From: Sven Schnelle <svens@linux.ibm.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Jiri Slaby <jirislaby@kernel.org>
Cc: Christian Borntraeger <borntraeger@de.ibm.com>,
linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org
Subject: [PATCH 0/1] crash in tty layer when specifying invalid console=ttyX
Date: Wed, 7 Dec 2022 08:52:35 +0100 [thread overview]
Message-ID: <20221207075236.23171-1-svens@linux.ibm.com> (raw)
Hi,
we had a user specifying 'console=tty3270' assuming that this will use the
tty3270 driver from s390 as console device. However, it will try to open
tty number 3270 as tty which is not what the user expected. That alone
isn't really a problem, but the kernel crashes while dereferencing invalid
memory with this option.
I tested this with qemu on x86, and it crashes in the same way. I never
worked in the tty layer, but it looks to me like there's some out-of-bound
checking missing in tty_driver_lookup_tty(). If this fix is wrong or
there's a better place to do that, let me know.
Sven Schnelle (1):
tty: fix out-of-bounds access in tty_driver_lookup_tty()
drivers/tty/tty_io.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--
2.34.1
next reply other threads:[~2022-12-07 7:53 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-07 7:52 Sven Schnelle [this message]
2022-12-07 7:52 ` [PATCH 1/1] tty: fix out-of-bounds access in tty_driver_lookup_tty() Sven Schnelle
2022-12-09 7:17 ` Jiri Slaby
2022-12-09 8:10 ` Sven Schnelle
2022-12-09 8:43 ` Jiri Slaby
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221207075236.23171-1-svens@linux.ibm.com \
--to=svens@linux.ibm.com \
--cc=borntraeger@de.ibm.com \
--cc=gregkh@linuxfoundation.org \
--cc=jirislaby@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox