From a600648d07d5f71e3d273bd06867e784e0b3443b Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Jan 20 2016 13:35:36 +0000 Subject: CVE-2016-0723 memory disclosure and crash in tty layer (rhbz 1296253 1300224) --- diff --git a/kernel.spec b/kernel.spec index d6d1a2c..0425225 100644 --- a/kernel.spec +++ b/kernel.spec @@ -602,6 +602,9 @@ Patch625: cpupower-Fix-build-error-in-cpufreq-info.patch #CVE-2016-0728 rhbz 1296623 Patch626: KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch +#CVE-2016-0723 rhbz 1296253 1300224 +Patch637: tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch + # END OF PATCH DEFINITIONS %endif @@ -2047,6 +2050,9 @@ fi # # %changelog +* Wed Jan 20 2016 Josh Boyer +- CVE-2016-0723 memory disclosure and crash in tty layer (rhbz 1296253 1300224) + * Tue Jan 19 2016 Justin M. Forbes - 4.5.0-0.rc0.git6.1 - Linux v4.4-8855-ga200dcb - CVE-2016-0728 Keys: reference leak in join_session_keyring (rhbz 1296623) diff --git a/tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch b/tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch new file mode 100644 index 0000000..d169105 --- /dev/null +++ b/tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch @@ -0,0 +1,68 @@ +From 938f50fc744cb49892bd42c8f56bdfa63e82a27d Mon Sep 17 00:00:00 2001 +From: Peter Hurley +Date: Sun, 10 Jan 2016 22:40:55 -0800 +Subject: [PATCH] tty: Fix unsafe ldisc reference via ioctl(TIOCGETD) + +ioctl(TIOCGETD) retrieves the line discipline id directly from the +ldisc because the line discipline id (c_line) in termios is untrustworthy; +userspace may have set termios via ioctl(TCSETS*) without actually +changing the line discipline via ioctl(TIOCSETD). + +However, directly accessing the current ldisc via tty->ldisc is +unsafe; the ldisc ptr dereferenced may be stale if the line discipline +is changing via ioctl(TIOCSETD) or hangup. + +Wait for the line discipline reference (just like read() or write()) +to retrieve the "current" line discipline id. + +Cc: +Signed-off-by: Peter Hurley +--- + drivers/tty/tty_io.c | 24 +++++++++++++++++++++++- + 1 file changed, 23 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c +index f435977de740..bd4027e36910 100644 +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -2654,6 +2654,28 @@ static int tiocsetd(struct tty_struct *tty, int __user *p) + } + + /** ++ * tiocgetd - get line discipline ++ * @tty: tty device ++ * @p: pointer to user data ++ * ++ * Retrieves the line discipline id directly from the ldisc. ++ * ++ * Locking: waits for ldisc reference (in case the line discipline ++ * is changing or the tty is being hungup) ++ */ ++ ++static int tiocgetd(struct tty_struct *tty, int __user *p) ++{ ++ struct tty_ldisc *ld; ++ int ret; ++ ++ ld = tty_ldisc_ref_wait(tty); ++ ret = put_user(ld->ops->num, p); ++ tty_ldisc_deref(ld); ++ return ret; ++} ++ ++/** + * send_break - performed time break + * @tty: device to break on + * @duration: timeout in mS +@@ -2879,7 +2901,7 @@ long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + case TIOCGSID: + return tiocgsid(tty, real_tty, p); + case TIOCGETD: +- return put_user(tty->ldisc->ops->num, (int __user *)p); ++ return tiocgetd(tty, p); + case TIOCSETD: + return tiocsetd(tty, p); + case TIOCVHANGUP: +-- +2.5.0 +