From: Josh Triplett <josh@joshtriplett.org>
To: Peter Hurley <peter@hurleysoftware.com>
Cc: "Herton R. Krzesinski" <herton@redhat.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	linux-kernel@vger.kernel.org, Alan Cox <alan@linux.intel.com>,
	Jiri Slaby <jslaby@suse.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Al Viro <viro@zeniv.linux.org.uk>,
	David Howells <dhowells@redhat.com>
Subject: Re: [PATCH 1/2 v2] pty: fix possible use after free of tty->driver_data
Date: Wed, 13 Jan 2016 10:28:44 -0800
Message-ID: <20160113182844.GB8385@cloud>
In-Reply-To: <56968BD1.5090000@hurleysoftware.com>

On Wed, Jan 13, 2016 at 09:39:29AM -0800, Peter Hurley wrote:
> On 01/11/2016 06:07 AM, Herton R. Krzesinski wrote:
> > This change fixes a bug for a corner case where we have the last
> > release from a pty master/slave coming from a previously opened /dev/tty
> > file. When this happens, the tty->driver_data can be stale, due to all
> > ptmx or pts/N files having already been closed before (and thus the inode
> > related to these files, which tty->driver_data points to, being already
> > freed/destroyed).
> > 
> > The fix here is to keep a reference on the opened master ptmx inode.
> > We maintain the inode referenced until the final pty_unix98_shutdown,
> > and only pass this inode to devpts_kill_index.
> 
> Ideally, the tty core should be bumping the inode count for the underlying
> controlling tty

That does indeed sound like the right fix.  /dev/tty doesn't act exactly
like opening the underlying device (as it also supports the TIOCNOTTY
ioctl), but it should definitely hold a reference to that underlying
device.
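
The lifetime problem discussed in this thread, reduced to a userspace C model. This is an added example, not part of the message and not kernel code; `model_inode`, `model_tty` and all function names are hypothetical, and "destroyed" is a flag so the model can inspect the object safely.

```c
#include <stdbool.h>
#include <stddef.h>

/* Userspace model; every name here is hypothetical, none is a kernel API. */
struct model_inode { int refcount; bool live; };
struct model_tty { struct model_inode *driver_data; bool holds_ref; };

static void inode_get(struct model_inode *i) { i->refcount++; }

static void inode_put(struct model_inode *i)
{
    if (--i->refcount == 0)
        i->live = false; /* stands in for the inode being destroyed */
}

/* Opening ptmx: the file owns one reference, the tty stores the pointer. */
static void model_ptmx_open(struct model_tty *t, struct model_inode *i, bool pin)
{
    inode_get(i);
    t->driver_data = i;
    t->holds_ref = pin;
    if (pin)
        inode_get(i); /* the tty keeps its own reference */
}

/* Final release: reports whether driver_data still pointed at a live inode. */
static bool model_final_shutdown(struct model_tty *t)
{
    struct model_inode *i = t->driver_data;
    bool valid = i->live; /* safe to read: the model never really frees */

    if (t->holds_ref)
        inode_put(i); /* reference dropped only at the final shutdown */
    t->driver_data = NULL;
    return valid;
}

/* All ptmx and pts/N files close first; the last release comes via /dev/tty. */
static bool run_scenario(bool pin, bool *destroyed_at_end)
{
    struct model_inode ino = { 0, true };
    struct model_tty tty = { NULL, false };

    model_ptmx_open(&tty, &ino, pin);
    inode_put(&ino);                 /* last ptmx/pts file closed */
    bool valid = model_final_shutdown(&tty);
    *destroyed_at_end = !ino.live;
    return valid;
}
```

With `pin` false the stored pointer is stale by the time the final shutdown uses it; with `pin` true it stays valid and the object is still released once the shutdown drops the last reference.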


Thread overview: 12+ messages
2016-01-11 14:07 pty: fix use after free issues at pty_unix98_shutdown Herton R. Krzesinski
2016-01-11 14:07 ` [PATCH 1/2 v2] pty: fix possible use after free of tty->driver_data Herton R. Krzesinski
2016-01-13 17:39   ` Peter Hurley
2016-01-13 18:28     ` Josh Triplett [this message]
2016-01-14 20:09       ` Herton R. Krzesinski
2016-01-14 21:27         ` Peter Hurley
2016-01-11 14:07 ` [PATCH 2/2] pty: make sure super_block is still valid in final /dev/tty close Herton R. Krzesinski
2016-01-13 17:54   ` Peter Hurley
2016-01-14 19:56     ` [PATCH 2/2 v2] " Herton R. Krzesinski
2016-01-16 21:09       ` Peter Hurley
2016-01-14 20:03     ` [PATCH 2/2] " Herton R. Krzesinski
2016-01-16 21:43       ` Peter Hurley
