Serious devpts bug (still not fixed)

Duncan Simpson (dps@io.stargate.co.uk)
Fri, 11 Sep 1998 04:15:01 +0100


I tried to report this bug a while back but it is still at large. At the
end of fs/devpts/root.c it says

    dentry->d_inode = sbi->inodes[entry];    /* entry is used as an index here */
    if ( dentry->d_inode )
        dentry->d_inode->i_count++;

Sadly it only checks that the filename is all 0 to 9 and has no leading 0s.
There is no check that entry is small enough to be a legitimate index of
the sbi->inodes[]. Since the default is 256 and most people go with that,
cat /dev/pts/666 is normally lethal. If you are unlucky dentry->d_inode contains
some really lethal screwy data and the dentry->d_inode->i_count++ screws
some important data structure somewhere.

I changed my kernel to say

    if (entry<sbi->max_ptys) /* Check range of number */
    {
        dentry->d_inode = sbi->inodes[entry];
        if ( dentry->d_inode )
            dentry->d_inode->i_count++;
    }

instead so if entry is too big dentry stays NULL and the naughty memory
reference does not happen.

libpt-0.3, available by anonymous ftp from mars.astra.co.uk in the pub/word2x
directory, contains a demo/bug test program and a diff to apply this fix in the
patches directory.

Assuming you have gcc <2.8 it might also work too (glibc 2.1.x is a loser,
because it insists on gcc >2.8 or egcs >1.0.2 to avoid tickling bugs). This
bug is not fixed in 2.1.121 (or anything else, probably).

An alternative patch says

    if (entry>=sbi->max_ptys)    /* reject out-of-range pty numbers early */
        return 0;

before using index as an array element number.
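As an added illustration (constructed for this page, not the kernel's code and not part of libpt), here is a user-space model of the lookup with the range check in place. The sbi layout, MAX_PTYS of 256, and the extra check that a very long digit string cannot wrap the counter are assumptions that go slightly beyond the message.

```c
/* Constructed user-space model of the devpts root lookup discussed above (not
 * the kernel's code): digits-only name check, then range check before indexing. */
#include <limits.h>
#include <string.h>
#define MAX_PTYS 256                      /* the default mentioned above */
struct inode { int i_count; };
struct devpts_sb_info {                   /* stand-in for the real sbi */
    unsigned int max_ptys;
    struct inode *inodes[MAX_PTYS];       /* exactly max_ptys slots */
};
/* Name must be all digits with no leading zero and fit an unsigned int.
 * Returns the number, or -1 if the name is rejected. */
static long long parse_pts_name(const char *name)
{
    size_t i, len = strlen(name);
    unsigned int entry = 0;
    if (len == 0 || (len > 1 && name[0] == '0'))
        return -1;
    for (i = 0; i < len; i++) {
        if (name[i] < '0' || name[i] > '9')
            return -1;
        if (entry > (UINT_MAX - (unsigned int)(name[i] - '0')) / 10)
            return -1;                    /* would wrap around: reject */
        entry = entry * 10 + (unsigned int)(name[i] - '0');
    }
    return entry;
}
/* Lookup with the fix: range-check before touching inodes[]; NULL if rejected. */
static struct inode *pts_lookup(struct devpts_sb_info *sbi, const char *name)
{
    long long entry = parse_pts_name(name);
    struct inode *inode;
    if (entry < 0 || entry >= sbi->max_ptys) /* "cat /dev/pts/666" stops here */
        return NULL;
    inode = sbi->inodes[entry];
    if (inode)
        inode->i_count++;                 /* reference taken, as in root.c */
    return inode;
}
/* Constructed sample table: 256 ptys, only slot 5 populated.  Returns the
 * found inode's i_count (1 on a hit) or 0 when the lookup returned NULL. */
static int demo_lookup(const char *name)
{
    struct devpts_sb_info sbi = { MAX_PTYS, { 0 } };
    struct inode in5 = { 0 }, *r;
    sbi.inodes[5] = &in5;
    r = pts_lookup(&sbi, name);
    return r ? r->i_count : 0;
}
```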
