
Bug#870691: marked as done (tty: incorrect audit source in tty_copy_to_user)



Your message dated Mon, 31 Aug 2020 01:39:31 +0200
with message-id <20200830233930.zqdjsllkgqdbe46q@percival.namespace.at>
and subject line Re: Bug#870691: linux-image bug
has caused the Debian Bug report #870691,
regarding tty: incorrect audit source in tty_copy_to_user
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
870691: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870691
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: linux-image-3.16.0-4-amd64

Version: 3.16.43-2+deb8u2

kernel panic on tty driver:
[  306.962357] BUG: unable to handle kernel paging request at 00007f78bcc12000
[  306.962595] IP: [<ffffffff812bb2b6>] memcpy+0x6/0x110
[  306.962758] PGD 846260067 PUD 832d46067 PMD 832cc8067 PTE 0
[  306.963130] Oops: 0000 [#1] SMP 
[  306.963354] Modules linked in: ipt_MASQUERADE xfrm_user xfrm_algo iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 xt_addrtype iptable_filter ip_tables xt_conntrack x_tables nf_nat nf_conntrack bridge aufs(C) 8021q garp stp mrp llc ipmi_devintf x86_pkg_temp_thermal coretemp kvm_intel kvm iTCO_wdt iTCO_vendor_support mxm_wmi crc32_pclmul evdev dcdbas aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd ttm drm_kms_helper drm i2c_algo_bit pcspkr i2c_core lpc_ich mei_me mfd_core mei shpchp ipmi_si ipmi_msghandler wmi processor acpi_power_meter thermal_sys button autofs4 ext4 crc16 mbcache jbd2 sg sd_mod crc_t10dif crct10dif_generic crct10dif_pclmul crct10dif_common ahci crc32c_intel libahci libata ehci_pci xhci_hcd ehci_hcd ixgbe dca ptp usbcore pps_core scsi_mod mdio usb_common
[  306.969565] 
[  306.969640] CPU: 0 PID: 2209 Comm: apt-get Tainted: G         C    3.16.0-4-amd64 #1 Debian 3.16.43-2+deb8u2
[  306.969737] Hardware name: Dell Inc. PowerEdge C6320/082F9M, BIOS 2.1.5 04/12/2016
[  306.969827] task: ffff88085305c190 ti: ffff880852428000 task.ti: ffff880852428000
[  306.969939] RIP: 0010:[<ffffffff812bb2b6>]  [<ffffffff812bb2b6>] memcpy+0x6/0x110
[  306.970144] RSP: 0018:ffff88085242bd80  EFLAGS: 00010246
[  306.970251] RAX: ffff88085291b000 RBX: 0000000000000000 RCX: 0000000000000002
[  306.970361] RDX: 0000000000000002 RSI: 00007f78bcc12000 RDI: ffff88085291b000
[  306.970472] RBP: 00007f78bcc12002 R08: 0000000000000002 R09: 0000000000000000
[  306.970583] R10: 0000000000000002 R11: 0000000000000fc9 R12: 0000000000000002
[  306.970694] R13: 0000000000001000 R14: ffff88085666e6c0 R15: 0000000000000000
[  306.970805] FS:  00007f78bcc08740(0000) GS:ffff88087f200000(0000) knlGS:0000000000000000
[  306.970939] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  306.971047] CR2: 00007f78bcc12000 CR3: 0000000854af6000 CR4: 00000000003407f0
[  306.971158] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  306.971268] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  306.971379] Stack:
[  306.971477]  ffffffff81375053 ffff88085666e6c8 0000008800011208 ffff88085666e6c0
[  306.971896]  ffffc90019295000 ffff881048f1e400 00007f78bcc12000 0000000000000000
[  306.972315]  0000000000000001 ffffc90019295000 ffffffff8136e3d6 7fffffffffffffff
[  306.972734] Call Trace:
[  306.972840]  [<ffffffff81375053>] ? tty_audit_add_data+0x173/0x3a0
[  306.972950]  [<ffffffff8136e3d6>] ? n_tty_read+0x826/0xb70
[  306.973061]  [<ffffffff81098370>] ? wake_up_state+0x10/0x10
[  306.973168]  [<ffffffff813695a8>] ? tty_read+0x88/0x100
[  306.973276]  [<ffffffff811aada3>] ? vfs_read+0x93/0x170
[  306.973383]  [<ffffffff811ab9d2>] ? SyS_read+0x42/0xa0
[  306.973492]  [<ffffffff810f7ef6>] ? __audit_syscall_exit+0x1f6/0x2a0
[  306.973606]  [<ffffffff8151a48d>] ? system_call_fast_compare_end+0x10/0x15
[  306.973808] Code: 43 50 88 43 4e 5b c3 66 0f 1f 44 00 00 e8 03 fc ff ff 48 8b 43 58 48 2b 43 50 88 43 4e eb e6 90 90 90 90 90 90 48 89 f8 48 89 d1 <f3> a4 c3 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 20 4c 8b 06 4c 8b 
[  306.978655] RIP  [<ffffffff812bb2b6>] memcpy+0x6/0x110
[  306.978834]  RSP <ffff88085242bd80>
[  306.978935] CR2: 00007f78bcc12000

I can reproduce this issue by adding pam_tty_audit.so to /etc/pam.d/sshd, like this:
    session   required pam_tty_audit.so disable=* enable=root

Following the trace:
n_tty_read -> canon_copy_from_read_buf -> tty_copy_to_user -> tty_copy_to_user

the user-space address is used as the kernel address directly.

Checking kernel version 4.4, the code has been changed.

This patch below is OK for me:

diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
index 9ab5c40..f7fbe7d 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -168,7 +168,7 @@ static inline int tty_copy_to_user(struct tty_struct *tty,
 {
  struct n_tty_data *ldata = tty->disc_data;

- tty_audit_add_data(tty, from, n, ldata->icanon);
+ tty_audit_add_data(tty, to, n, ldata->icanon);
  return copy_to_user(to, from, n);
 }
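Review bot: the `+` line hands `to` to `tty_audit_add_data`, but `to` is the `__user` destination of the `copy_to_user(to, from, n)` on the very next line, so the audit path would then read user memory with a plain kernel memcpy; that is exactly the failure in the oops above (RSI = 00007f78bcc12000 in `memcpy` called from `tty_audit_add_data`). The upstream commit quoted later in this thread states that the data to record is in the 'from' buffer, so this hunk reads as the reverse of the intended fix; please confirm which argument your 3.16 tree currently passes and, rather than swapping names locally, carry upstream commit 6b2a3d628aa752f0ab825fc6d4d07b09e274d1c1 with its `Fixes:` tag so the dependency on 72586c6061ab stays documented.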


--- End Message ---
--- Begin Message ---
* 张永肃 <zhangyongsu@bytedance.com> [200830 23:37]:
[..]
> following the trace:
> n_tty_read -> canon_copy_from_read_buf -> tty_copy_to_user ->
> tty_copy_to_user
> 
> the usr space addr  is used as the kernel addr directly.
> 
> check kernel version 4.4 the code has been changed.

Upstream fix appears to be:

| commit 6b2a3d628aa752f0ab825fc6d4d07b09e274d1c1
| Author: Peter Hurley <peter@hurleysoftware.com>
| Date:   Sun Nov 8 08:52:31 2015 -0500
| 
|     tty: audit: Fix audit source
| 
|     The data to audit/record is in the 'from' buffer (ie., the input
|     read buffer).
| 
|     Fixes: 72586c6061ab ("n_tty: Fix auditing support for cannonical mode")
|     Cc: stable <stable@vger.kernel.org> # 4.1+
|     Cc: Miloslav Trmač <mitr@redhat.com>
|     Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
|     Acked-by: Laura Abbott <labbott@fedoraproject.org>
|     Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Marking as done, as the version in stable has this change.

Best,
Chris

--- End Message ---
