Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 7 Mar 2017 20:45:48 +0300
From: Alexander Popov <>
Subject: Linux kernel: CVE-2017-2636: local privilege escalation flaw in


This is an announcement of CVE-2017-2636, which is a race condition in
the n_hdlc Linux kernel driver (drivers/tty/n_hdlc.c). It can be exploited
to gain a local privilege escalation.

This driver provides HDLC serial line discipline and comes as a kernel module
in many Linux distributions, which have CONFIG_N_HDLC=m in the kernel config.

The bug was introduced on 22 June 2009:

My fix to the Linux kernel mainline was proposed on 28 February 2017 and
should be available soon. Please see the attachment.

I will publish my PoC exploit later, giving people some time to update
their systems.

I've found this bug investigating a suspicious kernel crash made by syzkaller

-- Bug details --

N_HDLC line discipline uses a self-made singly linked lists for data
buffers and has n_hdlc.tbuf pointer for buffer retransmitting after
an error. If sending of a data buffer is not successful, then its
address is saved in n_hdlc.tbuf and the next time n_hdlc_send_frames()
will try to resend it first of all.

But the commit be10eb7589337e5defbe214dae038a53dd21add8 ("tty: n_hdlc add
buffer flushing") introduced racy access to n_hdlc.tbuf.

After transmission error concurrent flush_tx_queue() and n_hdlc_send_frames()
can put a buffer pointed by n_hdlc.tbuf to tx_free_buf_list twice. That
causes an exploitable double free error in n_hdlc_release().

To fix the issue I used a standard kernel linked list protected by a spinlock
and got rid of n_hdlc.tbuf. In case of transmission error the current data
buffer is put after the head of tx_buf_list.


Kernel updates are ready, please update your systems.

Best regards,
Alexander Popov
Positive Technologies

View attachment "0001-tty-n_hdlc-get-rid-of-racy-n_hdlc.tbuf.patch" of type "text/x-diff" (10054 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