tty: use-after-free in n_tty_receive_buf_fast


Dmitry Vyukov

Sep 3, 2016, 8:42:29 AM
to Greg Kroah-Hartman, Jiri Slaby, LKML, Peter Hurley, Vegard Nossum, syzkaller
Hello,

The following program causes a use-after-free in n_tty_receive_buf_fast:

https://gist.githubusercontent.com/dvyukov/ac81bed0238f280ddf9067e6234cd8b0/raw/791c07ac0cdb27e2e399464d68fa0234d2aa8bd1/gistfile1.txt

BUG: KASAN: use-after-free in n_tty_receive_buf_common+0x1ea9/0x24a0
at addr ffff88006555dcb0
Read of size 1 by task syz-executor/17003
CPU: 0 PID: 17003 Comm: syz-executor Not tainted 4.8.0-rc3-next-20160825+ #8
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
ffffffff886b6fe0 ffff8800657af628 ffffffff82db38d9 ffffffff8a0e3200
fffffbfff10d6dfc ffff88003e800a00 ffff88006555dbc0 ffff88006555fbc0
000000000000000d dffffc0000000000 ffff8800657af650 ffffffff81809e7c
Call Trace:
[<ffffffff8180a3ee>] __asan_report_load1_noabort+0x3e/0x40
mm/kasan/report.c:319
[< inline >] n_tty_receive_buf_fast drivers/tty/n_tty.c:1575
[< inline >] __receive_buf drivers/tty/n_tty.c:1613
[<ffffffff83234cd9>] n_tty_receive_buf_common+0x1ea9/0x24a0
drivers/tty/n_tty.c:1711
[<ffffffff83235303>] n_tty_receive_buf2+0x33/0x40 drivers/tty/n_tty.c:1746
[<ffffffff8323b2a9>] tty_ldisc_receive_buf+0xa9/0x1b0
drivers/tty/tty_buffer.c:429
[<ffffffff832616de>] paste_selection+0x27e/0x3e0
[<ffffffff8327f286>] tioclinux+0x126/0x410 drivers/tty/vt/vt.c:2683
[<ffffffff8325c1ef>] vt_ioctl+0x13ef/0x2910 drivers/tty/vt/vt_ioctl.c:365
[<ffffffff832245cd>] tty_ioctl+0x69d/0x21e0 drivers/tty/tty_io.c:2983
[< inline >] vfs_ioctl fs/ioctl.c:43
[<ffffffff818a1dfc>] do_vfs_ioctl+0x18c/0x1080 fs/ioctl.c:675
[< inline >] SYSC_ioctl fs/ioctl.c:690
[<ffffffff818a2d7f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:681
[<ffffffff810088ff>] do_syscall_64+0x1df/0x640 arch/x86/entry/common.c:288
[<ffffffff86e107c3>] entry_SYSCALL64_slow_path+0x25/0x25
Object at ffff88006555dbc0, in cache kmalloc-8192 size: 8192
Allocated:
PID = 17003
[<ffffffff8122fc96>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
[<ffffffff81809266>] save_stack+0x46/0xd0 mm/kasan/kasan.c:479
[< inline >] set_track mm/kasan/kasan.c:491
[<ffffffff818094dd>] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:582
[< inline >] __do_kmalloc mm/slab.c:3742
[<ffffffff8180428e>] __kmalloc+0x15e/0x7a0 mm/slab.c:3751
[< inline >] kmalloc include/linux/slab.h:495
[<ffffffff83260b69>] set_selection+0x559/0xe50 drivers/tty/vt/selection.c:298
[<ffffffff8327f270>] tioclinux+0x110/0x410 drivers/tty/vt/vt.c:2679
[<ffffffff8325c1ef>] vt_ioctl+0x13ef/0x2910 drivers/tty/vt/vt_ioctl.c:365
[<ffffffff832245cd>] tty_ioctl+0x69d/0x21e0 drivers/tty/tty_io.c:2983
[< inline >] vfs_ioctl fs/ioctl.c:43
[<ffffffff818a1dfc>] do_vfs_ioctl+0x18c/0x1080 fs/ioctl.c:675
[< inline >] SYSC_ioctl fs/ioctl.c:690
[<ffffffff818a2d7f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:681
[<ffffffff86e10700>] entry_SYSCALL_64_fastpath+0x23/0xc1
Freed:
PID = 17034
[<ffffffff8122fc96>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
[<ffffffff81809266>] save_stack+0x46/0xd0 mm/kasan/kasan.c:479
[< inline >] set_track mm/kasan/kasan.c:491
[<ffffffff81809a92>] kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:555
[< inline >] __cache_free mm/slab.c:3520
[<ffffffff81807813>] kfree+0xc3/0x2a0 mm/slab.c:3837
[<ffffffff83260b89>] set_selection+0x579/0xe50 drivers/tty/vt/selection.c:304
[<ffffffff8327f270>] tioclinux+0x110/0x410 drivers/tty/vt/vt.c:2679
[<ffffffff8325c1ef>] vt_ioctl+0x13ef/0x2910 drivers/tty/vt/vt_ioctl.c:365
[<ffffffff832245cd>] tty_ioctl+0x69d/0x21e0 drivers/tty/tty_io.c:2983
[< inline >] vfs_ioctl fs/ioctl.c:43
[<ffffffff818a1dfc>] do_vfs_ioctl+0x18c/0x1080 fs/ioctl.c:675
[< inline >] SYSC_ioctl fs/ioctl.c:690
[<ffffffff818a2d7f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:681
[<ffffffff86e10700>] entry_SYSCALL_64_fastpath+0x23/0xc1
Memory state around the buggy address:
ffff88006555db80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
ffff88006555dc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88006555dc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88006555dd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88006555dd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

The program needs to be run in a loop; it seems to be a race.

On 0f98f121e1670eaa2a2fbb675e07d6ba7f0e146f of linux-next.
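A triage helper for reports of this shape, added here as an example and not part of the original post or of syzkaller: it parses the KASAN fields that matter (access PID, allocation and free PIDs, object cache, first non-plumbing frame of each stack) and flags the two signs of a race visible above, namely that the buffer was freed by a different task than the one reading it and that allocation and free both come from the same call site. The report text is a constructed excerpt of the one above with wrapped lines joined and most frames trimmed.

```python
import re
# Constructed excerpt of the KASAN report in the post above (frames trimmed, wrapped lines joined).
KASAN_REPORT = """\
BUG: KASAN: use-after-free in n_tty_receive_buf_common+0x1ea9/0x24a0
at addr ffff88006555dcb0
Read of size 1 by task syz-executor/17003
[<ffffffff832616de>] paste_selection+0x27e/0x3e0
Object at ffff88006555dbc0, in cache kmalloc-8192 size: 8192
Allocated:
PID = 17003
[<ffffffff8180428e>] __kmalloc+0x15e/0x7a0 mm/slab.c:3751
[<ffffffff83260b69>] set_selection+0x559/0xe50 drivers/tty/vt/selection.c:298
Freed:
PID = 17034
[<ffffffff81807813>] kfree+0xc3/0x2a0 mm/slab.c:3837
[<ffffffff83260b89>] set_selection+0x579/0xe50 drivers/tty/vt/selection.c:304
"""
# Sanitizer/allocator plumbing: skipped so the first kept frame is the code that owns the object.
HELPERS = ("mm/kasan/", "mm/slab.c", "include/linux/slab.h", "arch/x86/kernel/stacktrace.c")
FRAME = re.compile(r"^\[<[^>]*>\]\s+(\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?(?:\s+(\S+))?$")

def parse_kasan(text):
    """Pull the fields a triager needs out of one KASAN use-after-free report."""
    r = {"stacks": {"access": [], "Allocated": [], "Freed": []}, "pids": {}}
    section = "access"
    for line in text.splitlines():
        if line in ("Allocated:", "Freed:"):
            section = line[:-1]
        elif m := re.match(r"BUG: KASAN: (\S+) in (\S+?)(?:\+|$)", line):
            r["bug"], r["site"] = m.groups()
        elif m := re.match(r"at addr ([0-9a-f]+)", line):
            r["addr"] = int(m[1], 16)
        elif m := re.match(r"(?:Read|Write) of size \d+ by task \S+/(\d+)", line):
            r["pids"]["access"] = int(m[1])
        elif m := re.match(r"Object at ([0-9a-f]+), in cache (\S+) size: (\d+)", line):
            r["obj"], r["cache"], r["obj_size"] = int(m[1], 16), m[2], int(m[3])
        elif m := re.match(r"PID = (\d+)", line):
            r["pids"][section] = int(m[1])
        elif (m := FRAME.match(line)) and not (m[2] or "").startswith(HELPERS):
            r["stacks"][section].append(m[1])   # function name only, offset dropped
    return r

def triage(r):
    """Race indicators: object freed by another task, alloc and free at the same site."""
    first = lambda s: r["stacks"][s][0] if r["stacks"][s] else None
    return {
        "offset_in_object": r["addr"] - r["obj"],   # 0xf0 here, well inside the 8192-byte buffer
        "freed_by_other_task": r["pids"]["Freed"] != r["pids"]["access"],
        "alloc_free_same_site": first("Allocated") == first("Freed"),
        "reader": first("access"),
        "owner": first("Freed"),
    }
```

On the excerpt above, triage() reports the read at offset 0xf0 into the selection buffer, a free by PID 17034 while PID 17003 was reading, and set_selection as both allocator and freer, which is the select-versus-paste race the thread discusses.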

One Thousand Gnomes

Sep 5, 2016, 5:44:04 PM
to Dmitry Vyukov, Greg Kroah-Hartman, Jiri Slaby, LKML, Peter Hurley, Vegard Nossum, syzkaller
On Sat, 3 Sep 2016 14:42:08 +0200
Dmitry Vyukov <dvy...@google.com> wrote:

> Hello,
>
> The following program causes use-after-free in n_tty_receive_buf_fast:
>
> https://gist.githubusercontent.com/dvyukov/ac81bed0238f280ddf9067e6234cd8b0/raw/791c07ac0cdb27e2e399464d68fa0234d2aa8bd1/gistfile1.txt
>

Known bug. It's even been documented as broken since 2012, although it's
always been broken. Apparently nobody cares about fixing it, although now
that the tty buffers belong to the tty_port it is fixable if and when someone
dares to fix the mess that is the console locking code (because you have
to ensure the keyboard, selection and any other queue sources are
serialized).

TIOCSTI is broken as well and needs to be dealt with at the same time - in
fact you can currently get a three-way race between select, console input
and TIOCSTI if you really want to screw up (and you don't need root for
any of them).

Alan