描述

SUSE社区在2014年4月29日发现一个pty设备的race condition,可导致内存泄漏,从而可以用于本地提权。此漏洞被报告到上游kernel security邮件组,已经被证实并修复。

官方描述为: A flaw was discovered in the Linux kernel’s pseudo tty (pty) device. An unprivileged user could exploit this flaw to cause a denial of service (system crash) or potentially gain administrator privileges.

SUSE社区的bugzilla中有POC代码用于针对特定版本的内核进行验证,可能需要针对特定版本进行修改才能运行。

影响范围及修复

kernel官方评估范围为内核版本2.6.31-rc33.15-rc4

Note that this is nicely reproducible by an ordinary user using
forkpty and some setup around that (raw termios + ECHO). And it is
present in kernels at least after commit
d945cb9cce20ac7143c2de8d88b187f62db99bdc (pty: Rework the pty layer to
use the normal buffering logic) in 2.6.31-rc3.

RedHat企业版(RHEL)版本5系列不受影响(因为默认内核是较旧的2.6.18 ),RHEL版本6正在准备相关更新,Fedora的更新已经发布。Ubuntu和Debian已经发布内核更新。

建议涉及相关版本的用户关注相应发行版的升级信息,以避免造成损失。

内核维护者已经提交了修复patch

Diffstat
-rw-r--r--	drivers/tty/n_tty.c	4	
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
index 41fe8a0..fe9d129 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -2353,8 +2353,12 @@ static ssize_t n_tty_write(struct tty_struct *tty, struct file *file,
 			if (tty->ops->flush_chars)
 				tty->ops->flush_chars(tty);
 		} else {
+			struct n_tty_data *ldata = tty->disc_data;
+
 			while (nr > 0) {
+				mutex_lock(&ldata->output_lock);
 				c = tty->ops->write(tty, b, nr);
+				mutex_unlock(&ldata->output_lock);
 				if (c < 0) {
 					retval = c;
 					goto break_out;

参考文档