Subject: kern/17382: Repeated TIOCSCTTY calls corrupt session hold count
To: None <gnats-bugs@gnats.netbsd.org>
From: David Laight <dsl@l8s.co.uk>
List: netbsd-bugs
Date: 06/25/2002 10:57:27
>Number: 17382
>Category: kern
>Synopsis: Repeated TIOCSCTTY calls corrupt session hold count
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Jun 25 02:58:00 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: David Laight
>Release: NetBSD 1.6B
>Organization:
nope
>Environment:
System: NetBSD snowdrop 1.6B NetBSD 1.6B (GENERIC) #11: Mon Jun 24 13:09:25 BST 2002
dsl@snowdrop:/usr/bsd-current/src/sys/arch/i386/compile/GENERIC i386
Architecture: i386
Machine: i386
>Description:
ttioctl in kern/tty.c contains (about line 984):
	case TIOCSCTTY:			/* become controlling tty */
		/* Session ctty vnode pointer set in vnode layer. */
		if (!SESS_LEADER(p) ||
		    ((p->p_session->s_ttyvp || tp->t_session) &&
		    (tp->t_session != p->p_session)))
			return (EPERM);
		SESSHOLD(p->p_session);
		tp->t_session = p->p_session;
		tp->t_pgrp = p->p_pgrp;
		p->p_session->s_ttyp = tp;
		p->p_flag |= P_CONTROLT;
		break;
As I read this, if it proceeds because (tp->t_session == p->p_session)
then it does an unnecessary SESSHOLD() - causing the reference
count on the session structure to become invalid.
>How-To-Repeat:
Code inspection
>Fix:
Rework the test... maybe:
+ if (!tp->t_session) {
SESSHOLD(p->p_session);
tp->t_session = p->p_session;
+ }
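Review bot: the new `if (!tp->t_session)` guard is only correct because the EPERM test above it has already rejected every case where tp->t_session is some other session, so by this point tp->t_session is either NULL or p->p_session; writing the guard as `if (tp->t_session != p->p_session)` would state that invariant in the code rather than leave it implied by the earlier condition, and would still skip the duplicate SESSHOLD() on the repeat call that the description identifies.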
>Release-Note:
>Audit-Trail:
>Unformatted:
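A model of the hold-count drift the report describes, added here as an example and not code from the PR or from NetBSD's kern/tty.c; the structs, SESSHOLD() and the leader flag are constructed stand-ins for the kernel's own:

```c
#include <errno.h>
#include <stddef.h>

/* Constructed stand-ins for the kernel structures the report names. */
struct tty;
struct session { int s_count; void *s_ttyvp; struct tty *s_ttyp; };
struct tty { struct session *t_session; };
struct proc { struct session *p_session; };
#define SESSHOLD(s) ((s)->s_count++)

/* TIOCSCTTY as quoted in the report: the permission test lets a repeat call
 * through when tp already references p_session, yet SESSHOLD() still runs. */
static int tiocsctty_buggy(struct tty *tp, struct proc *p, int leader)
{
    if (!leader || ((p->p_session->s_ttyvp || tp->t_session) &&
                    tp->t_session != p->p_session))
        return EPERM;
    SESSHOLD(p->p_session);
    tp->t_session = p->p_session;
    p->p_session->s_ttyp = tp;
    return 0;
}

/* The fix sketched in the report: take the hold only when the tty gains it. */
static int tiocsctty_fixed(struct tty *tp, struct proc *p, int leader)
{
    if (!leader || ((p->p_session->s_ttyvp || tp->t_session) &&
                    tp->t_session != p->p_session))
        return EPERM;
    if (!tp->t_session) {
        SESSHOLD(p->p_session);
        tp->t_session = p->p_session;
    }
    p->p_session->s_ttyp = tp;
    return 0;
}

/* Issue TIOCSCTTY n times from a session leader on one tty and return the
 * session hold count. s_ttyvp stays NULL: the vnode layer is not modelled. */
int holds_after(int n, int (*ioctl)(struct tty *, struct proc *, int))
{
    struct session sess = { 1, NULL, NULL };   /* hold 1: the leader itself */
    struct tty tp = { NULL };
    struct proc p = { &sess };
    for (int i = 0; i < n; i++)
        if (ioctl(&tp, &p, 1) != 0)
            return -1;
    return sess.s_count;
}
```

With the quoted code each repeat call adds a hold that nothing releases, so the count climbs with the number of ioctls; with the sketched fix it settles at two (leader plus tty) however many times the call is repeated.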