Date: Sat, 20 Apr 2024 15:13:26 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>
Cc: Jiri Slaby <jirislaby@...nel.org>,
	Andrew Morton <akpm@...ux-foundation.org>,
	"Starke, Daniel" <daniel.starke@...mens.com>,
	LKML <linux-kernel@...r.kernel.org>,
	linux-security-module <linux-security-module@...r.kernel.org>,
	Linus Torvalds <torvalds@...ux-foundation.org>
Subject: Re: [PATCH v2] tty: n_gsm: restrict tty devices to attach

On Sat, Apr 20, 2024 at 08:12:32PM +0900, Tetsuo Handa wrote:
> syzbot is reporting sleep in atomic context, for gsmld_write() is calling
> con_write() with spinlock held and IRQs disabled.
> 
> Since n_gsm is designed to be used for serial port [1], reject attaching to
> virtual consoles and PTY devices, by checking tty's device major/minor
> numbers at gsmld_open().
> 
> Starke, Daniel commented
> 
>   Our application of this protocol is only with specific modems to enable
>   circuit switched operation (handling calls, selecting/querying networks,
>   etc.) while doing packet switched communication (i.e. IP traffic over
>   PPP). The protocol was developed for such use cases.
> 
> at [2], but it seems that nobody can define allow list for device numbers
> where this protocol should accept. Therefore, this patch defines deny list
> for device numbers.
> 
> Greg Kroah-Hartman is not happy with use of hard-coded magic numbers [3],
> but I don't think we want to update include/uapi/linux/major.h and add
> include/uapi/linux/minor.h just for fixing this bug.

Sorry, but again, do it properly, nothing has changed here, so I will
not take this patch.

> Link: https://www.kernel.org/doc/html/v6.8/driver-api/tty/n_gsm.html [1]
> Link: https://lkml.kernel.org/r/DB9PR10MB588170E923A6ED8B3D6D9613E0CBA@DB9PR10MB5881.EURPRD10.PROD.OUTLOOK.COM [2]
> Link: https://lkml.kernel.org/r/2024020615-stir-dragster-aeb6@gregkh [3]
> Reported-by: syzbot <syzbot+dbac96d8e73b61aa559c@...kaller.appspotmail.com>
> Closes: https://syzkaller.appspot.com/bug?extid=dbac96d8e73b61aa559c
> Signed-off-by: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
> ---
> Adding LSM ML to CC list in order to ask for comments if Greg again
> complained that we don't want to add sanity check on the kernel side.
> I agree that we should fix fuzzers if fuzzers are writing random data
> to /dev/mem or /dev/kmem . But for example
> https://lkml.kernel.org/r/CAADnVQJQvcZOA_BbFxPqNyRbMdKTBSMnf=cKvW7NJ8LxxP54sA@mail.gmail.com
> demonstrates that developers try to fix bugs on the kernel side rather
> than tell fuzzers not to do artificial things.

Again, this ldisc requires root permissions to bind to it, and we have a
very long list of known bugs in this driver, this one being only one
very tiny minor one.  To fix it properly, do it right, as stated before,
this type of odd bandage isn't ok as it doesn't actually fix/solve
anything except fuzzers doing the wrong thing (i.e. no real user will
ever do this.)

thanks,

greg k-h
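
As an added example (not part of this thread and not the rejected patch): a userspace audit check, following the deny-list idea in the quoted commit message, that reports whether a tty node is a virtual console or PTY and currently has the N_GSM0710 line discipline attached. The `EX_` constants, `classify_tty` and `gsm_on_denied_tty` are names assumed for this example; the numeric values mirror the kernel's uapi headers.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <unistd.h>

/* Values mirror include/uapi/linux/{major,vt,tty}.h; EX_ names are this example's own. */
enum { EX_PTY_MASTER_MAJOR = 2, EX_PTY_SLAVE_MAJOR = 3, EX_TTY_MAJOR = 4,
       EX_TTYAUX_MAJOR = 5, EX_PTMX_MINOR = 2, EX_MAX_NR_CONSOLES = 63,
       EX_UNIX98_PTY_MASTER_MAJOR = 128, EX_UNIX98_PTY_SLAVE_MAJOR = 136,
       EX_UNIX98_PTY_MAJOR_COUNT = 8, EX_N_GSM0710 = 21 };

enum tty_kind { KIND_OTHER, KIND_VCONSOLE, KIND_BSD_PTY, KIND_UNIX98_PTY };

/* Classify a character device number as seen from userspace (hypothetical helper). */
enum tty_kind classify_tty(unsigned maj, unsigned min)
{
    if (maj == EX_TTY_MAJOR && min <= EX_MAX_NR_CONSOLES)
        return KIND_VCONSOLE;                 /* /dev/tty0 .. /dev/tty63 */
    if (maj == EX_PTY_MASTER_MAJOR || maj == EX_PTY_SLAVE_MAJOR)
        return KIND_BSD_PTY;
    if (maj == EX_TTYAUX_MAJOR && min == EX_PTMX_MINOR)
        return KIND_UNIX98_PTY;               /* /dev/ptmx */
    if (maj >= EX_UNIX98_PTY_MASTER_MAJOR &&
        maj < EX_UNIX98_PTY_SLAVE_MAJOR + EX_UNIX98_PTY_MAJOR_COUNT)
        return KIND_UNIX98_PTY;               /* majors 128..143 */
    return KIND_OTHER;
}

/* 1: N_GSM0710 is attached to a console/PTY, 0: it is not, -1: cannot tell. */
int gsm_on_denied_tty(const char *path)
{
    struct stat st;
    int ldisc, fd = open(path, O_RDONLY | O_NOCTTY | O_NONBLOCK);

    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0 || !S_ISCHR(st.st_mode) || ioctl(fd, TIOCGETD, &ldisc) < 0) {
        close(fd);
        return -1;
    }
    close(fd);
    return ldisc == EX_N_GSM0710 &&
           classify_tty(major(st.st_rdev), minor(st.st_rdev)) != KIND_OTHER;
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++)
        printf("%s: %d\n", argv[i], gsm_on_denied_tty(argv[i]));
    return 0;
}
```

Run it against tty nodes such as `/dev/tty1` or `/dev/pts/0`; a result of 1 means the line discipline is bound to a device type the quoted patch wanted to reject.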
