NetBSD Problem Report #58327

From jakllsch@oglaroon.kollasch.net  Sun Jun  9 19:19:58 2024
Return-Path: <jakllsch@oglaroon.kollasch.net>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits)
	 client-signature RSA-PSS (2048 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 806CF1A9238
	for <gnats-bugs@gnats.NetBSD.org>; Sun,  9 Jun 2024 19:19:58 +0000 (UTC)
Message-Id: <20240609191943.BC2E5BA94F@oglaroon.kollasch.net>
Date: Sun,  9 Jun 2024 19:19:43 +0000 (UTC)
From: jakllsch@kollasch.net
Reply-To: jakllsch@kollasch.net
To: gnats-bugs@NetBSD.org
Subject: tty process group use-after-free
X-Send-Pr-Version: 3.95

>Number:         58327
>Category:       kern
>Synopsis:       tty process group use-after-free bug fix
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Jun 09 19:20:01 +0000 2024
>Originator:     Jonathan A. Kollasch
>Release:        NetBSD 9.3
>Organization:
>Environment:
System: NetBSD  9.3 NetBSD 9.3 (GENERIC) #0: Thu Aug 4 15:30:37 UTC 2022 mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/amd64/compile/GENERIC amd64
Architecture: x86_64
Machine: amd64
>Description:
I've discovered that there's a use-after-free bug that is triggered by
multiply-opened tty(4) devices where one process uses FIOSETOWN and then
exits.  It occurs, for example, when first ntpd(8) opens a GPS_NMEA(0)
refclock (/dev/gps0 -> /dev/ttyU0), and subsequently gpsd(8) opens the
same tty.  ntpd(8) does a FIOSETOWN ioctl on this tty soon after startup
that sets tp->t_pgrp.  (gpsd does not seem to explicitly FIOSETOWN or
TIOCSCTTY.)  Subsequently when you stop the ntpd process (with
gpsd still running) tp->t_pgrp points to a freed chunk of memory.  Soon,
ttysigintr() tries to send SIGIO to this process group, and things
explode (the symptom may vary, as the pgrp memory could have been
re-used, or kASan may have intercepted it, or you just segfault in the
kernel).

I see that the TIOCSCTTY case in ttioctl() calls proc_sesshold(), but
the FIOSETOWN or TIOCSPGRP cases, which are vaguely similar, do not.

The attached patch prevents the UAF bug I observed, but I'm not confident
it's correct; and I'm even less confident for the TIOCSPGRP case which I
was unable to test.  I am mostly concerned it may result in a memory leak,
or at worst a deadlock, but perhaps that's better than crashing the kernel.
>How-To-Repeat:
Run ntpd and gpsd on the same NMEA GPS tty.
>Fix:
Index: src/sys/kern/tty.c
===================================================================
RCS file: /cvsroot/src/sys/kern/tty.c,v
retrieving revision 1.312
diff -d -u -a -p -r1.312 tty.c
--- src/sys/kern/tty.c	7 Dec 2023 09:00:32 -0000	1.312
+++ src/sys/kern/tty.c	24 Apr 2024 01:58:14 -0000
@@ -1441,6 +1441,7 @@ unlock_constty:	mutex_exit(&constty_lock
 			return (EPERM);
 		}
 		mutex_spin_enter(&tty_lock);
+		proc_sesshold(pgrp->pg_session);
 		tp->t_pgrp = pgrp;
 		mutex_spin_exit(&tty_lock);
 		mutex_exit(&proc_lock);
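Review bot: the hold added on the line before `tp->t_pgrp = pgrp;` in this FIOSETOWN hunk has no matching release anywhere in the patch. The previous t_pgrp is overwritten here without its session being released, and nothing releases the new hold on last close either, so every FIOSETOWN on the same tty adds one more hold on the session for good; that is the leak the report itself anticipates. Suggest remembering the old `tp->t_pgrp` (or its `pg_session`) under tty_lock and pairing the new hold with a proc_sessrele() on the replace and teardown paths, minding that routine's lock requirements. Also worth noting that the hold is taken on `pgrp->pg_session` while the pointer being protected is `pgrp` itself: whether keeping the session alive keeps this particular struct pgrp alive depends on how pgrp teardown treats a pgrp that is not its session's leader, so the patch should be tested with a FIOSETOWN target that only did setpgid(), not just a daemon that called setsid().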
@@ -1464,6 +1465,7 @@ unlock_constty:	mutex_exit(&constty_lock
 			return (EPERM);
 		}
 		mutex_spin_enter(&tty_lock);
+		proc_sesshold(pgrp->pg_session);
 		tp->t_pgrp = pgrp;
 		mutex_spin_exit(&tty_lock);
 		mutex_exit(&proc_lock);
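Review bot: same unpaired hold as in the FIOSETOWN hunk, on a path the report says was not tested. The EPERM check just above this hunk only admits a pgrp from the caller's own session, and TIOCSPGRP is the ordinary job-control ioctl, so an unreleased hold per call would accumulate on every foreground/background switch for the life of the session. If, as the report observes, the TIOCSCTTY path already takes a hold on the session when the tty becomes a controlling terminal, this second hold on the same session adds no protection; suggest dropping this hunk unless a concrete TIOCSPGRP sequence that leaves t_pgrp dangling can be shown, and otherwise releasing the previous t_pgrp's session here when it is replaced.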
