linux-kernel.vger.kernel.org archive mirror
* [PATCH] devpts: fix null pointer dereference on failed memory allocation
@ 2016-06-20 14:40 Colin King
  2016-06-26 18:29 ` Greg Kroah-Hartman
  0 siblings, 1 reply; 3+ messages in thread
From: Colin King @ 2016-06-20 14:40 UTC (permalink / raw)
  To: Greg Kroah-Hartman, Jiri Slaby; +Cc: linux-kernel

From: Colin Ian King <colin.king@canonical.com>

An ENOMEM when creating a pair tty in tty_ldisc_setup causes a null
pointer dereference in devpts_kill_index because tty->link->driver_data
is NULL.  The oops was triggered with the pty stressor in stress-ng when
in a low memory condition.

tty_init_dev tries to clean up a tty_ldisc_setup ENOMEM error by calling
release_tty; however, this ultimately tries to clean up the NULL paired
tty in pty_unix98_remove, triggering the Oops.

Add a check to pty_unix98_remove to only clean up fsi if it is not NULL.

Oops:

[   23.020961] Oops: 0000 [#1] SMP
[   23.020976] Modules linked in: ppdev snd_hda_codec_generic snd_hda_intel snd_hda_codec parport_pc snd_hda_core snd_hwdep parport snd_pcm input_leds joydev snd_timer serio_raw snd soundcore i2c_piix4 mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel qxl aes_x86_64 ttm lrw gf128mul glue_helper ablk_helper drm_kms_helper cryptd syscopyarea sysfillrect psmouse sysimgblt floppy fb_sys_fops drm pata_acpi jitterentropy_rng drbg ansi_cprng
[   23.020978] CPU: 0 PID: 1452 Comm: stress-ng-pty Not tainted 4.7.0-rc4+ #2
[   23.020978] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[   23.020979] task: ffff88007ba30000 ti: ffff880078ea8000 task.ti: ffff880078ea8000
[   23.020981] RIP: 0010:[<ffffffff813f11ff>]  [<ffffffff813f11ff>] ida_remove+0x1f/0x120
[   23.020981] RSP: 0018:ffff880078eabb60  EFLAGS: 00010a03
[   23.020982] RAX: 4444444444444567 RBX: 0000000000000000 RCX: 000000000000001f
[   23.020982] RDX: 000000000000014c RSI: 000000000000026f RDI: 0000000000000000
[   23.020982] RBP: ffff880078eabb70 R08: 0000000000000004 R09: 0000000000000036
[   23.020983] R10: 000000000000026f R11: 0000000000000000 R12: 000000000000026f
[   23.020983] R13: 000000000000026f R14: ffff88007c944b40 R15: 000000000000026f
[   23.020984] FS:  00007f9a2f3cc700(0000) GS:ffff88007fc00000(0000) knlGS:0000000000000000
[   23.020984] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   23.020985] CR2: 0000000000000010 CR3: 000000006c81b000 CR4: 00000000001406f0
[   23.020988] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   23.020988] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   23.020988] Stack:
[   23.020989]  0000000000000000 000000000000026f ffff880078eabb90 ffffffff812a5a99
[   23.020990]  0000000000000000 00000000fffffff4 ffff880078eabba8 ffffffff814f9cbe
[   23.020991]  ffff88007965c800 ffff880078eabbc8 ffffffff814eef43 fffffffffffffff4
[   23.020991] Call Trace:
[   23.021000]  [<ffffffff812a5a99>] devpts_kill_index+0x29/0x50
[   23.021002]  [<ffffffff814f9cbe>] pty_unix98_remove+0x2e/0x50
[   23.021006]  [<ffffffff814eef43>] release_tty+0xb3/0x1b0
[   23.021007]  [<ffffffff814f18d4>] tty_init_dev+0xd4/0x1c0
[   23.021011]  [<ffffffff814f9fae>] ptmx_open+0xae/0x190
[   23.021013]  [<ffffffff812254ef>] chrdev_open+0xbf/0x1b0
[   23.021015]  [<ffffffff8121d973>] do_dentry_open+0x203/0x310
[   23.021016]  [<ffffffff81225430>] ? cdev_put+0x30/0x30
[   23.021017]  [<ffffffff8121ee44>] vfs_open+0x54/0x80
[   23.021018]  [<ffffffff8122b8fc>] ? may_open+0x8c/0x100
[   23.021019]  [<ffffffff8122f26b>] path_openat+0x2eb/0x1440
[   23.021020]  [<ffffffff81230534>] ? putname+0x54/0x60
[   23.021022]  [<ffffffff814f6f97>] ? n_tty_ioctl_helper+0x27/0x100
[   23.021023]  [<ffffffff81231651>] do_filp_open+0x91/0x100
[   23.021024]  [<ffffffff81230596>] ? getname_flags+0x56/0x1f0
[   23.021026]  [<ffffffff8123fc66>] ? __alloc_fd+0x46/0x190
[   23.021027]  [<ffffffff8121f1e4>] do_sys_open+0x124/0x210
[   23.021028]  [<ffffffff8121f2ee>] SyS_open+0x1e/0x20
[   23.021035]  [<ffffffff81845576>] entry_SYSCALL_64_fastpath+0x1e/0xa8
[   23.021044] Code: 63 28 45 31 e4 eb dd 0f 1f 44 00 00 55 4c 63 d6 48 ba 89 88 88 88 88 88 88 88 4c 89 d0 b9 1f 00 00 00 48 f7 e2 48 89 e5 41 54 53 <8b> 47 10 48 89 fb 8d 3c c5 00 00 00 00 48 c1 ea 09 b8 01 00 00
[   23.021045] RIP  [<ffffffff813f11ff>] ida_remove+0x1f/0x120
[   23.021045]  RSP <ffff880078eabb60>
[   23.021046] CR2: 0000000000000010

Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
 drivers/tty/pty.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c
index f856c45..51e0d32 100644
--- a/drivers/tty/pty.c
+++ b/drivers/tty/pty.c
@@ -667,8 +667,11 @@ static void pty_unix98_remove(struct tty_driver *driver, struct tty_struct *tty)
 		fsi = tty->driver_data;
 	else
 		fsi = tty->link->driver_data;
-	devpts_kill_index(fsi, tty->index);
-	devpts_release(fsi);
+
+	if (fsi) {
+		devpts_kill_index(fsi, tty->index);
+		devpts_release(fsi);
+	}
 }
 
 static const struct tty_operations ptm_unix98_ops = {
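Review bot: the new `if (fsi)` guard carries no explanation of why fsi can be NULL here; add a one-line comment above it saying that release_tty, called from tty_init_dev's error path, reaches this function before driver_data has been attached (the tty_ldisc_setup ENOMEM case from the commit message), so a later cleanup does not strip it as a redundant check. Since both devpts_kill_index and devpts_release are skipped in that case, the commit message should also state who then releases the index allocated for the pair, and a Cc: stable tag is warranted because the oops is reachable from ptmx_open under memory pressure.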
-- 
2.8.1
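As an added illustration of the failure path the commit message describes (this is example code, not code from the patch or the kernel), the following user-space model builds a pty pair, fails line-discipline setup, and runs teardown against the half-built pair; the names pts_fs, tty, kill_index, lookup_fsi, pair_remove_unchecked, pair_remove_checked and open_pair are this example's own, and it assumes that on a failed open the caller frees the index it allocated.

```c
#include <stdbool.h>
#define NR_PTYS 8
/* Models the per-mount devpts state whose index table devpts_kill_index frees. */
struct pts_fs { bool in_use[NR_PTYS]; };
/* Only the fields of struct tty_struct that pty_unix98_remove reads. */
struct tty { struct pts_fs *driver_data; struct tty *link; int index; bool master; };
static void kill_index(struct pts_fs *fsi, int index) { fsi->in_use[index] = false; }
/* Lookup as in pty_unix98_remove: a slave reaches devpts state via its master. */
static struct pts_fs *lookup_fsi(const struct tty *t)
{
    return t->master ? t->driver_data : t->link->driver_data;
}
/* Before the patch: fsi is dereferenced unconditionally, which is safe only
 * after setup completed and driver_data was attached to the master. */
static void pair_remove_unchecked(struct tty *t)
{
    kill_index(lookup_fsi(t), t->index);     /* NULL fsi here is the oops */
}
/* After the patch: skip cleanup when fsi was never attached. Returns 1 if freed. */
static int pair_remove_checked(struct tty *t)
{
    struct pts_fs *fsi = lookup_fsi(t);
    if (!fsi)
        return 0;
    kill_index(fsi, t->index);
    return 1;
}
/* Models ptmx_open/tty_init_dev: take the index, build the pair, attach
 * driver_data to the master only once setup succeeds. With ldisc_enomem set,
 * setup fails and teardown runs on the half-built pair. Returns halves freed. */
static int open_pair(struct pts_fs *fsi, int index, bool ldisc_enomem)
{
    struct tty m = { .index = index, .master = true };
    struct tty s = { .index = index, .master = false };
    m.link = &s;
    s.link = &m;
    fsi->in_use[index] = true;
    if (ldisc_enomem) {
        /* pair_remove_unchecked(&s) would fault: s.link->driver_data is NULL */
        int freed = pair_remove_checked(&s) + pair_remove_checked(&m);
        kill_index(fsi, index);   /* the open's own error path frees the index (assumed) */
        return freed;
    }
    m.driver_data = fsi;
    pair_remove_unchecked(&s);    /* normal close: both lookups find fsi */
    pair_remove_unchecked(&m);
    return 2;
}
```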


* Re: [PATCH] devpts: fix null pointer dereference on failed memory allocation
  2016-06-20 14:40 [PATCH] devpts: fix null pointer dereference on failed memory allocation Colin King
@ 2016-06-26 18:29 ` Greg Kroah-Hartman
  2016-06-27 12:19   ` Colin Ian King
  0 siblings, 1 reply; 3+ messages in thread
From: Greg Kroah-Hartman @ 2016-06-26 18:29 UTC (permalink / raw)
  To: Colin King; +Cc: Jiri Slaby, linux-kernel

On Mon, Jun 20, 2016 at 03:40:27PM +0100, Colin King wrote:

Any reason this shouldn't also go to the stable kernels?

thanks,

greg k-h


* Re: [PATCH] devpts: fix null pointer dereference on failed memory allocation
  2016-06-26 18:29 ` Greg Kroah-Hartman
@ 2016-06-27 12:19   ` Colin Ian King
  0 siblings, 0 replies; 3+ messages in thread
From: Colin Ian King @ 2016-06-27 12:19 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: Jiri Slaby, linux-kernel

On 26/06/16 19:29, Greg Kroah-Hartman wrote:
> On Mon, Jun 20, 2016 at 03:40:27PM +0100, Colin King wrote:
> 
> Any reason this shouldn't also go to the stable kernels?

For 4.6 stable, it won't apply because 4.6 is missing upstream fix
eedf265aa003b4781de24cfed40a655a664457e6 ("devpts: Make each mount of
devpts an independent filesystem.").

Pre-4.6 I believe it won't apply because of commit
0f40fbbcc34e093255a2b2d70b6b0fb48c3f39aa ("Fix OpenSSH pty regression on
close").

When I get some free cycles this week I'll sort out a stable fix.

> 
> thanks,
> 
> greg k-h
> 

