• Peter Hurley's avatar
    tty: Fix unsafe ldisc reference via ioctl(TIOCGETD) · f8b1cc04
    Peter Hurley authored
    commit 5c17c861 upstream.
    
    ioctl(TIOCGETD) retrieves the line discipline id directly from the
    ldisc because the line discipline id (c_line) in termios is untrustworthy;
    userspace may have set termios via ioctl(TCSETS*) without actually
    changing the line discipline via ioctl(TIOCSETD).
    
    However, directly accessing the current ldisc via tty->ldisc is
    unsafe; the ldisc ptr dereferenced may be stale if the line discipline
    is changing via ioctl(TIOCSETD) or hangup.
    
    Wait for the line discipline reference (just like read() or write())
    to retrieve the "current" line discipline id.
    Signed-off-by: default avatarPeter Hurley <peter@hurleysoftware.com>
    [bwh: Backported to 2.6.32: adjust filename]
    Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
    Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
    f8b1cc04
tty_io.c 78.7 KB