[packages/kernel] - add 'n_tty: Fix buffer overruns with larger-than-4k pastes' upstream fix
arekm
arekm at pld-linux.org
Tue Jan 21 15:26:13 CET 2014
commit bf059aeb508c9dc8113b8b2069409e6125f6951b
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date: Tue Jan 21 15:24:49 2014 +0100
- add 'n_tty: Fix buffer overruns with larger-than-4k pastes' upstream fix
kernel-small_fixes.patch | 113 +++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 113 insertions(+)
---
diff --git a/kernel-small_fixes.patch b/kernel-small_fixes.patch
index 2b0f82d..2d92e0b 100644
--- a/kernel-small_fixes.patch
+++ b/kernel-small_fixes.patch
@@ -70,3 +70,116 @@ index 3b1ea34..eaa808e 100644
/* Ask for all the pages supported by this device */
result = scsi_vpd_inquiry(sdev, buf, 0, buf_len);
if (result)
+commit 4d0ed18277cc6f07513ee0b04475f19cd69e75ef
+Author: Peter Hurley <peter at hurleysoftware.com>
+Date: Tue Dec 10 17:12:02 2013 -0500
+
+ n_tty: Fix buffer overruns with larger-than-4k pastes
+
+ readline() inadvertently triggers an error recovery path when
+ pastes larger than 4k overrun the line discipline buffer. The
+ error recovery path discards input when the line discipline buffer
+ is full and operating in canonical mode and no newline has been
+ received. Because readline() changes the termios to non-canonical
+ mode to read the line char-by-char, the line discipline buffer
+ can become full, and then when readline() restores termios back
+ to canonical mode for the caller, the now-full line discipline
+ buffer triggers the error recovery.
+
+ When changing termios from non-canon to canon mode and the read
+ buffer contains data, simulate an EOF push _without_ the
+ DISABLED_CHAR in the read buffer.
+
+ Importantly for the readline() problem, the termios can be
+ changed back to non-canonical mode without changes to the read
+ buffer occurring; ie., as if the previous termios change had not
+ happened (as long as no intervening read took place).
+
+ Preserve existing userspace behavior which allows '\0's already
+ received in non-canon mode to be read as '\0's in canon mode
+ (rather than trigger add'l EOF pushes or an actual EOF).
+
+ Patch based on original proposal and discussion here
+ https://bugzilla.kernel.org/show_bug.cgi?id=55991
+ by Stas Sergeev <stsp at users.sourceforge.net>
+
+ Reported-by: Margarita Manterola <margamanterola at gmail.com>
+ Cc: Maximiliano Curia <maxy at gnuservers.com.ar>
+ Cc: Pavel Machek <pavel at ucw.cz>
+ Cc: Arkadiusz Miskiewicz <a.miskiewicz at gmail.com>
+ Acked-by: Stas Sergeev <stsp at users.sourceforge.net>
+ Signed-off-by: Peter Hurley <peter at hurleysoftware.com>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+
+diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
+index fdc2ecd..961e6a9 100644
+--- a/drivers/tty/n_tty.c
++++ b/drivers/tty/n_tty.c
+@@ -104,6 +104,7 @@ struct n_tty_data {
+
+ /* must hold exclusive termios_rwsem to reset these */
+ unsigned char lnext:1, erasing:1, raw:1, real_raw:1, icanon:1;
++ unsigned char push:1;
+
+ /* shared by producer and consumer */
+ char read_buf[N_TTY_BUF_SIZE];
+@@ -341,6 +342,7 @@ static void reset_buffer_flags(struct n_tty_data *ldata)
+
+ ldata->erasing = 0;
+ bitmap_zero(ldata->read_flags, N_TTY_BUF_SIZE);
++ ldata->push = 0;
+ }
+
+ static void n_tty_packet_mode_flush(struct tty_struct *tty)
+@@ -1745,7 +1747,16 @@ static void n_tty_set_termios(struct tty_struct *tty, struct ktermios *old)
+
+ if (!old || (old->c_lflag ^ tty->termios.c_lflag) & ICANON) {
+ bitmap_zero(ldata->read_flags, N_TTY_BUF_SIZE);
+- ldata->line_start = ldata->canon_head = ldata->read_tail;
++ ldata->line_start = ldata->read_tail;
++ if (!L_ICANON(tty) || !read_cnt(ldata)) {
++ ldata->canon_head = ldata->read_tail;
++ ldata->push = 0;
++ } else {
++ set_bit((ldata->read_head - 1) & (N_TTY_BUF_SIZE - 1),
++ ldata->read_flags);
++ ldata->canon_head = ldata->read_head;
++ ldata->push = 1;
++ }
+ ldata->erasing = 0;
+ ldata->lnext = 0;
+ }
+@@ -1951,6 +1962,12 @@ static int copy_from_read_buf(struct tty_struct *tty,
+ * it copies one line of input up to and including the line-delimiting
+ * character into the user-space buffer.
+ *
++ * NB: When termios is changed from non-canonical to canonical mode and
++ * the read buffer contains data, n_tty_set_termios() simulates an EOF
++ * push (as if C-d were input) _without_ the DISABLED_CHAR in the buffer.
++ * This causes data already processed as input to be immediately available
++ * as input although a newline has not been received.
++ *
+ * Called under the atomic_read_lock mutex
+ *
+ * n_tty_read()/consumer path:
+@@ -1997,7 +2014,7 @@ static int canon_copy_from_read_buf(struct tty_struct *tty,
+ n += found;
+ c = n;
+
+- if (found && read_buf(ldata, eol) == __DISABLED_CHAR) {
++ if (found && !ldata->push && read_buf(ldata, eol) == __DISABLED_CHAR) {
+ n--;
+ eof_push = !n && ldata->read_tail != ldata->line_start;
+ }
+@@ -2024,7 +2041,10 @@ static int canon_copy_from_read_buf(struct tty_struct *tty,
+ ldata->read_tail += c;
+
+ if (found) {
+- ldata->line_start = ldata->read_tail;
++ if (!ldata->push)
++ ldata->line_start = ldata->read_tail;
++ else
++ ldata->push = 0;
+ tty_audit_push(tty);
+ }
+ return eof_push ? -EAGAIN : 0;
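Review bot: The new `push:1` bitfield is added directly under the comment "must hold exclusive termios_rwsem to reset these", but the same patch also clears it on the consumer path in canon_copy_from_read_buf (`ldata->push = 0;` in the final hunk), which the nearby comment documents as "Called under the atomic_read_lock mutex" rather than the exclusive rwsem; unless the read path also takes termios_rwsem exclusively, which this hunk does not show, the field's placement under that locking comment is misleading. I would document the flag on its own line, e.g. `unsigned char push:1; /* set by n_tty_set_termios() on non-canon->canon with pending data; cleared by the consumer once the pushed line is read */`, or move it out from under the exclusive-rwsem group. The EOL bit is set on `read_head - 1` while `read_cnt(ldata)` is consulted; this is presumably safe because set_termios holds termios_rwsem exclusively against the producer, but that is not visible here and is worth a comment next to the `set_bit()`. Both n_tty_set_termios() and canon_copy_from_read_buf() begin and end outside the hunk. Note that the reviewed file is itself a patch collection, so these points concern the nested n_tty.c change it carries.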