Date:	Wed, 19 Dec 2012 15:27:58 -0500
From:	Peter Hurley <peter@...leysoftware.com>
To:	Ilya Zykov <ilya@...x.ru>
Cc:	Sasha Levin <levinsasha928@...il.com>,
	Alan Cox <alan@...ux.intel.com>, Jiri Slaby <jslaby@...e.cz>,
	linux-serial@...r.kernel.org,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 00/11] tty: Fix buffer work access-after-free

On Wed, 2012-12-19 at 00:44 +0400, Ilya Zykov wrote:
> Stress test for tty. :)
> You can use this program to debug new tty changes.
> Use with caution.

Thanks a lot for writing this. I was really struggling to come up with a
test that would exercise the code races in tty properly. I'm going to test
this tonight and tomorrow (During the interlull, I've been doing the
yearly refresh of my desktop with mixed results :).

> In any case (with/without Peter's patches) I have BUG():
> 
> BUG: unable to handle kernel NULL pointer dereference at 000000000000004c
> IP: [<ffffffff81116650>] devpts_pty_kill+0x17/0x81
> PGD 48696067 PUD a79c5067 PMD 0 
> Oops: 0000 [#1] SMP 
> Pid: 7877, comm: a.out Tainted: P           O 3.7.0-next-20121214-tty.1+ #9 System manufacturer P5K Premium/P5K Premium
> RIP: 0010:[<ffffffff81116650>]  [<ffffffff81116650>] devpts_pty_kill+0x17/0x81
> RSP: 0018:ffff8800484a3aa8  EFLAGS: 00010292
> RAX: ffff88012f0385a0 RBX: 0000000000000000 RCX: 0000000000000000
> RDX: 0000000000000000 RSI: 0000000000000282 RDI: 0000000000000000
> RBP: ffff8800484a3ac8 R08: 0000000000000000 R09: ffff880046f26d40
> R10: ffffffff81426ec8 R11: 0000000000000246 R12: ffff8800486a6c00
> R13: ffff8800484c7180 R14: ffff880046ec4890 R15: 00000000fffffffb
> FS:  00007f9a64345700(0000) GS:ffff88012fd00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> CR2: 000000000000004c CR3: 00000000a7a01000 CR4: 00000000000407e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> Process a.out (pid: 7877, threadinfo ffff8800484a2000, task ffff88007576d220)
> Stack:
>  ffff880000000001 ffff88004854a400 ffff8800486a6c00 ffff8800484c7180
>  ffff8800484a3ae8 ffffffff811e0c1b ffff8800484c7180 ffff88004854a400
>  ffff8800484a3bd8 ffffffff811d83aa ffff880046f26d78 0000000000000009
> Call Trace:
>  [<ffffffff811e0c1b>] pty_close+0x123/0x14f
>  [<ffffffff811d83aa>] tty_release+0x17a/0x53d
>  [<ffffffff812e7442>] ? __mutex_unlock_slowpath+0x15/0x39
>  [<ffffffff811e1003>] ptmx_open+0x12c/0x161
>  [<ffffffff810c6d4b>] chrdev_open+0x12a/0x14b
>  [<ffffffff810c6c21>] ? cdev_put+0x23/0x23
>  [<ffffffff810c27a9>] do_dentry_open+0x170/0x217
>  [<ffffffff810c2933>] finish_open+0x34/0x40
>  [<ffffffff810ce069>] do_last+0x8c4/0xa72
>  [<ffffffff810ce2ed>] ? path_init+0xd6/0x2fe
>  [<ffffffff810ceaf4>] path_openat+0xcb/0x363
>  [<ffffffff81051033>] ? __dequeue_entity+0x2e/0x33
>  [<ffffffff810cee91>] do_filp_open+0x38/0x84
>  [<ffffffff810d9846>] ? __alloc_fd+0x51/0x110
>  [<ffffffff810c24ed>] do_sys_open+0x6d/0xff
>  [<ffffffff810c25ac>] sys_open+0x1c/0x1e
>  [<ffffffff812ee652>] system_call_fastpath+0x16/0x1b
> Code: 08 02 00 00 48 89 c7 e8 6c f3 fb ff 5b 4c 89 e0 41 5c c9 c3 55 48 89 e5 41 55 41 54 53 48 89 fb 48 83 ec 08 48 8b 05 80 43 71 00 <81> 7f 4c 02 00 50 00 48 8b 40 08 4c 8b 60 60 75 04 0f 0b eb fe 
> RIP  [<ffffffff81116650>] devpts_pty_kill+0x17/0x81
>  RSP <ffff8800484a3aa8>
> CR2: 000000000000004c

[...]

> With Peter's patches I have WARN():

Yep. Sasha found this Saturday. It's a false positive that I need to
correct for this code path explicitly.

> WARNING: at drivers/tty/n_tty.c:160 n_tty_set_room+0xe7/0xf8()
> Hardware name: P5K Premium
> scheduling buffer work for halted ldisc
> Pid: 3127, comm: a.out Tainted: P        W  O 3.7.0-next-20121214-tty.1+ #9
> Call Trace:
>  [<ffffffff8102ce58>] warn_slowpath_common+0x80/0x98
>  [<ffffffff8102cf04>] warn_slowpath_fmt+0x41/0x43
>  [<ffffffff811dae01>] n_tty_set_room+0xe7/0xf8
>  [<ffffffff811db2cf>] reset_buffer_flags+0xad/0xb6
>  [<ffffffff811dd01b>] n_tty_open+0xca/0x11f
>  [<ffffffff811de4c9>] tty_ldisc_open+0x4e/0x5f
>  [<ffffffff811ded14>] tty_ldisc_hangup+0x1f5/0x292
>  [<ffffffff810d0289>] ? fasync_helper+0x22/0x6c
>  [<ffffffff811d7a03>] __tty_hangup+0x102/0x30e
>  [<ffffffff810d52ad>] ? d_delete+0x12d/0x136
>  [<ffffffff811d7c2a>] tty_vhangup+0x9/0xb
>  [<ffffffff811e0c3b>] pty_close+0x143/0x14f
>  [<ffffffff811d83aa>] tty_release+0x17a/0x53d
>  [<ffffffff8104b9f7>] ? __wake_up+0x3f/0x48
>  [<ffffffff810efb55>] ? fsnotify+0x21d/0x244
>  [<ffffffff810c4bc5>] __fput+0xf9/0x1bd
>  [<ffffffff810c4ccf>] ____fput+0x9/0xb
>  [<ffffffff81041cd4>] task_work_run+0x80/0x98
>  [<ffffffff810025bd>] do_notify_resume+0x58/0x69
>  [<ffffffff812ee8da>] int_signal+0x12/0x17
> 
> 
> ---
> /*
>  *  stress_test_tty.c
>  *
>  *  Created on: Dec, 2012
>  *  Copyright (C) 2012  Ilya Zykov
>  *
>  *  This program is free software: you can redistribute it and/or modify
>  *  it under the terms of the GNU General Public License as published by
>  *  the Free Software Foundation, either version 2 of the License, or
>  *  (at your option) any later version.
>  *
>  *  This program is distributed in the hope that it will be useful,
>  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
>  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
>  *  GNU General Public License for more details.
>  *
>  *  You should have received a copy of the GNU General Public License
>  *  along with this program.  If not, see <http://www.gnu.org/licenses/>.
>  */

Thanks for GPL'ing this test. It will make things much easier to test
and comment on.

Happy Holidays,
Peter Hurley


