Kernel/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2025-01-03 19:55:31 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
9462f4ca56
linux-stable/drivers/tty
History
Longlong Xia 9462f4ca56 tty: n_gsm: Fix use-after-free in gsm_cleanup_mux 
BUG: KASAN: slab-use-after-free in gsm_cleanup_mux+0x77b/0x7b0
drivers/tty/n_gsm.c:3160 [n_gsm]
Read of size 8 at addr ffff88815fe99c00 by task poc/3379
CPU: 0 UID: 0 PID: 3379 Comm: poc Not tainted 6.11.0+ #56
Hardware name: VMware, Inc. VMware Virtual Platform/440BX
Desktop Reference Platform, BIOS 6.00 11/12/2020
Call Trace:
 <TASK>
 gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm]
 __pfx_gsm_cleanup_mux+0x10/0x10 drivers/tty/n_gsm.c:3124 [n_gsm]
 __pfx_sched_clock_cpu+0x10/0x10 kernel/sched/clock.c:389
 update_load_avg+0x1c1/0x27b0 kernel/sched/fair.c:4500
 __pfx_min_vruntime_cb_rotate+0x10/0x10 kernel/sched/fair.c:846
 __rb_insert_augmented+0x492/0xbf0 lib/rbtree.c:161
 gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm]
 _raw_spin_lock_irqsave+0x92/0xf0 arch/x86/include/asm/atomic.h:107
 __pfx_gsmld_ioctl+0x10/0x10 drivers/tty/n_gsm.c:3822 [n_gsm]
 ktime_get+0x5e/0x140 kernel/time/timekeeping.c:195
 ldsem_down_read+0x94/0x4e0 arch/x86/include/asm/atomic64_64.h:79
 __pfx_ldsem_down_read+0x10/0x10 drivers/tty/tty_ldsem.c:338
 __pfx_do_vfs_ioctl+0x10/0x10 fs/ioctl.c:805
 tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818

Allocated by task 65:
 gsm_data_alloc.constprop.0+0x27/0x190 drivers/tty/n_gsm.c:926 [n_gsm]
 gsm_send+0x2c/0x580 drivers/tty/n_gsm.c:819 [n_gsm]
 gsm1_receive+0x547/0xad0 drivers/tty/n_gsm.c:3038 [n_gsm]
 gsmld_receive_buf+0x176/0x280 drivers/tty/n_gsm.c:3609 [n_gsm]
 tty_ldisc_receive_buf+0x101/0x1e0 drivers/tty/tty_buffer.c:391
 tty_port_default_receive_buf+0x61/0xa0 drivers/tty/tty_port.c:39
 flush_to_ldisc+0x1b0/0x750 drivers/tty/tty_buffer.c:445
 process_scheduled_works+0x2b0/0x10d0 kernel/workqueue.c:3229
 worker_thread+0x3dc/0x950 kernel/workqueue.c:3391
 kthread+0x2a3/0x370 kernel/kthread.c:389
 ret_from_fork+0x2d/0x70 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:257

Freed by task 3367:
 kfree+0x126/0x420 mm/slub.c:4580
 gsm_cleanup_mux+0x36c/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm]
 gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm]
 tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818

[Analysis]
gsm_msg on the tx_ctrl_list or tx_data_list of gsm_mux
can be freed by multi threads through ioctl,which leads
to the occurrence of uaf. Protect it by gsm tx lock.

Signed-off-by: Longlong Xia <xialonglong@kylinos.cn>
Cc: stable <stable@kernel.org>
Suggested-by: Jiri Slaby <jirislaby@kernel.org>
Link: https://lore.kernel.org/r/20240926130213.531959-1-xialonglong@kylinos.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-10-11 08:28:17 +02:00
..
hvc tty: hvc: convert comma to semicolon 2024-09-03 10:47:56 +02:00
ipwireless tty: ipwireless: remove unused ipw_dev::attribute_memory 2023-11-23 19:16:03 +00:00
serdev serdev: Use of_property_present() 2024-08-07 13:08:14 +02:00
serial move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
vt vt: prevent kernel-infoleak in con_font_get() 2024-10-11 08:27:36 +02:00
amiserial.c tty: add missing MODULE_DESCRIPTION() macros 2024-06-24 16:10:11 +02:00
ehv_bytechan.c tty: ehv_bytechan: convert to u8 and size_t 2023-12-08 12:02:37 +01:00
goldfish.c tty: add missing MODULE_DESCRIPTION() macros 2024-06-24 16:10:11 +02:00
Kconfig vt: remove superfluous CONFIG_HW_CONSOLE 2024-01-27 19:03:51 -08:00
Makefile tty: add rpmsg driver 2021-10-21 12:35:35 +02:00
mips_ejtag_fdc.c tty: mips_ejtag_fdc: Fix passing incompatible pointer type warning 2024-02-23 10:14:16 +01:00
moxa.c tty: moxa: convert to u8 and size_t 2023-12-08 12:02:38 +01:00
mxser.c mxser: convert comma to semicolon 2024-09-03 10:47:47 +02:00
n_gsm.c tty: n_gsm: Fix use-after-free in gsm_cleanup_mux 2024-10-11 08:28:17 +02:00
n_hdlc.c tty: add missing MODULE_DESCRIPTION() macros 2024-06-24 16:10:11 +02:00
n_null.c tty: ldops: unify to u8 2023-08-11 21:12:47 +02:00
n_tty.c tty: n_tty: Fix buffer offsets when lookahead is used 2024-06-04 14:07:27 +02:00
nozomi.c tty: nozomi: convert to u8 and size_t 2023-12-08 12:02:38 +01:00
pty.c tty: make tty_operations::write()'s count size_t 2023-08-11 21:12:46 +02:00
rpmsg_tty.c tty: make tty_operations::write()'s count size_t 2023-08-11 21:12:46 +02:00
synclink_gt.c tty: add missing MODULE_DESCRIPTION() macros 2024-06-24 16:10:11 +02:00
sysrq.c Linux 6.11-rc1 2024-07-30 09:30:11 -10:00
tty_audit.c tty: audit: unify to u8 2023-08-11 21:12:46 +02:00
tty_baudrate.c tty: Fix comment style in tty_termios_input_baud_rate() 2022-08-30 14:22:34 +02:00
tty_buffer.c tty: Don't include tty_buffer.h in tty.h 2024-02-18 18:59:59 +01:00
tty_io.c [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
tty_ioctl.c tty: allow TIOCSLCKTRMIOS with CAP_CHECKPOINT_RESTORE 2023-12-15 14:20:03 +01:00
tty_jobctrl.c tty: tty_jobctrl: fix pid memleak in disassociate_ctty() 2023-09-18 11:14:43 +02:00
tty_ldisc.c tty: add the option to have a tty reject a new ldisc 2024-05-04 18:45:11 +02:00
tty_ldsem.c tty/ldsem: Fix syntax errors in comments 2021-12-21 09:15:49 +01:00
tty_mutex.c tty: remove TTY_MAGIC 2022-09-22 16:12:34 +02:00
tty_port.c tty: switch tty_port::xmit_* to u8 2023-12-08 12:02:37 +01:00
tty.h tty: convert THROTTLE constants into enum 2023-10-03 14:31:16 +02:00
ttynull.c tty: add missing MODULE_DESCRIPTION() macros 2024-06-24 16:10:11 +02:00
vcc.c tty: vcc: Add check for kstrdup() in vcc_probe() 2023-09-18 11:14:42 +02:00