lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <e696e720-0cd3-4505-8469-a94815b39467@I-love.SAKURA.ne.jp>
Date: Sat, 20 Apr 2024 20:12:32 +0900
From: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Jiri Slaby <jirislaby@...nel.org>,
        Andrew Morton
 <akpm@...ux-foundation.org>,
        "Starke, Daniel" <daniel.starke@...mens.com>,
        LKML <linux-kernel@...r.kernel.org>
Cc: linux-security-module <linux-security-module@...r.kernel.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>
Subject: [PATCH v2] tty: n_gsm: restrict tty devices to attach

syzbot is reporting sleep in atomic context, for gsmld_write() is calling
con_write() with spinlock held and IRQs disabled.

Since n_gsm is designed to be used for serial port [1], reject attaching to
virtual consoles and PTY devices, by checking tty's device major/minor
numbers at gsmld_open().

Starke, Daniel commented

  Our application of this protocol is only with specific modems to enable
  circuit switched operation (handling calls, selecting/querying networks,
  etc.) while doing packet switched communication (i.e. IP traffic over
  PPP). The protocol was developed for such use cases.

at [2], but it seems that nobody can define allow list for device numbers
where this protocol should accept. Therefore, this patch defines deny list
for device numbers.

Greg Kroah-Hartman is not happy with use of hard-coded magic numbers [3],
but I don't think we want to update include/uapi/linux/major.h and add
include/uapi/linux/minor.h just for fixing this bug.

Link: https://www.kernel.org/doc/html/v6.8/driver-api/tty/n_gsm.html [1]
Link: https://lkml.kernel.org/r/DB9PR10MB588170E923A6ED8B3D6D9613E0CBA@DB9PR10MB5881.EURPRD10.PROD.OUTLOOK.COM [2]
Link: https://lkml.kernel.org/r/2024020615-stir-dragster-aeb6@gregkh [3]
Reported-by: syzbot <syzbot+dbac96d8e73b61aa559c@...kaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=dbac96d8e73b61aa559c
Signed-off-by: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
---
Adding LSM ML to CC list in order to ask for comments if Greg again
complained that we don't want to add sanity check on the kernel side.
I agree that we should fix fuzzers if fuzzers are writing random data
to /dev/mem or /dev/kmem . But for example
https://lkml.kernel.org/r/CAADnVQJQvcZOA_BbFxPqNyRbMdKTBSMnf=cKvW7NJ8LxxP54sA@mail.gmail.com
demonstrates that developers try to fix bugs on the kernel side rather
than tell fuzzers not to do artificial things.

 drivers/tty/n_gsm.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c
index 4036566febcb..14581483af78 100644
--- a/drivers/tty/n_gsm.c
+++ b/drivers/tty/n_gsm.c
@@ -3623,6 +3623,7 @@ static void gsmld_close(struct tty_struct *tty)
 static int gsmld_open(struct tty_struct *tty)
 {
 	struct gsm_mux *gsm;
+	int major;
 
 	if (!capable(CAP_NET_ADMIN))
 		return -EPERM;
@@ -3630,6 +3631,17 @@ static int gsmld_open(struct tty_struct *tty)
 	if (tty->ops->write == NULL)
 		return -EINVAL;
 
+	major = tty->driver->major;
+	/* Reject Virtual consoles */
+	if (major == 4 && tty->driver->minor_start == 1)
+		return -EINVAL;
+	/* Reject Unix98 PTY masters/slaves */
+	if (major >= 128 && major <= 143)
+		return -EINVAL;
+	/* Reject BSD PTY masters/slaves */
+	if (major >= 2 && major <= 3)
+		return -EINVAL;
+
 	/* Attach our ldisc data */
 	gsm = gsm_alloc_mux();
 	if (gsm == NULL)
-- 
2.18.4

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