diff options
author | André Fabian Silva Delgado <emulatorman@parabola.nu> | 2014-05-13 18:23:13 -0300 |
---|---|---|
committer | André Fabian Silva Delgado <emulatorman@parabola.nu> | 2014-05-13 18:23:13 -0300 |
commit | ee06eb034018f78de937cc8dc9726b5992f901f1 (patch) | |
tree | eb3e99e14e584b9a60c63ab385876563cf870265 /kernels/linux-libre-pae/CVE-2014-0196.patch | |
parent | f995f2c8e4ea48c55b3c5a2be352f14f145cd357 (diff) |
linux-libre-{pae,xen}-3.14.4-1: updating version
Diffstat (limited to 'kernels/linux-libre-pae/CVE-2014-0196.patch')
-rw-r--r-- | kernels/linux-libre-pae/CVE-2014-0196.patch | 80 |
1 files changed, 0 insertions, 80 deletions
diff --git a/kernels/linux-libre-pae/CVE-2014-0196.patch b/kernels/linux-libre-pae/CVE-2014-0196.patch deleted file mode 100644 index a58707d56..000000000 --- a/kernels/linux-libre-pae/CVE-2014-0196.patch +++ /dev/null @@ -1,80 +0,0 @@ -From 4291086b1f081b869c6d79e5b7441633dc3ace00 Mon Sep 17 00:00:00 2001 -From: Peter Hurley <peter@hurleysoftware.com> -Date: Sat, 3 May 2014 14:04:59 +0200 -Subject: n_tty: Fix n_tty_write crash when echoing in raw mode - -The tty atomic_write_lock does not provide an exclusion guarantee for -the tty driver if the termios settings are LECHO & !OPOST. And since -it is unexpected and not allowed to call TTY buffer helpers like -tty_insert_flip_string concurrently, this may lead to crashes when -concurrect writers call pty_write. In that case the following two -writers: -* the ECHOing from a workqueue and -* pty_write from the process -race and can overflow the corresponding TTY buffer like follows. - -If we look into tty_insert_flip_string_fixed_flag, there is: - int space = __tty_buffer_request_room(port, goal, flags); - struct tty_buffer *tb = port->buf.tail; - ... - memcpy(char_buf_ptr(tb, tb->used), chars, space); - ... - tb->used += space; - -so the race of the two can result in something like this: - A B -__tty_buffer_request_room - __tty_buffer_request_room -memcpy(buf(tb->used), ...) -tb->used += space; - memcpy(buf(tb->used), ...) ->BOOM - -B's memcpy is past the tty_buffer due to the previous A's tb->used -increment. - -Since the N_TTY line discipline input processing can output -concurrently with a tty write, obtain the N_TTY ldisc output_lock to -serialize echo output with normal tty writes. This ensures the tty -buffer helper tty_insert_flip_string is not called concurrently and -everything is fine. - -Note that this is nicely reproducible by an ordinary user using -forkpty and some setup around that (raw termios + ECHO). And it is -present in kernels at least after commit -d945cb9cce20ac7143c2de8d88b187f62db99bdc (pty: Rework the pty layer to -use the normal buffering logic) in 2.6.31-rc3. - -js: add more info to the commit log -js: switch to bool -js: lock unconditionally -js: lock only the tty->ops->write call - -References: CVE-2014-0196 -Reported-and-tested-by: Jiri Slaby <jslaby@suse.cz> -Signed-off-by: Peter Hurley <peter@hurleysoftware.com> -Signed-off-by: Jiri Slaby <jslaby@suse.cz> -Cc: Linus Torvalds <torvalds@linux-foundation.org> -Cc: Alan Cox <alan@lxorguk.ukuu.org.uk> -Cc: <stable@vger.kernel.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> - -diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c -index 41fe8a0..fe9d129 100644 ---- a/drivers/tty/n_tty.c -+++ b/drivers/tty/n_tty.c -@@ -2353,8 +2353,12 @@ static ssize_t n_tty_write(struct tty_struct *tty, struct file *file, - if (tty->ops->flush_chars) - tty->ops->flush_chars(tty); - } else { -+ struct n_tty_data *ldata = tty->disc_data; -+ - while (nr > 0) { -+ mutex_lock(&ldata->output_lock); - c = tty->ops->write(tty, b, nr); -+ mutex_unlock(&ldata->output_lock); - if (c < 0) { - retval = c; - goto break_out; --- -cgit v0.10.1-7-g08dc - |