linux/drivers/tty
Hillf Danton b549cc7c9c tty: n_gsm: check error while registering tty devices
[ Upstream commit 0a360e8b65 ]

Add the error path for registering tty devices and roll back in case of error
in a bid to avoid a UAF like the one reported below.

Plus, syzbot reported a general protection fault in cdev_del() on Sep 24, 2020,
and both cases are down to the kobject_put() in tty_cdev_add().

 ------------[ cut here ]------------
 refcount_t: underflow; use-after-free.
 WARNING: CPU: 1 PID: 8923 at lib/refcount.c:28
 refcount_warn_saturate+0x1cf/0x210 -origin/lib/refcount.c:28
 Modules linked in:
 CPU: 1 PID: 8923 Comm: executor Not tainted 5.12.0-rc5+ #8
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
 1.13.0-1ubuntu1.1 04/01/2014
 RIP: 0010:refcount_warn_saturate+0x1cf/0x210 -origin/lib/refcount.c:28
 Code: 4f ff ff ff e8 32 fa b5 fe 48 c7 c7 3d f8 f6 86 e8 d6 ab c6 fe
 c6 05 7c 34 67 04 01 48 c7 c7 68 f8 6d 86 31 c0 e8 81 2e 9d fe <0f> 0b
 e9 22 ff ff ff e8 05 fa b5 fe 48 c7 c7 3e f8 f6 86 e8 a9 ab
 RSP: 0018:ffffc90001633c60 EFLAGS: 00010246
 RAX: 15d08b2e34b77800 RBX: 0000000000000003 RCX: ffff88804c056c80
 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
 RBP: 0000000000000003 R08: ffffffff813767aa R09: 0001ffffffffffff
 R10: 0001ffffffffffff R11: ffff88804c056c80 R12: ffff888040b7d000
 R13: ffff88804c206938 R14: ffff88804c206900 R15: ffff888041b18488
 FS:  00000000022c9940(0000) GS:ffff88807ec00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007f9f9b122008 CR3: 0000000044b4b000 CR4: 0000000000750ee0
 PKRU: 55555554
 Call Trace:
  __refcount_sub_and_test -origin/./include/linux/refcount.h:283 [inline]
  __refcount_dec_and_test -origin/./include/linux/refcount.h:315 [inline]
  refcount_dec_and_test -origin/./include/linux/refcount.h:333 [inline]
  kref_put -origin/./include/linux/kref.h:64 [inline]
  kobject_put+0x17b/0x180 -origin/lib/kobject.c:753
  cdev_del+0x4b/0x50 -origin/fs/char_dev.c:597
  tty_unregister_device+0x99/0xd0 -origin/drivers/tty/tty_io.c:3343
  gsmld_detach_gsm -origin/drivers/tty/n_gsm.c:2409 [inline]
  gsmld_close+0x6c/0x140 -origin/drivers/tty/n_gsm.c:2478
  tty_ldisc_close -origin/drivers/tty/tty_ldisc.c:488 [inline]
  tty_ldisc_kill -origin/drivers/tty/tty_ldisc.c:636 [inline]
  tty_ldisc_release+0x1b6/0x400 -origin/drivers/tty/tty_ldisc.c:809
  tty_release_struct+0x19/0xb0 -origin/drivers/tty/tty_io.c:1714
  tty_release+0x9ad/0xa00 -origin/drivers/tty/tty_io.c:1885
  __fput+0x260/0x4e0 -origin/fs/file_table.c:280
  ____fput+0x11/0x20 -origin/fs/file_table.c:313
  task_work_run+0x8e/0x110 -origin/kernel/task_work.c:140
  tracehook_notify_resume -origin/./include/linux/tracehook.h:189 [inline]
  exit_to_user_mode_loop -origin/kernel/entry/common.c:174 [inline]
  exit_to_user_mode_prepare+0x16b/0x1a0 -origin/kernel/entry/common.c:208
  __syscall_exit_to_user_mode_work -origin/kernel/entry/common.c:290 [inline]
  syscall_exit_to_user_mode+0x20/0x40 -origin/kernel/entry/common.c:301
  do_syscall_64+0x45/0x80 -origin/arch/x86/entry/common.c:56
  entry_SYSCALL_64_after_hwframe+0x44/0xae

