lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Mon, 4 Feb 2019 11:44:36 -0700
From:   shuah <shuah@...nel.org>
To:     Marcel Holtmann <marcel@...tmann.org>
Cc:     Johan Hedberg <johan.hedberg@...il.com>,
        Johan Hovold <johan@...nel.org>,
        Al Viro <viro@...iv.linux.org.uk>,
        Bluez mailing list <linux-bluetooth@...r.kernel.org>,
        linux-kernel@...r.kernel.org, shuah <shuah@...nel.org>
Subject: Re: [PATCH v4] bluetooth: Fix WARNING in tty_set_termios()

On 2/3/19 10:39 PM, Marcel Holtmann wrote:
> Hi Shuah,
> 
>> tty_set_termios() has the following WARN_ON which can be triggered with a
>> syscall to invoke TIOCSETD __NR_ioctl.
>>
>> WARN_ON(tty->driver->type == TTY_DRIVER_TYPE_PTY &&
>>                 tty->driver->subtype == PTY_TYPE_MASTER);
>> Reference: https://syzkaller.appspot.com/bug?id=2410d22f1d8e5984217329dd0884b01d99e3e48d
>>
>> "The problem started with commit 7721383f4199 ("Bluetooth: hci_uart: Support
>> operational speed during setup") which introduced a new way for how
>> tty_set_termios() could end up being called for a master pty."
>>
>> Fix it by by preventing setting the HCI line discipline for PTYs in
>> hci_uart_tty_open().
>>
>> Reported-by: syzbot+a950165cbb86bdd023a4@...kaller.appspotmail.com
>> Cc: Johan Hovold <johan@...nel.org>
>> Cc: Marcel Holtmann <marcel@...tmann.org>
>> Cc: Al Viro <viro@...iv.linux.org.uk>
>> Signed-off-by: Shuah Khan <shuah@...nel.org>
>> ---
>> drivers/bluetooth/hci_ldisc.c | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
>> index fbf7b4df23ab..c8faa4759cb7 100644
>> --- a/drivers/bluetooth/hci_ldisc.c
>> +++ b/drivers/bluetooth/hci_ldisc.c
>> @@ -475,9 +475,9 @@ static int hci_uart_tty_open(struct tty_struct *tty)
>> 	BT_DBG("tty %p", tty);
>>
>> 	/* Error if the tty has no write op instead of leaving an exploitable
>> -	 * hole
>> +	 * hole. In addition check if setting HCI line discipline is allowed.
>> 	 */
> 
> this comment is wrong. The result of setting the HCI line discipline is a call into hci_uart_tty_open. You have to check ops->write and ops->set_termios since both are required. That is it.

I will fix the comment.

> 
>> -	if (tty->ops->write == NULL)
>> +	if (tty->ops->write == NULL || tty->ops->set_termios == NULL)
>> 		return -EOPNOTSUPP;
> 
> And while at it, change this to (!tty->ops->write).
> 

Okay. I will fix both.

thanks,
-- Shuah

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