From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, DaeRyong Jeong, Sasha Levin
Subject: [PATCH 4.14 147/246] tty: Fix data race in tty_insert_flip_string_fixed_flag
Date: Wed, 1 Aug 2018 18:50:57 +0200
Message-Id: <20180801165018.767325472@linuxfoundation.org>
In-Reply-To: <20180801165011.700991984@linuxfoundation.org>
References: <20180801165011.700991984@linuxfoundation.org>
X-Mailer: git-send-email 2.18.0
User-Agent: quilt/0.65
X-stable: review
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------
From: DaeRyong Jeong

[ Upstream commit b6da31b2c07c46f2dcad1d86caa835227a16d9ff ]

Unlike normal serial devices, in the pty layer there is no guarantee that
multiple threads don't insert input characters at the same time. If that
happens, tty_insert_flip_string_fixed_flag can be executed concurrently.
This can lead to a slab out-of-bounds write in
tty_insert_flip_string_fixed_flag.

Call sequences are as follows.

CPU0                                    CPU1
n_tty_ioctl_helper                      n_tty_ioctl_helper
__start_tty                             tty_send_xchar
tty_wakeup                              pty_write
n_hdlc_tty_wakeup                       tty_insert_flip_string
n_hdlc_send_frames                      tty_insert_flip_string_fixed_flag
pty_write
tty_insert_flip_string
tty_insert_flip_string_fixed_flag

To fix the race, acquire port->lock in pty_write() before it inserts input
characters into the tty buffer. It prevents multiple threads from inserting
input characters concurrently.

The crash log is as follows:

BUG: KASAN: slab-out-of-bounds in tty_insert_flip_string_fixed_flag+0xb5/0x130 drivers/tty/tty_buffer.c:316 at addr ffff880114fcc121
Write of size 1792 by task syz-executor0/30017
CPU: 1 PID: 30017 Comm: syz-executor0 Not tainted 4.8.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
 0000000000000000 ffff88011638f888 ffffffff81694cc3 ffff88007d802140
 ffff880114fcb300 ffff880114fcc300 ffff880114fcb300 ffff88011638f8b0
 ffffffff8130075c ffff88011638f940 ffff88007d802140 ffff880194fcc121
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xb3/0x110 lib/dump_stack.c:51
 kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
 print_address_description mm/kasan/report.c:194 [inline]
 kasan_report_error+0x1f7/0x4e0 mm/kasan/report.c:283
 kasan_report+0x36/0x40 mm/kasan/report.c:303
 check_memory_region_inline mm/kasan/kasan.c:292 [inline]
 check_memory_region+0x13e/0x1a0 mm/kasan/kasan.c:299
 memcpy+0x37/0x50 mm/kasan/kasan.c:335
 tty_insert_flip_string_fixed_flag+0xb5/0x130 drivers/tty/tty_buffer.c:316
 tty_insert_flip_string include/linux/tty_flip.h:35 [inline]
 pty_write+0x7f/0xc0 drivers/tty/pty.c:115
 n_hdlc_send_frames+0x1d4/0x3b0 drivers/tty/n_hdlc.c:419
 n_hdlc_tty_wakeup+0x73/0xa0 drivers/tty/n_hdlc.c:496
 tty_wakeup+0x92/0xb0 drivers/tty/tty_io.c:601
 __start_tty.part.26+0x66/0x70 drivers/tty/tty_io.c:1018
 __start_tty+0x34/0x40 drivers/tty/tty_io.c:1013
 n_tty_ioctl_helper+0x146/0x1e0 drivers/tty/tty_ioctl.c:1138
 n_hdlc_tty_ioctl+0xb3/0x2b0 drivers/tty/n_hdlc.c:794
 tty_ioctl+0xa85/0x16d0 drivers/tty/tty_io.c:2992
 vfs_ioctl fs/ioctl.c:43 [inline]
 do_vfs_ioctl+0x13e/0xba0 fs/ioctl.c:679
 SYSC_ioctl fs/ioctl.c:694 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 entry_SYSCALL_64_fastpath+0x1f/0xbd

Signed-off-by: DaeRyong Jeong
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman
---
 drivers/tty/pty.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/tty/pty.c +++ b/drivers/tty/pty.c @@ -110,16 +110,19 @@ static void pty_unthrottle(struct tty_st static int pty_write(struct tty_struct *tty, const unsigned char *buf, int c) { struct tty_struct *to = tty->link; + unsigned long flags; if (tty->stopped) return 0; if (c > 0) { + spin_lock_irqsave(&to->port->lock, flags); /* Stuff the data into the input queue of the other end */ c = tty_insert_flip_string(to->port, buf, c); /* And shovel */ if (c) tty_flip_buffer_push(to->port); + spin_unlock_irqrestore(&to->port->lock, flags); } return c; }
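Review bot: the new spin_lock_irqsave(&to->port->lock, flags) / spin_unlock_irqrestore(&to->port->lock, flags) pair in pty_write() carries no comment saying what it serializes, and port->lock is not the lock a reader expects to guard flip-buffer insertion in a driver's write path, so a one-liner above the lock, e.g. "/* serialize concurrent writers into the peer's flip buffer; pty_write can run on two CPUs at once (see commit message) */", would stop the next person from removing it as apparently redundant. Two smaller points on the same hunk: the early "if (tty->stopped) return 0;" stays outside the critical section, which is fine because the fix only needs the room check and memcpy in tty_insert_flip_string() to be atomic with respect to other writers, but is worth saying so the lock is not later widened to cover it; and since the section runs with interrupts disabled, nothing placed between the lock and unlock may sleep, which holds for the two calls shown but constrains any future growth of this block.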
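The race the commit message describes, as an added user-space model that is not kernel code and not part of this patch: it keeps the shape of tty_insert_flip_string_fixed_flag() (ask how much room the tail buffer has, memcpy that much at offset `used`, bump `used`), places a redzone after the buffer, replays the CPU0/CPU1 interleaving from the commit message deterministically so the overrun is visible without KASAN, and contrasts the unlocked insert with one that holds a mutex standing in for tty_port->lock across both steps, as the patch does in pty_write(). Every name and size here (flip_buf, flip_request_room, flip_copy, flip_insert_locked, run_two_writers, the 256-byte capacity, the 200-byte payload) is hypothetical; the threaded unlocked run in main() is timing-dependent by nature and is only printed, never relied on.

```c
/* Added example, not kernel code: a user-space model of the check-then-copy
 * sequence in tty_insert_flip_string_fixed_flag() and of the port-lock fix. */
#include <pthread.h>
#include <stdio.h>
#include <string.h>

#define FLIP_SIZE 256 /* payload capacity of the fake tty_buffer (hypothetical) */
#define CHUNK     8   /* bytes per write; divides FLIP_SIZE evenly */

struct flip_buf {
	unsigned char data[FLIP_SIZE];
	unsigned char guard[FLIP_SIZE]; /* redzone: any non-zero byte == OOB write */
	size_t used;
	pthread_mutex_t lock;           /* stands in for tty_port->lock */
};
typedef size_t (*insert_fn)(struct flip_buf *, const unsigned char *, size_t);
static const unsigned char zeros[FLIP_SIZE]; /* what a clean redzone looks like */
#define flip_guard_dirty(b) (memcmp((b)->guard, zeros, FLIP_SIZE) != 0)

/* Step 1: how much of 'want' fits, judged from a snapshot of b->used. */
static size_t flip_request_room(const struct flip_buf *b, size_t want)
{
	size_t space = FLIP_SIZE - b->used;
	return want < space ? want : space;
}

/* Step 2: copy at the *current* offset; the gap since step 1 is the race window. */
static void flip_copy(struct flip_buf *b, const unsigned char *src, size_t n)
{
	memcpy(b->data + b->used, src, n);
	b->used += n;
}

/* Pre-patch pty_write() shape: two callers can interleave steps 1 and 2. */
static size_t flip_insert_unlocked(struct flip_buf *b, const unsigned char *s, size_t n)
{
	n = flip_request_room(b, n);
	flip_copy(b, s, n);
	return n;
}

/* Patched shape: both steps run under the lock, so writers are serialized. */
static size_t flip_insert_locked(struct flip_buf *b, const unsigned char *s, size_t n)
{
	pthread_mutex_lock(&b->lock);
	n = flip_insert_unlocked(b, s, n);
	pthread_mutex_unlock(&b->lock);
	return n;
}

/* Replay the commit message's interleaving deterministically: CPU0 and CPU1 both
 * pass the room check while used == 0, then both copy. Returns bytes past FLIP_SIZE. */
static size_t race_interleaving(void)
{
	struct flip_buf b = { .lock = PTHREAD_MUTEX_INITIALIZER };
	unsigned char payload[200];
	memset(payload, 0xAB, sizeof(payload));
	size_t n0 = flip_request_room(&b, sizeof(payload)); /* CPU0: sees 256 free */
	size_t n1 = flip_request_room(&b, sizeof(payload)); /* CPU1: also sees 256 free */
	flip_copy(&b, payload, n0); /* CPU0 fills data[0..200) */
	flip_copy(&b, payload, n1); /* CPU1 writes [200..400): 144 bytes hit the redzone */
	return flip_guard_dirty(&b) && b.used > FLIP_SIZE ? b.used - FLIP_SIZE : 0;
}

struct writer_arg { struct flip_buf *b; insert_fn insert; size_t written; };
static void *writer(void *p)
{
	struct writer_arg *w = p;
	unsigned char chunk[CHUNK];
	memset(chunk, 0xCD, sizeof(chunk));
	for (int i = 0; i < 1000; i++)
		w->written += w->insert(w->b, chunk, sizeof(chunk));
	return NULL;
}

/* Two threads hammer one buffer through 'insert'. Returns the final 'used' if the
 * invariants held (used == bytes reported, used <= FLIP_SIZE, redzone clean), else -1. */
static size_t run_two_writers(insert_fn insert)
{
	struct flip_buf b = { .lock = PTHREAD_MUTEX_INITIALIZER };
	struct writer_arg w[2] = { { &b, insert, 0 }, { &b, insert, 0 } };
	pthread_t t[2];
	for (int i = 0; i < 2; i++)
		pthread_create(&t[i], NULL, writer, &w[i]);
	for (int i = 0; i < 2; i++)
		pthread_join(t[i], NULL);
	if (b.used > FLIP_SIZE || flip_guard_dirty(&b) || b.used != w[0].written + w[1].written)
		return (size_t)-1;
	return b.used;
}

int main(void)
{
	printf("forced interleaving overran the buffer by %zu bytes\n", race_interleaving());
	printf("locked writers ended with used=%zu\n", run_two_writers(flip_insert_locked));
	printf("unlocked writers: %s\n", run_two_writers(flip_insert_unlocked) == (size_t)-1 ? "buffer corrupted" : "no corruption this run (timing-dependent)");
	return 0;
}
```

The deterministic replay is the part to study: both writers size their copy against the same stale `used`, so the second memcpy starts 200 bytes in and still copies 200 bytes, which is exactly the "write of size N past the slab object" pattern KASAN reported. Wrapping both steps in the lock makes the second writer re-evaluate the room after the first has committed, so it is truncated to what actually fits. Build with `cc -pthread` (or plain `cc` on a glibc 2.34 or newer system).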