Reported-by: syzbot+c49fe6089f295a05e6f8@syzkaller.appspotmail.com
Reported-and-tested-by: Hao Sun <sunhao.th@gmail.com>
Signed-off-by: Hillf Danton <hdanton@sina.com>
Link: https://lore.kernel.org/r/20210412035758.1974-1-hdanton@sina.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-05-11 14:47:21 +02:00
hvc tty: hvc: fix link error with CONFIG_SERIAL_CORE_CONSOLE=n 2020-09-27 14:17:43 +02:00
ipwireless tty: ipwireless: fix error handling 2020-09-04 18:08:16 +02:00
serdev serdev: Fix detection of UART devices on Apple machines. 2020-03-06 14:10:44 +01:00
serial soc: qcom-geni-se: Cleanup the code to remove proxy votes 2021-04-07 15:00:13 +02:00
vt vt/consolemap: do font sum unsigned 2021-03-07 12:34:09 +01:00
amiserial.c Remove every trace of SERIAL_MAGIC 2019-11-13 19:01:14 +08:00
cyclades.c treewide: Remove uninitialized_var() usage 2020-07-16 12:35:15 -07:00
ehv_bytechan.c tty: evh_bytechan: Fix out of bounds accesses 2020-03-17 23:40:31 +11:00
goldfish.c
isicom.c treewide: Remove uninitialized_var() usage 2020-07-16 12:35:15 -07:00
Kconfig treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
Makefile
mips_ejtag_fdc.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
moxa.c remove ioremap_nocache and devm_ioremap_nocache 2020-01-06 09:45:59 +01:00
moxa.h tty: fix spelling mistake 2020-06-27 16:21:20 +02:00
mxser.c tty: mxser: make mxser_change_speed() return void 2020-05-15 14:47:05 +02:00
mxser.h
n_gsm.c tty: n_gsm: check error while registering tty devices 2021-05-11 14:47:21 +02:00
n_hdlc.c tty: convert tty_ldisc_ops 'read()' function to take a kernel pointer 2021-03-04 11:37:36 +01:00
n_null.c tty: convert tty_ldisc_ops 'read()' function to take a kernel pointer 2021-03-04 11:37:36 +01:00
n_r3964.c tty: convert tty_ldisc_ops 'read()' function to take a kernel pointer 2021-03-04 11:37:36 +01:00
n_tracerouter.c tty: convert tty_ldisc_ops 'read()' function to take a kernel pointer 2021-03-04 11:37:36 +01:00
n_tracesink.c tty: convert tty_ldisc_ops 'read()' function to take a kernel pointer 2021-03-04 11:37:36 +01:00
n_tracesink.h tty: n_tracesink: Use the correct style for SPDX License Identifier 2020-03-18 13:01:31 +01:00
n_tty.c tty: teach the n_tty ICANON case about the new "cookie continuations" too 2021-03-07 12:34:16 +01:00
nozomi.c tty: nozomi: Use scnprintf() for avoiding potential buffer overflow 2020-03-18 12:59:29 +01:00
pty.c pty: do tty_flip_buffer_push without port->lock in pty_write 2020-09-04 18:10:30 +02:00
rocket_int.h
rocket.c Merge 5.7-rc3 into tty-next 2020-04-27 09:33:21 +02:00
rocket.h
synclink_gt.c tty: synclink_gt: switch from 'pci_' to 'dma_' API 2020-09-04 18:07:22 +02:00
synclink.c tty: synclink, fix kernel-doc 2020-08-18 13:51:18 +02:00
synclinkmp.c tty: synclink, fix kernel-doc 2020-08-18 13:51:18 +02:00
sysrq.c tty/sysrq: Extend the sysrq_key_table to cover capital letters 2020-10-02 14:56:06 +02:00
tty_audit.c
tty_baudrate.c tty: fix kernel-doc 2020-08-18 13:51:18 +02:00
tty_buffer.c tty: fix kernel-doc 2020-08-18 13:51:18 +02:00
tty_io.c tty: fix up hung_up_tty_read() conversion 2021-03-07 12:34:16 +01:00
tty_ioctl.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
tty_jobctrl.c tty: Fix ->session locking 2020-12-04 17:39:58 +01:00
tty_ldisc.c tty: fix kernel-doc 2020-08-18 13:51:18 +02:00
tty_ldsem.c
tty_mutex.c
tty_port.c serdev: ttyport: restore client ops on deregistration 2020-02-10 12:26:44 -08:00
ttynull.c
vcc.c sparc64: vcc: Fix error return code in vcc_probe() 2020-04-28 14:38:54 +02:00