Date: Tue, 15 Dec 2015 15:41:41 -0200
From: "Herton R. Krzesinski"
To: Peter Hurley
Cc: linux-kernel@vger.kernel.org, Greg Kroah-Hartman, Jiri Slaby
Subject: Re: pty: fix use after free/oops at pty_unix98_shutdown
Message-ID: <20151215174141.GB20334@dhcppc10.redhat.com>
References: <1450150179-20925-1-git-send-email-herton@redhat.com> <56703D34.7020106@hurleysoftware.com> <20151215163604.GA20334@dhcppc10.redhat.com> <56704DBC.4080503@hurleysoftware.com>
In-Reply-To: <56704DBC.4080503@hurleysoftware.com>

On Tue, Dec 15, 2015 at 09:28:28AM -0800, Peter Hurley wrote:
> On 12/15/2015 08:36 AM, Herton R. Krzesinski wrote:
> > On Tue, Dec 15, 2015 at 08:17:56AM -0800, Peter Hurley wrote:
> >>> I also expect in a rare case where all ptmx references are gone/closed, this also
> >>> could happen on final close when the master tty is given to pty_unix98_shutdown.
> >>
> >> This logic I'm not following. If the pty master is being released, then the inode
> >> is valid for the release() operation in-progress.
> >
> > Hi Peter,
> >
> > yes, you're right if you are e.g. closing the /dev/ptmx or /dev/pts/ptmx file
> > previously opened. But I thought and refer above to the case where for example
> > you are closing /dev/tty and that's the final close and there is no other
> > process in the system with the /dev/{,*/}ptmx opened, the inode which referenced
> > the previously opened ptmx could be gone. It would be rare though since in a
> > running system any logged in user e.g. through ssh or with a terminal open in X
> > will have at least a ptmx device opened.
>
> /dev/tty can never be an alias for /dev/ptmx in Linux: a master pty cannot be
> a controlling terminal. So if the master pty is being released it will always be
> with the /dev/ptmx inode.

Indeed, pty_unix98_shutdown in case of /dev/tty close will be called with slave
pty tty_struct. Sorry about my previous confusing/wrong statement. My concern is
only valid in case final /dev/tty close used the ptmx inode instead of
slave_inode created at ptmx_open, which was not the case before/with current
code, but is the case when applying my patch, thus I grab the reference to the
inode.

>
> Regards,
> Peter Hurley
>
> PS - for the purpose of this discussion, /dev/pts/ptmx is equivalent.

--
[]'s
Herton
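The lifetime question discussed in this message, as an added userspace model in C; it is not part of the original e-mail, the patch, or the kernel. All `model_*` names are hypothetical, and the scenario assumes the opener's reference is the only other one and is dropped before the final slave-side close runs shutdown.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model, not kernel code: every model_* name is hypothetical. */
struct model_inode { int refs; bool freed; };   /* freed stands in for the real free */

static struct model_inode *model_grab(struct model_inode *i)
{
    if (i == NULL || i->freed)
        return NULL;
    i->refs++;
    return i;
}

static void model_put(struct model_inode *i)
{
    if (i != NULL && !i->freed && --i->refs == 0)
        i->freed = true;
}

struct model_pty { struct model_inode *ptmx_inode; bool holds_ref; };
/* Shutdown touches the remembered ptmx inode; report whether it was still live. */
static bool model_shutdown(struct model_pty *p)
{
    bool live = p->ptmx_inode != NULL && !p->ptmx_inode->freed;
    if (p->holds_ref)
        model_put(p->ptmx_inode);   /* drop the reference taken at open */
    p->ptmx_inode = NULL;
    return live;
}

/* Constructed scenario: opener drops its ref, then final slave close runs shutdown. */
static bool final_close_sees_live_inode(bool take_ref, bool *released)
{
    struct model_inode ino = { .refs = 1, .freed = false };   /* opener's reference */
    struct model_pty pty = { take_ref ? model_grab(&ino) : &ino, take_ref };
    model_put(&ino);                    /* last ptmx opener goes away */
    bool live = model_shutdown(&pty);   /* final close reaches shutdown */
    *released = ino.freed;              /* inode must still end up freed (no leak) */
    return live;
}

int main(void)
{
    bool rel;
    printf("borrowed pointer:  live=%d\n", final_close_sees_live_inode(false, &rel));
    printf("grabbed reference: live=%d\n", final_close_sees_live_inode(true, &rel));
    return 0;
}
```

With a borrowed pointer the model reports the inode as already gone when shutdown reads it; with the grabbed reference it is live at shutdown and released afterwards.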