Commitc8bcd9c

thejh

authored and

gregkh

committed

tty: Fix ->session locking

Currently, locking of ->session is very inconsistent; most placesprotect it using the legacy tty mutex, but disassociate_ctty(),__do_SAK(), tiocspgrp() and tiocgsid() don't.Two of the writers hold the ctrl_lock (because they already need it for->pgrp), but __proc_set_tty() doesn't do that yet.On a PREEMPT=y system, an unprivileged user can theoretically abusethis broken locking to read 4 bytes of freed memory via TIOCGSID iftiocgsid() is preempted long enough at the right point. (Other thingsmight also go wrong, especially if root-only ioctls are involved; I'mnot sure about that.)Change the locking on ->session such that: - tty_lock() is held by all writers: By making disassociate_ctty() hold it. This should be fine because the same lock can already be taken through the call to tty_vhangup_session(). The tricky part is that we need to shorten the area covered by siglock to be able to take tty_lock() without ugly retry logic; as far as I can tell, this should be fine, since nothing in the signal_struct is touched in the `if (tty)` branch. - ctrl_lock is held by all writers: By changing __proc_set_tty() to hold the lock a little longer. - All readers that aren't holding tty_lock() hold ctrl_lock: By adding locking to tiocgsid() and __do_SAK(), and expanding the area covered by ctrl_lock in tiocspgrp().Cc: stable@kernel.orgSigned-off-by: Jann Horn <jannh@google.com>Reviewed-by: Jiri Slaby <jirislaby@kernel.org>Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

1 parent54ffccb commitc8bcd9cCopy full SHA for c8bcd9c

File tree

3 files changed

+41

-14

lines changed

drivers/tty
- tty_io.c
- tty_jobctrl.c
include/linux
- tty.h

3 files changed

+41

-14

lines changed

`‎drivers/tty/tty_io.c‎`

Lines changed: 6 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -2897,10 +2897,14 @@ void __do_SAK(struct tty_struct *tty)`
`2897`	`2897`	`structtask_structg,p;`
`2898`	`2898`	`structpid*session;`
`2899`	`2899`	`inti;`
	`2900`	`+unsigned longflags;`
`2900`	`2901`
`2901`	`2902`	`if (!tty)`
`2902`	`2903`	`return;`
`2903`		`-session=tty->session;`
	`2904`	`+`
	`2905`	`+spin_lock_irqsave(&tty->ctrl_lock,flags);`
	`2906`	`+session=get_pid(tty->session);`
	`2907`	`+spin_unlock_irqrestore(&tty->ctrl_lock,flags);`
`2904`	`2908`
`2905`	`2909`	`tty_ldisc_flush(tty);`
`2906`	`2910`
`@@ -2932,6 +2936,7 @@ void __do_SAK(struct tty_struct *tty)`
`2932`	`2936`	`task_unlock(p);`
`2933`	`2937`	`}while_each_thread(g,p);`
`2934`	`2938`	`read_unlock(&tasklist_lock);`
	`2939`	`+put_pid(session);`
`2935`	`2940`	`#endif`
`2936`	`2941`	`}`
`2937`	`2942`

