| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20160905224356.6d3538ea@lxorguk.ukuu.org.uk>
Date: Mon, 5 Sep 2016 22:43:56 +0100
From: One Thousand Gnomes <gnomes@...rguk.ukuu.org.uk>
To: Dmitry Vyukov <dvyukov@...gle.com>
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Jiri Slaby <jslaby@...e.com>,
LKML <linux-kernel@...r.kernel.org>,
Peter Hurley <peter@...leysoftware.com>,
Vegard Nossum <vegard.nossum@...cle.com>,
syzkaller <syzkaller@...glegroups.com>
Subject: Re: tty: use-after-free in n_tty_receive_buf_fast
On Sat, 3 Sep 2016 14:42:08 +0200
Dmitry Vyukov <dvyukov@...gle.com> wrote:
> Hello,
>
> The following program causes use-after-free in n_tty_receive_buf_fast:
>
> https://gist.githubusercontent.com/dvyukov/ac81bed0238f280ddf9067e6234cd8b0/raw/791c07ac0cdb27e2e399464d68fa0234d2aa8bd1/gistfile1.txt
>
Known bug. It's even been documented as broken since 2012, although it's
always been broken. Apparently nobody cares about fixing it although now
the tty buffers belong to the tty_port it is fixable if and when someone
dares to fix the mess that is the console locking code (because you have
to ensure the keyboard, selection and any other queue sources have to be
serialized).
TIOCSTI is broken as well and needs to be dealt with at the same time - in
fact you can currently get a three way race between select, console input
and TIOCSTI if you really want to screw up (and you don't need root for
any of them).
Alan
Powered by blists - more mailing lists