From: Greg Kroah-Hartman Date: Tue, 13 May 2014 23:20:36 +0000 (-0700) Subject: 3.4-stable patches X-Git-Tag: v3.4.91~23 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=19f9438d73833ed532c3ba4955f9c981c9af16f2;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch --- diff --git a/queue-3.4/n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch b/queue-3.4/n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch new file mode 100644 index 00000000000..2b866f23fc2 --- /dev/null +++ b/queue-3.4/n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch @@ -0,0 +1,77 @@ +From: Peter Hurley +Date: Sat, 3 May 2014 14:04:59 +0200 +Subject: n_tty: Fix n_tty_write crash when echoing in raw mode + +commit 4291086b1f081b869c6d79e5b7441633dc3ace00 upstream. + +The tty atomic_write_lock does not provide an exclusion guarantee for +the tty driver if the termios settings are LECHO & !OPOST. And since +it is unexpected and not allowed to call TTY buffer helpers like +tty_insert_flip_string concurrently, this may lead to crashes when +concurrect writers call pty_write. In that case the following two +writers: +* the ECHOing from a workqueue and +* pty_write from the process +race and can overflow the corresponding TTY buffer like follows. + +If we look into tty_insert_flip_string_fixed_flag, there is: + int space = __tty_buffer_request_room(port, goal, flags); + struct tty_buffer *tb = port->buf.tail; + ... + memcpy(char_buf_ptr(tb, tb->used), chars, space); + ... + tb->used += space; + +so the race of the two can result in something like this: + A B +__tty_buffer_request_room + __tty_buffer_request_room +memcpy(buf(tb->used), ...) +tb->used += space; + memcpy(buf(tb->used), ...) ->BOOM + +B's memcpy is past the tty_buffer due to the previous A's tb->used +increment. + +Since the N_TTY line discipline input processing can output +concurrently with a tty write, obtain the N_TTY ldisc output_lock to +serialize echo output with normal tty writes. This ensures the tty +buffer helper tty_insert_flip_string is not called concurrently and +everything is fine. + +Note that this is nicely reproducible by an ordinary user using +forkpty and some setup around that (raw termios + ECHO). And it is +present in kernels at least after commit +d945cb9cce20ac7143c2de8d88b187f62db99bdc (pty: Rework the pty layer to +use the normal buffering logic) in 2.6.31-rc3. + +js: add more info to the commit log +js: switch to bool +js: lock unconditionally +js: lock only the tty->ops->write call + +References: CVE-2014-0196 +Reported-and-tested-by: Jiri Slaby +Signed-off-by: Peter Hurley +Signed-off-by: Jiri Slaby +Cc: Linus Torvalds +Cc: Alan Cox +Signed-off-by: Greg Kroah-Hartman +[bwh: Backported to 3.2: output_lock is a member of struct tty_struct] +Signed-off-by: Ben Hutchings +--- + drivers/tty/n_tty.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/tty/n_tty.c ++++ b/drivers/tty/n_tty.c +@@ -1996,7 +1996,9 @@ static ssize_t n_tty_write(struct tty_st + tty->ops->flush_chars(tty); + } else { + while (nr > 0) { ++ mutex_lock(&tty->output_lock); + c = tty->ops->write(tty, b, nr); ++ mutex_unlock(&tty->output_lock); + if (c < 0) { + retval = c; + goto break_out; diff --git a/queue-3.4/series b/queue-3.4/series index 07f65a4e9b7..642b8048e70 100644 --- a/queue-3.4/series +++ b/queue-3.4/series @@ -1 +1,2 @@ scsi-megaraid-missing-bounds-check-in-mimd_to_kioc.patch +n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch