forge/linux-uconsole
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions
linux-uconsole/drivers
History
DaeRyong Jeong 6dbfa9b5ae tty: Fix data race in tty_insert_flip_string_fixed_flag 
[ Upstream commit b6da31b2c0 ]

Unlike normal serials, in pty layer, there is no guarantee that multiple
threads don't insert input characters at the same time. If it is happened,
tty_insert_flip_string_fixed_flag can be executed concurrently. This can
lead slab out-of-bounds write in tty_insert_flip_string_fixed_flag.

Call sequences are as follows.
CPU0                                    CPU1
n_tty_ioctl_helper                      n_tty_ioctl_helper
__start_tty                             tty_send_xchar
tty_wakeup                              pty_write
n_hdlc_tty_wakeup                       tty_insert_flip_string
n_hdlc_send_frames                      tty_insert_flip_string_fixed_flag
pty_write
tty_insert_flip_string
tty_insert_flip_string_fixed_flag

To fix the race, acquire port->lock in pty_write() before it inserts input
characters to tty buffer. It prevents multiple threads from inserting
input characters concurrently.

The crash log is as follows:
BUG: KASAN: slab-out-of-bounds in tty_insert_flip_string_fixed_flag+0xb5/
0x130 drivers/tty/tty_buffer.c:316 at addr ffff880114fcc121
Write of size 1792 by task syz-executor0/30017
CPU: 1 PID: 30017 Comm: syz-executor0 Not tainted 4.8.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
 0000000000000000 ffff88011638f888 ffffffff81694cc3 ffff88007d802140
 ffff880114fcb300 ffff880114fcc300 ffff880114fcb300 ffff88011638f8b0
 ffffffff8130075c ffff88011638f940 ffff88007d802140 ffff880194fcc121
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xb3/0x110 lib/dump_stack.c:51
 kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
 print_address_description mm/kasan/report.c:194 [inline]
 kasan_report_error+0x1f7/0x4e0 mm/kasan/report.c:283
 kasan_report+0x36/0x40 mm/kasan/report.c:303
 check_memory_region_inline mm/kasan/kasan.c:292 [inline]
 check_memory_region+0x13e/0x1a0 mm/kasan/kasan.c:299
 memcpy+0x37/0x50 mm/kasan/kasan.c:335
 tty_insert_flip_string_fixed_flag+0xb5/0x130 drivers/tty/tty_buffer.c:316
 tty_insert_flip_string include/linux/tty_flip.h:35 [inline]
 pty_write+0x7f/0xc0 drivers/tty/pty.c:115
 n_hdlc_send_frames+0x1d4/0x3b0 drivers/tty/n_hdlc.c:419
 n_hdlc_tty_wakeup+0x73/0xa0 drivers/tty/n_hdlc.c:496
 tty_wakeup+0x92/0xb0 drivers/tty/tty_io.c:601
 __start_tty.part.26+0x66/0x70 drivers/tty/tty_io.c:1018
 __start_tty+0x34/0x40 drivers/tty/tty_io.c:1013
 n_tty_ioctl_helper+0x146/0x1e0 drivers/tty/tty_ioctl.c:1138
 n_hdlc_tty_ioctl+0xb3/0x2b0 drivers/tty/n_hdlc.c:794
 tty_ioctl+0xa85/0x16d0 drivers/tty/tty_io.c:2992
 vfs_ioctl fs/ioctl.c:43 [inline]
 do_vfs_ioctl+0x13e/0xba0 fs/ioctl.c:679
 SYSC_ioctl fs/ioctl.c:694 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 entry_SYSCALL_64_fastpath+0x1f/0xbd

