Date:   Tue, 6 Jun 2017 09:01:39 +0200
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     文羊 <lastingyang@...il.com>
Cc:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Jiri Slaby <jslaby@...e.com>,
        LKML <linux-kernel@...r.kernel.org>,
        syzkaller <syzkaller@...glegroups.com>
Subject: Re: found "kernel panic: Couldn't open N_TTY ldisc for ptm0 --- error
 -12. " with syzkaller

On Tue, Jun 6, 2017 at 8:56 AM, 文羊 <lastingyang@...il.com> wrote:
>
> Hello all!
>
> I've got the following error report while fuzzing the kernel with syzkaller.
>
> On commit ba7b2387ad239a519041f2a2d35a1902bdd03dfb (v4.12-rc4).

Hi,

This is a known bug.
See:
https://groups.google.com/forum/#!msg/syzkaller/ty5IhaYWVp8/aTN_hZ8qBQAJ
and this (whole thread):
http://lists-archives.com/linux-kernel/28809064-tty-serial-driver-fixes-for-4-11-rc4.html


> Crashes:
> Description | Count | Last Time | Report
> kernel panic: Couldn't open N_TTY ldisc for ptm0 --- error -12. | 1 | Jun 06 2017 13:39:12 CST | has repro
> kernel panic: Couldn't open N_TTY ldisc for ptm1 --- error -12. | 3 | Jun 06 2017 14:37:30 CST | has repro
>
> ==========================================================================
>
> Syzkaller hit 'kernel panic: Couldn't open N_TTY ldisc for ptm0 --- error -12.' bug on commit .
>
> Kernel panic - not syncing: Couldn't open N_TTY ldisc for ptm0 --- error -12.
> CPU: 0 PID: 6160 Comm: syz-executor3 Not tainted 4.12.0-rc4+ #6
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
> Call Trace:
>  __dump_stack lib/dump_stack.c:16 [inline]
>  dump_stack+0xdc/0x155 lib/dump_stack.c:52
>  panic+0x165/0x327 kernel/panic.c:180
>  tty_ldisc_restore drivers/tty/tty_ldisc.c:523 [inline]
>  tty_set_ldisc+0x42e/0x480 drivers/tty/tty_ldisc.c:582
>  tiocsetd drivers/tty/tty_io.c:2166 [inline]
>  tty_ioctl+0x7ff/0x1020 drivers/tty/tty_io.c:2410
>  vfs_ioctl fs/ioctl.c:45 [inline]
>  do_vfs_ioctl+0x153/0xcc0 fs/ioctl.c:685
>  SYSC_ioctl fs/ioctl.c:700 [inline]
>  SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691
>  entry_SYSCALL_64_fastpath+0x1a/0xa5
> RIP: 0033:0x44fb79
> RSP: 002b:00007f86205dfb58 EFLAGS: 00000212 ORIG_RAX: 0000000000000010
> RAX: ffffffffffffffda RBX: 00000000007080a8 RCX: 000000000044fb79
> RDX: 000000002000cffc RSI: 0000000000005423 RDI: 0000000000000005
> RBP: 0000000000000450 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000212 R12: ffffffffffffffff
> R13: 0000000000000005 R14: 0000000000080000 R15: 0000000000000000
> Dumping ftrace buffer:
>    (ftrace buffer empty)
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
>
>
> Syzkaller reproducer:
> # {Threaded:true Collide:false Repeat:true Procs:4 Sandbox:setuid Repro:false}
> mmap(&(0x7f0000000000/0xe000)=nil, (0xe000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
> r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000002000-0xa)="2f6465762f70746d7800", 0x0, 0x0)
> ioctl$TIOCSSOFTCAR(r0, 0x541a, &(0x7f000000a000)=0x1)
> getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, &(0x7f000000b000-0xc)={0x0, 0x0, 0x0}, &(0x7f0000000000)=0xc)
> ioctl$TIOCSETD(r0, 0x5423, &(0x7f000000d000-0x4)=0x2)
>
> ==========================================================================
>
> Syzkaller hit 'kernel panic: Couldn't open N_TTY ldisc for ptm1 --- error -12.' bug on commit .
>
> Kernel panic - not syncing: Couldn't open N_TTY ldisc for ptm1 --- error -12.
> CPU: 3 PID: 15596 Comm: syz-executor2 Not tainted 4.12.0-rc4+ #6
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
> Call Trace:
>  __dump_stack lib/dump_stack.c:16 [inline]
>  dump_stack+0xdc/0x155 lib/dump_stack.c:52
>  panic+0x165/0x327 kernel/panic.c:180
>  tty_ldisc_restore drivers/tty/tty_ldisc.c:523 [inline]
>  tty_set_ldisc+0x42e/0x480 drivers/tty/tty_ldisc.c:582
>  tiocsetd drivers/tty/tty_io.c:2166 [inline]
>  tty_ioctl+0x7ff/0x1020 drivers/tty/tty_io.c:2410
>  vfs_ioctl fs/ioctl.c:45 [inline]
>  do_vfs_ioctl+0x153/0xcc0 fs/ioctl.c:685
>  SYSC_ioctl fs/ioctl.c:700 [inline]
>  SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691
>  entry_SYSCALL_64_fastpath+0x1a/0xa5
> RIP: 0033:0x44fb79
> RSP: 002b:00007fa8f34d3b58 EFLAGS: 00000212 ORIG_RAX: 0000000000000010
> RAX: ffffffffffffffda RBX: 00007fa8f34d4700 RCX: 000000000044fb79
> RDX: 000000002000cffc RSI: 0000000000005423 RDI: 0000000000000019
> RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000
> R13: 00007ffcdd5dd48f R14: 00007fa8f34d49c0 R15: 0000000000000000
> Dumping ftrace buffer:
>    (ftrace buffer empty)
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
>
>
> Syzkaller reproducer:
> # {Threaded:true Collide:true Repeat:true Procs:1 Sandbox:setuid Repro:false}
> mmap(&(0x7f0000000000/0xe000)=nil, (0xe000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
> r0 = creat(&(0x7f0000001000)="2e2f66696c653000", 0x10)
> msync(&(0x7f0000004000/0x1000)=nil, (0x1000), 0x1)
> pipe2(&(0x7f0000000000)={<r1=>0xffffffffffffffff, 0xffffffffffffffff}, 0x80000)
> ioctl$TIOCGETD(r1, 0x5424, &(0x7f0000001000-0x4)=0x0)
> getegid()
> splice(r1, 0x0, r0, 0x0, 0x6, 0x3)
> setsockopt$SCTP_I_WANT_MAPPED_V4_ADDR(r0, 0x84, 0xc, &(0x7f0000004000)=0x80000000, 0x4)
> r2 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000002000-0xa)="2f6465762f70746d7800", 0x0, 0x0)
> ioctl$TCSETAW(r2, 0x5402, &(0x7f0000008000)={0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0x0, 0x0, 0x7, 0x3})
> openat$mixer(0xffffffffffffff9c, &(0x7f000000b000-0xb)="2f6465762f6d6978657200", 0x1, 0x0)
> ioctl$TCXONC(r2, 0x540a, 0x6)
> capget(&(0x7f000000c000-0x8)={0x19980330, 0x0}, &(0x7f000000c000-0x18)={0xa, 0x7fff, 0xffffffffffffffc1, 0x10000, 0x9, 0x6})
> ioctl$TIOCSETD(r2, 0x5423, &(0x7f000000d000-0x4)=0x2)
>
> ==========================================================================
