** Description changed:

  The tty atomic_write_lock does not provide an exclusion guarantee for
- the tty driver if the termios settings are LECHO & !OPOST. And since
- it is unexpected and not allowed to call TTY buffer helpers like
+ the tty driver if the termios settings are LECHO & !OPOST. And since it
+ is unexpected and not allowed to call TTY buffer helpers like
  tty_insert_flip_string concurrently, this may lead to crashes when
  concurrect writers call pty_write. In that case the following two
- writers:
-  * the ECHOing from a workqueue and
-  * pty_write from the process
- race and can overflow the corresponding TTY buffer like follows.
- 
- If we look into tty_insert_flip_string_fixed_flag, there is:
-   int space = __tty_buffer_request_room(port, goal, flags);
-   struct tty_buffer *tb = port->buf.tail;
-   ...
-   memcpy(char_buf_ptr(tb, tb->used), chars, space);
-   ...
-   tb->used += space;
- 
- so the race of the two can result in something like this:
-   A                                B
-   __tty_buffer_request_room
-                                    __tty_buffer_request_room
-   memcpy(buf(tb->used), ...)
-   tb->used += space;
-                                    memcpy(buf(tb->used), ...) ->BOOM
- 
- B's memcpy is past the tty_buffer due to the previous A's tb->used
- increment.
- 
- Since the N_TTY line discipline input processing can output
- concurrently with a tty write, obtain the N_TTY ldisc output_lock to
- serialize echo output with normal tty writes. This ensures the tty
- buffer helper tty_insert_flip_string is not called concurrently and
- everything is fine.
- 
- Note that this is nicely reproducible by an ordinary user using
- forkpty and some setup around that (raw termios + ECHO). And it is
- exploitable in kernels at least after commit
- d945cb9cce20ac7143c2de8d88b187f62db99bdc (pty: Rework the pty layer to
- use the normal buffering logic) in 2.6.31-rc3.
- 
- js: add more info to the commit log
- js: switch to bool
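The race and its fix, modelled in user space as an added example (this is not code from the kernel or from the bug report): request_room and commit stand in for the two halves of tty_insert_flip_string_fixed_flag, with the memcpy past the end of the buffer replaced by an overflow counter so the model stays memory-safe; replay_race reproduces the A/B interleaving from the description, and serialized_writes applies the fix by holding a mutex (standing in for the N_TTY output_lock) across both steps. The 16-byte capacity and the 10-byte writes are constructed values.

```c
#include <pthread.h>
#include <string.h>
#define CAP 16   /* capacity of the modelled tty_buffer (constructed value) */
struct flipbuf { char data[CAP]; int used; int overflow; };
static const char payload[CAP];   /* what is copied does not matter for the race */

/* stand-in for __tty_buffer_request_room(): how many bytes fit after 'used' */
static int request_room(const struct flipbuf *b, int goal)
{
    int space = CAP - b->used;
    return goal < space ? goal : space;
}

/* stand-in for the "memcpy(...); tb->used += space;" tail of tty_insert_flip_string_fixed_flag();
 * where the real memcpy would run past the end of the buffer, the model records an overflow */
static void commit(struct flipbuf *b, int space)
{
    if (b->used + space > CAP) { b->overflow++; return; }
    memcpy(b->data + b->used, payload, space);
    b->used += space;
}

/* the interleaving from the bug report: A and B both size their copy before either commits */
int replay_race(void)
{
    struct flipbuf b = {0};
    int space_a = request_room(&b, 10);  /* A: 16 free -> 10 */
    int space_b = request_room(&b, 10);  /* B: still 16 free -> 10 */
    commit(&b, space_a);                 /* A: used becomes 10 */
    commit(&b, space_b);                 /* B: 10 + 10 > 16, past the tty_buffer */
    return b.overflow;                   /* 1: B's copy would have run off the end */
}

/* the fix: the whole size-then-copy sequence runs under one lock (output_lock in the patch) */
static pthread_mutex_t output_lock = PTHREAD_MUTEX_INITIALIZER;
static void *writer(void *arg)
{
    pthread_mutex_lock(&output_lock);
    commit(arg, request_room(arg, 10));
    pthread_mutex_unlock(&output_lock);
    return NULL;
}

int serialized_writes(void)
{
    struct flipbuf b = {0};
    pthread_t ta, tb;
    pthread_create(&ta, NULL, writer, &b);
    pthread_create(&tb, NULL, writer, &b);
    pthread_join(ta, NULL); pthread_join(tb, NULL);
    return b.overflow ? -1 : b.used;     /* 16: the second writer is clipped to the 6 bytes left */
}
```

Whichever thread wins the lock in serialized_writes, the loser sees the updated used count and is clipped, which is exactly the guarantee the echo path lacked before the fix.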
-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-armadaxp in Ubuntu.
https://bugs.launchpad.net/bugs/1314762

Title:
  n_tty_write crash when echoing in raw mode

Status in “linux” package in Ubuntu:
  New
Status in “linux-armadaxp” package in Ubuntu:
  New
Status in “linux-ec2” package in Ubuntu:
  New
Status in “linux-fsl-imx51” package in Ubuntu:
  New
Status in “linux-lts-quantal” package in Ubuntu:
  New
Status in “linux-lts-raring” package in Ubuntu:
  New
Status in “linux-lts-saucy” package in Ubuntu:
  New
Status in “linux-mvl-dove” package in Ubuntu:
  New
Status in “linux-ti-omap4” package in Ubuntu:
  New

Bug description:
  The tty atomic_write_lock does not provide an exclusion guarantee for
  the tty driver if the termios settings are LECHO & !OPOST. And since it
  is unexpected and not allowed to call TTY buffer helpers like
  tty_insert_flip_string concurrently, this may lead to crashes when
  concurrent writers call pty_write. In that case the following two

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1314762/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

