CVE-2020-29661: git/torvalds/linux.git - Linux kernel source tree

author

Jann Horn [email protected]

2020-12-03 02:25:04 +0100

committer

Greg Kroah-Hartman [email protected]

2020-12-04 17:38:48 +0100

commit

54ffccbf053b5b6ca4f6e45094b942fab92a25fc (patch)

tree

b30e76730582ec6960a35741dea3023040afbaf0

parent

418baf2c28f3473039f2f7377760bd8f6897ae18 (diff)

download

linux-54ffccbf053b5b6ca4f6e45094b942fab92a25fc.tar.gz

tty: Fix ->pgrp locking in tiocspgrp()

tiocspgrp() takes two tty_struct pointers: One to the tty that userspace passed to ioctl() (`tty`) and one to the TTY being changed (`real_tty`). These pointers are different when ioctl() is called with a master fd. To properly lock real_tty->pgrp, we must take real_tty->ctrl_lock. This bug makes it possible for racing ioctl(TIOCSPGRP, …) calls on both sides of a PTY pair to corrupt the refcount of `struct pid`, leading to use-after-free errors. Fixes: 47f86834bbd4 (“redo locking of tty->pgrp”) CC: [email protected] Signed-off-by: Jann Horn [email protected] Reviewed-by: Jiri Slaby [email protected] Signed-off-by: Greg Kroah-Hartman [email protected]

-rw-r–r--

drivers/tty/tty_jobctrl.c

4

1 files changed, 2 insertions, 2 deletions

diff --git a/drivers/tty/tty_jobctrl.c b/drivers/tty/tty_jobctrl.c
index 28a23a0fef21c…baadeea4a289b 100644
— a/drivers/tty/tty_jobctrl.c
+++ b/drivers/tty/tty_jobctrl.c

@@ -494,10 +494,10 @@ static int tiocspgrp(struct tty_struct *tty, struct tty_struct *real_tty, pid_t

if (session_of_pgrp(pgrp) != task_session(current))

goto out_unlock;

retval = 0;

- spin_lock_irq(&tty->ctrl_lock);

+ spin_lock_irq(&real_tty->ctrl_lock);

put_pid(real_tty->pgrp);

real_tty->pgrp = get_pid(pgrp);

- spin_unlock_irq(&tty->ctrl_lock);

+ spin_unlock_irq(&real_tty->ctrl_lock);

out_unlock:

rcu_read_unlock();

return retval;