http://bugzilla.suse.com/show_bug.cgi?id=1028372

Bug ID: 1028372
Summary: VUL-0: CVE-2017-2636: kernel-source: local privilege escalation flaw in n_hdlc
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: mikhail.kasimov@gmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Created attachment 716639
--> http://bugzilla.suse.com/attachment.cgi?id=716639&action=edit
0001-tty-n_hdlc-get-rid-of-racy-n_hdlc_tbuf.patch

Ref: http://seclists.org/oss-sec/2017/q1/569

=============================================
Hello!

This is an announcement of CVE-2017-2636, which is a race condition in the n_hdlc Linux kernel driver (drivers/tty/n_hdlc.c). It can be exploited to gain a local privilege escalation.

This driver provides HDLC serial line discipline and comes as a kernel module in many Linux distributions, which have CONFIG_N_HDLC=m in the kernel config.

The bug was introduced on 22 June 2009:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b...

My fix to the Linux kernel mainline was proposed on 28 February 2017 and should be available soon. Please see the attachment.

I will publish my PoC exploit later, giving people some time to update their systems.

I've found this bug investigating a suspicious kernel crash made by syzkaller (https://github.com/google/syzkaller).

-- Bug details --

N_HDLC line discipline uses self-made singly linked lists for data buffers and has an n_hdlc.tbuf pointer for buffer retransmitting after an error. If sending of a data buffer is not successful, then its address is saved in n_hdlc.tbuf and the next time n_hdlc_send_frames() will try to resend it first of all.

But the commit be10eb7589337e5defbe214dae038a53dd21add8 ("tty: n_hdlc add buffer flushing") introduced racy access to n_hdlc.tbuf.

After a transmission error, concurrent flush_tx_queue() and n_hdlc_send_frames() can put the buffer pointed to by n_hdlc.tbuf onto tx_free_buf_list twice. That causes an exploitable double free error in n_hdlc_release().

To fix the issue I used a standard kernel linked list protected by a spinlock and got rid of n_hdlc.tbuf. In case of a transmission error the current data buffer is put after the head of tx_buf_list.

--

Kernel updates are ready, please update your systems.

Best regards,
Alexander Popov
Positive Technologies
https://www.ptsecurity.com

Attachment: 0001-tty-n_hdlc-get-rid-of-racy-n_hdlc.tbuf.patch
=============================================

--
You are receiving this mail because:
You are on the CC list for the bug.
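The race and the fix described in the announcement, as a single-threaded user-space model added here (this is not the kernel driver's code and not the attached patch): a tiny singly linked buffer list, the pre-fix layout with a bare retransmit pointer, and the post-fix layout with no such pointer. All names, the list layout and the explicit interleaving are simplified stand-ins for the kernel's, and a "release" increments a counter instead of freeing memory, so a double release shows up as a number rather than as heap corruption.

```c
/* Single-threaded model of the two n_hdlc transmit-buffer designs.
 * Added illustration, not kernel code: names and list layout are
 * simplified, and put_free() counts releases instead of calling kfree(). */
#include <stddef.h>

struct buf {
    struct buf *next;
    int id;
    int releases;               /* times this buffer reached the free list */
};

struct buf_list {
    struct buf *head;
    struct buf *tail;
};

static void list_put_tail(struct buf_list *l, struct buf *b)
{
    b->next = NULL;
    if (l->tail)
        l->tail->next = b;
    else
        l->head = b;
    l->tail = b;
}

/* Put b back at the front so it is retried first next time. */
static void list_put_front(struct buf_list *l, struct buf *b)
{
    b->next = l->head;
    l->head = b;
    if (!l->tail)
        l->tail = b;
}

static struct buf *list_get(struct buf_list *l)
{
    struct buf *b = l->head;
    if (b) {
        l->head = b->next;
        if (!l->head)
            l->tail = NULL;
    }
    return b;
}

static void put_free(struct buf_list *free_list, struct buf *b)
{
    b->releases++;
    list_put_tail(free_list, b);
}

/* Design 1 (pre-fix): a bare retransmit pointer shared by two code paths. */
struct hdlc_tbuf {
    struct buf_list tx_buf_list, tx_free_buf_list;
    struct buf *tbuf;           /* buffer whose write() failed */
};

/* Interleaving from the announcement: flush releases tbuf, a concurrent
 * send path reads tbuf before flush clears it, and when its retry
 * succeeds it releases the same buffer again. */
static void tbuf_race(struct hdlc_tbuf *n)
{
    struct buf *flush_copy = n->tbuf;
    struct buf *send_copy;

    if (!flush_copy)
        return;
    put_free(&n->tx_free_buf_list, flush_copy); /* flush: release tbuf ...  */
    send_copy = n->tbuf;                        /* sender: read tbuf (race) */
    n->tbuf = NULL;                             /* flush: ... then clear it */
    put_free(&n->tx_free_buf_list, send_copy);  /* sender: retry succeeded  */
    /* tx_free_buf_list now holds the same node twice (its tail links to
     * itself); a teardown that walks the list would free it twice. */
}

/* Design 2 (the fix): no tbuf. A buffer that failed to send goes back to
 * the front of tx_buf_list, so it is on exactly one list at any moment.
 * The kernel guards each list operation with a spinlock; in this
 * single-threaded model every operation is atomic by construction. */
struct hdlc_fixed {
    struct buf_list tx_buf_list, tx_free_buf_list;
};

static void fixed_send_error(struct hdlc_fixed *n)
{
    struct buf *b = list_get(&n->tx_buf_list);
    if (b)
        list_put_front(&n->tx_buf_list, b);
}

/* Flush drains tx_buf_list; a send path that runs afterwards finds
 * nothing left to retry. */
static void fixed_flush_then_send(struct hdlc_fixed *n)
{
    struct buf *b;
    while ((b = list_get(&n->tx_buf_list)) != NULL)   /* flush_tx_queue() */
        put_free(&n->tx_free_buf_list, b);
    b = list_get(&n->tx_buf_list);                    /* send_frames()    */
    if (b)
        put_free(&n->tx_free_buf_list, b);
}

/* Constructed scenario: one buffer whose first write() fails, followed by
 * a flush racing with a retry. Returns how often the buffer was released. */
static int demo_racy(void)
{
    struct buf b = { NULL, 1, 0 };
    struct hdlc_tbuf n = { 0 };
    list_put_tail(&n.tx_buf_list, &b);
    n.tbuf = list_get(&n.tx_buf_list);  /* write() failed: park in tbuf */
    tbuf_race(&n);
    return b.releases;                  /* 2: double release */
}

static int demo_fixed(void)
{
    struct buf b = { NULL, 1, 0 };
    struct hdlc_fixed n = { 0 };
    list_put_tail(&n.tx_buf_list, &b);
    fixed_send_error(&n);
    fixed_flush_then_send(&n);
    return b.releases;                  /* 1: released exactly once */
}
```

demo_racy() returns 2 because both paths obtained the same pointer from tbuf and each put it on tx_free_buf_list; demo_fixed() returns 1 because the failed buffer only ever lives at the front of tx_buf_list and is moved, not copied, by the flush. The model's point is structural: once the retransmit pointer is gone, there is no second place from which a buffer can be handed to the free list.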