* Re: CVE-2022-1462: race condition vulnerability in drivers/tty/tty_buffers.c [not found] <20220602024857.4808-1-hdanton@sina.com> @ 2022-06-02 4:48 ` Jiri Slaby 2022-06-15 10:47 ` Jiri Slaby 0 siblings, 1 reply; 4+ messages in thread From: Jiri Slaby @ 2022-06-02 4:48 UTC (permalink / raw) To: Hillf Danton, Dan Carpenter Cc: ChenBigNB, Greg Kroah-Hartman, linux-mm, linux-kernel On 02. 06. 22, 4:48, Hillf Danton wrote: > On Wed, 1 Jun 2022 21:34:26 +0300 Dan Carpenter wrote: >> Hi Greg, Jiri, >> >> I searched lore.kernel.org and it seemed like CVE-2022-1462 might not >> have ever been reported to you? Here is the original email with the >> syzkaller reproducer. >> >> https://seclists.org/oss-sec/2022/q2/155 >> >> The reporter proposed a fix, but it won't work. Smatch says that some >> of the callers are already holding the port->lock. For example, >> sci_dma_rx_complete() will deadlock. > > Hi Dan > > To erase the deadlock above, we need to add another helper folding > tty_insert_flip_string() and tty_flip_buffer_push() into one nutshell, > with buf->tail covered by port->lock. > > The diff attached in effect reverts > 71a174b39f10 ("pty: do tty_flip_buffer_push without port->lock in pty_write"). > > Only for thoughts now. I think this the likely the best approach. Except few points inlined below. Another would be to split tty_flip_buffer_push() into two and call only the first one (doing smp_store_release()) inside the lock. I tried that already, but it looks much worse. Another would be to add flags to tty_flip_buffer_push(). Like ONLY_ADVANCE and ONLY_QUEUE. Call with the first under the lock, the second outside. Ideas, comments? > Hillf > > +++ b/drivers/tty/pty.c > @@ -116,15 +116,8 @@ static int pty_write(struct tty_struct * > if (tty->flow.stopped) > return 0; > > - if (c > 0) { > - spin_lock_irqsave(&to->port->lock, flags); > - /* Stuff the data into the input queue of the other end */ > - c = tty_insert_flip_string(to->port, buf, c); > - spin_unlock_irqrestore(&to->port->lock, flags); > - /* And shovel */ > - if (c) > - tty_flip_buffer_push(to->port); > - } > + if (c > 0) > + c = tty_flip_insert_and_push_buffer(to->port, buf, c); > return c; > } > > +++ b/drivers/tty/tty_buffer.c > @@ -554,6 +554,26 @@ void tty_flip_buffer_push(struct tty_por > } > EXPORT_SYMBOL(tty_flip_buffer_push); > > +int tty_flip_insert_and_push_buffer(struct tty_port *port, const unsigned char *string, int cnt) It should be _insert_string_, IMO. > +{ > + struct tty_bufhead *buf = &port->buf; > + unsigned long flags; > + > + spin_lock_irqsave(&port->lock, flags); > + cnt = tty_insert_flip_string(port, string, cnt); > + if (cnt) { > + /* > + * Paired w/ acquire in flush_to_ldisc(); ensures flush_to_ldisc() sees > + * buffer data. > + */ > + smp_store_release(&buf->tail->commit, buf->tail->used); > + } > + spin_unlock_irqrestore(&port->lock, flags); > + queue_work(system_unbound_wq, &buf->work); \n here please. > + return cnt; > +} > +EXPORT_SYMBOL(tty_flip_insert_and_push_buffer); No need to export this, right? thanks, -- js suse labs ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: CVE-2022-1462: race condition vulnerability in drivers/tty/tty_buffers.c 2022-06-02 4:48 ` CVE-2022-1462: race condition vulnerability in drivers/tty/tty_buffers.c Jiri Slaby @ 2022-06-15 10:47 ` Jiri Slaby 2022-06-22 14:27 ` Salvatore Bonaccorso 0 siblings, 1 reply; 4+ messages in thread From: Jiri Slaby @ 2022-06-15 10:47 UTC (permalink / raw) To: Hillf Danton, Dan Carpenter Cc: ChenBigNB, Greg Kroah-Hartman, linux-mm, linux-kernel On 02. 06. 22, 6:48, Jiri Slaby wrote: > On 02. 06. 22, 4:48, Hillf Danton wrote: >> On Wed, 1 Jun 2022 21:34:26 +0300 Dan Carpenter wrote: >>> Hi Greg, Jiri, >>> >>> I searched lore.kernel.org and it seemed like CVE-2022-1462 might not >>> have ever been reported to you? Here is the original email with the >>> syzkaller reproducer. >>> >>> https://seclists.org/oss-sec/2022/q2/155 >>> >>> The reporter proposed a fix, but it won't work. Smatch says that some >>> of the callers are already holding the port->lock. For example, >>> sci_dma_rx_complete() will deadlock. >> >> Hi Dan >> >> To erase the deadlock above, we need to add another helper folding >> tty_insert_flip_string() and tty_flip_buffer_push() into one nutshell, >> with buf->tail covered by port->lock. >> >> The diff attached in effect reverts >> 71a174b39f10 ("pty: do tty_flip_buffer_push without port->lock in >> pty_write"). >> >> Only for thoughts now. > > I think this the likely the best approach. Except few points inlined below. > > Another would be to split tty_flip_buffer_push() into two and call only > the first one (doing smp_store_release()) inside the lock. I tried that > already, but it looks much worse. > > Another would be to add flags to tty_flip_buffer_push(). Like > ONLY_ADVANCE and ONLY_QUEUE. Call with the first under the lock, the > second outside. > > Ideas, comments? Apparently not, so Hillf, could you resend your patch after fixing the comments below? Thanks. >> Hillf >> >> +++ b/drivers/tty/pty.c >> @@ -116,15 +116,8 @@ static int pty_write(struct tty_struct * >> if (tty->flow.stopped) >> return 0; >> - if (c > 0) { >> - spin_lock_irqsave(&to->port->lock, flags); >> - /* Stuff the data into the input queue of the other end */ >> - c = tty_insert_flip_string(to->port, buf, c); >> - spin_unlock_irqrestore(&to->port->lock, flags); >> - /* And shovel */ >> - if (c) >> - tty_flip_buffer_push(to->port); >> - } >> + if (c > 0) >> + c = tty_flip_insert_and_push_buffer(to->port, buf, c); >> return c; >> } >> +++ b/drivers/tty/tty_buffer.c >> @@ -554,6 +554,26 @@ void tty_flip_buffer_push(struct tty_por >> } >> EXPORT_SYMBOL(tty_flip_buffer_push); >> +int tty_flip_insert_and_push_buffer(struct tty_port *port, const >> unsigned char *string, int cnt) > > It should be _insert_string_, IMO. > >> +{ >> + struct tty_bufhead *buf = &port->buf; >> + unsigned long flags; >> + >> + spin_lock_irqsave(&port->lock, flags); >> + cnt = tty_insert_flip_string(port, string, cnt); >> + if (cnt) { >> + /* >> + * Paired w/ acquire in flush_to_ldisc(); ensures >> flush_to_ldisc() sees >> + * buffer data. >> + */ >> + smp_store_release(&buf->tail->commit, buf->tail->used); >> + } >> + spin_unlock_irqrestore(&port->lock, flags); >> + queue_work(system_unbound_wq, &buf->work); > > \n here please. > >> + return cnt; >> +} >> +EXPORT_SYMBOL(tty_flip_insert_and_push_buffer); > > No need to export this, right? > > thanks, -- js suse labs ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: CVE-2022-1462: race condition vulnerability in drivers/tty/tty_buffers.c 2022-06-15 10:47 ` Jiri Slaby @ 2022-06-22 14:27 ` Salvatore Bonaccorso 0 siblings, 0 replies; 4+ messages in thread From: Salvatore Bonaccorso @ 2022-06-22 14:27 UTC (permalink / raw) To: Jiri Slaby Cc: Hillf Danton, Dan Carpenter, ChenBigNB, Greg Kroah-Hartman, linux-mm, linux-kernel hi, On Wed, Jun 15, 2022 at 12:47:20PM +0200, Jiri Slaby wrote: > On 02. 06. 22, 6:48, Jiri Slaby wrote: > > On 02. 06. 22, 4:48, Hillf Danton wrote: > > > On Wed, 1 Jun 2022 21:34:26 +0300 Dan Carpenter wrote: > > > > Hi Greg, Jiri, > > > > > > > > I searched lore.kernel.org and it seemed like CVE-2022-1462 might not > > > > have ever been reported to you? Here is the original email with the > > > > syzkaller reproducer. > > > > > > > > https://seclists.org/oss-sec/2022/q2/155 > > > > > > > > The reporter proposed a fix, but it won't work. Smatch says that some > > > > of the callers are already holding the port->lock. For example, > > > > sci_dma_rx_complete() will deadlock. > > > > > > Hi Dan > > > > > > To erase the deadlock above, we need to add another helper folding > > > tty_insert_flip_string() and tty_flip_buffer_push() into one nutshell, > > > with buf->tail covered by port->lock. > > > > > > The diff attached in effect reverts > > > 71a174b39f10 ("pty: do tty_flip_buffer_push without port->lock in > > > pty_write"). > > > > > > Only for thoughts now. > > > > I think this the likely the best approach. Except few points inlined below. > > > > Another would be to split tty_flip_buffer_push() into two and call only > > the first one (doing smp_store_release()) inside the lock. I tried that > > already, but it looks much worse. > > > > Another would be to add flags to tty_flip_buffer_push(). Like > > ONLY_ADVANCE and ONLY_QUEUE. Call with the first under the lock, the > > second outside. > > > > Ideas, comments? > > Apparently not, so Hillf, could you resend your patch after fixing the > comments below? Any news here? I'm not sure if I missed the followup submission but was not able to find it. Regards, Salvatore ^ permalink raw reply [flat|nested] 4+ messages in thread
* CVE-2022-1462: race condition vulnerability in drivers/tty/tty_buffers.c @ 2022-06-01 18:34 Dan Carpenter 0 siblings, 0 replies; 4+ messages in thread From: Dan Carpenter @ 2022-06-01 18:34 UTC (permalink / raw) To: 一只狗, Greg Kroah-Hartman, Jiri Slaby; +Cc: linux-kernel Hi Greg, Jiri, I searched lore.kernel.org and it seemed like CVE-2022-1462 might not have ever been reported to you? Here is the original email with the syzkaller reproducer. https://seclists.org/oss-sec/2022/q2/155 The reporter proposed a fix, but it won't work. Smatch says that some of the callers are already holding the port->lock. For example, sci_dma_rx_complete() will deadlock. regards, dan carpenter ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-06-22 14:27 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <20220602024857.4808-1-hdanton@sina.com>
2022-06-02 4:48 ` CVE-2022-1462: race condition vulnerability in drivers/tty/tty_buffers.c Jiri Slaby
2022-06-15 10:47 ` Jiri Slaby
2022-06-22 14:27 ` Salvatore Bonaccorso
2022-06-01 18:34 Dan Carpenter
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).