From owner-freebsd-current@FreeBSD.ORG Wed Nov 2 02:59:09 2005
Date: Tue, 1 Nov 2005 18:59:08 -0800 (PST)
From: Nate Eldredge <nge@cs.hmc.edu>
To: bug-followup@FreeBSD.org, marcolz@stack.nl
Cc: freebsd-current@freebsd.org, rwatson@freebsd.org, Philippe.Pegon@crc.u-strasbg.fr
Subject: Re: kern/83375: Fatal trap 12 cloning a pty (was: show stopper for FreeBSD 6)
List-Id: Discussions about the use of FreeBSD-current

Okay, well I have made some progress here. The problem, at least on
7.0-CURRENT, occurs when you revoke() somebody's controlling tty, and then
they try to clone it by opening /dev/tty. revoke() will set the vnode's
type to VBAD and ->v_rdev to NULL. However ctty_clone() assumes that if the
P_CONTROLT flag is set and p_session->s_ttyvp is non-null then
s_ttyvp->v_rdev is non-null as well, and it passes it to dev_ref which
dereferences the pointer.
One way to fix this is to have ctty_clone check for v_type == VBAD and/or
v_rdev == NULL, and treat it like the case of s_ttyvp == NULL (give them
the dummy /dev/ctty instead). Does that seem reasonable? I am not very
familiar with the kernel, just trying to learn through fixing bugs.

When I do that, the screen test case works until the machine runs out of
memory :)

The dumps posted from 5.x look very different and this may be a separate
bug. Unfortunately I don't have a 5.x test box.

Here is a simpler test case. I use /dev/ttyv9 as the terminal device, so
you have to be root to run it, but it should also work with a pty. So a
regular user could exploit this.

------------------------snip---------------------
#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define TTY "/dev/ttyv9" /* should be totally unused */
#define CTTY "/dev/tty"

int
main(void)
{
    int ttyfd;
    pid_t pid;

    /* Get rid of my ctty. */
    printf("Parent starting: pid %d\n", getpid());
    pid = fork();
    if (pid < 0) {
        perror("fork");
        exit(1);
    } else if (pid > 0) {
        int status;

        /* parent */
        waitpid(pid, &status, 0);
        exit(0);
    }

    /* child */
    printf("Child: pid %d\n", getpid());
    if (setsid() < 0) {
        perror("setsid");
        exit(1);
    }
    ttyfd = open(TTY, O_RDWR);
    if (ttyfd < 0) {
        perror(TTY);
        exit(1);
    }
    if (ioctl(ttyfd, TIOCSCTTY) < 0) {
        perror("ioctl(TIOCSCTTY)");
        exit(1);
    }
    if (revoke(TTY) < 0) {
        perror("revoke");
        exit(1);
    }
    if (open(CTTY, O_RDWR) < 0) {
        perror(CTTY);
        exit(1);
    }
    return 0;
}
-----------------------------snip-------------------

--
Nate Eldredge
nge@cs.hmc.edu
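A userland model of the check proposed above, added here as an illustration; it is not FreeBSD kernel code. The structs, model_revoke(), model_dev_ref(), ctty_lookup_original(), ctty_lookup_fixed() and replay_testcase() are all constructed to mirror the report's description of the vnode, session and process fields involved. It replays the test case sequence (acquire a controlling tty, revoke() it, open /dev/tty) against both lookups: the original follows s_ttyvp->v_rdev after revoke() has set it to NULL, while the fixed lookup treats a VBAD vnode or NULL v_rdev like s_ttyvp == NULL and hands back the dummy ctty.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The two vnode states the report distinguishes: a live character device
 * and the VBAD state that revoke() leaves behind. (Constructed model.) */
enum vtype { VCHR, VBAD };

struct cdev { const char *si_name; int si_refcount; };
struct vnode { enum vtype v_type; struct cdev *v_rdev; };
struct session { struct vnode *s_ttyvp; };
#define P_CONTROLT 0x1
struct proc { int p_flag; struct session *p_session; };

/* The dummy device handed out when a process has no controlling tty. */
static struct cdev ctty_dummy = { "ctty", 0 };

/* Model of revoke(): the vnode becomes VBAD and loses its device pointer. */
static void
model_revoke(struct vnode *vp)
{
    vp->v_type = VBAD;
    vp->v_rdev = NULL;
}

/* Model of dev_ref(): the kernel dereferences dev unconditionally, which is
 * where the trap 12 happens. Here a NULL dev sets *faulted instead. */
static struct cdev *
model_dev_ref(struct cdev *dev, int *faulted)
{
    if (dev == NULL) {
        *faulted = 1;
        return NULL;
    }
    dev->si_refcount++;
    return dev;
}

/* Lookup as the report describes it: only P_CONTROLT and s_ttyvp are
 * checked before v_rdev is passed to dev_ref(). */
static struct cdev *
ctty_lookup_original(struct proc *p, int *faulted)
{
    *faulted = 0;
    if ((p->p_flag & P_CONTROLT) && p->p_session->s_ttyvp != NULL)
        return model_dev_ref(p->p_session->s_ttyvp->v_rdev, faulted);
    return model_dev_ref(&ctty_dummy, faulted);
}

/* Proposed fix: a VBAD vnode or a NULL v_rdev is treated exactly like
 * s_ttyvp == NULL, so the caller gets the dummy /dev/ctty. */
static struct cdev *
ctty_lookup_fixed(struct proc *p, int *faulted)
{
    struct vnode *vp;

    *faulted = 0;
    if ((p->p_flag & P_CONTROLT) && (vp = p->p_session->s_ttyvp) != NULL &&
        vp->v_type != VBAD && vp->v_rdev != NULL)
        return model_dev_ref(vp->v_rdev, faulted);
    return model_dev_ref(&ctty_dummy, faulted);
}

/* Replays the test case: a session with a controlling tty (constructed as
 * "ttyv9"), revoke() on it, then the /dev/tty clone lookup. Returns the
 * device name handed back, or "(trap)" when NULL would have been followed. */
static const char *
replay_testcase(int use_fix, int *faulted)
{
    struct cdev ttyv9 = { "ttyv9", 0 };
    struct vnode vp = { VCHR, &ttyv9 };
    struct session sess = { &vp };
    struct proc p = { P_CONTROLT, &sess };
    struct cdev *dev;

    model_revoke(&vp);                       /* revoke(TTY) */
    dev = use_fix ? ctty_lookup_fixed(&p, faulted)
                  : ctty_lookup_original(&p, faulted);   /* open(CTTY) */
    return dev != NULL ? dev->si_name : "(trap)";
}

int
main(void)
{
    int faulted;
    const char *name;

    name = replay_testcase(0, &faulted);
    printf("original lookup: %s (faulted=%d)\n", name, faulted);
    name = replay_testcase(1, &faulted);
    printf("fixed lookup:    %s (faulted=%d)\n", name, faulted);
    return 0;
}
```

Build with `cc -Wall model.c && ./a.out`; the first line reports the NULL dereference the original logic would take, the second shows the fixed lookup falling back to the dummy ctty with no fault.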