Message-ID: <CACT4Y+Y372h9-B5hV=DodUMXdAkdm30ydGJEK5Xp9rmq30QGoA@mail.gmail.com>
Date:	Thu, 30 Jun 2016 10:41:06 +0200
From:	Dmitry Vyukov <dvyukov@...gle.com>
To:	Peter Hurley <peter@...leysoftware.com>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Jiri Slaby <jslaby@...e.com>,
	LKML <linux-kernel@...r.kernel.org>
Subject: tty: GPF in n_tty_receive_buf_common

Hello,

I've got a GPF after booting the kernel and trying to ssh:

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
Modules linked in:
CPU: 0 PID: 462 Comm: kworker/u9:3 Not tainted 4.7.0-rc5+ #22
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: events_unbound flush_to_ldisc
task: ffff88003de997c0 ti: ffff88003da38000 task.ti: ffff88003da38000
RIP: 0010:[<ffffffff8311a0c5>]
  [<     inline     >] __read_once_size include/linux/compiler.h:222
  [<ffffffff8311a0c5>] n_tty_receive_buf_common+0xe5/0x24a0 drivers/tty/n_tty.c:1690
RSP: 0018:ffff88003da3fa50  EFLAGS: 00010202
RAX: 000000000000044c RBX: ffff880035c9b7b8 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffff880035c9bb60 RDI: 0000000000000286
RBP: ffff88003da3fb40 R08: ffffffff89c761d0 R09: 0000000000000000
R10: 0000000000000001 R11: ffffffff8a1a4360 R12: ffff8800360a0ab8
R13: 0000000000000000 R14: 0000000000000002 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff88003ec00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055c252926dd0 CR3: 0000000034ba2000 CR4: 00000000000006f0
Stack:
 ffff88003da3fa98 ffff880035c9b9f0 0000000000000000 ffff88003de9a000
 ffffffff86a91815 0000000000000001 0000000000002260 ffff8800360a3fb8
 ffff8800360a3fb0 ffff880035c9bd30 ffff8800360a0ab8 dffffc0000000000
Call Trace:
 [<ffffffff8311c4b3>] n_tty_receive_buf2+0x33/0x40 drivers/tty/n_tty.c:1746
 [<ffffffff831223b9>] tty_ldisc_receive_buf+0xa9/0x1b0 drivers/tty/tty_buffer.c:429
 [<     inline     >] receive_buf drivers/tty/tty_buffer.c:448
 [<ffffffff83123471>] flush_to_ldisc+0x291/0x360 drivers/tty/tty_buffer.c:507
 [<ffffffff813c4543>] process_one_work+0x793/0x1670 kernel/workqueue.c:2097
 [<ffffffff813c54fb>] worker_thread+0xdb/0xfc0 kernel/workqueue.c:2231
 [<ffffffff813d576f>] kthread+0x23f/0x2d0 drivers/block/aoe/aoecmd.c:1303
 [<ffffffff86a9b5cf>] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:389
Code: ff ff ff 48 05 b4 03 00 00 48 89 45 80 48 c1 e8 03 4c 01 f8 48 89 85 78 ff ff ff e8 d6 c8 47 fe 48 8b 85 40 ff ff ff 48 c1 e8 03 <42> 80 3c 38 00 0f 85 97 1d 00 00 48 8b 45 88 4c 8b b0 60 22 00
RIP  [<     inline     >] __read_once_size include/linux/compiler.h:222
RIP  [<ffffffff8311a0c5>] n_tty_receive_buf_common+0xe5/0x24a0 drivers/tty/n_tty.c:1690
 RSP <ffff88003da3fa50>
---[ end trace d0c27f5538dd1a3c ]---

I can reproduce it by doing ssh/exit several dozen times.

The crash happens in n_tty_receive_buf_common on this line:
size_t tail = smp_load_acquire(&ldata->read_tail);

This is with CONFIG_KASAN. Faulting address divided by 8 is RAX=44c.
So the access was done to address 8800. n_tty_data struct is large, so
it means that ldata == NULL.

On commit 00bf377d19ad3d80cbc7a036521279a86e397bfb (Jun 27).
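
The address arithmetic in the report above, as an added example that is not part of the original message or of the kernel source: it pulls RAX and R15 out of the register dump, rebuilds the KASAN shadow address the inline check touched, and recovers the address of the load that was about to happen. It assumes x86-64 with 48-bit virtual addresses and a shadow scale of 8 bytes per shadow byte; the helper names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KASAN_SHADOW_SCALE_SHIFT 3 /* assumed: 1 shadow byte per 8 bytes */

/* Register lines copied from the oops in the message above. */
static const char *oops =
    "RAX: 000000000000044c RBX: ffff880035c9b7b8 RCX: 0000000000000001\n"
    "R13: 0000000000000000 R14: 0000000000000002 R15: dffffc0000000000\n";

/* Find "NAME: <hex>" in a register dump; returns 0 on success, -1 if absent. */
static int oops_reg(const char *text, const char *name, uint64_t *out)
{
    char key[8];
    snprintf(key, sizeof(key), "%s: ", name);
    const char *p = strstr(text, key);
    if (!p)
        return -1;
    *out = strtoull(p + strlen(key), NULL, 16);
    return 0;
}

/* With 48-bit virtual addresses, bits 63..47 must be all 0 or all 1. */
static int is_canonical(uint64_t addr)
{
    uint64_t top = addr >> 47;
    return top == 0 || top == 0x1ffff;
}

/* The inline check reads the shadow byte at (addr >> 3) + offset before the
 * real load. From the shifted address and the shadow offset, report the
 * shadow address and return the address the kernel was about to read. */
static uint64_t kasan_original_addr(uint64_t shifted, uint64_t shadow_off,
                                    uint64_t *shadow_addr)
{
    *shadow_addr = shifted + shadow_off;
    return shifted << KASAN_SHADOW_SCALE_SHIFT;
}

int main(void)
{
    uint64_t rax, r15, shadow;
    if (oops_reg(oops, "RAX", &rax) || oops_reg(oops, "R15", &r15))
        return 1;
    uint64_t addr = kasan_original_addr(rax, r15, &shadow);
    printf("shadow 0x%llx canonical=%d\n", (unsigned long long)shadow, is_canonical(shadow));
    printf("load at 0x%llx (%llu)\n", (unsigned long long)addr, (unsigned long long)addr);
    return 0;
}
```

The shadow address is non-canonical, so the shadow read itself raises a general protection fault instead of a page fault, which is why the log labels the crash a GPF with a NULL-ptr deref hint.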
