From: Greg Kroah-Hartman Date: Fri, 18 Nov 2016 10:59:49 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v4.4.34~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e397d27d0934b93eb1b91af480c8a408a3d55169;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: tty-prevent-ldisc-drivers-from-re-using-stale-tty-fields.patch
---
diff --git a/queue-4.4/series b/queue-4.4/series
index 5fffc5ef28c..3b9e550195d 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -14,3 +14,4 @@ sock-fix-sendmmsg-for-partial-sendmsg.patch
 net-__skb_flow_dissect-must-cap-its-return-value.patch
 ipv4-use-new_gw-for-redirect-neigh-lookup.patch
 tcp-take-care-of-truncations-done-by-sk_filter.patch
+tty-prevent-ldisc-drivers-from-re-using-stale-tty-fields.patch
diff --git a/queue-4.4/tty-prevent-ldisc-drivers-from-re-using-stale-tty-fields.patch b/queue-4.4/tty-prevent-ldisc-drivers-from-re-using-stale-tty-fields.patch
new file mode 100644
index 00000000000..49a4b98e0c3
--- /dev/null
+++ b/queue-4.4/tty-prevent-ldisc-drivers-from-re-using-stale-tty-fields.patch
@@ -0,0 +1,79 @@
+From dd42bf1197144ede075a9d4793123f7689e164bc Mon Sep 17 00:00:00 2001
+From: Peter Hurley
+Date: Fri, 27 Nov 2015 14:30:21 -0500
+Subject: tty: Prevent ldisc drivers from re-using stale tty fields
+
+From: Peter Hurley
+
+commit dd42bf1197144ede075a9d4793123f7689e164bc upstream.
+
+Line discipline drivers may mistakenly misuse ldisc-related fields
+when initializing. For example, a failure to initialize tty->receive_room
+in the N_GIGASET_M101 line discipline was recently found and fixed [1].
+Now, the N_X25 line discipline has been discovered accessing the previous
+line discipline's already-freed private data [2].
+
+Harden the ldisc interface against misuse by initializing revelant
+tty fields before instancing the new line discipline.
+
+[1]
+ commit fd98e9419d8d622a4de91f76b306af6aa627aa9c
+ Author: Tilman Schmidt
+ Date: Tue Jul 14 00:37:13 2015 +0200
+
+ isdn/gigaset: reset tty->receive_room when attaching ser_gigaset
+
+[2] Report from Sasha Levin
+ [ 634.336761] ==================================================================
+ [ 634.338226] BUG: KASAN: use-after-free in x25_asy_open_tty+0x13d/0x490 at addr ffff8800a743efd0
+ [ 634.339558] Read of size 4 by task syzkaller_execu/8981
+ [ 634.340359] =============================================================================
+ [ 634.341598] BUG kmalloc-512 (Not tainted): kasan: bad access detected
+ ...
+ [ 634.405018] Call Trace:
+ [ 634.405277] dump_stack (lib/dump_stack.c:52)
+ [ 634.405775] print_trailer (mm/slub.c:655)
+ [ 634.406361] object_err (mm/slub.c:662)
+ [ 634.406824] kasan_report_error (mm/kasan/report.c:138 mm/kasan/report.c:236)
+ [ 634.409581] __asan_report_load4_noabort (mm/kasan/report.c:279)
+ [ 634.411355] x25_asy_open_tty (drivers/net/wan/x25_asy.c:559 (discriminator 1))
+ [ 634.413997] tty_ldisc_open.isra.2 (drivers/tty/tty_ldisc.c:447)
+ [ 634.414549] tty_set_ldisc (drivers/tty/tty_ldisc.c:567)
+ [ 634.415057] tty_ioctl (drivers/tty/tty_io.c:2646 drivers/tty/tty_io.c:2879)
+ [ 634.423524] do_vfs_ioctl (fs/ioctl.c:43 fs/ioctl.c:607)
+ [ 634.427491] SyS_ioctl (fs/ioctl.c:622 fs/ioctl.c:613)
+ [ 634.427945] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:188)
+
+Cc: Tilman Schmidt
+Cc: Sasha Levin
+Signed-off-by: Peter Hurley
+Cc: Jiri Slaby
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/tty_ldisc.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/tty/tty_ldisc.c
++++ b/drivers/tty/tty_ldisc.c
+@@ -417,6 +417,10 @@ EXPORT_SYMBOL_GPL(tty_ldisc_flush);
+ * they are not on hot paths so a little discipline won't do
+ * any harm.
+ *
++ * The line discipline-related tty_struct fields are reset to
++ * prevent the ldisc driver from re-using stale information for
++ * the new ldisc instance.
++ *
+ * Locking: takes termios_rwsem
+ */
+
+@@ -425,6 +429,9 @@ static void tty_set_termios_ldisc(struct
+ down_write(&tty->termios_rwsem);
+ tty->termios.c_line = num;
+ up_write(&tty->termios_rwsem);
++
++ tty->disc_data = NULL;
++ tty->receive_room = 0;
+ }
+
+ /**
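Review bot: The two new stores at the end of tty_set_termios_ldisc(), `tty->disc_data = NULL;` and `tty->receive_room = 0;`, are placed after `up_write(&tty->termios_rwsem)`, so the function's existing kerneldoc line `* Locking: takes termios_rwsem` no longer describes what serializes them against readers of disc_data and receive_room. Presumably they are covered by the caller holding the ldisc write lock across closing the old ldisc and opening the new one, but that caller is outside the hunk and the added kerneldoc paragraph does not say so. I would make the dependency explicit, e.g. ` * Locking: takes termios_rwsem for c_line; the disc_data/receive_room` and ` *          resets rely on the caller holding the ldisc write lock`, so the resets are not later moved out of that window or reached from a path without that exclusion. Note also that this is hardening rather than a fix for the reporter's driver: an ldisc that dereferences tty->disc_data in its open() without a NULL check now reads through a NULL pointer instead of freed memory, so the access the KASAN report attributes to x25_asy.c:559 still deserves its own check. The enclosing function starts before the hunk.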