This patch fixes a bug that is present in 2.1.115 at least. To demonstrate,
log into another terminal and type
cat /dev/pts/666 (WARNING: this locks the terminal)
and you get an oops. Switching to the other terminal shows that command
in disk waiting state, so you cannot kill it. Worse, it stays there for all
time. If you discover that /dev/pts/666 does not exist and no panic, your system
is not affected by the bug this patch fixes.
If your system is affected this patch will fix it. The bug is a simple lack
of bounds checking on the size of entry. If entry is too big (normally this
means >= 256) then sbi->inodes[] is memory that has not been allocated for
that purpose. After applying the patch the oops goes away and you discover
that /dev/pts/666 does not exist.
Since this is a kernel exploit, fancy fireworks might hit your system, of course,
if you are really unlucky. The patch assumes you are in the
/usr/src/linux/fs/devpts directory. This will probably get fixed "officially"
soon. (2.1.117 seems to be still affected.)
BTW, the only method of freeing up the process table entry used by that cat
command is rebooting. Bad guys could write a program that forks off processes
that exploit this bug and then exploits itself to tie up process table entries,
obviously. That could be bad news.
--- linux/fs/devpts/root.c.dist Thu Aug 13 17:54:17 1998
+++ linux/fs/devpts/root.c Thu Aug 13 20:33:50 1998
@@ -159,10 +159,12 @@
entry += (*p++ - '0');
}
}
-
- dentry->d_inode = sbi->inodes[entry];
- if ( dentry->d_inode )
- dentry->d_inode->i_count++;
+ if (entry<sbi->max_ptys) /* Check range of number */
+ {
+ dentry->d_inode = sbi->inodes[entry];
+ if ( dentry->d_inode )
+ dentry->d_inode->i_count++;
+ }
d_add(dentry, dentry->d_inode);
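Review bot: the new test `entry<sbi->max_ptys` is one-sided; if `entry` is a signed int (its declaration is outside this hunk), a long enough run of digits in the name can wrap the accumulator in `entry += (*p++ - '0')` negative and still pass the check, so either compare as unsigned, add `entry >= 0`, or reject names whose digit accumulation overflows. The out-of-range branch also leaves `dentry->d_inode` untouched before `d_add(dentry, dentry->d_inode)`; unless it is known to be NULL on entry to this function, add `else dentry->d_inode = NULL;` so a bad name cannot hand d_add a stale pointer. Minor style point: kernel style puts the opening brace on the `if` line and spaces around `<`.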
-- 
Duncan (-: "software industry, the: unique industry where selling substandard goods is legal and you can charge extra for fixing the problems."
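The bug described in the message is a classic unchecked array index: a number parsed out of a file name is used directly as an index into a fixed-size table. The example below is an added illustration, not code from the patch or from the kernel; the `demo_` structures and functions are constructed stand-ins for the devpts superblock info and `root.c` lookup, with a fixed table of 256 entries. It shows the lookup with the range check in place, and also rejects names whose digits would wrap the accumulator, the case the one-sided `entry < max_ptys` test alone does not cover.

```c
#include <stddef.h>
#include <string.h>
#include <limits.h>
#include <stdio.h>

/* Constructed stand-in for the devpts superblock info: a fixed table of
 * per-pty inode pointers indexed by pty number. These names and types are
 * assumptions for this example, not the kernel's own structures. */
#define DEMO_MAX_PTYS 256

struct demo_inode {
    int number;
};

struct demo_sb_info {
    unsigned int max_ptys;
    struct demo_inode *inodes[DEMO_MAX_PTYS];
};

/* Parse a decimal pty name such as "7" or "255" the way the lookup loop in
 * root.c accumulates digits, but reject anything that cannot be a valid
 * index: empty names, non-digits, leading zeros ("007" would alias "7") and
 * values that would wrap the accumulator. Returns 0 on success. */
int demo_parse_pty_name(const char *name, size_t len, unsigned int *out)
{
    unsigned int entry = 0;
    size_t i;

    if (len == 0 || (len > 1 && name[0] == '0'))
        return -1;
    for (i = 0; i < len; i++) {
        unsigned int d;
        if (name[i] < '0' || name[i] > '9')
            return -1;
        d = (unsigned int)(name[i] - '0');
        if (entry > (UINT_MAX - d) / 10)   /* entry * 10 + d would overflow */
            return -1;
        entry = entry * 10 + d;
    }
    *out = entry;
    return 0;
}

/* Look up the inode for a pty name. The comparison against max_ptys is the
 * bounds check the patch adds; without it, entry >= max_ptys indexes past
 * the end of inodes[]. Returns NULL for names that do not exist. */
struct demo_inode *demo_lookup_pty(struct demo_sb_info *sbi,
                                   const char *name, size_t len)
{
    unsigned int entry;

    if (demo_parse_pty_name(name, len, &entry) != 0)
        return NULL;
    if (entry >= sbi->max_ptys)
        return NULL;
    return sbi->inodes[entry];
}

/* Constructed sample filesystem: only pty 0 and pty 7 have been allocated. */
static struct demo_inode demo_pty0 = { 0 };
static struct demo_inode demo_pty7 = { 7 };

static struct demo_sb_info *demo_sample_sb(void)
{
    static struct demo_sb_info sbi;
    static int ready;

    if (!ready) {
        memset(&sbi, 0, sizeof sbi);
        sbi.max_ptys = DEMO_MAX_PTYS;
        sbi.inodes[0] = &demo_pty0;
        sbi.inodes[7] = &demo_pty7;
        ready = 1;
    }
    return &sbi;
}

/* Convenience wrapper for the sample filesystem: returns the pty number
 * for a name that resolves to an inode, or -1 when the lookup fails. */
int demo_lookup_name(const char *name)
{
    struct demo_inode *ino = demo_lookup_pty(demo_sample_sb(), name, strlen(name));
    return ino ? ino->number : -1;
}

int main(void)
{
    const char *names[] = { "7", "0", "3", "255", "256", "666", "007", "x", "99999999999" };
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-12s -> %d\n", names[i], demo_lookup_name(names[i]));
    return 0;
}
```

With the check in place, "666" and "256" resolve to "does not exist" instead of reading beyond the table, and "3" (in range but never allocated) returns NULL just as an unallocated slot would; the overflow test in the parser is what closes the signed-wrap gap a bare `entry < max_ptys` comparison leaves open.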