BUG in tty_open when using containers and ptrace

Grzegorz Nosek root at localdomain.pl
Sat Jul 4 07:34:12 PDT 2009


On Sat, Jul 04, 2009 at 03:28:52PM +0200, Grzegorz Nosek wrote:
> Decoding the code yields:
> All code
> ========
>    0:   81 fb 00 f0 ff ff       cmp    $0xfffff000,%ebx
>    6:   76 11                   jbe    0x19
>    8:   48 c7 c7 60 61 7d 80    mov    $0xffffffff807d6160,%rdi
>    f:   e8 c1 38 17 00          callq  0x1738d5
>   14:   e9 a9 00 00 00          jmpq   0xc2
>   19:   48 85 db                test   %rbx,%rbx
>   1c:   74 5c                   je     0x7a
>   1e:   80 bb 40 01 00 00 00    cmpb   $0x0,0x140(%rbx)
>   25:   48 8b 53 08             mov    0x8(%rbx),%rdx
>   29:   78 64                   js     0x8f
>   2b:*  81 ba 9c 00 00 00 04    cmpl   $0x10004,0x9c(%rdx)     <-- trapping instruction
>   32:   00 01 00
>   35:   75 16                   jne    0x4d
>   37:   83                      .byte 0x83
>   38:   bb 48 01 00 00          mov    $0x148,%ebx
> 
> Code starting with the faulting instruction
> ===========================================
>    0:   81 ba 9c 00 00 00 04    cmpl   $0x10004,0x9c(%rdx)
>    7:   00 01 00
>    a:   75 16                   jne    0x22
>    c:   83                      .byte 0x83
>    d:   bb 48 01 00 00          mov    $0x148,%ebx

To my untrained eye it looks like the cmpl corresponds to:

1841        if (tty->driver->type == TTY_DRIVER_TYPE_PTY &&
1842            tty->driver->subtype == PTY_TYPE_MASTER)

in drivers/char/tty_io.c

That means that %rdx should contain tty->driver, but contains
0x6973646e65732f64, which looks like a part of '/etc/init.d/sendsigs'.
So, we're possibly using an already freed and overwritten tty struct.

Best regards,
 Grzegorz Nosek
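As an added example that is not part of the original thread: the check the author did by eye, reading the faulting %rdx value as little-endian bytes and asking whether it looks like a kernel pointer or like string data that overwrote a freed object. The candidate path list and the printable-byte threshold are constructed for illustration.

```python
import struct

# Value of %rdx quoted in the oops analysis above (should have been tty->driver).
OOPS_RDX = 0x6973646E65732F64

# Lowest canonical x86-64 kernel address (top 17 bits set); an assumption about the
# memory layout, adequate for telling kernel pointers from garbage.
KERNEL_BASE = 0xFFFF800000000000


def reg_to_bytes(value):
    """Byte image of a 64-bit register as it sits in memory (little-endian)."""
    return struct.pack("<Q", value & 0xFFFFFFFFFFFFFFFF)


def decode_register(value):
    """Decode the register bytes as ASCII, substituting non-decodable bytes."""
    return reg_to_bytes(value).decode("ascii", errors="replace")


def is_kernel_pointer(value):
    """True when the value lies in the kernel half of the address space."""
    return value >= KERNEL_BASE


def looks_like_ascii(value, min_printable=6):
    """Heuristic: if at least min_printable of the 8 bytes are printable ASCII,
    the register most likely holds text (e.g. a path) rather than a pointer,
    which is the classic signature of a use-after-free where the freed slab
    object was reused for string data."""
    printable = sum(32 <= b < 127 for b in reg_to_bytes(value))
    return printable >= min_printable


def match_fragment(value, candidates):
    """Return the first candidate string that contains the decoded fragment,
    or None; used to guess which string overwrote the freed object."""
    fragment = decode_register(value)
    for cand in candidates:
        if fragment in cand:
            return cand
    return None


def triage(value, candidates):
    """Classify a register value found in an oops: 'kernel pointer', 'string
    (<matched candidate>)', 'string (unmatched)' or 'unknown'."""
    if is_kernel_pointer(value):
        return "kernel pointer"
    if looks_like_ascii(value):
        hit = match_fragment(value, candidates)
        return "string (%s)" % (hit if hit else "unmatched")
    return "unknown"
```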

