    TTY: n_tty, do not dereference user buffer · 3fa10cc8
    Jiri Slaby authored
    copy_from_read_buf currently copies data to a user buffer and then
    checks if the data is single EOF. But it checks it by accessing the
    user buffer. First, the buffer may be changed by other threads of the
    user program already. Second, it accesses the buffer without any
    checks. It might be write-only for example.
    
    Fix this by inspecting contents of the tty (kernel) buffer instead.
    Note that "n == 1" is necessary, but not sufficient. But we check
    later that there is nothing left by "!tty->read_cnt" condition.
    
    There is still an issue with the current code that EOF being wrapped
    to the start of the circular buffer will result in an inappropriate
    losing of the EOF character. But this is not intended to be fixed by
    this patch.
    
    Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    Reported-by: Emil Goode <emilgoode@gmail.com>
    Cc: Howard Chu <hyc@symas.com>
    Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
n_tty.c 51.9 KB
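Added example, not part of the commit or of the kernel source: a userspace model of the check the commit message describes, showing why the single-EOF decision has to be made on the kernel-side buffer. The names `ring`, `model_copy`, `racing_writer` and `run_case` are hypothetical, `memcpy` stands in for `copy_to_user`, and the model assumes a lone EOF that empties the buffer is reported as a zero-length read.

```c
#include <stddef.h>
#include <string.h>

#define BUF_SIZE 16          /* stand-in for the tty buffer size */
#define EOF_CH   0x04        /* constructed EOF character (Ctrl-D) */

struct ring {                /* hypothetical model of the tty read buffer */
    unsigned char buf[BUF_SIZE];
    size_t tail, cnt;
};

/* Models another thread of the program rewriting its own buffer. */
static void racing_writer(unsigned char *user) { user[0] = 'X'; }

/* Copy up to nr bytes of the contiguous run at the tail into "user" and
 * return the count reported to the caller. check_user != 0 selects the
 * old behaviour, which inspects the user copy instead of the ring. */
static size_t model_copy(struct ring *r, unsigned char *user, size_t nr,
                         int check_user, void (*race)(unsigned char *))
{
    size_t n = r->cnt;
    int is_eof;

    if (n > BUF_SIZE - r->tail) n = BUF_SIZE - r->tail;
    if (n > nr) n = nr;
    if (n == 0) return 0;

    memcpy(user, &r->buf[r->tail], n);   /* stands in for copy_to_user() */
    if (race) race(user);                /* user memory is now untrusted */
    if (check_user)
        is_eof = n == 1 && user[0] == EOF_CH;          /* before the fix */
    else
        is_eof = n == 1 && r->buf[r->tail] == EOF_CH;  /* after the fix */

    r->tail = (r->tail + n) % BUF_SIZE;
    r->cnt -= n;
    if (is_eof && r->cnt == 0)           /* the "!tty->read_cnt" condition */
        n = 0;
    return n;
}

/* Constructed scenario: the buffer holds exactly one EOF character. */
static size_t run_case(int check_user)
{
    struct ring r = { .buf = { EOF_CH }, .tail = 0, .cnt = 1 };
    unsigned char user[4] = { 0 };
    return model_copy(&r, user, sizeof user, check_user, racing_writer);
}
int main(void) { return run_case(0) == 0 && run_case(1) == 1 ? 0 : 1; }
```

With the racing writer in place, the user-buffer check misses the EOF and reports one byte, while the kernel-buffer check still reports the zero-length read.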