描述

SUSE社区在2014年4月29日发现一个pty设备的race condition，可导致内存泄漏，从而可以用于本地提权。此漏洞被报告到上游kernel security邮件组，已经被证实并修复。

官方描述为： A flaw was discovered in the Linux kernel’s pseudo tty (pty) device. An unprivileged user could exploit this flaw to cause a denial of service (system crash) or potentially gain administrator privileges.

SUSE社区的bugzilla中有POC代码用于针对特定版本的内核进行验证，可能需要针对特定版本进行修改才能运行。

影响范围及修复

kernel官方评估范围为内核版本2.6.31-rc3至3.15-rc4。

Note that this is nicely reproducible by an ordinary user using
forkpty and some setup around that (raw termios + ECHO). And it is
present in kernels at least after commit
d945cb9cce20ac7143c2de8d88b187f62db99bdc (pty: Rework the pty layer to
use the normal buffering logic) in 2.6.31-rc3.

RedHat企业版（RHEL）版本5系列不受影响（因为默认内核是较旧的2.6.18 ），RHEL版本6正在准备相关更新，Fedora的更新已经发布。Ubuntu和Debian已经发布内核更新。

建议涉及相关版本的用户关注相应发行版的升级信息，以避免造成损失。

内核维护者已经提交了修复patch。

Diffstat
-rw-r--r--	drivers/tty/n_tty.c	4
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
index 41fe8a0..fe9d129 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -2353,8 +2353,12 @@ static ssize_t n_tty_write(struct tty_struct *tty, struct file *file,
 			if (tty->ops->flush_chars)
 				tty->ops->flush_chars(tty);
 		} else {
+			struct n_tty_data *ldata = tty->disc_data;
+
 			while (nr > 0) {
+				mutex_lock(&ldata->output_lock);
 				c = tty->ops->write(tty, b, nr);
+				mutex_unlock(&ldata->output_lock);
 				if (c < 0) {
 					retval = c;
 					goto break_out;

参考文档

• CVE-2014-0196 LWN
• POC Code
• Linux gets fix for code-execution flaw that was undetected since 2009
• OSS Security List
• RHEL
• Fedora
• Debian
• Ubuntu