Re: BUG in tty_open when using containers and ptrace

Grzegorz Nosek [root@xxxxxxxxxxxxxx] wrote:
| On Sat, Jul 04, 2009 at 03:28:52PM +0200, Grzegorz Nosek wrote:
| > Decoding the code yields:
| > All code
| > ========
| >    0:   81 fb 00 f0 ff ff       cmp    $0xfffff000,%ebx
| >    6:   76 11                   jbe    0x19
| >    8:   48 c7 c7 60 61 7d 80    mov    $0xffffffff807d6160,%rdi
| >    f:   e8 c1 38 17 00          callq  0x1738d5
| >   14:   e9 a9 00 00 00          jmpq   0xc2
| >   19:   48 85 db                test   %rbx,%rbx
| >   1c:   74 5c                   je     0x7a
| >   1e:   80 bb 40 01 00 00 00    cmpb   $0x0,0x140(%rbx)
| >   25:   48 8b 53 08             mov    0x8(%rbx),%rdx
| >   29:   78 64                   js     0x8f
| >   2b:*  81 ba 9c 00 00 00 04    cmpl   $0x10004,0x9c(%rdx)     <-- trapping instruction
| >   32:   00 01 00
| >   35:   75 16                   jne    0x4d
| >   37:   83                      .byte 0x83
| >   38:   bb 48 01 00 00          mov    $0x148,%ebx
| > 
| > Code starting with the faulting instruction
| > ===========================================
| >    0:   81 ba 9c 00 00 00 04    cmpl   $0x10004,0x9c(%rdx)
| >    7:   00 01 00
| >    a:   75 16                   jne    0x22
| >    c:   83                      .byte 0x83
| >    d:   bb 48 01 00 00          mov    $0x148,%ebx
| 
| To my untrained eye it looks like the cmpl corresponds to:
| 
| 1841        if (tty->driver->type == TTY_DRIVER_TYPE_PTY &&
| 1842            tty->driver->subtype == PTY_TYPE_MASTER)
| 
| in drivers/char/tty_io.c

I don't yet have the exact version of tty_io.c so the line numbers don't
match, but even so isn't the above 'cmpl' comparing a constant 0x10004
with the %rdx+0x9c address? If so, I am not sure how it matches up to
either TTY_DRIVER_TYPE_PTY (0x0004) or PTY_TYPE_MASTER (0x0001).

Wouldn't the above 'if' require two separate compare instructions?

| 
| That means that %rdx should contain tty->driver, but contains
| 0x6973646e65732f64, which looks like a part of '/etc/init.d/sendsigs'.
| So, we're possibly using an already freed and overwritten tty struct.

Is it possibly related to this bug where they talk of some sort of
corruption going on with tty data structures (kernel versions appear
to be close, but need to double check).

	http://lkml.org/lkml/2009/6/16/131
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers
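Two checks a reader of the oops above can reproduce by hand, as an added example that is not part of the thread or of the kernel source. First, a compiler can turn `type == TTY_DRIVER_TYPE_PTY && subtype == PTY_TYPE_MASTER` into one 32-bit compare against 0x00010004 when `type` and `subtype` are adjacent 16-bit fields on a little-endian machine (the adjacent-shorts layout and the 0x9c offset are assumptions taken from the merged constant and the disassembly; the two constants are the ones quoted in the thread). Second, the value found in %rdx, read as little-endian bytes, decodes to printable ASCII, which is the usual sign that the memory holding the pointer was freed and reused for a string.

```c
/* Added example; not code from the thread or from drivers/char/tty_io.c.
 * Assumptions: type and subtype are adjacent shorts at offset 0x9c of the
 * driver struct (inferred from cmpl $0x10004,0x9c(%rdx)); little-endian CPU. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TTY_DRIVER_TYPE_PTY 0x0004   /* value quoted in the thread */
#define PTY_TYPE_MASTER     0x0001   /* value quoted in the thread */

/* Assumed layout: whatever precedes the two fields, then two shorts. */
struct driver_like {
    char pad[0x9c];          /* offset taken from the trapping instruction */
    short type;              /* at 0x9c */
    short subtype;           /* at 0x9e */
};

/* The test as written at the C level: two comparisons. */
int is_pty_master_src(const struct driver_like *d)
{
    return d->type == TTY_DRIVER_TYPE_PTY && d->subtype == PTY_TYPE_MASTER;
}

/* The same test as one 32-bit load of the two adjacent fields, which is
 * what a single cmpl against 0x10004 at offset 0x9c amounts to. */
uint32_t merged_word(const struct driver_like *d)
{
    uint32_t w;
    memcpy(&w, (const char *)d + 0x9c, sizeof w);   /* no aliasing tricks */
    return w;
}

int is_pty_master_folded(const struct driver_like *d)
{
    return merged_word(d) == 0x10004u;
}

/* Decode a 64-bit register value as eight little-endian bytes. Non-printable
 * bytes become '.'; returns how many bytes were printable. out needs 9 chars. */
int decode_le_ascii(uint64_t v, char out[9])
{
    int printable = 0;
    for (int i = 0; i < 8; i++) {
        unsigned char c = (unsigned char)(v >> (8 * i));
        if (isprint(c)) {
            out[i] = (char)c;
            printable++;
        } else {
            out[i] = '.';
        }
    }
    out[8] = '\0';
    return printable;
}

int main(void)
{
    struct driver_like d;
    memset(&d, 0, sizeof d);
    d.type = TTY_DRIVER_TYPE_PTY;
    d.subtype = PTY_TYPE_MASTER;
    printf("merged word at 0x9c: 0x%x  src=%d folded=%d\n",
           merged_word(&d), is_pty_master_src(&d), is_pty_master_folded(&d));

    /* The %rdx value reported in the thread. */
    char s[9];
    int n = decode_le_ascii(0x6973646e65732f64ULL, s);
    printf("%%rdx as LE ASCII: \"%s\" (%d of 8 bytes printable)\n", s, n);
    return 0;
}
```

A register that should hold a kernel pointer but decodes to a run of printable bytes is worth checking this way before reading further into the disassembly: kernel pointers on x86-64 start with 0xffff..., so eight printable bytes in a row are far more likely to be the remains of a filename or command line written into a recycled allocation than a valid address.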
