diff options
author | Jiri Olsa <jolsa@redhat.com> | 2010-11-08 13:01:47 -0500 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2010-11-09 18:02:02 -0500 |
commit | e045fec48970df84647a47930fcf7a22ff7229c0 (patch) | |
tree | 166eeaf241f594ab70f6cc4da80d3b194228f931 /drivers/tty | |
parent | c9bd9d01db02319c33767da5ee310ea37afda059 (diff) |
tty: prevent DOS in the flush_to_ldisc
There's a small window inside the flush_to_ldisc function,
where the tty is unlocked and calling ldisc's receive_buf
function. If in this window new buffer is added to the tty,
the processing might never leave the flush_to_ldisc function.
This scenario will hog the cpu, causing other tty processing
starving, and making it impossible to interface the computer
via tty.
I was able to exploit this via pty interface by sending only
control characters to the master input, causing the flush_to_ldisc
to be scheduled, but never actually generate any output.
To reproduce, please run multiple instances of following code.
- SNIP
#define _XOPEN_SOURCE
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
int main(int argc, char **argv)
{
int i, slave, master = getpt();
char buf[8192];
sprintf(buf, "%s", ptsname(master));
grantpt(master);
unlockpt(master);
slave = open(buf, O_RDWR);
if (slave < 0) {
perror("open slave failed");
return 1;
}
for(i = 0; i < sizeof(buf); i++)
buf[i] = rand() % 32;
while(1) {
write(master, buf, sizeof(buf));
}
return 0;
}
- SNIP
The attached patch (based on -next tree) fixes this by checking on the
tty buffer tail. Once it's reached, the current work is rescheduled
and another could run.
Signed-off-by: Jiri Olsa <jolsa@redhat.com>
Cc: stable <stable@kernel.org>
Acked-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'drivers/tty')
-rw-r--r-- | drivers/tty/tty_buffer.c | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/drivers/tty/tty_buffer.c b/drivers/tty/tty_buffer.c index cc1e9850d65..d8210ca0072 100644 --- a/drivers/tty/tty_buffer.c +++ b/drivers/tty/tty_buffer.c | |||
@@ -413,7 +413,8 @@ static void flush_to_ldisc(struct work_struct *work) | |||
413 | spin_lock_irqsave(&tty->buf.lock, flags); | 413 | spin_lock_irqsave(&tty->buf.lock, flags); |
414 | 414 | ||
415 | if (!test_and_set_bit(TTY_FLUSHING, &tty->flags)) { | 415 | if (!test_and_set_bit(TTY_FLUSHING, &tty->flags)) { |
416 | struct tty_buffer *head; | 416 | struct tty_buffer *head, *tail = tty->buf.tail; |
417 | int seen_tail = 0; | ||
417 | while ((head = tty->buf.head) != NULL) { | 418 | while ((head = tty->buf.head) != NULL) { |
418 | int count; | 419 | int count; |
419 | char *char_buf; | 420 | char *char_buf; |
@@ -423,6 +424,15 @@ static void flush_to_ldisc(struct work_struct *work) | |||
423 | if (!count) { | 424 | if (!count) { |
424 | if (head->next == NULL) | 425 | if (head->next == NULL) |
425 | break; | 426 | break; |
427 | /* | ||
428 | There's a possibility tty might get new buffer | ||
429 | added during the unlock window below. We could | ||
430 | end up spinning in here forever hogging the CPU | ||
431 | completely. To avoid this let's have a rest each | ||
432 | time we processed the tail buffer. | ||
433 | */ | ||
434 | if (tail == head) | ||
435 | seen_tail = 1; | ||
426 | tty->buf.head = head->next; | 436 | tty->buf.head = head->next; |
427 | tty_buffer_free(tty, head); | 437 | tty_buffer_free(tty, head); |
428 | continue; | 438 | continue; |
@@ -432,7 +442,7 @@ static void flush_to_ldisc(struct work_struct *work) | |||
432 | line discipline as we want to empty the queue */ | 442 | line discipline as we want to empty the queue */ |
433 | if (test_bit(TTY_FLUSHPENDING, &tty->flags)) | 443 | if (test_bit(TTY_FLUSHPENDING, &tty->flags)) |
434 | break; | 444 | break; |
435 | if (!tty->receive_room) { | 445 | if (!tty->receive_room || seen_tail) { |
436 | schedule_delayed_work(&tty->buf.work, 1); | 446 | schedule_delayed_work(&tty->buf.work, 1); |
437 | break; | 447 | break; |
438 | } | 448 | } |