From: Colin Ian King <colin.king@canonical.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Jiri Slaby <jslaby@suse.com>, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] devpts: fix null pointer dereference on failed memory allocation
Date: Mon, 27 Jun 2016 13:19:34 +0100
Message-ID: <577119D6.9070801@canonical.com>
In-Reply-To: <20160626182939.GB20461@kroah.com>

On 26/06/16 19:29, Greg Kroah-Hartman wrote:
> On Mon, Jun 20, 2016 at 03:40:27PM +0100, Colin King wrote:
>> From: Colin Ian King <colin.king@canonical.com>
>>
>> An ENOMEM when creating a pair tty in tty_ldisc_setup causes a null
>> pointer dereference in devpts_kill_index because tty->link->driver_data
>> is NULL.  The oops was triggered with the pty stressor in stress-ng when
>> in a low memory condition.
>>
>> tty_init_dev tries to clean up a tty_ldisc_setup ENOMEM error by calling
>> release_tty, however, this ultimately tries to clean up the NULL paired
>> tty in pty_unix98_remove, triggering the Oops.
>>
>> Add check to pty_unix98_remove to only clean up fsi if it is not NULL.
>>
>> Oops:
>>
>> [   23.020961] Oops: 0000 [#1] SMP
>> [   23.020976] Modules linked in: ppdev snd_hda_codec_generic snd_hda_intel snd_hda_codec parport_pc snd_hda_core snd_hwdep parport snd_pcm input_leds joydev snd_timer serio_raw snd soundcore i2c_piix4 mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel qxl aes_x86_64 ttm lrw gf128mul glue_helper ablk_helper drm_kms_helper cryptd syscopyarea sysfillrect psmouse sysimgblt floppy fb_sys_fops drm pata_acpi jitterentropy_rng drbg ansi_cprng
>> [   23.020978] CPU: 0 PID: 1452 Comm: stress-ng-pty Not tainted 4.7.0-rc4+ #2
>> [   23.020978] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
>> [   23.020979] task: ffff88007ba30000 ti: ffff880078ea8000 task.ti: ffff880078ea8000
>> [   23.020981] RIP: 0010:[<ffffffff813f11ff>]  [<ffffffff813f11ff>] ida_remove+0x1f/0x120
>> [   23.020981] RSP: 0018:ffff880078eabb60  EFLAGS: 00010a03
>> [   23.020982] RAX: 4444444444444567 RBX: 0000000000000000 RCX: 000000000000001f
>> [   23.020982] RDX: 000000000000014c RSI: 000000000000026f RDI: 0000000000000000
>> [   23.020982] RBP: ffff880078eabb70 R08: 0000000000000004 R09: 0000000000000036
>> [   23.020983] R10: 000000000000026f R11: 0000000000000000 R12: 000000000000026f
>> [   23.020983] R13: 000000000000026f R14: ffff88007c944b40 R15: 000000000000026f
>> [   23.020984] FS:  00007f9a2f3cc700(0000) GS:ffff88007fc00000(0000) knlGS:0000000000000000
>> [   23.020984] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [   23.020985] CR2: 0000000000000010 CR3: 000000006c81b000 CR4: 00000000001406f0
>> [   23.020988] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>> [   23.020988] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>> [   23.020988] Stack:
>> [   23.020989]  0000000000000000 000000000000026f ffff880078eabb90 ffffffff812a5a99
>> [   23.020990]  0000000000000000 00000000fffffff4 ffff880078eabba8 ffffffff814f9cbe
>> [   23.020991]  ffff88007965c800 ffff880078eabbc8 ffffffff814eef43 fffffffffffffff4
>> [   23.020991] Call Trace:
>> [   23.021000]  [<ffffffff812a5a99>] devpts_kill_index+0x29/0x50
>> [   23.021002]  [<ffffffff814f9cbe>] pty_unix98_remove+0x2e/0x50
>> [   23.021006]  [<ffffffff814eef43>] release_tty+0xb3/0x1b0
>> [   23.021007]  [<ffffffff814f18d4>] tty_init_dev+0xd4/0x1c0
>> [   23.021011]  [<ffffffff814f9fae>] ptmx_open+0xae/0x190
>> [   23.021013]  [<ffffffff812254ef>] chrdev_open+0xbf/0x1b0
>> [   23.021015]  [<ffffffff8121d973>] do_dentry_open+0x203/0x310
>> [   23.021016]  [<ffffffff81225430>] ? cdev_put+0x30/0x30
>> [   23.021017]  [<ffffffff8121ee44>] vfs_open+0x54/0x80
>> [   23.021018]  [<ffffffff8122b8fc>] ? may_open+0x8c/0x100
>> [   23.021019]  [<ffffffff8122f26b>] path_openat+0x2eb/0x1440
>> [   23.021020]  [<ffffffff81230534>] ? putname+0x54/0x60
>> [   23.021022]  [<ffffffff814f6f97>] ? n_tty_ioctl_helper+0x27/0x100
>> [   23.021023]  [<ffffffff81231651>] do_filp_open+0x91/0x100
>> [   23.021024]  [<ffffffff81230596>] ? getname_flags+0x56/0x1f0
>> [   23.021026]  [<ffffffff8123fc66>] ? __alloc_fd+0x46/0x190
>> [   23.021027]  [<ffffffff8121f1e4>] do_sys_open+0x124/0x210
>> [   23.021028]  [<ffffffff8121f2ee>] SyS_open+0x1e/0x20
>> [   23.021035]  [<ffffffff81845576>] entry_SYSCALL_64_fastpath+0x1e/0xa8
>> [   23.021044] Code: 63 28 45 31 e4 eb dd 0f 1f 44 00 00 55 4c 63 d6 48 ba 89 88 88 88 88 88 88 88 4c 89 d0 b9 1f 00 00 00 48 f7 e2 48 89 e5 41 54 53 <8b> 47 10 48 89 fb 8d 3c c5 00 00 00 00 48 c1 ea 09 b8 01 00 00
>> [   23.021045] RIP  [<ffffffff813f11ff>] ida_remove+0x1f/0x120
>> [   23.021045]  RSP <ffff880078eabb60>
>> [   23.021046] CR2: 0000000000000010
>>
>> Signed-off-by: Colin Ian King <colin.king@canonical.com>
>> ---
>>  drivers/tty/pty.c | 7 +++++--
>>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> Any reason this shouldn't also go to the stable kernels?

For 4.6 stable, it won't apply because 4.6 is missing upstream fix
eedf265aa003b4781de24cfed40a655a664457e6 ("devpts: Make each mount of
devpts an independent filesystem.").

Pre-4.6 I believe it won't apply because of commit
0f40fbbcc34e093255a2b2d70b6b0fb48c3f39aa ("Fix OpenSSH pty regression on
close").

When I get some free cycles this week I'll sort out a stable fix.

> 
> thanks,
> 
> greg k-h
> 
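The error path described in the patch, as an added user-space model rather than kernel code: the function names mirror those in the call trace (tty_init_dev, tty_ldisc_setup, release_tty, pty_unix98_remove, devpts_kill_index), but their bodies are simplified stand-ins, the ENOMEM from tty_ldisc_setup is simulated with a flag, and devpts_kill_index counts the NULL dereference instead of faulting. The unfixed and patched remove routines sit side by side so the difference on the failed-allocation path is visible.

```c
/* Added example, not kernel code: a model of the tty_init_dev failure path
 * from the patch description. Names are borrowed from the call trace; the
 * bodies are simplified stand-ins and the ENOMEM is simulated. */
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>

#define MAX_PTYS 8

/* Stand-in for the devpts per-mount info that devpts_kill_index updates. */
struct pts_fs_info {
    int index_in_use[MAX_PTYS];
};

/* Stand-in for tty_struct: a master/slave pair linked through ->link. */
struct tty_struct {
    struct tty_struct *link;
    struct pts_fs_info *driver_data;  /* NULL until the opener assigns it */
    int index;
};

static int simulate_enomem = 0;   /* when set, tty_ldisc_setup fails */
static int null_deref_count = 0;  /* NULL dereferences the model avoided */

static int devpts_kill_index(struct pts_fs_info *fsi, int idx)
{
    if (!fsi) {  /* the real function dereferences fsi here: the oops */
        null_deref_count++;
        return -EFAULT;
    }
    fsi->index_in_use[idx] = 0;
    return 0;
}

static int tty_ldisc_setup(struct tty_struct *tty)
{
    (void)tty;
    return simulate_enomem ? -ENOMEM : 0;
}

/* Original behaviour: releases the index unconditionally. */
static int pty_unix98_remove_unfixed(struct tty_struct *tty)
{
    struct pts_fs_info *fsi = tty->link->driver_data;
    return devpts_kill_index(fsi, tty->index);
}

/* Patched behaviour: only clean up fsi if it was ever assigned. */
static int pty_unix98_remove_fixed(struct tty_struct *tty)
{
    struct pts_fs_info *fsi = tty->link->driver_data;
    if (!fsi)
        return 0;
    return devpts_kill_index(fsi, tty->index);
}

typedef int (*remove_fn)(struct tty_struct *);

static int release_tty(struct tty_struct *tty, remove_fn remove)
{
    int ret = remove(tty);
    free(tty->link);
    free(tty);
    return ret;
}

/* Allocates the pair, then runs ldisc setup; on failure it tears the pair
 * down through release_tty, the sequence shown in the call trace. */
static int tty_init_dev(int idx, remove_fn remove, struct tty_struct **out)
{
    struct tty_struct *m = calloc(1, sizeof *m);
    struct tty_struct *s = calloc(1, sizeof *s);
    if (!m || !s) { free(m); free(s); return -ENOMEM; }
    m->link = s; s->link = m; m->index = s->index = idx;
    if (tty_ldisc_setup(m) < 0) {
        release_tty(m, remove);  /* driver_data is still NULL on both ttys */
        *out = NULL;
        return -ENOMEM;
    }
    *out = m;
    return 0;
}

/* Model of the opener: driver_data is assigned only after tty_init_dev
 * succeeds, so a failure inside it leaves the pair without an fsi. */
static int ptmx_open_model(struct pts_fs_info *fsi, int idx, remove_fn remove)
{
    struct tty_struct *tty = NULL;
    int r = tty_init_dev(idx, remove, &tty);
    if (r < 0)
        return r;
    fsi->index_in_use[idx] = 1;
    tty->driver_data = fsi;
    tty->link->driver_data = fsi;
    return release_tty(tty, remove);  /* normal close path */
}

/* Runs a failing open with one remove variant; returns how many NULL
 * dereferences it would have made (0 means the check holds). */
int run_enomem_open(int fixed)
{
    struct pts_fs_info fsi = {{0}};
    null_deref_count = 0;
    simulate_enomem = 1;
    ptmx_open_model(&fsi, 3, fixed ? pty_unix98_remove_fixed
                                   : pty_unix98_remove_unfixed);
    simulate_enomem = 0;
    return null_deref_count;
}

/* Normal open and close with the fixed remove; returns the index state
 * afterwards (0 means the index was released as before the patch). */
int run_normal_open(void)
{
    struct pts_fs_info fsi = {{0}};
    ptmx_open_model(&fsi, 3, pty_unix98_remove_fixed);
    return fsi.index_in_use[3];
}

int main(void)
{
    printf("unfixed remove on ENOMEM: %d NULL dereference(s)\n", run_enomem_open(0));
    printf("fixed remove on ENOMEM:   %d NULL dereference(s)\n", run_enomem_open(1));
    printf("normal close, index in use afterwards: %d\n", run_normal_open());
    return 0;
}
```

The point the model makes is about ordering: the slave's driver_data is filled in by the opener after tty_init_dev returns, so any failure inside tty_init_dev reaches the remove hook with a half-initialised pair, and the remove hook has to tolerate that state rather than assume a fully set-up object.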
