Bugzilla – Attachment 34500 Details for
Bug 65372
VUL-0: CVE-2005-0178: kernel: tty/setsid race
[patch]
correct patch
setsid-tty-locking (text/plain), 5.22 KB, created by
Karsten Keil
on 2005-04-14 16:00:54 UTC
Description:
correct patch
Filename:
MIME Type:
Creator:
Karsten Keil
Created:
2005-04-14 16:00:54 UTC
Size:
5.22 KB
>From: Alan Cox <alan@lxorguk.ukuu.org.uk>
>Subject: Fix tty setsid race
>Reference: 65372
>Acked-by: kkeil@suse.de
>
># This is a BitKeeper generated diff -Nru style patch.
>#
># ChangeSet
># 2005/01/06 16:40:16-08:00 alan@lxorguk.ukuu.org.uk
># [PATCH] First cut at setsid/tty locking
>#
># Use the existing "tty_sem" to protect against the process tty changes
># too.
>#
># drivers/char/tty_io.c
># 2005/01/04 11:42:29-08:00 alan@lxorguk.ukuu.org.uk +29 -10
># First cut at setsid/tty locking
>#
># kernel/exit.c
># 2005/01/04 10:45:27-08:00 alan@lxorguk.ukuu.org.uk +2 -0
># First cut at setsid/tty locking
>#
># kernel/sys.c
># 2005/01/04 10:47:32-08:00 alan@lxorguk.ukuu.org.uk +2 -0
># First cut at setsid/tty locking
>#
>diff -urN linux-2.6.8.old/drivers/char/tty_io.c linux-2.6.8/drivers/char/tty_io.c
>--- linux-2.6.8.old/drivers/char/tty_io.c 2005-04-14 17:11:23.772888133 +0200
>+++ linux-2.6.8/drivers/char/tty_io.c 2005-04-14 16:34:25.721931525 +0200
>@@ -579,9 +579,11 @@
>
> lock_kernel();
>
>+ down(&tty_sem);
> tty = current->signal->tty;
> if (tty) {
> tty_pgrp = tty->pgrp;
>+ up(&tty_sem);
> if (on_exit && tty->driver->type != TTY_DRIVER_TYPE_PTY)
> tty_vhangup(tty);
> } else {
>@@ -589,6 +591,7 @@
> kill_pg(current->signal->tty_old_pgrp, SIGHUP, on_exit);
> kill_pg(current->signal->tty_old_pgrp, SIGCONT, on_exit);
> }
>+ up(&tty_sem);
> unlock_kernel();
> return;
> }
>@@ -598,15 +601,19 @@
> kill_pg(tty_pgrp, SIGCONT, on_exit);
> }
>
>+ /* Must lock changes to tty_old_pgrp */
>+ down(&tty_sem);
> current->signal->tty_old_pgrp = 0;
> tty->session = 0;
> tty->pgrp = -1;
>
>+ /* Now clear signal->tty under the lock */
> read_lock(&tasklist_lock);
> do_each_task_pid(current->signal->session, PIDTYPE_SID, p) {
> p->signal->tty = NULL;
> } while_each_task_pid(current->signal->session, PIDTYPE_SID, p);
> read_unlock(&tasklist_lock);
>+ up(&tty_sem);
> unlock_kernel();
> }
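Review bot: In the hunk at @@ -579 the semaphore is dropped right after `tty_pgrp = tty->pgrp`, yet the local `tty` pointer is still dereferenced afterwards (`tty->driver->type`, `tty_vhangup(tty)`) and again at @@ -598 (`tty->session = 0; tty->pgrp = -1;`) once the lock has been re-taken. Nothing in the visible lines takes a reference on the tty, so if it can be released during the unlocked window (which depends on code outside these hunks) the later writes would land on a stale object. Consider re-reading it under the second lock, `tty = current->signal->tty;` followed by `if (tty) { tty->session = 0; tty->pgrp = -1; }`, or add a comment stating what keeps the tty alive across the gap. The function starts above the first hunk.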
>
>@@ -790,12 +797,6 @@
> struct termios *ltp, **ltp_loc, *o_ltp, **o_ltp_loc;
> int retval=0;
>
>- /*
>- * Check whether we need to acquire the tty semaphore to avoid
>- * race conditions. For now, play it safe.
>- */
>- down(&tty_sem);
>-
> /* check whether we're reopening an existing tty */
> if (driver->flags & TTY_DRIVER_DEVPTS_MEM) {
> tty = devpts_get_tty(idx);
>@@ -978,7 +979,6 @@
>
> /* All paths come through here to release the semaphore */
> end_init:
>- up(&tty_sem);
> return retval;
>
> /* Release locally allocated memory ... nothing placed in slots */
>@@ -1174,9 +1174,14 @@
> * each iteration we avoid any problems.
> */
> while (1) {
>+ /* Guard against races with tty->count changes elsewhere and
>+ opens on /dev/tty */
>+
>+ down(&tty_sem);
> tty_closing = tty->count <= 1;
> o_tty_closing = o_tty &&
> (o_tty->count <= (pty_master ? 1 : 0));
>+ up(&tty_sem);
> do_sleep = 0;
>
> if (tty_closing) {
>@@ -1212,6 +1217,8 @@
> * both sides, and we've completed the last operation that could
> * block, so it's safe to proceed with closing.
> */
>+
>+ down(&tty_sem);
> if (pty_master) {
> if (--o_tty->count < 0) {
> printk(KERN_WARNING "release_dev: bad pty slave count "
>@@ -1225,7 +1232,8 @@
> tty->count, tty_name(tty, buf));
> tty->count = 0;
> }
>-
>+ up(&tty_sem);
>+
> /*
> * We've decremented tty->count, so we need to remove this file
> * descriptor off the tty->tty_files list; this serves two
>@@ -1349,10 +1357,14 @@
> noctty = filp->f_flags & O_NOCTTY;
> index = -1;
> retval = 0;
>+
>+ down(&tty_sem);
>
> if (device == MKDEV(TTYAUX_MAJOR,0)) {
>- if (!current->signal->tty)
>+ if (!current->signal->tty) {
>+ up(&tty_sem);
> return -ENXIO;
>+ }
> driver = current->signal->tty->driver;
> index = current->signal->tty->index;
> filp->f_flags |= O_NONBLOCK; /* Don't let /dev/tty block */
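Review bot: `tty_closing` and `o_tty_closing` are sampled under `tty_sem` at @@ -1174, but the semaphore is released before they are acted on, and the counts are only decremented under a separate `down(&tty_sem)` at @@ -1212. The flags can therefore be stale by the time the decrement runs; whether that matters depends on the loop body, which lies outside the hunk. A comment on the added `up(&tty_sem)`, for example `/* snapshot only; re-evaluated on every pass of the loop */`, would record the assumption the locking relies on.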
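Review bot: Every early return in this function now needs its own `up(&tty_sem)`, one here before `return -ENXIO` and two more at @@ -1377, so any exit between the hunks that is not visible here would leave the semaphore held. A single unlock label would make a missed release harder to introduce: set `retval` and `goto out_unlock;`, with `out_unlock: up(&tty_sem); return retval;` serving the error exits. The function body starts before this hunk and continues past @@ -1377.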
>@@ -1377,14 +1389,18 @@
> noctty = 1;
> goto got_driver;
> }
>+ up(&tty_sem);
> return -ENODEV;
> }
>
> driver = get_tty_driver(device, &index);
>- if (!driver)
>+ if (!driver) {
>+ up(&tty_sem);
> return -ENODEV;
>+ }
> got_driver:
> retval = init_dev(driver, index, &tty);
>+ up(&tty_sem);
> if (retval)
> return retval;
>
>@@ -1470,7 +1486,10 @@
> }
> up(&allocated_ptys_lock);
>
>+ down(&tty_sem);
> retval = init_dev(ptm_driver, index, &tty);
>+ up(&tty_sem);
>+
> if (retval)
> goto out;
>
>diff -urN linux-2.6.8.old/kernel/exit.c linux-2.6.8/kernel/exit.c
>--- linux-2.6.8.old/kernel/exit.c 2005-04-14 17:11:23.773887797 +0200
>+++ linux-2.6.8/kernel/exit.c 2005-04-14 16:34:25.722931190 +0200
>@@ -332,7 +332,9 @@
> exit_mm(current);
>
> set_special_pids(1, 1);
>+ down(&tty_sem);
> current->signal->tty = NULL;
>+ up(&tty_sem);
>
> /* Block and flush all signals */
> sigfillset(&blocked);
>diff -urN linux-2.6.8.old/kernel/sys.c linux-2.6.8/kernel/sys.c
>--- linux-2.6.8.old/kernel/sys.c 2005-04-14 17:11:23.775887125 +0200
>+++ linux-2.6.8/kernel/sys.c 2005-04-14 17:14:27.490123136 +0200
>@@ -23,6 +23,7 @@
> #include <linux/security.h>
> #include <linux/dcookies.h>
> #include <linux/suspend.h>
>+#include <linux/tty.h>
>
> #include <asm/uaccess.h>
> #include <asm/io.h>
>@@ -1129,6 +1130,7 @@
> if (!thread_group_leader(current))
> return -EINVAL;
>
>+ down(&tty_sem);
> write_lock_irq(&tasklist_lock);
>
> pid = find_pid(PIDTYPE_PGID, current->pid);
>@@ -1142,6 +1144,7 @@
> err = process_group(current);
> out:
> write_unlock_irq(&tasklist_lock);
>+ up(&tty_sem);
> return err;
> }
>
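Review bot: `init_dev()` no longer takes `tty_sem` itself (the `down`/`up` pair is removed at @@ -790 and @@ -978), so it is only safe when the caller holds the semaphore, as done here and at @@ -1377; that precondition is not written down anywhere in the visible lines. Add a comment above `init_dev` such as `/* Caller must hold tty_sem. */`, and drop or reword the leftover `/* All paths come through here to release the semaphore */` at `end_init`, which no longer describes the code. Any caller of `init_dev` outside this patch would need checking for the same lock.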
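Review bot: The new `down(&tty_sem)` here and in kernel/sys.c at @@ -1129 carry no comment, unlike the tty_io.c hunks. The sys.c one also fixes a lock order, `tty_sem` before `tasklist_lock`, which matters because a semaphore may sleep and cannot be taken once `write_lock_irq` has disabled interrupts. A one-line comment at both sites, for example `/* tty_sem protects signal->tty; take it before tasklist_lock */`, would document that. The enclosing functions start outside the hunks.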
Attachments on
bug 65372
:
28091
| 34500 |
34570