From: Peter Hurley <peter@hurleysoftware.com>
To: Dmitry Vyukov <dvyukov@google.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Jiri Slaby <jslaby@suse.com>, LKML <linux-kernel@vger.kernel.org>
Cc: Kostya Serebryany <kcc@google.com>,
	Alexander Potapenko <glider@google.com>,
	Eric Dumazet <edumazet@google.com>,
	Sasha Levin <sasha.levin@oracle.com>
Subject: Re: use-after-free in n_tty_read
Date: Thu, 26 Nov 2015 08:41:47 -0500	[thread overview]
Message-ID: <56570C1B.7080003@hurleysoftware.com> (raw)
In-Reply-To: <CACT4Y+Z=9ES3g+CxLErxTOjMz8r6w_YC59UZN2c+yNAVrNMwNQ@mail.gmail.com>

Hi Dmitry,

On 11/26/2015 08:34 AM, Dmitry Vyukov wrote:
> Hello,
> 
> I've hit the following report once after booting a VM and then scp'ing a
> file into it. It is not reproducible, but maybe the stacks will give
> you some hint as to how it could happen:
> 
> 
> ==================================================================
> BUG: KASAN: use-after-free in n_tty_read+0x1d53/0x1e60 at addr ffff880061ec3ae0
> Read of size 8 by task sshd/5796
> =============================================================================
> BUG kmalloc-16 (Not tainted): kasan: bad access detected
> -----------------------------------------------------------------------------

Thanks for the report. I have this fix in my out-queue, attached below
for reference (which I'll now mark for -stable).

Regards,
Peter Hurley

> Disabling lock debugging due to kernel taint
> INFO: Allocated in tty_ldisc_get.part.3+0x61/0x130 age=11 cpu=3 pid=5796
> [<      none      >] ___slab_alloc+0x489/0x4e0 mm/slub.c:2438
> [<      none      >] __slab_alloc+0x4c/0x90 mm/slub.c:2467
> [<     inline     >] slab_alloc_node mm/slub.c:2530
> [<     inline     >] slab_alloc mm/slub.c:2572
> [<      none      >] kmem_cache_alloc_trace+0x1c6/0x210 mm/slub.c:2589
> [<     inline     >] kmalloc include/linux/slab.h:458
> [<      none      >] tty_ldisc_get.part.3+0x61/0x130 drivers/tty/tty_ldisc.c:171
> [<     inline     >] tty_ldisc_get drivers/tty/tty_ldisc.c:801
> [<      none      >] tty_ldisc_init+0x13/0x70 drivers/tty/tty_ldisc.c:802
> [<      none      >] alloc_tty_struct+0x103/0x810 drivers/tty/tty_io.c:3115
> [<      none      >] pty_common_install+0x1a2/0x940 drivers/tty/pty.c:399
> [<      none      >] pty_unix98_install+0xb/0x10 drivers/tty/pty.c:674
> [<     inline     >] tty_driver_install_tty drivers/tty/tty_io.c:1430
> [<      none      >] tty_init_dev+0xdb/0x3e0 drivers/tty/tty_io.c:1529
> [<      none      >] ptmx_open+0xbc/0x2c0 drivers/tty/pty.c:762
> [<      none      >] chrdev_open+0x1ef/0x570 fs/char_dev.c:388
> [<      none      >] do_dentry_open+0x5d2/0xab0 fs/open.c:736
> [<      none      >] vfs_open+0x166/0x1e0 fs/open.c:853
> [<     inline     >] do_last fs/namei.c:3192
> [<      none      >] path_openat+0xa5c/0x5e00 fs/namei.c:3324
> [<      none      >] do_filp_open+0x170/0x230 fs/namei.c:3359
> [<      none      >] do_sys_open+0x180/0x360 fs/open.c:1025
> 
> INFO: Freed in tty_ldisc_reinit+0xc8/0x1b0 age=7 cpu=0 pid=5798
> [<      none      >] __slab_free+0x206/0x360 mm/slub.c:2648 (discriminator 1)
> [<     inline     >] slab_free mm/slub.c:2803
> [<      none      >] kfree+0x1a2/0x1c0 mm/slub.c:3632
> [<     inline     >] tty_ldisc_put drivers/tty/tty_ldisc.c:194
> [<      none      >] tty_ldisc_reinit+0xc8/0x1b0 drivers/tty/tty_ldisc.c:635
> [<      none      >] tty_ldisc_hangup+0x1fa/0x5f0 drivers/tty/tty_ldisc.c:708
> [<      none      >] __tty_hangup+0x423/0xad0 drivers/tty/tty_io.c:729
> [<     inline     >] tty_vhangup drivers/tty/tty_io.c:802
> [<      none      >] tty_vhangup_self+0x1c/0x40 drivers/tty/tty_io.c:820
> [<      none      >] sys_vhangup+0x1e/0x30 fs/open.c:1121
> [<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185
> INFO: Slab 0xffffea000187b080 objects=23 used=16 fp=0xffff880061ec3ae0 flags=0x5fffc0000004080
> INFO: Object 0xffff880061ec3ae0 @offset=6880 fp=0xffff880061ec3580
> 
> Bytes b4 ffff880061ec3ad0: f1 c1 fb ff 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a  ........ZZZZZZZZ
> Object ffff880061ec3ae0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5  kkkkkkkkkkkkkkk.
> Redzone ffff880061ec3af0: bb bb bb bb bb bb bb bb                          ........
> Padding ffff880061ec3c30: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
> CPU: 3 PID: 5796 Comm: sshd Tainted: G    B           4.4.0-rc2+ #51
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>  ffff880061ec2000 ffff88006a377928 ffffffff826c8be0 ffff88003e807980
>  ffff88006a377958 ffffffff815f1604 ffff88003e807980 ffffea000187b080
>  ffff880061ec3ae0 ffff8800620c4670 ffff88006a377980 ffffffff815f775f
> Call Trace:
>  [<     inline     >] __dump_stack lib/dump_stack.c:15
>  [<ffffffff826c8be0>] dump_stack+0x44/0x64 lib/dump_stack.c:50
>  [<ffffffff815f1604>] print_trailer+0xf4/0x150 mm/slub.c:652
>  [<ffffffff815f775f>] object_err+0x2f/0x40 mm/slub.c:659
>  [<     inline     >] print_address_description mm/kasan/report.c:138
>  [<ffffffff815f9ee0>] kasan_report_error+0x210/0x520 mm/kasan/report.c:236
>  [<     inline     >] kasan_report mm/kasan/report.c:259
>  [<ffffffff815fa2ee>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:280
>  [<     inline     >] n_tty_check_unthrottle drivers/tty/n_tty.c:262
>  [<ffffffff829e73b3>] n_tty_read+0x1d53/0x1e60 drivers/tty/n_tty.c:2302
>  [<ffffffff829d8596>] tty_read+0x146/0x230 drivers/tty/tty_io.c:1071
>  [<ffffffff81633bcb>] __vfs_read+0xdb/0x490 fs/read_write.c:432
>  [<ffffffff81635edb>] vfs_read+0xdb/0x2d0 fs/read_write.c:454
>  [<     inline     >] SYSC_read fs/read_write.c:569
>  [<ffffffff81638c1c>] SyS_read+0x10c/0x220 fs/read_write.c:562
>  [<ffffffff852a7876>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185
> ==================================================================
> 
> 
> On commit 6ffeba9607343f15303a399bc402a538800d89d9.
> 


--- >% ---
Subject: [PATCH] n_tty: Fix unsafe reference to "other" ldisc

Although n_tty_check_unthrottle() has a valid ldisc reference (since
the tty core gets the ldisc ref in tty_read() before calling the line
discipline read() method), it does not have a valid ldisc reference to
the "other" pty of a pty pair. Since getting an ldisc reference for
tty->link essentially open-codes tty_wakeup(), just replace with the
equivalent tty_wakeup().

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
---
 drivers/tty/n_tty.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
index 1dcd10b..58e009d 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -261,16 +261,13 @@ static void n_tty_check_throttle(struct tty_struct *tty)
 
 static void n_tty_check_unthrottle(struct tty_struct *tty)
 {
-	if (tty->driver->type == TTY_DRIVER_TYPE_PTY &&
-	    tty->link->ldisc->ops->write_wakeup == n_tty_write_wakeup) {
+	if (tty->driver->type == TTY_DRIVER_TYPE_PTY) {
 		if (chars_in_buffer(tty) > TTY_THRESHOLD_UNTHROTTLE)
 			return;
 		if (!tty->count)
 			return;
 		n_tty_kick_worker(tty);
-		n_tty_write_wakeup(tty->link);
-		if (waitqueue_active(&tty->link->write_wait))
-			wake_up_interruptible_poll(&tty->link->write_wait, POLLOUT);
+		tty_wakeup(tty->link);
 		return;
 	}
 
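Review bot: The changelog describes tty_wakeup() as an equivalent replacement, but this hunk also drops the `tty->link->ldisc->ops->write_wakeup == n_tty_write_wakeup` condition from the if-statement, so the unthrottle path now runs n_tty_kick_worker() and wakes the peer for every PTY regardless of which line discipline the other side has; please state in the commit message that widening the condition is intentional. The unsafe access itself is clearly fixed: the removed lines read tty->link->ldisc and call n_tty_write_wakeup() on the peer with no ldisc reference held on that side, which is exactly the window the KASAN report above shows (peer ldisc freed in tty_ldisc_reinit() from vhangup while the reader is in n_tty_check_unthrottle()), and per the changelog tty_wakeup() obtains that reference itself. Minor: the removed `waitqueue_active()` pre-check is gone as well; if tty_wakeup() wakes write_wait unconditionally that is only a spurious wakeup, but it is worth one sentence so the behaviour change is documented.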
-- 
2.6.3


