Linux Kernel drivers/char/n_tty.c驱动空指针引用拒绝服务漏洞

2009-12-03T00:00:00
ID SSV:15020
Type seebug
Reporter Root
Modified 2009-12-03T00:00:00

Description

BUGTRAQ ID: 37147

Linux Kernel是开放源码操作系统Linux所使用的内核。

Linux Kernel所使用的drivers/char/n_tty.c驱动中存在空指针引用漏洞:

/ * n_tty_close - close the ldisc for this tty * @tty: device * Called from the terminal layer when this line discipline is * being shut down, either because of a close or becsuse of a * discipline change. The function will not be called while other * ldisc methods are in progress. /

static void n_tty_close(struct tty_struct *tty) { n_tty_flush_buffer(tty); if (tty->read_buf) { kfree(tty->read_buf); tty->read_buf = NULL; } if (tty->echo_buf) { kfree(tty->echo_buf); tty->echo_buf = NULL; } }

这个例程的参数是以指向tty_struct结构的指针形式传送的TTY,首先调用n_tty_flush_buffer()然后释放所分配的read_buf和echo_buf缓冲区,并将其设置为NULL。在这里所调用的第一个函数为:

/ * n_tty_flush_buffer - clean input queue * @tty: terminal device * Flush the input buffer. Called when the line discipline is * being closed, when the tty layer wants the buffer flushed (eg * at hangup) or when the N_TTY line discipline internally has to * clean the pending queue (for example some signals). * Locking: ctrl_lock, read_lock. */

static void n_tty_flush_buffer(struct tty_struct tty) { unsigned long flags; / clear everything and unthrottle the driver */ reset_buffer_flags(tty);

if (!tty->link)
    return;

spin_lock_irqsave(&tty->ctrl_lock, flags);
if (tty->link->packet) {
    tty->ctrl_status |= TIOCPKT_FLUSHREAD;
    wake_up_interruptible(&tty->link->read_wait);
}
spin_unlock_irqrestore(&tty->ctrl_lock, flags);

}

上面所保持的唯一一个锁是n_tty_flush_buffer()中的自旋锁。由于这个过程中没有其他的锁,这可能导致竞争条件。具体来讲,在释放缓冲区和kfree()指针期间n_tty_close()没有锁定,如果TTY接收到了字符,代码执行就会到达以下函数:

static inline void n_tty_receive_char(struct tty_struct *tty, unsigned char c) { unsigned long flags; int parmrk;

if (tty->raw) {
    put_tty_queue(c, tty);
    return;
}

... put_tty_queue(c, tty); }

结果会是:

static void put_tty_queue(unsigned char c, struct tty_struct tty) { unsigned long flags; / * The problem of stomping on the buffers ends here. * Why didn't anyone see this one coming? --AJK */ spin_lock_irqsave(&tty->read_lock, flags); put_tty_queue_nolock(c, tty); spin_unlock_irqrestore(&tty->read_lock, flags); }

这会锁定TTY并调用执行以下内容的相应非锁定例程:

static void put_tty_queue_nolock(unsigned char c, struct tty_struct *tty) { if (tty->read_cnt < N_TTY_BUF_SIZE) { tty->read_buf[tty->read_head] = c; tty->read_head = (tty->read_head + 1) & (N_TTY_BUF_SIZE-1); tty->read_cnt++; } }

由于这时tty->read_buf可能已被释放并在n_tty_close()中设置为NULL,分配新的字符“c”可能导致试图访问并写入空指针,之后触发空指针引用。

Linux kernel 2.6.31.5 厂商补丁:

Linux

目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.kernel.org/