Re: possible pty DoS

From: Andrew Morton (andrewm@uow.edu.au)
Date: Fri Dec 22 2000 - 06:13:32 EST

Next message: Alexander Zarochentcev: "Re: memmove() in 2.4.0-test12, alpha platform"
Previous message: f5ibh: "usb id for scanner epson 1640SU Photo"
In reply to: berndj@prism.co.za: "possible pty DoS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This 2.4 bug must be fixed.

berndj@prism.co.za wrote:
>
> This snippet can prevent progress of any other processes that tries to do
> a write to a pty:
>
> ============
> #include <sys/fcntl.h>
> #include <unistd.h>
>
> int main()
> {
> int ptm;
> ptm = open("/dev/ptmx", O_WRONLY);
> while (1)
> write(ptm, "hello, world!\n", 14);
> }
> ============
>

Your program fills up the pty write buffer and then blocks.
This is fair enough. But it blocks while holding the /dev/ptmx
inode semaphore, so _all_ other users of /dev/ptmx are blocked.
Your xterms get stuck, telnet and ssh are dead. It's time to
find the car keys.

In 2.2, we have a per-tty semaphore. No problems. This
patch basically restores the 2.2 implementation and it
passes basic sanity testing.

But it's not my area. Is there really a _need_ to take the inode
semaphore while we're writing to the pty instance? I hope
not, because I took that out.

Perhaps it would be logical to clone the /dev/ptmx inode
in some manner when it's opened?

Anyone?

--- linux-2.4.0-test13-pre4/include/linux/tty.h Tue Dec 12 19:24:23 2000
+++ linux-akpm/include/linux/tty.h Fri Dec 22 21:44:47 2000
@@ -305,6 +305,7 @@
         unsigned long canon_head;
         unsigned int canon_column;
         struct semaphore atomic_read;
+ struct semaphore atomic_write;
         spinlock_t read_lock;
};

--- linux-2.4.0-test13-pre4/drivers/char/tty_io.c Tue Dec 12 19:24:17 2000
+++ linux-akpm/drivers/char/tty_io.c Fri Dec 22 21:48:22 2000
@@ -699,9 +699,8 @@
         size_t count)
{
         ssize_t ret = 0, written = 0;
- struct inode *inode = file->f_dentry->d_inode;

- if (down_interruptible(&inode->i_sem)) {
+ if (down_interruptible(&tty->atomic_write)) {
                 return -ERESTARTSYS;
         }
         if ( test_bit(TTY_NO_WRITE_SPLIT, &tty->flags) ) {
@@ -734,7 +733,7 @@
                 file->f_dentry->d_inode->i_mtime = CURRENT_TIME;
                 ret = written;
         }
- up(&inode->i_sem);
+ up(&tty->atomic_write);
         return ret;
}

@@ -1972,6 +1971,7 @@
         tty->tq_hangup.routine = do_tty_hangup;
         tty->tq_hangup.data = tty;
         sema_init(&tty->atomic_read, 1);
+ sema_init(&tty->atomic_write, 1);
         spin_lock_init(&tty->read_lock);
         INIT_LIST_HEAD(&tty->tty_files);
}

-
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

Next message: Alexander Zarochentcev: "Re: memmove() in 2.4.0-test12, alpha platform"
Previous message: f5ibh: "usb id for scanner epson 1640SU Photo"
In reply to: berndj@prism.co.za: "possible pty DoS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Sat Dec 23 2000 - 21:00:31 EST