From: Peter Hurley <peter@hurleysoftware.com>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Jiri Slaby <jslaby@suse.com>, LKML <linux-kernel@vger.kernel.org>,
	syzkaller <syzkaller@googlegroups.com>,
	Kostya Serebryany <kcc@google.com>,
	Alexander Potapenko <glider@google.com>,
	Sasha Levin <sasha.levin@oracle.com>,
	Eric Dumazet <edumazet@google.com>
Subject: Re: use-after-free in tty_check_change
Date: Thu, 26 Nov 2015 08:29:01 -0500	[thread overview]
Message-ID: <5657091D.5010500@hurleysoftware.com> (raw)
In-Reply-To: <CACT4Y+b3NGvuhYhqRquHk+MiUH+0yPCuSq4EDkvCa5Ov2Jpr6g@mail.gmail.com>

On 11/26/2015 08:09 AM, Dmitry Vyukov wrote:
> On Thu, Nov 26, 2015 at 2:00 PM, Peter Hurley <peter@hurleysoftware.com> wrote:
>> Hi Dmitry,
>>
>> On 11/26/2015 05:31 AM, Dmitry Vyukov wrote:
>>> Hello,
>>>
>>> The following program causes a use-after-free in tty_check_change:
>>>
>>> // autogenerated by syzkaller (http://github.com/google/syzkaller)
>>> #include <sys/types.h>
>>> #include <sys/stat.h>
>>> #include <fcntl.h>
>>> #include <sys/ioctl.h>
>>> #include <pthread.h>   /* pthread_create/pthread_join */
>>> #include <unistd.h>    /* fork */
>>>
>>> void *thr(void *arg)
>>> {
>>>         int x = 0;
>>>         ioctl((int)(long)arg, TIOCGETD, &x);
>>>         return 0;
>>> }
>>>
>>> void tty()
>>> {
>>>         int fd = open("/dev/ptmx", O_RDONLY|O_SYNC);
>>>         pthread_t th;
>>>         pthread_create(&th, 0, thr, (void*)(long)fd);
>>>         int x = 16;
>>>         ioctl(fd, TIOCSETD, &x);
>>>         pthread_join(th, 0);
>>> }
>>>
>>> int main()
>>> {
>>>         int i;
>>>
>>>         for (i = 0; i < 10; i++) {
>>>                 if (fork() == 0) {
>>>                         tty();
>>>                         return 0;
>>>                 }
>>>         }
>>>         return 0;
>>> }
>>>
>>>
>>> ==================================================================
>>> BUG: KASAN: use-after-free in tty_ioctl+0x1f06/0x2140 at addr ffff880061aa0968
>>> Read of size 8 by task a.out/6241
>>> =============================================================================
>>> BUG kmalloc-16 (Not tainted): kasan: bad access detected
>>> -----------------------------------------------------------------------------
>>
>> Thanks for the report. I think I have the patch that fixes this in
>> my out-queue as part of a larger patchset.
>>
>> However, the stack backtrace below and the reported eip don't correspond
>> to what I think the problem is:
>>
>>
>>> BUG: KASAN: use-after-free in tty_ioctl+0x1f06/0x2140 at addr ffff880061aa0968
>>                                  ^^^^^^^^^^^^^^
>> this offset is off the end of compilation unit for me with gcc 4.8.4
>>
>> Could you generate a mixed listing file of drivers/tty/tty_io.c and attach
>> it please?
> 
> 
> The source is plain 6ffeba9607343f15303a399bc402a538800d89d9, but I
> use CONFIG_KASAN=y, CONFIG_KASAN_INLINE=y and gcc version 6.0.0
> 20151014. KASAN does affect generated code significantly.
> Line numbers in the report should be correct.

current->signal? I doubt it. Also note the stack trace pulls the wrong
symbol: should be __tty_check_change on line 399, not tty_check_change().

>>> Call Trace:
>>>  [<ffffffff81631fde>] __asan_report_load8_noabort+0x3e/0x40
>>> mm/kasan/report.c:280
>>>  [<     inline     >] tty_check_change drivers/tty/tty_io.c:399
                                                       ^^^^^^^^^^^^
                                                             |
                  +------------------------------------------+
                  |                              |
$ git blame -L393,409 -s 6ffeba960734 -- drivers/tty/tty_io.c
2812d9e9 drivers/tty/tty_io.c  393) int __tty_check_change(struct tty_struct *tty, int sig)
^1da177e drivers/char/tty_io.c 394) {
47f86834 drivers/char/tty_io.c 395) 	unsigned long flags;
2812d9e9 drivers/tty/tty_io.c  396) 	struct pid *pgrp, *tty_pgrp;
47f86834 drivers/char/tty_io.c 397) 	int ret = 0;
47f86834 drivers/char/tty_io.c 398) 
^1da177e drivers/char/tty_io.c 399) 	if (current->signal->tty != tty)    <<<==== ???
^1da177e drivers/char/tty_io.c 400) 		return 0;
47f86834 drivers/char/tty_io.c 401) 
6719693c drivers/tty/tty_io.c  402) 	rcu_read_lock();
6719693c drivers/tty/tty_io.c  403) 	pgrp = task_pgrp(current);
6719693c drivers/tty/tty_io.c  404) 
47f86834 drivers/char/tty_io.c 405) 	spin_lock_irqsave(&tty->ctrl_lock, flags);
2812d9e9 drivers/tty/tty_io.c  406) 	tty_pgrp = tty->pgrp;
9ffee4cb drivers/char/tty_io.c 407) 	spin_unlock_irqrestore(&tty->ctrl_lock, flags);
6719693c drivers/tty/tty_io.c  408) 
2812d9e9 drivers/tty/tty_io.c  409) 	if (tty_pgrp && pgrp != tty->pgrp) {


The disassembly would really help. Feel free to send it to me off-list.

Regards,
Peter Hurley

>>> Disabling lock debugging due to kernel taint
>>> INFO: Allocated in tty_ldisc_get.part.3+0x66/0x140 age=6 cpu=3 pid=6230
>>> [<      none      >] kmem_cache_alloc_trace+0x1cf/0x220 mm/slub.c:2589
>>> [<      none      >] tty_ldisc_get.part.3+0x66/0x140 drivers/tty/tty_ldisc.c:172
>>> [<      none      >] tty_set_ldisc+0x83d/0xa70 drivers/tty/tty_ldisc.c:574
>>> [<      none      >] tty_ioctl+0xb2a/0x2140 drivers/tty/tty_io.c:2865
>>> [<     inline     >] spin_unlock include/linux/spinlock.h:347
>>> [<     inline     >] ioctl_fionbio fs/ioctl.c:492
>>> [<      none      >] do_vfs_ioctl+0x681/0xe40 fs/ioctl.c:572
>>> [<      none      >] SyS_ioctl+0x8f/0xc0 fs/readdir.c:25
>>> [<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a
>>> arch/x86/entry/entry_64.S:185
>>>
>>> INFO: Freed in tty_set_ldisc+0x4c2/0xa70 age=12 cpu=3 pid=6230
>>> [<      none      >] kfree+0x199/0x1b0 mm/slub.c:3632
>>> [<     inline     >] tty_ldisc_restore drivers/tty/tty_ldisc.c:493
>>> [<      none      >] tty_set_ldisc+0x4c2/0xa70 drivers/tty/tty_ldisc.c:571
>>> [<      none      >] tty_ioctl+0xb2a/0x2140 drivers/tty/tty_io.c:2865
>>> [<     inline     >] spin_unlock include/linux/spinlock.h:347
>>> [<     inline     >] ioctl_fionbio fs/ioctl.c:492
>>> [<      none      >] do_vfs_ioctl+0x681/0xe40 fs/ioctl.c:572
>>> [<      none      >] SyS_ioctl+0x8f/0xc0 fs/readdir.c:25
>>> [<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a
>>> arch/x86/entry/entry_64.S:185
>>>
>>> INFO: Slab 0xffffea000186a800 objects=23 used=19 fp=0xffff880061aa12d0
>>> flags=0x5fffc0000004080
>>> INFO: Object 0xffff880061aa0968 @offset=2408 fp=0xffff880061aa0810
>>> CPU: 2 PID: 6241 Comm: a.out Tainted: G    B           4.4.0-rc1+ #117
>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>>>  00000000ffffffff ffff88006db0fab8 ffffffff827450f6 ffff88003e807980
>>>  ffff880061aa0968 ffff880061aa0000 ffff88006db0fae8 ffffffff81629404
>>>  ffff88003e807980 ffffea000186a800 ffff880061aa0968 000000000000001b
>>>
>>> Call Trace:
>>>  [<ffffffff81631fde>] __asan_report_load8_noabort+0x3e/0x40
>>> mm/kasan/report.c:280
>>>  [<     inline     >] tty_check_change drivers/tty/tty_io.c:399
>>>  [<ffffffff82a7b0a6>] tty_ioctl+0x1f06/0x2140 drivers/tty/tty_io.c:2831
>>>  [<     inline     >] spin_unlock include/linux/spinlock.h:347
>>>  [<     inline     >] ioctl_fionbio fs/ioctl.c:492
>>>  [<ffffffff816aea91>] do_vfs_ioctl+0x681/0xe40 fs/ioctl.c:572
>>>  [<ffffffff816af2df>] SyS_ioctl+0x8f/0xc0 fs/readdir.c:25
>>>  [<ffffffff85415cf6>] entry_SYSCALL_64_fastpath+0x16/0x7a
>>> arch/x86/entry/entry_64.S:185
>>> ==================================================================
>>>
>>>
>>> On commit 6ffeba9607343f15303a399bc402a538800d89d9 (Nov 24).
>>
>>
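
As an added aid for triaging reports like the one quoted above (this is not code from the thread or from the kernel tree), a small Python parser that splits a KASAN/SLUB report into the faulting access, the "Allocated in"/"Freed in" tracks and their frames, and picks out the first frame outside mm/ for each track, which is where the mis-attributed inline symbol Peter mentions shows up. The sample is constructed from the report above with wrapped frame lines re-joined and the stack dump omitted.

```python
import re

# Constructed sample: the KASAN report quoted in the thread, abridged.
KASAN_REPORT = """\
BUG: KASAN: use-after-free in tty_ioctl+0x1f06/0x2140 at addr ffff880061aa0968
Read of size 8 by task a.out/6241
INFO: Allocated in tty_ldisc_get.part.3+0x66/0x140 age=6 cpu=3 pid=6230
[<      none      >] kmem_cache_alloc_trace+0x1cf/0x220 mm/slub.c:2589
[<      none      >] tty_ldisc_get.part.3+0x66/0x140 drivers/tty/tty_ldisc.c:172
INFO: Freed in tty_set_ldisc+0x4c2/0xa70 age=12 cpu=3 pid=6230
[<      none      >] kfree+0x199/0x1b0 mm/slub.c:3632
[<     inline     >] tty_ldisc_restore drivers/tty/tty_ldisc.c:493
[<      none      >] tty_set_ldisc+0x4c2/0xa70 drivers/tty/tty_ldisc.c:571
Call Trace:
 [<ffffffff81631fde>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:280
 [<     inline     >] tty_check_change drivers/tty/tty_io.c:399
 [<ffffffff82a7b0a6>] tty_ioctl+0x1f06/0x2140 drivers/tty/tty_io.c:2831
"""

HEADER = re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>\S+?)\+0x\S+ at addr (?P<addr>[0-9a-f]+)")
ACCESS = re.compile(r"(?P<kind>Read|Write) of size (?P<size>\d+) by task (?P<task>\S+)")
TRACK = re.compile(r"INFO: (?P<event>Allocated|Freed) in (?P<func>\S+?)\+0x\S+ age=(?P<age>\d+) cpu=\d+ pid=(?P<pid>\d+)")
FRAME = re.compile(r"\[<\s*(?:[0-9a-f]+|inline|none)\s*>\]\s+(?P<sym>\S+?)(?:\+0x\S+)?\s+(?P<loc>\S+:\d+)")

def parse_kasan_report(text):
    """Split a report into the bad access, SLUB alloc/free tracks and their frames."""
    report = {"frames": {}}
    section = None
    for line in text.splitlines():
        if m := HEADER.search(line):
            report.update(bug=m["bug"], func=m["func"], addr=int(m["addr"], 16))
        elif m := ACCESS.search(line):
            report.update(access=m["kind"], size=int(m["size"]), task=m["task"])
        elif m := TRACK.search(line):
            section = m["event"].lower()  # "allocated" / "freed"
            report[section] = {"func": m["func"], "age": int(m["age"]), "pid": int(m["pid"])}
            report["frames"][section] = []
        elif line.startswith("Call Trace:"):
            section = "access"  # frames of the faulting access follow
            report["frames"][section] = []
        elif section and (m := FRAME.search(line)):
            report["frames"][section].append((m["sym"], m["loc"]))
    return report

def owner_frame(report, section):
    """First frame of a track outside mm/ (skips the allocator and KASAN's own code)."""
    return next(f for f in report["frames"][section] if not f[1].startswith("mm/"))
```

For the "access" track this yields the inlined tty_check_change frame at tty_io.c:399, the one whose symbol name the reply above says is wrong.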

