<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/drivers/tty/tty_io.c, branch v3.0.95</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v3.0.95</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v3.0.95'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2013-05-08T02:57:22+00:00</updated>
<entry>
<title>tty: fix up atime/mtime mess, take three</title>
<updated>2013-05-08T02:57:22+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2013-05-01T14:32:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=5022cf90d4bb8bed51c8176ce57ac7ccf87ed3d4'/>
<id>urn:sha1:5022cf90d4bb8bed51c8176ce57ac7ccf87ed3d4</id>
<content type='text'>
commit b0b885657b6c8ef63a46bc9299b2a7715d19acde upstream.

We first tried to avoid updating atime/mtime entirely (commit
b0de59b5733d: "TTY: do not update atime/mtime on read/write"), and then
limited it to only update it occasionally (commit 37b7f3c76595: "TTY:
fix atime/mtime regression"), but it turns out that this was both
insufficient and overkill.

It was insufficient because we let people attach to the shared ptmx node
to see activity without even reading atime/mtime, and it was overkill
because the "only once a minute" means that you can't really tell an
idle person from an active one with 'w'.

So this tries to fix the problem properly.  It marks the shared ptmx
node as un-notifiable, and it lowers the "only once a minute" to a few
seconds instead - still long enough that you can't time individual
keystrokes, but short enough that you can tell whether somebody is
active or not.

Reported-by: Simon Kirby &lt;sim@hostway.ca&gt;
Acked-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>TTY: fix atime/mtime regression</title>
<updated>2013-05-01T15:56:36+00:00</updated>
<author>
<name>Jiri Slaby</name>
<email>jslaby@suse.cz</email>
</author>
<published>2013-04-26T11:48:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=061bd83c6fd1c22fbcf0357d4b7e306ba5ea8591'/>
<id>urn:sha1:061bd83c6fd1c22fbcf0357d4b7e306ba5ea8591</id>
<content type='text'>
commit 37b7f3c76595e23257f61bd80b223de8658617ee upstream.

In commit b0de59b5733d ("TTY: do not update atime/mtime on read/write")
we removed timestamps from tty inodes to fix a security issue and waited
to see if something breaks.  Well, 'w', the utility to find out logged users
and their inactivity time broke.  It shows that users are inactive since
the time they logged in.

To revert to the old behaviour while still preventing attackers from
guessing the password length, we update the timestamps in one-minute
intervals by this patch.

Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>TTY: do not update atime/mtime on read/write</title>
<updated>2013-05-01T15:56:35+00:00</updated>
<author>
<name>Jiri Slaby</name>
<email>jslaby@suse.cz</email>
</author>
<published>2013-02-15T14:25:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=6dd4ef3051173062350a4c53a2c4212d3f052e0c'/>
<id>urn:sha1:6dd4ef3051173062350a4c53a2c4212d3f052e0c</id>
<content type='text'>
commit b0de59b5733d18b0d1974a060860a8b5c1b36a2e upstream.

On http://vladz.devzero.fr/013_ptmx-timing.php, we can see how to find
out length of a password using timestamps of /dev/ptmx. It is
documented in "Timing Analysis of Keystrokes and Timing Attacks on
SSH". To avoid that problem, do not update time when reading
from/writing to a TTY.

I am afraid of regressions as this is a behavior we have since 0.97
and apps may expect the time to be current, e.g. for monitoring
whether there was a change on the TTY. Now, there is no change. So
this would better have a lot of testing before it goes upstream.

References: CVE-2013-0160

Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>TTY: make tty_add_file non-failing</title>
<updated>2011-11-11T17:35:12+00:00</updated>
<author>
<name>Jiri Slaby</name>
<email>jslaby@suse.cz</email>
</author>
<published>2011-10-12T09:32:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=0c1f111ae7fcea822fd1c078ef48e88d93afc57a'/>
<id>urn:sha1:0c1f111ae7fcea822fd1c078ef48e88d93afc57a</id>
<content type='text'>
commit fa90e1c935472281de314e6d7c9a37db9cbc2e4e upstream.

