android_kernel_lge_bullhead/drivers/net/irda
Peter Hurley 1c7f227a50 net: irda: Fix use-after-free in irtty_open()
commit 401879c57f01cbf2da204ad2e8db910525c6dbea upstream.

The N_IRDA line discipline may access the previous line discipline's closed
and already-freed private data on open [1].

The tty->disc_data field _never_ refers to valid data on entry to the
line discipline's open() method. Rather, the ldisc is expected to
initialize that field for its own use for the lifetime of the instance
(i.e. from open() to close() only).

[1]
    ==================================================================
    BUG: KASAN: use-after-free in irtty_open+0x422/0x550 at addr ffff8800331dd068
    Read of size 4 by task a.out/13960
    =============================================================================
    BUG kmalloc-512 (Tainted: G    B          ): kasan: bad access detected
    -----------------------------------------------------------------------------
    ...
    Call Trace:
     [<ffffffff815fa2ae>] __asan_report_load4_noabort+0x3e/0x40 mm/kasan/report.c:279
     [<ffffffff836938a2>] irtty_open+0x422/0x550 drivers/net/irda/irtty-sir.c:436
     [<ffffffff829f1b80>] tty_ldisc_open.isra.2+0x60/0xa0 drivers/tty/tty_ldisc.c:447
     [<ffffffff829f21c0>] tty_set_ldisc+0x1a0/0x940 drivers/tty/tty_ldisc.c:567
     [<     inline     >] tiocsetd drivers/tty/tty_io.c:2650
     [<ffffffff829da49e>] tty_ioctl+0xace/0x1fd0 drivers/tty/tty_io.c:2883
     [<     inline     >] vfs_ioctl fs/ioctl.c:43
     [<ffffffff816708ac>] do_vfs_ioctl+0x57c/0xe60 fs/ioctl.c:607
     [<     inline     >] SYSC_ioctl fs/ioctl.c:622
     [<ffffffff81671204>] SyS_ioctl+0x74/0x80 fs/ioctl.c:613
     [<ffffffff852a7876>] entry_SYSCALL_64_fastpath+0x16/0x7a

Reported-and-tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2016-06-07 10:42:46 +02:00
Kconfig tty/serial patches for 3.9-rc1 2013-02-21 13:41:04 -08:00
Makefile
act200l-sir.c
actisys-sir.c
ali-ircc.c drivers:net: dma_alloc_coherent: use __GFP_ZERO instead of memset(, 0) 2013-03-17 12:50:24 -04:00
ali-ircc.h
au1k_ir.c net: au1k_ir: Use module_platform_driver() 2013-03-20 13:25:36 -04:00
bfin_sir.c net/irda: fix error return code in bfin_sir_open() 2013-05-08 13:13:29 -07:00
bfin_sir.h
donauboe.c donauboe: replace excessive udelay with msleep 2012-04-21 15:28:47 -04:00
donauboe.h
ep7211-sir.c irda: ep7211-sir: Convert to platform_diver 2012-12-03 13:32:15 -05:00
esi-sir.c
girbil-sir.c
irda-usb.c USB: irda-usb.c: remove err() usage 2012-04-25 14:48:49 -07:00
irda-usb.h
irtty-sir.c net: irda: Fix use-after-free in irtty_open() 2016-06-07 10:42:46 +02:00
irtty-sir.h
kingsun-sir.c USB: kingsun-sir.c: remove err() usage 2012-04-25 14:48:50 -07:00
ks959-sir.c drivers/net/irda: fix error return code 2012-08-20 02:33:21 -07:00
ksdazzle-sir.c drivers/net/irda: fix error return code 2012-08-20 02:33:21 -07:00
litelink-sir.c
ma600-sir.c
mcp2120-sir.c
mcs7780.c drivers/net/irda/mcs7780.c: fix error return code 2012-10-07 14:37:11 -04:00
mcs7780.h
nsc-ircc.c drivers:net: dma_alloc_coherent: use __GFP_ZERO instead of memset(, 0) 2013-03-17 12:50:24 -04:00
nsc-ircc.h
old_belkin-sir.c
pxaficp_ir.c drivers:net: dma_alloc_coherent: use __GFP_ZERO instead of memset(, 0) 2013-03-17 12:50:24 -04:00
sa1100_ir.c drivers/net/irda/sa1100_ir.c: fix error return code 2012-10-07 14:37:11 -04:00
sh_irda.c irda: remove __dev* attributes 2012-12-03 11:16:56 -08:00
sh_sir.c irda: remove __dev* attributes 2012-12-03 11:16:56 -08:00
sir-dev.h
sir_dev.c irda: sir_dev: Fix copy/paste typo 2012-11-20 15:51:55 -05:00
sir_dongle.c
smsc-ircc2.c drivers:net: dma_alloc_coherent: use __GFP_ZERO instead of memset(, 0) 2013-03-17 12:50:24 -04:00
smsc-ircc2.h
smsc-sio.h
stir4200.c USB: stir4200.c: remove err() usage 2012-04-25 14:48:51 -07:00
tekram-sir.c
toim3232-sir.c
via-ircc.c drivers:net: dma_alloc_coherent: use __GFP_ZERO instead of memset(, 0) 2013-03-17 12:50:24 -04:00
via-ircc.h
vlsi_ir.c proc: Supply PDE attribute setting accessor functions 2013-05-01 17:29:18 -04:00
vlsi_ir.h
w83977af.h
w83977af_ir.c drivers:net: dma_alloc_coherent: use __GFP_ZERO instead of memset(, 0) 2013-03-17 12:50:24 -04:00
w83977af_ir.h