Signed-off-by: DaeRyong Jeong <threeearcat@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-08-06 16:24:36 +02:00
..
accessibility
acpi PCI: pciehp: Request control of native hotplug only if supported 2018-08-06 16:24:34 +02:00
amba ARM: amba: Don't read past the end of sysfs "driver_override" buffer 2018-05-02 07:53:42 -07:00
android binder: add missing binder_unlock() 2018-02-28 10:17:23 +01:00
ata ahci: Disable LPM on Lenovo 50 series laptops with a too old BIOS 2018-07-17 11:31:43 +02:00
atm atm: zatm: Fix potential Spectre v1 2018-07-22 14:25:52 +02:00
auxdisplay
base driver core: Partially revert "driver core: correct device's shutdown order" 2018-07-28 07:45:03 +02:00
bcma
block loop: remember whether sysfs_create_group() was done 2018-07-17 11:31:46 +02:00
bluetooth Bluetooth: btusb: Add a new Realtek 8723DE ID 2ff8:b011 2018-08-06 16:24:32 +02:00
bus bus: brcmstb_gisb: correct support for 64-bit address output 2018-04-13 19:50:05 +02:00
cdrom cdrom: do not call check_disk_change() inside cdrom_open() 2018-05-30 07:49:13 +02:00
char ipmi:bt: Set the timeout before doing a capabilities check 2018-07-03 11:21:28 +02:00
clk clk: tegra: Fix PLL_U post divider and initial rate on Tegra30 2018-07-25 10:18:32 +02:00
clocksource clocksource/drivers/fsl_ftm_timer: Fix error return checking 2018-05-30 07:49:01 +02:00
connector
cpufreq cpufreq: Fix new policy initialization during limits updates via sysfs 2018-07-03 11:21:26 +02:00
cpuidle cpuidle: powernv: Fix promotion from snooze if next state disabled 2018-07-03 11:21:29 +02:00
crypto crypto: crypto4xx - fix crypto4xx_build_pdr, crypto4xx_build_sdr leak 2018-07-22 14:25:52 +02:00
dca
devfreq PM / devfreq: Propagate error from devfreq_add_device() 2018-02-22 15:44:58 +01:00
dio
dma dmaengine: usb-dmac: fix endless loop in usb_dmac_chan_terminate_all() 2018-06-06 16:46:22 +02:00
dma-buf
edac EDAC, mv64x60: Fix an error handling path 2018-04-13 19:50:23 +02:00
eisa
extcon extcon: palmas: Check the parent instance to prevent the NULL 2017-11-21 09:21:18 +01:00
firewire firewire-ohci: work around oversized DMA reads on JMicron controllers 2018-05-30 07:48:52 +02:00
firmware firmware: dmi_scan: Fix handling of empty DMI strings 2018-05-30 07:48:56 +02:00
fmc
fpga
gpio gpio: No NULL owner 2018-06-16 09:54:26 +02:00
gpu drm/radeon: fix mode_valid's return type 2018-08-06 16:24:35 +02:00
hid HID: i2c-hid: check if device is there before really probing 2018-08-06 16:24:36 +02:00
hsi HSI: ssi_protocol: double free in ssip_pn_xmit() 2018-03-24 10:58:42 +01:00
hv Drivers: hv: vmbus: fix build warning 2018-02-25 11:03:46 +01:00
hwmon hwmon: (pmbus/adm1275) Accept negative page register values 2018-05-30 07:49:13 +02:00
hwspinlock
hwtracing hwtracing: stm: fix build error on some arches 2018-06-06 16:46:23 +02:00
i2c i2c: rcar: fix resume by always initializing registers before transfer 2018-07-11 16:03:47 +02:00
ide cdrom: do not call check_disk_change() inside cdrom_open() 2018-05-30 07:49:13 +02:00
idle idle: i7300: add PCI dependency 2018-02-25 11:03:51 +01:00
iio iio:buffer: make length types match kfifo types 2018-07-03 11:21:30 +02:00
infiniband RDMA/mad: Convert BUG_ONs to error flows 2018-08-06 16:24:31 +02:00
input Input: elan_i2c - add another ACPI ID for Lenovo Ideapad 330-15AST 2018-08-06 16:24:29 +02:00
iommu x86/cpufeature: Remove unused and seldomly used cpu_has_xx macros 2018-06-16 09:54:24 +02:00
ipack
irqchip irqchip/gic-v3: Change pr_debug message to pr_devel 2018-05-30 07:48:57 +02:00
isdn isdn: eicon: fix a missing-check bug 2018-06-13 16:15:28 +02:00
leds leds: pca955x: Correct I2C Functionality 2018-04-13 19:50:09 +02:00
lguest
lightnvm
macintosh
mailbox mailbox: handle empty message in tx_tick 2017-08-06 19:19:41 -07:00
mcb
md md: fix NULL dereference of mddev->pers in remove_and_add_spares() 2018-08-06 16:24:35 +02:00
media media: smiapp: fix timeout checking in smiapp_read_nvm 2018-08-06 16:24:35 +02:00
memory ARM: OMAP2+: gpmc-onenand: propagate error on initialization failure 2017-12-16 10:33:51 +01:00
memstick
