On 01/07/2016 08:14 AM, Greg Kroah-Hartman wrote: > Adding Peter and linux-serial to the list here, as Peter has been doing > a ton of work in this area... > > Peter, does this seem sane with the tty locking rules? > > thanks, > > greg k-h No. Fix for this is right here: http://lkml.iu.edu/hypermail/linux/kernel/1511.3/03045.html Regards, Peter Hurley > On Thu, Jan 07, 2016 at 03:58:00PM +0100, Mateusz Guzik wrote: >> When the line discipline is being changed, the old one is freed. >> However, the handler for TIOCGETD would dereference it without taking >> any locks, in effect possibly reading freed memory. >> >> Line discipline changes are protected with tty lock. Use it on reader >> side as well. >> >> CVE: CVE-2016-0723 >> Found-by: Milos Vyletel <milos@xxxxxxxxxx> >> Signed-off-by: Mateusz Guzik <mguzik@xxxxxxxxxx> >> --- >> drivers/tty/tty_io.c | 23 ++++++++++++++++++++++- >> 1 file changed, 22 insertions(+), 1 deletion(-) >> >> diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c >> index 892c923..1b10469 100644 >> --- a/drivers/tty/tty_io.c >> +++ b/drivers/tty/tty_io.c >> @@ -2626,6 +2626,27 @@ static int tiocgsid(struct tty_struct *tty, struct tty_struct *real_tty, pid_t _ >> } >> >> /** >> + * tiocgetd - get line discipline >> + * @tty: tty device >> + * @p: pointer to returned line discipline >> + * >> + * Get the line discipline associated with the tty. >> + * >> + * Locking: none >> + */ >> + >> +static int tiocgetd(struct tty_struct *tty, int __user *p) >> +{ >> + int ldisc; >> + >> + tty_lock(tty); >> + ldisc = tty->ldisc->ops->num; >> + tty_unlock(tty); >> + >> + return put_user(ldisc, p); >> +} >> + >> +/** >> * tiocsetd - set line discipline >> * @tty: tty device >> * @p: pointer to user data 
>> @@ -2874,7 +2895,7 @@ long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg) >> case TIOCGSID: >> return tiocgsid(tty, real_tty, p); >> case TIOCGETD: >> - return put_user(tty->ldisc->ops->num, (int __user *)p); >> + return tiocgetd(tty, p); >> case TIOCSETD: >> return tiocsetd(tty, p); >> case TIOCVHANGUP: >> -- >> 1.8.3.1
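Review bot: In the first hunk (the new tiocgetd() helper) the kerneldoc block says "Locking: none", but the function body takes tty_lock(tty) around the tty->ldisc->ops->num dereference and releases it before put_user(); the comment should say "Locking: tty_lock" (or "takes tty_lock") so it matches the code and the commit message's claim that ldisc changes are serialised by the tty lock. Doing put_user() only after tty_unlock() is the right order, since a fault on the user pointer must not sleep with the lock held.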
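Review bot: In the second hunk (the TIOCGETD case in tty_ioctl()), dropping the explicit "(int __user *)p" cast and passing p straight to tiocgetd(tty, int __user *) is consistent with the neighbouring tiocsetd(tty, p) call, so no type issue there; the substantive point is the one raised in the thread reply above, which rejects this approach and points to a different fix, so the unlocked read of tty->ldisc in the removed line should be compared against that alternative before this version is taken into stable.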