linux/drivers/tty
Cyrill Gorcunov b216df5384 tty: Fix potential use after free in release_one_tty
If we're releasing the last tty reference, the following
call sequence is possible

tty_driver_kref_put
  destruct_tty_driver
    kfree(driver);

where @driver is used in the next module_put call, which leads to

 | [ 285.964007] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
 | [ 285.964007] Workqueue: events release_one_tty
 | [ 285.964007] task: ffff8800cc7ea5f0 ti: ffff8800cb800000 task.ti: ffff8800cb800000
 | [ 285.964007] RIP: 0010:[<ffffffff810aeaf5>] [<ffffffff810aeaf5>] module_put+0x24/0xf4
 | [ 285.964007] RSP: 0018:ffff8800cb801d48 EFLAGS: 00010213
 | [ 285.964007] RAX: ffff8800cb801fd8 RBX: ffff8800ca3429d0 RCX: ffff8800cb1db400
 | [ 285.964007] RDX: 0000000000000000 RSI: ffffffff817349c1 RDI: 0000000000000001
 | [ 285.964007] RBP: ffff8800cb801d60 R08: ffff8800cd632b40 R09: 0000000000000000
 | [ 285.964007] R10: 00000000ffffffff R11: ffff88011f40a000 R12: 6b6b6b6b6b6b6b6b
 | [ 285.964007] R13: ffff8800ca342520 R14: 0000000000000000 R15: ffff88011f5d8200
 | [ 285.964007] FS: 0000000000000000(0000) GS:ffff88011f400000(0000) knlGS:0000000000000000
 | [ 285.964007] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
 | [ 285.964007] CR2: 00007faf5229d090 CR3: 0000000001c0b000 CR4: 00000000000006f0
 | [ 285.964007] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 | [ 285.964007] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
 | [ 285.964007] Stack:
 | [ 285.964007] ffff8800ca3429d0 ffff8800ca342a30 ffff8800ca342520 ffff8800cb801d88
 | [ 285.964007] ffffffff8146554a ffff8800cc77cc78 ffff8800ca3429d0 ffff88011f5d3800
 | [ 285.964007] ffff8800cb801e08 ffffffff810683c1 ffffffff810682ff 0000000000000046
 | [ 285.964007] Call Trace:
 | [ 285.964007] [<ffffffff8146554a>] release_one_tty+0x54/0xa3
 | [ 285.964007] [<ffffffff810683c1>] process_one_work+0x223/0x404
 | [ 285.964007] [<ffffffff810682ff>] ? process_one_work+0x161/0x404
 | [ 285.964007] [<ffffffff81068971>] worker_thread+0x136/0x205
 | [ 285.964007] [<ffffffff8106883b>] ? rescuer_thread+0x26a/0x26a
 | [ 285.964007] [<ffffffff8106e5bf>] kthread+0xa2/0xaa
 | [ 285.964007] [<ffffffff810a4586>] ? trace_hardirqs_on_caller+0x16/0x1eb
 | [ 285.964007] [<ffffffff8106e51d>] ? __kthread_parkme+0x65/0x65
 | [ 285.964007] [<ffffffff8173f59c>] ret_from_fork+0x7c/0xb0
 | [ 285.964007] [<ffffffff8106e51d>] ? __kthread_parkme+0x65/0x65
 | [ 285.964007] Code: 09 00 5b 41 5c 5d c3 0f 1f 44 00 00 55 48 85 ff 48 89 e5 41 55 41 54 49 89 fc 53 0f 84 d3 00
 | 00 00 bf 01 00 00 00 e8 d0 a1 fc ff <49> 8b 84 24 50 02 00 00 65 48 ff 40 08 4c 8b 6d 08 0f 1f 44 00

so simply keep a local reference to the module owner and
use it later.

CC: Pavel Emelyanov <xemul@parallels.com>
CC: Jiri Slaby <jslaby@suse.cz>
CC: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-09-08 15:55:25 -07:00
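
A userspace model of the ordering problem described in the commit message above, added here as an illustration; it is not code from the kernel tree or from the commit. `model_kfree`, `module_put_model`, `run` and the two `release_*` functions are hypothetical names, and the free is modelled by overwriting the object with 0x6b (the slab poison byte, the same pattern seen in R12 in the oops) instead of actually releasing the memory.

```c
#include <stdio.h>
#include <string.h>

#define POISON_FREE 0x6b /* byte slab debugging writes over freed objects */
struct module { int refcnt; };
struct tty_driver { int kref; struct module *owner; };

/* Modelled kfree(): poison the object; the storage stays valid in this model. */
static void model_kfree(void *p, size_t n) { memset(p, POISON_FREE, n); }

static void tty_driver_kref_put(struct tty_driver *d)
{
    if (--d->kref == 0)
        model_kfree(d, sizeof(*d)); /* destruct_tty_driver -> kfree(driver) */
}

/* Drops a module reference; returns -1 where the kernel would have faulted. */
static int module_put_model(struct module *mod)
{
    unsigned char pat[sizeof(mod)];
    memset(pat, POISON_FREE, sizeof(pat));
    if (memcmp(&mod, pat, sizeof(pat)) == 0)
        return -1;
    mod->refcnt--;
    return 0;
}

static int release_before_fix(struct tty_driver *driver)
{
    tty_driver_kref_put(driver);            /* last put frees driver */
    return module_put_model(driver->owner); /* owner read from freed object */
}

static int release_after_fix(struct tty_driver *driver)
{
    struct module *owner = driver->owner;   /* saved while driver is live */
    tty_driver_kref_put(driver);
    return module_put_model(owner);
}

/* Module refcount after dropping the last reference, or -1 on a poisoned owner. */
static int run(int (*release)(struct tty_driver *))
{
    struct module mod = { 1 };
    struct tty_driver d = { 1, &mod };      /* constructed: one reference left */
    return release(&d) < 0 ? -1 : mod.refcnt;
}

int main(void) { return printf("before=%d after=%d\n", run(release_before_fix), run(release_after_fix)) < 0; }
```
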
..
hvc tty: Update hypervisor tty drivers to use core stdout parsing code. 2014-06-26 17:12:23 +01:00
ipwireless tty: ipwireless: Remove tty->closing abort from ipw_open() 2014-07-10 16:06:49 -07:00
serial serial: msm_serial: Fix kgdb continue 2014-09-08 15:55:25 -07:00
vt Merge tag 'drm-intel-fixes-2014-06-17' of git://anongit.freedesktop.org/drm-intel into drm-next 2014-06-19 10:54:35 +10:00
amiserial.c tty/amiserial: avoid interruptible_sleep_on 2014-01-07 17:05:21 -08:00
bfin_jtag_comm.c
cyclades.c tty: Remove tty_hung_up_p() tests from tty drivers' open() 2014-07-10 16:06:49 -07:00
ehv_bytechan.c tty: Update hypervisor tty drivers to use core stdout parsing code. 2014-06-26 17:12:23 +01:00
goldfish.c goldfish: clean up the checkpatch warnings 2014-05-15 13:20:42 -07:00
isicom.c
Kconfig drivers/tty: ehv_bytechan fails to build as a module 2014-01-09 17:52:12 -06:00
Makefile
metag_da.c
moxa.c TTY: fix decimal printf format specifiers prefixed with 0x 2014-09-08 15:51:35 -07:00
moxa.h
mxser.c
mxser.h
n_gsm.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2014-08-06 09:38:14 -07:00
n_hdlc.c drivers/tty/n_hdlc.c: replace kmalloc/memset by kzalloc 2014-05-28 13:33:18 -07:00
n_r3964.c
n_tracerouter.c
n_tracesink.c
n_tracesink.h
n_tty.c tty: Correct INPCK handling 2014-06-19 13:04:52 -07:00
nozomi.c
pty.c drivers: tty: Fix use-after-free in pty_common_install 2014-07-12 17:21:47 -07:00
rocket_int.h
rocket.c tty: remove DEFINE_PCI_DEVICE_TABLE macro 2013-12-08 17:09:07 -08:00
rocket.h
synclink_gt.c synclink_gt: use pci_zalloc_consistent 2014-08-08 15:57:30 -07:00
synclink.c tty: Remove tty_hung_up_p() tests from tty drivers' open() 2014-07-10 16:06:49 -07:00
synclinkmp.c tty: Remove tty_hung_up_p() tests from tty drivers' open() 2014-07-10 16:06:49 -07:00
sysrq.c mm, oom: ensure memoryless node zonelist always includes zones 2014-08-06 18:01:21 -07:00
tty_audit.c audit: anchor all pid references in the initial pid namespace 2014-03-20 10:11:55 -04:00
tty_buffer.c Staging: speakup: Update __speakup_paste_selection() tty (ab)usage to match vt 2014-05-24 02:25:11 +09:00
tty_io.c tty: Fix potential use after free in release_one_tty 2014-09-08 15:55:25 -07:00
tty_ioctl.c tty: fix typo in comment of tty_termios_encode_baud_rate 2014-09-08 15:32:05 -07:00
tty_ldisc.c tty: delete non-required instances of include <linux/init.h> 2014-01-07 17:05:21 -08:00
tty_ldsem.c lockdep: Make held_lock->check and "int check" argument bool 2014-02-09 21:18:54 +01:00
tty_mutex.c
tty_port.c tty: Remove tty_hung_up_p() tests from tty drivers' open() 2014-07-10 16:06:49 -07:00