Gaosheng Cui, on Fri, 02 Dec 2022 14:06:33 +0800, wrote:
> Run the following tests on the qemu platform:
>
> syzkaller:~# modprobe speakup_audptr
> input: Speakup as /devices/virtual/input/input4
> initialized device: /dev/synth, node (MAJOR 10, MINOR 125)
> speakup 3.1.6: initialized
> synth name on entry is: (null)
> synth probe
>
> spk_ttyio_initialise_ldisc failed because tty_kopen_exclusive returned
> failed (errno -16), then remove the module, we will get a null-ptr-deref
> problem, as follows:
>
> syzkaller:~# modprobe -r speakup_audptr
> releasing synth audptr
> BUG: kernel NULL pointer dereference, address: 0000000000000080
> #PF: supervisor write access in kernel mode
> #PF: error_code(0x0002) - not-present page
> PGD 0 P4D 0
> Oops: 0002 [#1] PREEMPT SMP PTI
> CPU: 2 PID: 204 Comm: modprobe Not tainted 6.1.0-rc6-dirty #1
> RIP: 0010:mutex_lock+0x14/0x30
> Call Trace:
> <TASK>
> spk_ttyio_release+0x19/0x70 [speakup]
> synth_release.part.6+0xac/0xc0 [speakup]
> synth_remove+0x56/0x60 [speakup]
> __x64_sys_delete_module+0x156/0x250
> ? fpregs_assert_state_consistent+0x1d/0x50
> do_syscall_64+0x37/0x90
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
> </TASK>
> Modules linked in: speakup_audptr(-) speakup
> Dumping ftrace buffer:
>
> in_synth->dev was not initialized during modprobe, so we add a check
> for in_synth->dev to fix this bug.
>
> Fixes: 4f2a81f3a882 ("speakup: Reference synth from tty and tty from synth")
> Signed-off-by: Gaosheng Cui <cuigaosheng1@xxxxxxxxxx>

Reviewed-by: Samuel Thibault <samuel.thibault@xxxxxxxxxxxx>

Please also Cc stable@xxxxxxxxxxxxxxx ;)

Thanks!

> ---
> drivers/accessibility/speakup/spk_ttyio.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/accessibility/speakup/spk_ttyio.c b/drivers/accessibility/speakup/spk_ttyio.c
> index 08cf8a17754b..07373b3debd1 100644
> --- a/drivers/accessibility/speakup/spk_ttyio.c
> +++ b/drivers/accessibility/speakup/spk_ttyio.c
> @@ -354,6 +354,9 @@ void spk_ttyio_release(struct spk_synth *in_synth) > { > struct tty_struct *tty = in_synth->dev; > > + if (tty == NULL) > + return; > + > tty_lock(tty); > > if (tty->ops->close)
> --
> 2.25.1

--
Samuel

---
For an independent, transparent and rigorous evaluation! I support Inria's Evaluation Committee.
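Review bot: the early return at the top of spk_ttyio_release() stops the NULL dereference shown in the trace (mutex_lock() reached from tty_lock(tty) with tty NULL), but the hunk gives no hint of why in_synth->dev can be NULL at this point; a one-line comment above the check, such as `/* dev stays NULL when spk_ttyio_initialise_ldisc() failed */`, would spare the next reader a trip through the probe path, and kernel style prefers `if (!tty)` over `if (tty == NULL)`. Since the patch carries a Fixes: tag and the reviewer asked for it, a `Cc: stable@xxxxxxxxxxxxxxx` trailer next to it would make sure the check is picked up by stable trees.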