linux/drivers/tty
DaeRyong Jeong 6dbfa9b5ae tty: Fix data race in tty_insert_flip_string_fixed_flag
[ Upstream commit b6da31b2c0 ]

Unlike normal serial drivers, in the pty layer there is no guarantee that multiple
threads don't insert input characters at the same time. If that happens,
tty_insert_flip_string_fixed_flag can be executed concurrently. This can
lead to a slab out-of-bounds write in tty_insert_flip_string_fixed_flag.

Call sequences are as follows.
CPU0                                    CPU1
n_tty_ioctl_helper                      n_tty_ioctl_helper
__start_tty                             tty_send_xchar
tty_wakeup                              pty_write
n_hdlc_tty_wakeup                       tty_insert_flip_string
n_hdlc_send_frames                      tty_insert_flip_string_fixed_flag
pty_write
tty_insert_flip_string
tty_insert_flip_string_fixed_flag

To fix the race, acquire port->lock in pty_write() before it inserts input
characters into the tty buffer. It prevents multiple threads from inserting
input characters concurrently.

The crash log is as follows:
BUG: KASAN: slab-out-of-bounds in tty_insert_flip_string_fixed_flag+0xb5/0x130 drivers/tty/tty_buffer.c:316 at addr ffff880114fcc121
Write of size 1792 by task syz-executor0/30017
CPU: 1 PID: 30017 Comm: syz-executor0 Not tainted 4.8.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
 0000000000000000 ffff88011638f888 ffffffff81694cc3 ffff88007d802140
 ffff880114fcb300 ffff880114fcc300 ffff880114fcb300 ffff88011638f8b0
 ffffffff8130075c ffff88011638f940 ffff88007d802140 ffff880194fcc121
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xb3/0x110 lib/dump_stack.c:51
 kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
 print_address_description mm/kasan/report.c:194 [inline]
 kasan_report_error+0x1f7/0x4e0 mm/kasan/report.c:283
 kasan_report+0x36/0x40 mm/kasan/report.c:303
 check_memory_region_inline mm/kasan/kasan.c:292 [inline]
 check_memory_region+0x13e/0x1a0 mm/kasan/kasan.c:299
 memcpy+0x37/0x50 mm/kasan/kasan.c:335
 tty_insert_flip_string_fixed_flag+0xb5/0x130 drivers/tty/tty_buffer.c:316
 tty_insert_flip_string include/linux/tty_flip.h:35 [inline]
 pty_write+0x7f/0xc0 drivers/tty/pty.c:115
 n_hdlc_send_frames+0x1d4/0x3b0 drivers/tty/n_hdlc.c:419
 n_hdlc_tty_wakeup+0x73/0xa0 drivers/tty/n_hdlc.c:496
 tty_wakeup+0x92/0xb0 drivers/tty/tty_io.c:601
 __start_tty.part.26+0x66/0x70 drivers/tty/tty_io.c:1018
 __start_tty+0x34/0x40 drivers/tty/tty_io.c:1013
 n_tty_ioctl_helper+0x146/0x1e0 drivers/tty/tty_ioctl.c:1138
 n_hdlc_tty_ioctl+0xb3/0x2b0 drivers/tty/n_hdlc.c:794
 tty_ioctl+0xa85/0x16d0 drivers/tty/tty_io.c:2992
 vfs_ioctl fs/ioctl.c:43 [inline]
 do_vfs_ioctl+0x13e/0xba0 fs/ioctl.c:679
 SYSC_ioctl fs/ioctl.c:694 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 entry_SYSCALL_64_fastpath+0x1f/0xbd

Signed-off-by: DaeRyong Jeong <threeearcat@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-08-06 16:24:36 +02:00
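The race the commit message describes, as an added C model that is not kernel code: each CPU's insert is split into the room check and the copy, and the schedule "0110" is the CPU0/CPU1 interleaving from the call-sequence table above. The 64-byte buffer, the lock modelled as an owner id and the overflow counter are constructed stand-ins for the flip buffer, port->lock and KASAN.

```c
#include <stdbool.h>
#include <string.h>
#define FLIP_SIZE 64   /* constructed: a small stand-in for a flip buffer slab */

/* Toy model of one tty flip buffer (tb->size / tb->used in tty_buffer.c). */
struct flip_buf { char data[FLIP_SIZE]; int used; int overflows; };
/* One CPU inside pty_write() -> tty_insert_flip_string_fixed_flag(). The insert
 * is two steps: ROOM (how much space is left) and COPY (memcpy at the current
 * cursor, then advance it). */
enum phase { ROOM, COPY, DONE };
struct cpu { enum phase phase; int want; int space; };

static int lock_owner = -1;   /* stands in for port->lock; -1 means not held */

/* Advance CPU `id` by one step. With `locked` (pty_write after the fix), the
 * lock is held from ROOM through COPY, so the other CPU is blocked in between.
 * Without it, the stale `space` from ROOM is copied at a cursor the other CPU
 * has since moved: that is the slab out-of-bounds write KASAN reported. The
 * toy refuses and counts such a write instead of corrupting memory. */
static bool step(struct flip_buf *tb, struct cpu *c, int id, bool locked) {
    if (c->phase == DONE) return false;
    if (locked && lock_owner != -1 && lock_owner != id) return false; /* blocked */
    if (c->phase == ROOM) {
        if (locked) lock_owner = id;
        c->space = FLIP_SIZE - tb->used;                 /* __tty_buffer_request_room */
        if (c->want < c->space) c->space = c->want;
        c->phase = COPY;
    } else {
        if (tb->used + c->space > FLIP_SIZE) tb->overflows++;   /* KASAN would fire */
        else { memset(tb->data + tb->used, 'x', c->space); tb->used += c->space; }
        if (locked) lock_owner = -1;
        c->phase = DONE;
    }
    return true;
}

/* Run two writers of `n` bytes each in the step order given by `order`
 * ('0' = CPU0, '1' = CPU1), then let whoever is left finish round-robin.
 * Returns how many copies would have run past the end of the buffer. */
int run_schedule(const char *order, int n, bool locked) {
    struct flip_buf tb = { .used = 0, .overflows = 0 };
    struct cpu c[2] = { { ROOM, n, 0 }, { ROOM, n, 0 } };
    lock_owner = -1;
    for (const char *p = order; *p == '0' || *p == '1'; p++)
        step(&tb, &c[*p - '0'], *p - '0', locked);
    while (c[0].phase != DONE || c[1].phase != DONE)
        for (int id = 0; id < 2; id++) step(&tb, &c[id], id, locked);
    return tb.overflows;
}
```

With the lock, the interleaved schedule degenerates into the serial one, which is exactly what holding port->lock across the insert in pty_write() buys.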
hvc hvc_opal: don't set tb_ticks_per_usec in udbg_init_opal_common() 2018-08-06 16:24:31 +02:00
ipwireless
serial serial: sh-sci: Use spin_{try}lock_irqsave instead of open coding version 2018-07-03 11:21:26 +02:00
vt vt: change SGR 21 to follow the standards 2018-04-08 11:52:01 +02:00
amiserial.c
bfin_jtag_comm.c
cyclades.c
ehv_bytechan.c
goldfish.c Revert "tty: goldfish: Fix a parameter of a call to free_irq" 2017-10-21 17:09:06 +02:00
isicom.c
Kconfig tty: cyclades: cyz_interrupt is only used for PCI 2018-02-25 11:03:48 +01:00
Makefile
metag_da.c
mips_ejtag_fdc.c
moxa.c
moxa.h
mxser.c
mxser.h
n_gsm.c tty: n_gsm: Fix DLCI handling for ADM mode if debug & 2 is not set 2018-05-02 07:53:40 -07:00
n_hdlc.c tty: n_hdlc: get rid of racy n_hdlc.tbuf 2017-03-15 09:57:10 +08:00
n_r3964.c
n_tracerouter.c
n_tracesink.c
n_tracesink.h
n_tty.c n_tty: Access echo_* variables carefully. 2018-07-11 16:03:47 +02:00
nozomi.c tty: nozomi: avoid a harmless gcc warning 2017-04-30 05:49:27 +02:00
pty.c tty: Fix data race in tty_insert_flip_string_fixed_flag 2018-08-06 16:24:36 +02:00
rocket_int.h
rocket.c
rocket.h
synclink_gt.c
synclink.c
synclinkmp.c
sysrq.c sysrq: Fix warning in sysrq generated crash. 2018-01-17 09:35:28 +01:00
tty_audit.c
tty_buffer.c tty: fix __tty_insert_flip_char regression 2017-09-27 11:00:13 +02:00
tty_io.c tty: Don't call panic() at tty_ldisc_init() 2018-05-02 07:53:40 -07:00
tty_ioctl.c
tty_ldisc.c tty: Use __GFP_NOFAIL for tty_ldisc_get() 2018-05-02 07:53:41 -07:00
tty_ldsem.c
tty_mutex.c tty: Drop krefs for interrupted tty lock 2017-06-14 13:16:26 +02:00
tty_port.c