CVE-2014-0196 pty race leading to memory corruption (rhbz 1094232 1094240)
This commit is contained in:
parent
0dd4df32f2
commit
34d445d582
|
@ -769,6 +769,9 @@ Patch25074: 0001-acpi-video-Add-use_native_backlight-quirks-for-Think.patch
|
|||
#rhbz 1082586
|
||||
Patch25075: locks-allow-__break_lease-to-sleep-even-when-break_t.patch
|
||||
|
||||
#CVE-2014-0196 rhbz 1094232 1094240
|
||||
Patch25076: n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -1491,6 +1494,9 @@ ApplyPatch 0001-acpi-video-Add-use_native_backlight-quirks-for-Think.patch
|
|||
#rhbz 1082586
|
||||
ApplyPatch locks-allow-__break_lease-to-sleep-even-when-break_t.patch
|
||||
|
||||
#CVE-2014-0196 rhbz 1094232 1094240
|
||||
ApplyPatch n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
@ -2303,6 +2309,7 @@ fi
|
|||
# || ||
|
||||
%changelog
|
||||
* Tue May 06 2014 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2014-0196 pty race leading to memory corruption (rhbz 1094232 1094240)
|
||||
- Add patch to fix smdb soft-lockup (rhbz 1082586)
|
||||
|
||||
* Mon May 05 2014 Hans de Goede <hdegoede@redhat.com>
|
||||
|
|
|
@ -0,0 +1,86 @@
|
|||
Bugzilla: 1094240
|
||||
Upstream-status: 3.15 and CC'd to stable
|
||||
|
||||
From 4291086b1f081b869c6d79e5b7441633dc3ace00 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hurley <peter@hurleysoftware.com>
|
||||
Date: Sat, 3 May 2014 14:04:59 +0200
|
||||
Subject: [PATCH] n_tty: Fix n_tty_write crash when echoing in raw mode
|
||||
|
||||
The tty atomic_write_lock does not provide an exclusion guarantee for
|
||||
the tty driver if the termios settings are LECHO & !OPOST. And since
|
||||
it is unexpected and not allowed to call TTY buffer helpers like
|
||||
tty_insert_flip_string concurrently, this may lead to crashes when
|
||||
concurrect writers call pty_write. In that case the following two
|
||||
writers:
|
||||
* the ECHOing from a workqueue and
|
||||
* pty_write from the process
|
||||
race and can overflow the corresponding TTY buffer like follows.
|
||||
|
||||
If we look into tty_insert_flip_string_fixed_flag, there is:
|
||||
int space = __tty_buffer_request_room(port, goal, flags);
|
||||
struct tty_buffer *tb = port->buf.tail;
|
||||
...
|
||||
memcpy(char_buf_ptr(tb, tb->used), chars, space);
|
||||
...
|
||||
tb->used += space;
|
||||
|
||||
so the race of the two can result in something like this:
|
||||
A B
|
||||
__tty_buffer_request_room
|
||||
__tty_buffer_request_room
|
||||
memcpy(buf(tb->used), ...)
|
||||
tb->used += space;
|
||||
memcpy(buf(tb->used), ...) ->BOOM
|
||||
|
||||
B's memcpy is past the tty_buffer due to the previous A's tb->used
|
||||
increment.
|
||||
|
||||
Since the N_TTY line discipline input processing can output
|
||||
concurrently with a tty write, obtain the N_TTY ldisc output_lock to
|
||||
serialize echo output with normal tty writes. This ensures the tty
|
||||
buffer helper tty_insert_flip_string is not called concurrently and
|
||||
everything is fine.
|
||||
|
||||
Note that this is nicely reproducible by an ordinary user using
|
||||
forkpty and some setup around that (raw termios + ECHO). And it is
|
||||
present in kernels at least after commit
|
||||
d945cb9cce20ac7143c2de8d88b187f62db99bdc (pty: Rework the pty layer to
|
||||
use the normal buffering logic) in 2.6.31-rc3.
|
||||
|
||||
js: add more info to the commit log
|
||||
js: switch to bool
|
||||
js: lock unconditionally
|
||||
js: lock only the tty->ops->write call
|
||||
|
||||
References: CVE-2014-0196
|
||||
Reported-and-tested-by: Jiri Slaby <jslaby@suse.cz>
|
||||
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
|
||||
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
|
||||
Cc: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
|
||||
Cc: <stable@vger.kernel.org>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
---
|
||||
drivers/tty/n_tty.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
|
||||
index 41fe8a047d37..fe9d129c8735 100644
|
||||
--- a/drivers/tty/n_tty.c
|
||||
+++ b/drivers/tty/n_tty.c
|
||||
@@ -2353,8 +2353,12 @@ static ssize_t n_tty_write(struct tty_struct *tty, struct file *file,
|
||||
if (tty->ops->flush_chars)
|
||||
tty->ops->flush_chars(tty);
|
||||
} else {
|
||||
+ struct n_tty_data *ldata = tty->disc_data;
|
||||
+
|
||||
while (nr > 0) {
|
||||
+ mutex_lock(&ldata->output_lock);
|
||||
c = tty->ops->write(tty, b, nr);
|
||||
+ mutex_unlock(&ldata->output_lock);
|
||||
if (c < 0) {
|
||||
retval = c;
|
||||
goto break_out;
|
||||
--
|
||||
1.9.0
|
||||
|
Loading…
Reference in New Issue