write").
> > >
> > > Only for thoughts now.
> >
> > I think this the likely the best approach. Except few points inlined below.
> >
> > Another would be to split tty_flip_buffer_push() into two and call only
> > the first one (doing smp_store_release()) inside the lock. I tried that
> > already, but it looks much worse.
> >
> > Another would be to add flags to tty_flip_buffer_push(). Like
> > ONLY_ADVANCE and ONLY_QUEUE. Call with the first under the lock, the
> > second outside.
> >
> > Ideas, comments?
>
> Apparently not, so Hillf, could you resend your patch after fixing the
> comments below?
Any news here? I'm not sure if I missed the followup submission but
was not able to find it.
Regards,
Salvatore
prev parent reply other threads:[~2022-06-22 14:27 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-01 18:34 CVE-2022-1462: race condition vulnerability in drivers/tty/tty_buffers.c Dan Carpenter
2022-06-02 2:48 ` Hillf Danton
2022-06-02 4:48 ` Jiri Slaby
2022-06-15 10:47 ` Jiri Slaby
2022-06-22 14:27 ` Salvatore Bonaccorso [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YrMmvAoCAKmr7UhZ@eldamar.lan \
--to=carnil@debian.org \
--cc=chennbnbnb@gmail.com \
--cc=dan.carpenter@oracle.com \
--cc=gregkh@linuxfoundation.org \
--cc=hdanton@sina.com \
--cc=jirislaby@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.