If tty_add_file fails at the point it is now, we have to revert all
the changes we did to the tty. It means either decrease all refcounts
if this was a tty reopen or delete the tty if it was newly allocated.

There was a try to fix this in v3.0-rc2 using tty_release in 0259894c7
(TTY: fix fail path in tty_open). But instead it introduced a NULL
dereference. It's because tty_release dereferences
filp-&gt;private_data, but that one is set even in our tty_add_file. And
when tty_add_file fails, it's still NULL/garbage. Hence tty_release
cannot be called there.

To circumvent the original leak (and the current NULL deref) we split
tty_add_file into two functions, making the latter non-failing. In
that case we may do the former early in open, where handling failures
is easy. The latter stays as it is now. So there is no change in
functionality.

The original bug (leak) was introduced by f573bd176 (tty: Remove
__GFP_NOFAIL from tty_add_file()). Thanks Dan for reporting this.

Later, we may split tty_release into more functions and call only some
of them in this fail path instead. (If at all possible.)

Introduced-in: v2.6.37-rc2
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
Reported-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Cc: Alan Cox &lt;alan@lxorguk.ukuu.org.uk&gt;
Cc: Pekka Enberg &lt;penberg@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>TTY: drop driver reference in tty_open fail path</title>
<updated>2011-11-11T17:35:12+00:00</updated>
<author>
<name>Jiri Slaby</name>
<email>jslaby@suse.cz</email>
</author>
<published>2011-10-12T09:32:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=36174dd629350d0654982977d7795ca28475c16f'/>
<id>urn:sha1:36174dd629350d0654982977d7795ca28475c16f</id>
<content type='text'>
commit c290f8358acaeffd8e0c551ddcc24d1206143376 upstream.

When tty_driver_lookup_tty fails in tty_open, we forget to drop a
reference to the tty driver. This was added by commit 4a2b5fddd5 (Move
tty lookup/reopen to caller).

Fix that by adding tty_driver_kref_put to the fail path.

I will refactor the code later. This is for the ease of backporting to
stable.

Introduced-in: v2.6.28-rc2
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
Cc: Alan Cox &lt;alan@lxorguk.ukuu.org.uk&gt;
Acked-by: Sukadev Bhattiprolu &lt;sukadev@linux.vnet.ibm.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>TTY: pty, fix pty counting</title>
<updated>2011-10-03T18:39:49+00:00</updated>
<author>
<name>Jiri Slaby</name>
<email>jslaby@suse.cz</email>
</author>
<published>2011-08-10T12:59:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=a38df1a01320298198c7cb2e3e8a61fc54459d6a'/>
<id>urn:sha1:a38df1a01320298198c7cb2e3e8a61fc54459d6a</id>
<content type='text'>
commit 24d406a6bf736f7aebdc8fa0f0ec86e0890c6d24 upstream.

tty_operations-&gt;remove is normally called like:
queue_release_one_tty
 -&gt;tty_shutdown
   -&gt;tty_driver_remove_tty
     -&gt;tty_operations-&gt;remove

However tty_shutdown() is called from queue_release_one_tty() only if
tty_operations-&gt;shutdown is NULL. But for pty, it is not.
pty_unix98_shutdown() is used there as -&gt;shutdown.

So tty_operations-&gt;remove of pty (i.e. pty_unix98_remove()) is never
called. This results in invalid pty_count. I.e. what can be seen in
/proc/sys/kernel/pty/nr.

I see this was already reported at:
  https://lkml.org/lkml/2009/11/5/370
But it was not fixed since then.

This patch is kind of a hackish way. The problem lies in -&gt;install. We
allocate there another tty (so-called tty-&gt;link). So -&gt;install is
called once, but -&gt;remove twice, for both tty and tty-&gt;link. The fix
here is to count both tty and tty-&gt;link and divide the count by 2 for
user.

And to have -&gt;remove called, let's make tty_driver_remove_tty() global
and call that from pty_unix98_shutdown() (tty_operations-&gt;shutdown).

While at it, let's document that when -&gt;shutdown is defined,
tty_shutdown() is not called.

Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
Cc: Alan Cox &lt;alan@linux.intel.com&gt;
Cc: "H. Peter Anvin" &lt;hpa@zytor.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>TTY: tty_io, annotate locking functions</title>
<updated>2011-04-25T21:19:12+00:00</updated>
<author>
<name>Jiri Slaby</name>
<email>jslaby@suse.cz</email>
</author>
<published>2011-04-20T08:43:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=83c67571b372c4a40023a84e183fdb7fa4e89e48'/>
<id>urn:sha1:83c67571b372c4a40023a84e183fdb7fa4e89e48</id>
<content type='text'>
tty_write_lock and tty_write_unlock contain imbalanced locking. But
this is intentional, so mark them appropriately by
__acquires/__releases.

Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
</content>
</entry>
<entry>
<title>tty: remove invalid location line in file header</title>
<updated>2011-04-19T23:33:36+00:00</updated>
<author>
<name>Jovi Zhang</name>
<email>bookjovi@gmail.com</email>
</author>
<published>2011-03-30T09:30:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=99edb3d10a9d384d69557bd09cc39b9ec62aa04e'/>
<id>urn:sha1:99edb3d10a9d384d69557bd09cc39b9ec62aa04e</id>
<content type='text'>
remove invalid location line in each file header after location
moved from driver/char to driver/tty

Signed-off-by: Jovi Zhang &lt;bookjovi@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
</content>
</entry>
<entry>
<title>TTY: fix fail path in tty_open</title>
<updated>2011-04-19T21:43:01+00:00</updated>
<author>
<name>Jiri Slaby</name>
<email>jslaby@suse.cz</email>
</author>
<published>2011-03-23T09:48:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=0259894c732837c801565d038eaecdcf8fc5bbe7'/>
<id>urn:sha1:0259894c732837c801565d038eaecdcf8fc5bbe7</id>
<content type='text'>
When tty_add_file fails we omit to clean up. Fix that by calling
tty_release appropriately.

Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
Cc: Alan Cox &lt;alan@lxorguk.ukuu.org.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
</content>
</entry>
<entry>
<title>TTY: plug in deinitialize_tty_struct</title>
<updated>2011-04-19T21:43:01+00:00</updated>
<author>
<name>Jiri Slaby</name>
<email>jslaby@suse.cz</email>
</author>
<published>2011-03-23T09:48:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=a9dccddb60913056bcadaeeacfe0395447fd2472'/>
<id>urn:sha1:a9dccddb60913056bcadaeeacfe0395447fd2472</id>
<content type='text'>
Used the newly introduced deinitialize_tty_struct to properly shut
down ldisc.

It is intended to fix the problem reported by Julian. He reports that
kmemleak checker warns about memory leak:
unreferenced object 0xc0e19860 (size 8):
comm cat, pid 1226, jiffies 4294919464 (age 287.476s)
hex dump (first 8 bytes):
44 de 2d c1 01 00 00 00 D.-.....
backtrace:
[&lt;c1065a74&gt;] create_object+0x109/0x1ad
[&lt;c1063d2b&gt;] kmem_cache_alloc+0x60/0x68
[&lt;c113505c&gt;] tty_ldisc_get+0x54/0x76
[&lt;c11358c9&gt;] tty_ldisc_init+0xa/0x20
[&lt;c1130ab4&gt;] initialize_tty_struct+0x2d/0x1ac
[&lt;c1130c8c&gt;] tty_init_dev+0x59/0x10d
[&lt;c113136d&gt;] tty_open+0x24a/0x3a2
...

Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
Cc: Alan Cox &lt;alan@lxorguk.ukuu.org.uk&gt;
Reported-by: Julian Anastasov &lt;ja@ssi.bg&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
</content>
</entry>
</feed>
