Date: Wed, 22 Jun 2022 16:27:08 +0200
From: Salvatore Bonaccorso
To: Jiri Slaby
Cc: Hillf Danton, Dan Carpenter, ChenBigNB, Greg Kroah-Hartman, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: Re: CVE-2022-1462: race condition vulnerability in drivers/tty/tty_buffers.c
References: <20220602024857.4808-1-hdanton@sina.com> <0dc35f2e-746c-bcec-160c-645055a6f8d2@kernel.org>
List-ID: X-Mailing-List: linux-kernel@vger.kernel.org

hi,

On Wed, Jun 15, 2022 at 12:47:20PM +0200, Jiri Slaby wrote:
> On 02. 06. 22, 6:48, Jiri Slaby wrote:
> > On 02. 06. 22, 4:48, Hillf Danton wrote:
> > > On Wed, 1 Jun 2022 21:34:26 +0300 Dan Carpenter wrote:
> > > > Hi Greg, Jiri,
> > > >
> > > > I searched lore.kernel.org and it seemed like CVE-2022-1462 might not
> > > > have ever been reported to you? Here is the original email with the
> > > > syzkaller reproducer.
> > > >
> > > > https://seclists.org/oss-sec/2022/q2/155
> > > >
> > > > The reporter proposed a fix, but it won't work. Smatch says that some
> > > > of the callers are already holding the port->lock. For example,
> > > > sci_dma_rx_complete() will deadlock.
> > >
> > > Hi Dan
> > >
> > > To erase the deadlock above, we need to add another helper folding
> > > tty_insert_flip_string() and tty_flip_buffer_push() into one nutshell,
> > > with buf->tail covered by port->lock.
> > >
> > > The diff attached in effect reverts
> > > 71a174b39f10 ("pty: do tty_flip_buffer_push without port->lock in
> > > pty_write").
> > >
> > > Only for thoughts now.
> >
> > I think this is likely the best approach. Except for a few points inlined below.
> >
> > Another would be to split tty_flip_buffer_push() into two and call only
> > the first one (doing smp_store_release()) inside the lock. I tried that
> > already, but it looks much worse.
> >
> > Another would be to add flags to tty_flip_buffer_push(). Like
> > ONLY_ADVANCE and ONLY_QUEUE. Call with the first under the lock, the
> > second outside.
> >
> > Ideas, comments?
>
> Apparently not, so Hillf, could you resend your patch after fixing the
> comments below?

Any news here? I'm not sure if I missed the follow-up submission but was
not able to find it.

Regards,
Salvatore
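As an added illustration of the two locking shapes discussed in the thread, written for this page and not taken from the kernel's tty code or from the patch under discussion: the first function models the reporter's fix (the push takes port->lock itself) being called from a path that, like sci_dma_rx_complete(), already holds the lock; the second models the combined insert-and-push helper Hillf proposes, advancing under the lock and queueing outside it. The struct, the single-owner lock flag and all function names are a hypothetical simplification.

```c
#include <errno.h>
/* port->lock is a single-owner flag, so re-locking returns EDEADLK instead of hanging. */
struct port {
    int locked;       /* models port->lock */
    unsigned tail;    /* bytes inserted (buf->tail in the thread) */
    unsigned pushed;  /* bytes made visible to the reader side */
    int queued;       /* flush work queued? */
};

static int port_lock(struct port *p)
{
    if (p->locked) return EDEADLK;
    p->locked = 1;
    return 0;
}

/* Reporter's proposal: the push takes port->lock itself. */
static int push_taking_lock(struct port *p)
{
    int rc = port_lock(p);
    if (rc) return rc;
    p->pushed = p->tail;
    p->queued = 1;
    p->locked = 0;
    return 0;
}

/* A caller that, like sci_dma_rx_complete(), already holds port->lock. */
int rx_complete_then_push(struct port *p, unsigned n)
{
    int rc = port_lock(p);
    if (rc) return rc;
    p->tail += n;               /* models tty_insert_flip_string() */
    rc = push_taking_lock(p);   /* same holder locks again: EDEADLK */
    p->locked = 0;
    return rc;
}

/* Hillf's direction: insert and advance under port->lock, queue after dropping it. */
int insert_and_push(struct port *p, unsigned n)
{
    int rc = port_lock(p);
    if (rc) return rc;
    p->tail += n;
    p->pushed = p->tail;        /* advance, under the lock */
    p->locked = 0;
    p->queued = 1;              /* queue, outside the lock */
    return 0;
}
```

With a real spinlock the first path would hang rather than return an error; the flag only makes the re-entry visible in a single-threaded run.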