On Sun, May 29, 2016 at 11:43:23AM -0700, Francesco Ruggeri wrote:
> Commit 1f55c718c2 ["pty: make sure super_block is still valid in final
> /dev/tty close"] addressed a corner case in devpts, but the same
> problem can occur in other file systems as well.
> I ran into this panic in tmpfs, which I can reproduce using this program
> (adapted from Herton's) in both 4.5.5 and 3.18.28.
> I am not sure if this affects other file systems as well, or what the
> right fix should be.
> Any suggestions are appreciated.
> Thanks,
> Francesco Ruggeri

Hi Francesco, good catch. Back then I missed this other vulnerable point as well :/

From what I see, the problem here is that the ptmx inode is on tmpfs, but devpts doesn't check whether the inode is on devpts or not; it only checks if the inode is on a devpts instance, and otherwise returns the super_block of the "main" instance. Thus it always returns a devpts super_block, not the tmpfs super_block, in pts_sb_from_inode()... and we never get a reference count increase on the tmpfs super_block.

However, I believe Linus indirectly fixed this problem in the commit below, by removing the inode game/dependency:

commit 67245ff332064c01b760afa7a384ccda024bfd24
Author: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
Date:   Sat Apr 16 15:16:07 2016 -0700

    devpts: clean up interface to pty drivers

Can you apply it on top of 4.5.5/3.18.28 and test? In case you confirm it fixes the problem, I think it would be a good idea to backport/apply the commit above on stable kernels.
>
> #define _XOPEN_SOURCE
> #include <fcntl.h>
> #include <stdlib.h>
> #include <sys/ioctl.h>
> #include <sys/stat.h>
> #include <sys/types.h>
> #include <unistd.h>
>
> int main(int argc, char **argv)
> {
>     pid_t pid;
>     int ptm_fd, pty_fd, tty_fd;
>
>     system("mkdir -p /mnt/dev");
>     system("mount -n -t tmpfs none /mnt/dev");
>     system("mknod --mode=0666 /mnt/dev/ptmx c 5 2");
>     pid = fork();
>     if (pid != 0)
>         exit(0);
>     daemon(1, 0);
>     ptm_fd = open("/mnt/dev/ptmx", O_RDWR);
>     unlockpt(ptm_fd);
>     pty_fd = open(ptsname(ptm_fd), O_RDWR);
>     tty_fd = open("/dev/tty", O_RDWR);
>     pid = fork();
>     if (pid == 0) {
>         ioctl(tty_fd, TIOCNOTTY, NULL);
>         setsid();
>         sleep(10);
>         close(pty_fd);
>         close(ptm_fd);
>         system("umount /mnt/dev");
>         sleep(10);
>         exit(0);
>     }
>     sleep(5);
>     close(pty_fd);
>     close(ptm_fd);
>     return 0;
> }
>
> [ 2912.559259] VFS: Busy inodes after unmount of tmpfs. Self-destruct in 5 seconds. Have a nice day...
> [ 2922.561790] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
> [ 2922.562186] IP: [<ffffffff8110e089>] shmem_free_inode+0x13/0x2f
> [ 2922.562606] PGD 0
> [ 2922.562973] Oops: 0000 [#1] SMP
> [ 2922.563347] Modules linked in: ... <snip>
> [ 2922.568920] CPU: 1 PID: 4291 Comm: devpts Not tainted 4.5.5-3224969.AroraKernelnextfruggeri.4.fc18.x86_64 #1
> [ 2922.570075] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2012
> [ 2922.571343] task: ffff8801396b2640 ti: ffff8800ba580000 task.ti: ffff8800ba580000
> [ 2922.571993] RIP: 0010:[<ffffffff8110e089>] [<ffffffff8110e089>] shmem_free_inode+0x13/0x2f
> [ 2922.572665] RSP: 0018:ffff8800ba583ca8 EFLAGS: 00010246
> [ 2922.573296] RAX: ffff880137e1d6b0 RBX: 0000000000000000 RCX: 0000000000000036
> [ 2922.573951] RDX: ffff88013ffebd80 RSI: 000000000000012a RDI: ffff8801390e1800
> [ 2922.574616] RBP: ffff8800ba583cb8 R08: 0000000000000001 R09: ffff880035c24000
> [ 2922.575290] R10: ffff8800ba583d48 R11: ffff880035c24000 R12: ffff880137e1d540
> [ 2922.575948] R13: ffff880137e1d540 R14: ffff880137e1d540 R15: 0000000000000000
> [ 2922.576586] FS: 0000000000000000(0000) GS:ffff88013ae20000(0000) knlGS:0000000000000000
> [ 2922.577233] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 2922.577924] CR2: 0000000000000030 CR3: 0000000001a09000 CR4: 00000000001406e0
> [ 2922.578699] Stack:
> [ 2922.579402]  0000000000000001 ffff880137e1d558 ffff8800ba583ce8 ffffffff811110ee
> [ 2922.580148]  ffff880137e1d558 ffff880137e1d668 ffffffff81612540 ffff880138083600
> [ 2922.580907]  ffff8800ba583d18 ffffffff8115ea4a ffff880137e1d658 ffff880137e1d558
> [ 2922.581692] Call Trace:
> [ 2922.582466]  [<ffffffff811110ee>] shmem_evict_inode+0xe0/0xf1
> [ 2922.583266]  [<ffffffff8115ea4a>] evict+0xb9/0x16b
> [ 2922.584088]  [<ffffffff8115f3bc>] iput+0x195/0x1bf
> [ 2922.584877]  [<ffffffff811adea6>] devpts_del_ref+0x23/0x30
> [ 2922.585707]  [<ffffffff81343783>] pty_unix98_shutdown+0x41/0x45
> [ 2922.586482]  [<ffffffff8133c3fd>] release_tty+0x51/0xb9
> [ 2922.587269]  [<ffffffff8133c8ad>] tty_release+0x448/0x4b1
> [ 2922.588007]  [<ffffffff8114b298>] __fput+0xe7/0x18c
> [ 2922.588724]  [<ffffffff8114b377>] ____fput+0xe/0x10
> [ 2922.589509]  [<ffffffff81065f15>] task_work_run+0x6b/0x82
> [ 2922.590192]  [<ffffffff81051581>] do_exit+0x3fa/0x9d7
> [ 2922.590890]  [<ffffffff81001471>] ? do_audit_syscall_entry+0x63/0x65
> [ 2922.591573]  [<ffffffff81051c4b>] do_group_exit+0x71/0xa7
> [ 2922.592224]  [<ffffffff81051c98>] SyS_exit_group+0x17/0x17
> [ 2922.592882]  [<ffffffff8153e1ae>] entry_SYSCALL_64_fastpath+0x12/0x71
> [ 2922.593501] Code: ff 4c 89 e6 4c 89 ef e8 f0 e2 04 00 5b 41 5c 41 5d 44 89 f0 41 5e 5d c3 0f 1f 44 00 00 55 48 89 e5 53 41 50 48 8b 9f 58 04 00 00 <48> 83 7b 30 00 74 11 48 8d 7b 40 e8 65 fe 42 00 48 ff 43 38 c6
> [ 2922.595397] RIP  [<ffffffff8110e089>] shmem_free_inode+0x13/0x2f
> [ 2922.595982]  RSP <ffff8800ba583ca8>
> [ 2922.596566] CR2: 0000000000000030

-- 
[]'s
Herton