`‎drivers/tty/tty_jobctrl.c‎`

Lines changed: 31 additions & 13 deletions

Original file line number	Diff line number	Diff line change
`@@ -103,8 +103,8 @@ static void __proc_set_tty(struct tty_struct *tty)`
`103`	`103`	`put_pid(tty->session);`
`104`	`104`	`put_pid(tty->pgrp);`
`105`	`105`	`tty->pgrp=get_pid(task_pgrp(current));`
`106`		`-spin_unlock_irqrestore(&tty->ctrl_lock,flags);`
`107`	`106`	`tty->session=get_pid(task_session(current));`
	`107`	`+spin_unlock_irqrestore(&tty->ctrl_lock,flags);`
`108`	`108`	`if (current->signal->tty) {`
`109`	`109`	`tty_debug(tty,"current tty %s not NULL!!\n",`
`110`	`110`	`current->signal->tty->name);`
`@@ -293,20 +293,23 @@ void disassociate_ctty(int on_exit)`
`293`	`293`	`spin_lock_irq(&current->sighand->siglock);`
`294`	`294`	`put_pid(current->signal->tty_old_pgrp);`
`295`	`295`	`current->signal->tty_old_pgrp=NULL;`
`296`		`-`
`297`	`296`	`tty=tty_kref_get(current->signal->tty);`
	`297`	`+spin_unlock_irq(&current->sighand->siglock);`
	`298`	`+`
`298`	`299`	`if (tty) {`
`299`	`300`	`unsigned longflags;`
	`301`	`+`
	`302`	`+tty_lock(tty);`
`300`	`303`	`spin_lock_irqsave(&tty->ctrl_lock,flags);`
`301`	`304`	`put_pid(tty->session);`
`302`	`305`	`put_pid(tty->pgrp);`
`303`	`306`	`tty->session=NULL;`
`304`	`307`	`tty->pgrp=NULL;`
`305`	`308`	`spin_unlock_irqrestore(&tty->ctrl_lock,flags);`
	`309`	`+tty_unlock(tty);`
`306`	`310`	`tty_kref_put(tty);`
`307`	`311`	`}`
`308`	`312`
`309`		`-spin_unlock_irq(&current->sighand->siglock);`
`310`	`313`	`/* Now clear signal->tty under the lock */`
`311`	`314`	`read_lock(&tasklist_lock);`
`312`	`315`	`session_clear_tty(task_session(current));`
`@@ -477,14 +480,19 @@ static int tiocspgrp(struct tty_struct tty, struct tty_struct real_tty, pid_t`
`477`	`480`	`return-ENOTTY;`
`478`	`481`	`if (retval)`
`479`	`482`	`returnretval;`
`480`		`-if (!current->signal->tty\|\|`
`481`		`- (current->signal->tty!=real_tty)\|\|`
`482`		`- (real_tty->session!=task_session(current)))`
`483`		`-return-ENOTTY;`
	`483`	`+`
`484`	`484`	`if (get_user(pgrp_nr,p))`
`485`	`485`	`return-EFAULT;`
`486`	`486`	`if (pgrp_nr<0)`
`487`	`487`	`return-EINVAL;`
	`488`	`+`
	`489`	`+spin_lock_irq(&real_tty->ctrl_lock);`
	`490`	`+if (!current->signal->tty\|\|`
	`491`	`+ (current->signal->tty!=real_tty)\|\|`
	`492`	`+ (real_tty->session!=task_session(current))) {`
	`493`	`+retval=-ENOTTY;`
	`494`	`+gotoout_unlock_ctrl;`
	`495`	`+}`
`488`	`496`	`rcu_read_lock();`
`489`	`497`	`pgrp=find_vpid(pgrp_nr);`
`490`	`498`	`retval=-ESRCH;`
`@@ -494,12 +502,12 @@ static int tiocspgrp(struct tty_struct tty, struct tty_struct real_tty, pid_t`
`494`	`502`	`if (session_of_pgrp(pgrp)!=task_session(current))`
`495`	`503`	`gotoout_unlock;`
`496`	`504`	`retval=0;`
`497`		`-spin_lock_irq(&real_tty->ctrl_lock);`
`498`	`505`	`put_pid(real_tty->pgrp);`
`499`	`506`	`real_tty->pgrp=get_pid(pgrp);`
`500`		`-spin_unlock_irq(&real_tty->ctrl_lock);`
`501`	`507`	`out_unlock:`
`502`	`508`	`rcu_read_unlock();`
	`509`	`+out_unlock_ctrl:`
	`510`	`+spin_unlock_irq(&real_tty->ctrl_lock);`
`503`	`511`	`returnretval;`
`504`	`512`	`}`
`505`	`513`
`@@ -511,20 +519,30 @@ static int tiocspgrp(struct tty_struct tty, struct tty_struct real_tty, pid_t`
`511`	`519`	`*`
`512`	`520`	`*Obtain the session id of the tty. If there is no session`
`513`	`521`	`*return an error.`
`514`		`- *`
`515`		`- *Locking: none. Reference to current->signal->tty is safe.`
`516`	`522`	`*/`
`517`	`523`	`staticinttiocgsid(structtty_structtty,structtty_structreal_tty,pid_t__user*p)`
`518`	`524`	`{`
	`525`	`+unsigned longflags;`
	`526`	`+pid_tsid;`
	`527`	`+`
`519`	`528`	`/*`
`520`	`529`	`* (tty == real_tty) is a cheap way of`
`521`	`530`	`* testing if the tty is NOT a master pty.`
`522`	`531`	`*/`
`523`	`532`	`if (tty==real_tty&&current->signal->tty!=real_tty)`
`524`	`533`	`return-ENOTTY;`
	`534`	`+`
	`535`	`+spin_lock_irqsave(&real_tty->ctrl_lock,flags);`
`525`	`536`	`if (!real_tty->session)`
`526`		`-return-ENOTTY;`
`527`		`-returnput_user(pid_vnr(real_tty->session),p);`
	`537`	`+gotoerr;`
	`538`	`+sid=pid_vnr(real_tty->session);`
	`539`	`+spin_unlock_irqrestore(&real_tty->ctrl_lock,flags);`
	`540`	`+`
	`541`	`+returnput_user(sid,p);`
	`542`	`+`
	`543`	`+err:`
	`544`	`+spin_unlock_irqrestore(&real_tty->ctrl_lock,flags);`
	`545`	`+return-ENOTTY;`
`528`	`546`	`}`
`529`	`547`
`530`	`548`	`/*`

`‎include/linux/tty.h‎`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -306,6 +306,10 @@ struct tty_struct {`
`306`	`306`	`structtermioxtermiox;/ May be NULL for unsupported */`
`307`	`307`	`charname[64];`
`308`	`308`	`structpidpgrp;/ Protected by ctrl lock */`
	`309`	`+/*`
	`310`	`+ * Writes protected by both ctrl lock and legacy mutex, readers must use`
	`311`	`+ * at least one of them.`
	`312`	`+ */`
`309`	`313`	`structpid*session;`
`310`	`314`	`unsigned longflags;`
`311`	`315`	`intcount;`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitc8bcd9c

File tree

3 files changed

3 files changed

`‎drivers/tty/tty_io.c‎`

`‎drivers/tty/tty_jobctrl.c‎`

`‎include/linux/tty.h‎`

0 commit comments