The tty atomic_write_lock does not provide an exclusion guarantee for
the tty driver if the termios settings are L_ECHO & !OPOST. And since
it is unexpected and not allowed to call TTY buffer helpers like
tty_insert_flip_string concurrently, this may lead to crashes when
concurrent writers call pty_write. In that case the following two
writers:
* the ECHOing from a workqueue and
* pty_write from the process
race and can overflow the corresponding TTY buffer as follows.
If we look into tty_insert_flip_string_fixed_flag, there is:
    int space = __tty_buffer_request_room(port, goal, flags);
    struct tty_buffer *tb = port->buf.tail;
    ...
    memcpy(char_buf_ptr(tb, tb->used), chars, space);
    ...
    tb->used += space;
so the race of the two can result in something like this:
             A                                  B
    __tty_buffer_request_room
                                    __tty_buffer_request_room
    memcpy(buf(tb->used), ...)
    tb->used += space;
                                    memcpy(buf(tb->used), ...) ->BOOM
B's memcpy is past the tty_buffer due to the previous A's tb->used
increment.
Since the N_TTY line discipline input processing can output
concurrently with a tty write, obtain the N_TTY ldisc output_lock to
serialize echo output with normal tty writes. This ensures the tty
buffer helper tty_insert_flip_string is not called concurrently and
everything is fine.
Note that this is nicely reproducible by an ordinary user using
forkpty and some setup around that (raw termios + ECHO). And it is
present in kernels at least after commit
d945cb9 (pty: Rework the pty layer to
use the normal buffering logic) in 2.6.31-rc3.
js: add more info to the commit log
js: switch to bool
js: lock unconditionally
js: lock only the tty->ops->write call
References: CVE-2014-0196
Reported-and-tested-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ref: 4291086b1f
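As an added illustration, not the kernel's code and not part of the commit above, the A/B interleaving from the commit's diagram modelled deterministically in user space: a toy tty_buffer in which requesting room and copying are separate steps, so a second writer that sized its copy against a stale 'used' runs past the end, beside the serialized order that holding output_lock around the write imposes. The names tty_buffer, request_room, do_copy, race_interleaving and serialized are constructed for this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of a tty_buffer: fixed data area plus a 'used' cursor. */
#define TB_SIZE 16
struct tty_buffer { char data[TB_SIZE]; size_t used; };

/* Model of __tty_buffer_request_room(): how much of 'goal' fits right now. */
static size_t request_room(const struct tty_buffer *tb, size_t goal)
{
    size_t left = TB_SIZE - tb->used;
    return goal < left ? goal : left;
}

/* Model of the copy step: memcpy at tb->used, then bump used. Instead of
 * corrupting memory, it refuses (returns false) when the copy would run
 * past the buffer, which is the "->BOOM" case in the commit's diagram. */
static bool do_copy(struct tty_buffer *tb, const char *chars, size_t space)
{
    if (tb->used + space > TB_SIZE)
        return false;
    memcpy(tb->data + tb->used, chars, space);
    tb->used += space;
    return true;
}

/* The racy interleaving: both writers size their copy against the same
 * 'used' before either commits, so B's 'space' is stale when B copies.
 * Returns false when B's copy would overflow. */
bool race_interleaving(struct tty_buffer *tb, const char *a, size_t alen,
                       const char *b, size_t blen)
{
    size_t space_a = request_room(tb, alen);   /* A: request room */
    size_t space_b = request_room(tb, blen);   /* B: request room, same 'used' */
    bool ok_a = do_copy(tb, a, space_a);       /* A: memcpy, used += space */
    bool ok_b = do_copy(tb, b, space_b);       /* B: memcpy past the end */
    return ok_a && ok_b;
}

/* Serialized writers (what the output_lock fix guarantees): each request
 * sees the other writer's 'used' increment, so 'space' is never stale. */
bool serialized(struct tty_buffer *tb, const char *a, size_t alen,
                const char *b, size_t blen)
{
    bool ok_a = do_copy(tb, a, request_room(tb, alen));
    bool ok_b = do_copy(tb, b, request_room(tb, blen));
    return ok_a && ok_b;
}
```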
Since the re-exec change in 2022.82, Dropbear would count
authenticated sessions towards the unauthenticated
session limit. This is fixed by passing the childpipe FD
through to the re-execed process.
Ref: 544f28a051
slip: remove unnecessary break after goto
8904120b52
slip: Check if rstate is initialized before uncompressing
3f01ddb962
slip: make slhc_free() silently accept an error pointer
baf76f0c58
slip: make slhc_compress() more robust against malicious packets
110a40dfb7
net/veth: Fix packet checksumming
0b7967503d
veth: Fix the byte counters
675071a2ef
Revert: veth: remove unneeded ifname code from veth_newlink()
6c8c44462a
veth: convert to 64 bit statistics
6311cc44a2
veth: fix 64bit stats on 32bit arches
cf05c700cf
veth: Allow to create peer link with given ifindex
e6f8f1a739
Extract "Protocol" field decompression code from transport protocols to
PPP generic layer, where it actually belongs. As a consequence, this
patch fixes incorrect place of PFC decompression in L2TP driver (when
it's not PPPOX_BOUND) and also enables this decompression for other
protocols, like PPPoE.
Protocol field decompression also happens in PPP Multilink Protocol
code and in PPP compression protocols implementations (bsd, deflate,
mppe). It looks like there is no easy way to get rid of that, so it was
decided to leave it as is, but provide those cases with appropriate
comments instead.
Changes in v2:
- Fix the order of checking skb data room and proto decompression
- Remove "inline" keyword from ppp_decompress_proto()
- Don't split line before function name
- Prefix ppp_decompress_proto() function with "__"
- Add ppp_decompress_proto() function with skb data room checks
- Add description for introduced functions
- Fix comments (as per review on mailing list)
Signed-off-by: Sam Protsenko <semen.protsenko@linaro.org>
Reviewed-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ref: 7fb1b8ca8f
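As an added example, not the PPP driver's code and not taken from the commit above, a user-space model of what the changelog describes: PFC decompression of the PPP "Protocol" field (RFC 1661: a compressed field is a single odd byte with the leading 0x00 omitted) wrapped in room checks in the order the v2 notes call out, one byte before reading, two bytes after restoring. The struct pkt and the helpers pkt_init, may_pull, push1, decompress_proto and proto_of are constructed stand-ins for sk_buff, pskb_may_pull and skb_push.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for an sk_buff: 'data' points into 'store' and can be
 * pushed backwards while headroom remains. Not the kernel's structure. */
struct pkt {
    uint8_t store[64];
    uint8_t *data;
    size_t len;
};

static void pkt_init(struct pkt *p, const uint8_t *bytes, size_t n)
{
    memset(p->store, 0, sizeof(p->store));
    p->data = p->store + 8;              /* headroom for the push below */
    memcpy(p->data, bytes, n);
    p->len = n;
}

/* Model of pskb_may_pull(): are at least n bytes of payload present? */
static bool may_pull(const struct pkt *p, size_t n) { return p->len >= n; }

/* Model of skb_push(): grow the packet by one byte at the front. */
static uint8_t *push1(struct pkt *p) { p->data--; p->len++; return p->data; }

/* Unchecked step: an odd first byte means the sender applied PFC, so the
 * dropped 0x00 high byte is restored in front of it. */
static void decompress_proto_unchecked(struct pkt *p)
{
    if (p->data[0] & 0x01)
        *push1(p) = 0x00;
}

/* Checked wrapper: one byte must exist before data[0] is read; a full
 * two-byte protocol field must exist afterwards. */
bool decompress_proto(struct pkt *p)
{
    if (!may_pull(p, 1))
        return false;
    decompress_proto_unchecked(p);
    return may_pull(p, 2);
}

/* The 16-bit protocol number after decompression, or 0 if the packet is short. */
uint16_t proto_of(struct pkt *p)
{
    if (!decompress_proto(p))
        return 0;
    return (uint16_t)((p->data[0] << 8) | p->data[1]);
}
```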
l2tp: Fix PPP header erasure and memory leak
55b92b7a11
l2tp: Correctly return -EBADF from pppol2tp_getname
4ac36a4ada
l2tp: Fix the connect status check in pppol2tp_getname
56cff471d0
ppp: deflate: never return len larger than output buffer
e2a4800e75
ppp: deflate: Fix possible crash in deflate_init
3ebe1bca58
ppp: deflate: Remove useless call "zlib_inflateEnd"
dc5fa2073f
Use vzalloc() and vzalloc_node() in net drivers
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Jon Mason <jon.mason@exar.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ref: 89bf67f1f0
- revert (from newest):
pppoe: fix memory corruption in padt work structure
fe53985aaa
ppp: remove PPPOX_ZOMBIE socket state
a8acce6aa5
ppp: don't set sk_state to PPPOX_ZOMBIE in pppoe_disc_rcv()
8734e485fe
pppoe: Use workqueue to die properly when a PADT is received
287f3a943f
pppoe: remove unused return value from two methods
3b12bb6043
ppp: slight optimization of addr compare
7ed8ca5b1e
net: pppoe: use correct channel MTU when using Multilink PPP
a8a3e41c67
pppoe: Use workqueue to die properly when a PADT is received
287f3a943f
pppoe: Lacks DST MAC address check
a068833bbf
pppoe: drop pppoe device in pppoe_unbind_sock_work
665a6cd809
ppp: don't override sk->sk_state in pppoe_flush_dev()
e6740165b8
ppp: fix pppoe_dev deletion condition in pppoe_release()
1acea4f6ce
ppp: don't set sk_state to PPPOX_ZOMBIE in pppoe_disc_rcv()
8734e485fe
ppp: remove PPPOX_ZOMBIE socket state
a8acce6aa5
pppoe: fix memory corruption in padt work structure
fe53985aaa
pppoe: only process PADT targeted at local interfaces
b8c1583951