Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752282AbbKZP0T (ORCPT <rfc822;w@1wt.eu>);
	Thu, 26 Nov 2015 10:26:19 -0500
Received: from mail-wm0-f49.google.com ([74.125.82.49]:38095 "EHLO
	mail-wm0-f49.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751060AbbKZP0Q (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Thu, 26 Nov 2015 10:26:16 -0500
MIME-Version: 1.0
In-Reply-To: <56571335.7050709@hurleysoftware.com>
References: <CACT4Y+aXkRPyOKi5-siQ1O=w6cv8QXL5adA2JvySzywCvpx-4g@mail.gmail.com>
 <56571335.7050709@hurleysoftware.com>
From: Dmitry Vyukov <dvyukov@google.com>
Date: Thu, 26 Nov 2015 16:25:55 +0100
Message-ID: <CACT4Y+Z5-SZcLaUeJfdSsB4BqiGDPhXJfMKq4GLYDe+UVsewfQ@mail.gmail.com>
Subject: Re: use-after-free in irtty_open
To: Peter Hurley <peter@hurleysoftware.com>
Cc: Samuel Ortiz <samuel@sortiz.org>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Jiri Slaby <jslaby@suse.com>, LKML <linux-kernel@vger.kernel.org>,
        syzkaller <syzkaller@googlegroups.com>,
        Kostya Serebryany <kcc@google.com>,
        Alexander Potapenko <glider@google.com>,
        Sasha Levin <sasha.levin@oracle.com>,
        Eric Dumazet <edumazet@google.com>, David Miller <davem@davemloft.net>
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 4619
Lines: 117

On Thu, Nov 26, 2015 at 3:12 PM, Peter Hurley <peter@hurleysoftware.com> wrote:
> [ + David Miller ]
>
> On 11/25/2015 10:37 AM, Dmitry Vyukov wrote:
>> Hello,
>>
>> The following program causes a use-after-free in irtty_open:
>>
>> // autogenerated by syzkaller (http://github.com/google/syzkaller)
>> #include <sys/types.h>
>> #include <sys/stat.h>
>> #include <fcntl.h>
>> #include <sys/ioctl.h>
>>
>> int main()
>> {
>>         int fd = open("/dev/ptmx", O_RDONLY|O_NOCTTY);
>>         int val = 9;
>>         ioctl(fd, TIOCSETD, &val);
>>         val = 11;
>>         ioctl(fd, TIOCSETD, &val);
>>         return 0;
>> }
>>
>>
>> ==================================================================
>> BUG: KASAN: use-after-free in irtty_open+0x422/0x550 at addr ffff8800331dd068
>> Read of size 4 by task a.out/13960
>> =============================================================================
>> BUG kmalloc-512 (Tainted: G    B          ): kasan: bad access detected
>> -----------------------------------------------------------------------------
>
> Thanks for the report, Dmitry.
> Would you please test the patch below?

The patch fixes the bug for me.

Tested-by: Dmitry Vyukov <dvyukov@google.com>

> As I wrote to Sasha a couple of days ago, the ldisc api should really prevent
> these kinds of errors. I have a patch for the ldisc core that eliminates
> these errors (reduces them to dead code).
>
> Seems like this was a common pattern at some point; probably need to challenge
> my coccinelle-fu to remove this pattern tree-wide.
>
> Regards,
> Peter Hurley
>
> --- >% ---
> Subject: [PATCH] net: irda: Fix use-after-free in irtty_open()
>
> The N_IRDA line discipline may access the previous line discipline's closed
> and already-fre private data on open [1].
>
> The tty->disc_data field _never_ refers to valid data on entry to the
> line discipline's open() method. Rather, the ldisc is expected to
> initialize that field for its own use for the lifetime of the instance
> (ie. from open() to close() only).
>
> [1] Report from Dmitry Vyukov <dvyukov@google.com>
>     ==================================================================
>     BUG: KASAN: use-after-free in irtty_open+0x422/0x550 at addr ffff8800331dd068
>     Read of size 4 by task a.out/13960
>     =============================================================================
>     BUG kmalloc-512 (Tainted: G    B          ): kasan: bad access detected
>     -----------------------------------------------------------------------------
>     ...
>     Call Trace:
>      [<ffffffff815fa2ae>] __asan_report_load4_noabort+0x3e/0x40 mm/kasan/report.c:279
>      [<ffffffff836938a2>] irtty_open+0x422/0x550 drivers/net/irda/irtty-sir.c:436
>      [<ffffffff829f1b80>] tty_ldisc_open.isra.2+0x60/0xa0 drivers/tty/tty_ldisc.c:447
>      [<ffffffff829f21c0>] tty_set_ldisc+0x1a0/0x940 drivers/tty/tty_ldisc.c:567
>      [<     inline     >] tiocsetd drivers/tty/tty_io.c:2650
>      [<ffffffff829da49e>] tty_ioctl+0xace/0x1fd0 drivers/tty/tty_io.c:2883
>      [<     inline     >] vfs_ioctl fs/ioctl.c:43
>      [<ffffffff816708ac>] do_vfs_ioctl+0x57c/0xe60 fs/ioctl.c:607
>      [<     inline     >] SYSC_ioctl fs/ioctl.c:622
>      [<ffffffff81671204>] SyS_ioctl+0x74/0x80 fs/ioctl.c:613
>      [<ffffffff852a7876>] entry_SYSCALL_64_fastpath+0x16/0x7a
>
> Reported-by: Dmitry Vyukov <dvyukov@google.com>
> Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
> ---
>  drivers/net/irda/irtty-sir.c | 10 ----------
>  1 file changed, 10 deletions(-)
>
> diff --git a/drivers/net/irda/irtty-sir.c b/drivers/net/irda/irtty-sir.c
> index 696852e..7a3f990 100644
> --- a/drivers/net/irda/irtty-sir.c
> +++ b/drivers/net/irda/irtty-sir.c
> @@ -430,16 +430,6 @@ static int irtty_open(struct tty_struct *tty)
>
>         /* Module stuff handled via irda_ldisc.owner - Jean II */
>
> -       /* First make sure we're not already connected. */
> -       if (tty->disc_data != NULL) {
> -               priv = tty->disc_data;
> -               if (priv && priv->magic == IRTTY_MAGIC) {
> -                       ret = -EEXIST;
> -                       goto out;
> -               }
> -               tty->disc_data = NULL;          /* ### */
> -       }
> -
>         /* stop the underlying  driver */
>         irtty_stop_receiver(tty, TRUE);
>         if (tty->ops->stop)
> --
> 2.6.3
>
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/