rpms/kernel
9
2
Fork 4
Code Issues Pull Requests Releases Activity

CVE-2016-0723 memory disclosure and crash in tty layer (rhbz 1296253 1300224)

Browse Source
This commit is contained in:
Josh Boyer 2016-01-20 08:32:28 -05:00
parent e5da0c6fbe
commit a600648d07
2 changed files with 74 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
kernel.spec
View File

@ -602,6 +602,9 @@ Patch625: cpupower-Fix-build-error-in-cpufreq-info.patch
#CVE-2016-0728 rhbz 1296623 #CVE-2016-0728 rhbz 1296623
Patch626: KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch Patch626: KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
#CVE-2016-0723 rhbz 1296253 1300224
Patch637: tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch
# END OF PATCH DEFINITIONS # END OF PATCH DEFINITIONS
%endif %endif
@ -2047,6 +2050,9 @@ fi
# #
# #
%changelog %changelog
* Wed Jan 20 2016 Josh Boyer <jwboyer@fedoraproject.org>
- CVE-2016-0723 memory disclosure and crash in tty layer (rhbz 1296253 1300224)
* Tue Jan 19 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.5.0-0.rc0.git6.1 * Tue Jan 19 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.5.0-0.rc0.git6.1
- Linux v4.4-8855-ga200dcb - Linux v4.4-8855-ga200dcb
- CVE-2016-0728 Keys: reference leak in join_session_keyring (rhbz 1296623) - CVE-2016-0728 Keys: reference leak in join_session_keyring (rhbz 1296623)

68
tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch Normal file
View File

@ -0,0 +1,68 @@
From 938f50fc744cb49892bd42c8f56bdfa63e82a27d Mon Sep 17 00:00:00 2001
From: Peter Hurley <peter@hurleysoftware.com>
Date: Sun, 10 Jan 2016 22:40:55 -0800
Subject: [PATCH] tty: Fix unsafe ldisc reference via ioctl(TIOCGETD)
ioctl(TIOCGETD) retrieves the line discipline id directly from the
ldisc because the line discipline id (c_line) in termios is untrustworthy;
userspace may have set termios via ioctl(TCSETS*) without actually
changing the line discipline via ioctl(TIOCSETD).
However, directly accessing the current ldisc via tty->ldisc is
unsafe; the ldisc ptr dereferenced may be stale if the line discipline
is changing via ioctl(TIOCSETD) or hangup.
Wait for the line discipline reference (just like read() or write())
to retrieve the "current" line discipline id.
Cc: <stable@vger.kernel.org>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
---
drivers/tty/tty_io.c | 24 +++++++++++++++++++++++-
1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
index f435977de740..bd4027e36910 100644
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -2654,6 +2654,28 @@ static int tiocsetd(struct tty_struct *tty, int __user *p)
}
/**
+ * tiocgetd - get line discipline
+ * @tty: tty device
+ * @p: pointer to user data
+ *
+ * Retrieves the line discipline id directly from the ldisc.
+ *
+ * Locking: waits for ldisc reference (in case the line discipline
+ * is changing or the tty is being hungup)
+ */
+
+static int tiocgetd(struct tty_struct *tty, int __user *p)
+{
+ struct tty_ldisc *ld;
+ int ret;
+
+ ld = tty_ldisc_ref_wait(tty);
+ ret = put_user(ld->ops->num, p);
+ tty_ldisc_deref(ld);
+ return ret;
+}
+
+/**
* send_break - performed time break
* @tty: device to break on
* @duration: timeout in mS
@@ -2879,7 +2901,7 @@ long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
case TIOCGSID:
return tiocgsid(tty, real_tty, p);
case TIOCGETD:
- return put_user(tty->ldisc->ops->num, (int __user *)p);
+ return tiocgetd(tty, p);
case TIOCSETD:
return tiocsetd(tty, p);
case TIOCVHANGUP:
--
2.5.0