lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20160107171141.GA28979@kroah.com>
Date:	Thu, 7 Jan 2016 09:11:41 -0800
From:	Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:	Mateusz Guzik <mguzik@...hat.com>
Cc:	Jiri Slaby <jslaby@...e.com>, stable@...r.kernel.org,
	linux-kernel@...r.kernel.org, security@...nel.org, milos@...hat.com
Subject: Re: [PATCH] tty: plug a use-after-free in TIOCGETD ioctl

On Thu, Jan 07, 2016 at 05:21:14PM +0100, Mateusz Guzik wrote:
> On Thu, Jan 07, 2016 at 07:33:10AM -0800, Greg Kroah-Hartman wrote:
> > On Thu, Jan 07, 2016 at 03:58:00PM +0100, Mateusz Guzik wrote:
> > > When the line discipline is being changed, the old one is freed.
> > > However, the handler for TIOCGETD would dereference it without taking
> > > any locks, in effect possibly reading freed memory.
> > > 
> > > Line discipline changes are protected with tty lock. Use it on reader
> > > side as well.
> > > 
> > > CVE: CVE-2016-0723
> > 
> > Why a cve tag?
> > 
> 
> Red Hat SRT assigned a CVE and asked me to included in the commit
> message. I did a quick check how people mark such stuff and found the
> tag. I definitely don't insist on having it mentioned.

It seems odd that any random kernel bug can get assigned a CVE without
actually talking to the developers first, but whatever...


> > > Found-by: Milos Vyletel <milos@...hat.com>
> > > Signed-off-by: Mateusz Guzik <mguzik@...hat.com>
> > > ---
> > >  drivers/tty/tty_io.c | 23 ++++++++++++++++++++++-
> > >  1 file changed, 22 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
> > > index 892c923..1b10469 100644
> > > --- a/drivers/tty/tty_io.c
> > > +++ b/drivers/tty/tty_io.c
> > > @@ -2626,6 +2626,27 @@ static int tiocgsid(struct tty_struct *tty, struct tty_struct *real_tty, pid_t _
> > >  }
> > >  
> > >  /**
> > > + *	tiocgetd	-	get line discipline
> > > + *	@tty: tty device
> > > + *	@p: pointer to returned line discipline
> > > + *
> > > + *	Get the line discipline associated with the tty.
> > > + *
> > > + *	Locking: none
> > > + */
> > > +
> > > +static int tiocgetd(struct tty_struct *tty, int __user *p)
> > > +{
> > > +	int ldisc;
> > > +
> > > +	tty_lock(tty);
> > > +	ldisc = tty->ldisc->ops->num;
> > > +	tty_unlock(tty);
> > > +
> > > +	return put_user(ldisc, p);
> > 
> > Does this really protect anything?  What is preventing ldisc from going
> > away right after the tty_unlock call?
> 
> I guess I should have elaborated, sorry.
> 
> Yes, ldisc can be freed just after tty_unlock, but it does not matter.
> There is only a need to store the number (which is done with the lock
> held) and line discipline is not touched afterwards.

You don't store the number, you store a pointer, which isn't good.  If
you want to just store the number, just store the number.

> > And how are you able to trigger the tty to go away while the file is
> > still held open and this ioctl is being called?
> > 
> 
> It's not the tty going away, but the memory pointed to by previous value
> of tty->ldisc.
> 
> tty_set_ldisc will reassign tty->ldisc to a new value, and will later
> free the old one with tty_ldisc_put.
> 
> In the current code TIOCGETD is:
> 	return put_user(tty->ldisc->ops->num, (int __user *)p);
> 
> A thread doing this ioctl can load tty->ldisc's value, but memory
> pointed to it can be freed before it loads ops's address.

But your fix doesn't solve this, you are keeping a stale pointer around
as the ldisc could have gone away.  See Peter's fix for the "correct"
way to solve this.

thanks,

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