pty leak or corruption w/ openpty + dup2?

Martin Pieuchot Wed, 29 Apr 2020 02:13:22 -0700

Program below is the smaller version of a syzkaller report [0].  After
running it one is left without usable console.  A second execution will
make openpty(3) pick a different "/dev/tty*" node:


  50361 crash    CALL  ioctl(3,PTMGET,0x7f7ffffeda80)
  50361 crash    NAMI  "/dev/ptypd"
  50361 crash    NAMI  "/dev/ttypd"
  50361 crash    NAMI  "/dev/ttypd"
  50361 crash    RET   ioctl 0

After some more tries:

  65559 crash    CALL  ioctl(3,PTMGET,0x7f7ffffc36a0)
  65559 crash    NAMI  "/dev/ptypm"
  65559 crash    NAMI  "/dev/ttypm"
  65559 crash    NAMI  "/dev/ttypm"
  65559 crash    RET   ioctl 0

[0] 
https://syzkaller.appspot.com/bug?id=a74718ca902617e6aa7327aa008b25844eccf2d3

----- crash.c -----

#include <unistd.h>
#include <util.h>

int 
main(void)
{
        char garbage[100];
        int master, slave;

        if (openpty(&master, &slave, NULL, NULL, NULL) == -1)
                return -1;
        if (dup2(master, master + 100) != -1)
                close(master);

        write(slave, garbage, 99);

        return 0;
}

pty leak or corruption w/ openpty + dup2?

Reply via email to