message scsi: mptfusion: Add bounds check in mptctl_hp_targetinfo() 2018-05-30 07:48:58 +02:00
mfd mfd: cros_ec: Fail early if we cannot identify the EC 2018-08-06 16:24:32 +02:00
misc vmw_balloon: fix inflation with batching 2018-07-17 11:31:43 +02:00
mmc mmc: sdhci-iproc: fix 32bit writes for TRANSFER_MODE register 2018-05-30 07:48:51 +02:00
mtd ubi: fastmap: Erase outdated anchor PEBs during attach 2018-07-25 10:18:33 +02:00
net mwifiex: correct histogram data with appropriate index 2018-08-06 16:24:34 +02:00
nfc NFC: nfcmrvl: double free on error path 2018-03-22 09:23:23 +01:00
ntb ntb_transport: Fix bug with max_mw_size parameter 2018-05-30 07:48:55 +02:00
nubus
nvdimm linvdimm, pmem: Preserve read-only setting for pmem devices 2018-07-03 11:21:31 +02:00
nvme nvme-pci: initialize queue memory before interrupts 2018-07-11 16:03:47 +02:00
nvmem nvmem: imx-ocotp: Fix wrong register size 2017-08-06 19:19:46 -07:00
of of: unittest: for strings, account for trailing \0 in property length field 2018-07-03 11:21:29 +02:00
oprofile
parisc parisc/pci: Switch LBA PCI bus from Hard Fail to Soft Fail mode 2018-05-30 07:49:10 +02:00
parport parport_pc: Add support for WCH CH382L PCI-E single parallel port card. 2018-04-08 11:52:00 +02:00
pci PCI: Prevent sysfs disable of device while driver is attached 2018-08-06 16:24:33 +02:00
pcmcia
perf drivers/perf: arm_pmu: handle no platform_device 2018-03-22 09:23:26 +01:00
phy phy: work around 'phys' references to usb-nop-xceiv devices 2018-01-23 19:50:16 +01:00
pinctrl pinctrl: at91-pio4: add missing of_node_put 2018-08-06 16:24:34 +02:00
platform platform/chrome: Use proper protocol transfer function 2018-03-24 10:58:47 +01:00
pnp
power power: supply: pda_power: move from timer to delayed_work 2018-03-24 10:58:45 +01:00
powercap PowerCap: Fix an error code in powercap_register_zone() 2018-04-13 19:50:05 +02:00
pps
ps3
ptp ptp: fix missing break in switch 2018-07-25 10:18:17 +02:00
pwm pwm: tegra: Increase precision in PWM rate calculation 2018-03-22 09:23:27 +01:00
rapidio
ras
regulator regulator: pfuze100: add .is_enable() for pfuze100_swb_regulator_ops 2018-08-06 16:24:35 +02:00
remoteproc
reset
rpmsg
rtc rtc: ensure rtc_set_alarm fails when alarms are not supported 2018-08-06 16:24:30 +02:00
s390 scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread 2018-07-03 11:21:31 +02:00
sbus
scsi scsi: ufs: fix exception event handling 2018-08-06 16:24:35 +02:00
sfi
sh
sn
soc
spi spi: Fix scatterlist elements size in spi_map_buf 2018-07-03 11:21:35 +02:00
spmi spmi: Include OF based modalias in device uevent 2017-07-27 15:06:10 -07:00
ssb ssb: mark ssb_bus_register as __maybe_unused 2018-02-25 11:03:44 +01:00
staging staging: comedi: quatech_daqp_cs: fix no-op loop daqp_ao_insn_write() 2018-07-11 16:03:51 +02:00
target tcm_fileio: Prevent information leak for short reads 2018-03-24 10:58:45 +01:00
tc
thermal thermal: imx: Fix race condition in imx_thermal_probe() 2018-04-24 09:32:08 +02:00
thunderbolt thunderbolt: Resume control channel after hibernation image is created 2018-04-24 09:32:07 +02:00
tty tty: Fix data race in tty_insert_flip_string_fixed_flag 2018-08-06 16:24:36 +02:00
uio
usb usb: gadget: f_fs: Only return delayed status when len is 0 2018-07-28 07:45:03 +02:00
uwb uwb: ensure that endpoint is interrupt 2017-10-12 11:27:35 +02:00
vfio vfio/pci: Virtualize Maximum Read Request Size 2018-04-24 09:32:09 +02:00
vhost vhost_net: validate sock before trying to put its fd 2018-07-22 14:25:53 +02:00
video video: uvesafb: Fix integer overflow in allocation 2018-07-03 11:21:34 +02:00
virt
virtio virtio_balloon: prevent uninitialized variable use 2018-02-25 11:03:42 +01:00
vlynq
vme
w1 1wire: family module autoload fails because of upper/lower case mismatch. 2018-07-03 11:21:27 +02:00
watchdog watchdog: f71808e_wdt: Fix magic close handling 2018-05-30 07:49:03 +02:00
xen xen: Remove unnecessary BUG_ON from __unbind_from_irq() 2018-07-03 11:21:34 +02:00
zorro zorro: Set up z->dev.dma_mask for the DMA API 2018-05-30 07:49:11 +02:00
Kconfig
Makefile usb: build drivers/usb/common/ when USB_SUPPORT is set 2018-02-25 11:03:38 +01:00