描述
SUSE社区在2014年4月29日发现一个pty设备的race condition,可导致内存泄漏,从而可以用于本地提权。此漏洞被报告到上游kernel security邮件组,已经被证实并修复。
官方描述为:
A flaw was discovered in the Linux kernel's pseudo tty (pty) device.
An unprivileged user could exploit this flaw to cause a denial
of service (system crash) or potentially gain administrator privileges.
SUSE社区的bugzilla中有POC代码用于针对特定版本的内核进行验证,可能需要针对特定版本进行修改才能运行。
影响范围及修复
kernel官方评估范围为内核版本2.6.31-rc3
至3.15-rc4
。
Note that this is nicely reproducible by an ordinary user using
forkpty and some setup around that (raw termios + ECHO). And it is
present in kernels at least after commit
d945cb9cce20ac7143c2de8d88b187f62db99bdc (pty: Rework the pty layer to
use the normal buffering logic) in 2.6.31-rc3.
RedHat企业版(RHEL)版本5系列不受影响(因为默认内核是较旧的2.6.18 ),RHEL版本6正在准备相关更新,Fedora的更新已经发布。Ubuntu和Debian已经发布内核更新。
建议涉及相关版本的用户关注相应发行版的升级信息,以避免造成损失。
内核维护者已经提交了修复patch。
Diffstat
-rw-r--r-- drivers/tty/n_tty.c 4
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
index 41fe8a0..fe9d129 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -2353,8 +2353,12 @@ static ssize_t n_tty_write(struct tty_struct *tty, struct file *file,
if (tty->ops->flush_chars)
tty->ops->flush_chars(tty);
} else {
+ struct n_tty_data *ldata = tty->disc_data;
+
while (nr > 0) {
+ mutex_lock(&ldata->output_lock);
c = tty->ops->write(tty, b, nr);
+ mutex_unlock(&ldata->output_lock);
if (c < 0) {
retval = c;
goto break_out;