android_kernel_google_msm/drivers/net/wan
Peter Hurley 270c07a82d wan/x25: Fix use-after-free in x25_asy_open_tty()
commit ee9159ddce14bc1dec9435ae4e3bd3153e783706 upstream.

The N_X25 line discipline may access the previous line discipline's closed
and already-freed private data on open [1].

The tty->disc_data field _never_ refers to valid data on entry to the
line discipline's open() method. Rather, the ldisc is expected to
initialize that field for its own use for the lifetime of the instance
(i.e. from open() to close() only).

[1]
    [  634.336761] ==================================================================
    [  634.338226] BUG: KASAN: use-after-free in x25_asy_open_tty+0x13d/0x490 at addr ffff8800a743efd0
    [  634.339558] Read of size 4 by task syzkaller_execu/8981
    [  634.340359] =============================================================================
    [  634.341598] BUG kmalloc-512 (Not tainted): kasan: bad access detected
    ...
    [  634.405018] Call Trace:
    [  634.405277] dump_stack (lib/dump_stack.c:52)
    [  634.405775] print_trailer (mm/slub.c:655)
    [  634.406361] object_err (mm/slub.c:662)
    [  634.406824] kasan_report_error (mm/kasan/report.c:138 mm/kasan/report.c:236)
    [  634.409581] __asan_report_load4_noabort (mm/kasan/report.c:279)
    [  634.411355] x25_asy_open_tty (drivers/net/wan/x25_asy.c:559 (discriminator 1))
    [  634.413997] tty_ldisc_open.isra.2 (drivers/tty/tty_ldisc.c:447)
    [  634.414549] tty_set_ldisc (drivers/tty/tty_ldisc.c:567)
    [  634.415057] tty_ioctl (drivers/tty/tty_io.c:2646 drivers/tty/tty_io.c:2879)
    [  634.423524] do_vfs_ioctl (fs/ioctl.c:43 fs/ioctl.c:607)
    [  634.427491] SyS_ioctl (fs/ioctl.c:622 fs/ioctl.c:613)
    [  634.427945] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:188)

Reported-and-tested-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Zefan Li <lizefan@huawei.com>
2016-10-26 23:15:33 +08:00
lmc
.gitignore
c101.c
cosa.c
cosa.h
cycx_drv.c
cycx_main.c
cycx_x25.c
dlci.c dlci: validate the net device in dlci_del() 2013-07-03 10:59:04 -07:00
dscc4.c
farsync.c farsync: fix info leak in ioctl 2013-11-04 04:23:41 -08:00
farsync.h
hd64570.c
hd64570.h
hd64572.c
hd64572.h
hdlc.c
hdlc_cisco.c
hdlc_fr.c
hdlc_ppp.c
hdlc_raw.c
hdlc_raw_eth.c
hdlc_x25.c
hostess_sv11.c
ixp4xx_hss.c ixp4xx_hss: fix build failure due to missing linux/module.h inclusion 2012-10-13 05:38:42 +09:00
Kconfig Documentation: remove references to /etc/modprobe.conf 2012-03-30 16:03:15 -07:00
lapbether.c
Makefile
n2.c
pc300-falc-lh.h
pc300.h
pc300_drv.c
pc300_tty.c
pc300too.c
pci200syn.c
sbni.c
sbni.h
sdla.c
sealevel.c
wanxl.c wanxl: fix info leak in ioctl 2013-11-04 04:23:41 -08:00
wanxl.h
wanxlfw.inc_shipped
wanxlfw.S
x25_asy.c wan/x25: Fix use-after-free in x25_asy_open_tty() 2016-10-26 23:15:33 +08:00
x25_asy.h
z85230.c
z85230.h