linux/drivers/tty
Jann Horn c8bcd9c5be tty: Fix ->session locking
Currently, locking of ->session is very inconsistent; most places
protect it using the legacy tty mutex, but disassociate_ctty(),
__do_SAK(), tiocspgrp() and tiocgsid() don't.
Two of the writers hold the ctrl_lock (because they already need it for
->pgrp), but __proc_set_tty() doesn't do that yet.

On a PREEMPT=y system, an unprivileged user can theoretically abuse
this broken locking to read 4 bytes of freed memory via TIOCGSID if
tiocgsid() is preempted long enough at the right point. (Other things
might also go wrong, especially if root-only ioctls are involved; I'm
not sure about that.)

Change the locking on ->session such that:

 - tty_lock() is held by all writers: By making disassociate_ctty()
   hold it. This should be fine because the same lock can already be
   taken through the call to tty_vhangup_session().
   The tricky part is that we need to shorten the area covered by
   siglock to be able to take tty_lock() without ugly retry logic; as
   far as I can tell, this should be fine, since nothing in the
   signal_struct is touched in the `if (tty)` branch.
 - ctrl_lock is held by all writers: By changing __proc_set_tty() to
   hold the lock a little longer.
 - All readers that aren't holding tty_lock() hold ctrl_lock: By
   adding locking to tiocgsid() and __do_SAK(), and expanding the area
   covered by ctrl_lock in tiocspgrp().

Cc: stable@kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-12-04 17:39:58 +01:00
..
hvc tty: hvc: fix link error with CONFIG_SERIAL_CORE_CONSOLE=n 2020-09-27 14:17:43 +02:00
ipwireless tty: ipwireless: fix error handling 2020-09-04 18:08:16 +02:00
serdev serdev: Fix detection of UART devices on Apple machines. 2020-03-06 14:10:44 +01:00
serial serial: ar933x_uart: disable clk on error handling path in probe 2020-11-12 09:41:07 +01:00
vt TTY/Serial fixes for 5.10-rc3 2020-11-08 11:28:08 -08:00
amiserial.c Remove every trace of SERIAL_MAGIC 2019-11-13 19:01:14 +08:00
cyclades.c treewide: Remove uninitialized_var() usage 2020-07-16 12:35:15 -07:00
ehv_bytechan.c tty: evh_bytechan: Fix out of bounds accesses 2020-03-17 23:40:31 +11:00
goldfish.c
isicom.c treewide: Remove uninitialized_var() usage 2020-07-16 12:35:15 -07:00
Kconfig treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
Makefile
mips_ejtag_fdc.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
moxa.c remove ioremap_nocache and devm_ioremap_nocache 2020-01-06 09:45:59 +01:00
moxa.h tty: fix spelling mistake 2020-06-27 16:21:20 +02:00
mxser.c tty: mxser: make mxser_change_speed() return void 2020-05-15 14:47:05 +02:00
mxser.h
n_gsm.c Linux 5.9-rc3 2020-08-31 07:19:25 +02:00
n_hdlc.c Linux 5.9-rc3 2020-08-31 07:19:25 +02:00
n_null.c
n_r3964.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
n_tracerouter.c
n_tracesink.c
n_tracesink.h tty: n_tracesink: Use the correct style for SPDX License Identifier 2020-03-18 13:01:31 +01:00
n_tty.c tty: ldiscs, fix kernel-doc 2020-08-18 13:51:18 +02:00
nozomi.c tty: nozomi: Use scnprintf() for avoiding potential buffer overflow 2020-03-18 12:59:29 +01:00
pty.c pty: do tty_flip_buffer_push without port->lock in pty_write 2020-09-04 18:10:30 +02:00
rocket_int.h
rocket.c Merge 5.7-rc3 into tty-next 2020-04-27 09:33:21 +02:00
rocket.h tty: rocket: Remove RCPK_GET_STRUCT ioctl 2019-04-25 11:58:56 +02:00
synclink_gt.c tty: synclink_gt: switch from 'pci_' to 'dma_' API 2020-09-04 18:07:22 +02:00
synclink.c tty: synclink, fix kernel-doc 2020-08-18 13:51:18 +02:00
synclinkmp.c tty: synclink, fix kernel-doc 2020-08-18 13:51:18 +02:00
sysrq.c tty/sysrq: Extend the sysrq_key_table to cover capital letters 2020-10-02 14:56:06 +02:00
tty_audit.c
tty_baudrate.c tty: fix kernel-doc 2020-08-18 13:51:18 +02:00
tty_buffer.c tty: fix kernel-doc 2020-08-18 13:51:18 +02:00
tty_io.c tty: Fix ->session locking 2020-12-04 17:39:58 +01:00
tty_ioctl.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
tty_jobctrl.c tty: Fix ->session locking 2020-12-04 17:39:58 +01:00
tty_ldisc.c tty: fix kernel-doc 2020-08-18 13:51:18 +02:00
tty_ldsem.c locking/lockdep: Remove unused @nested argument from lock_release() 2019-10-09 12:46:10 +02:00
tty_mutex.c
tty_port.c serdev: ttyport: restore client ops on deregistration 2020-02-10 12:26:44 -08:00
ttynull.c
vcc.c sparc64: vcc: Fix error return code in vcc_probe() 2020-04-28 14:38:54 +02:00