| Summary: | Kernel: pty layer race condition memory corruption (CVE-2014-0196) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Kernel | Assignee: | Gentoo Kernel Security <security-kernel> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | alexander, buddha, cyberbat83, gentoo-bugzilla, gentoo, gentoo, hardened, hhochleitner, jlec, john_r_graham, kbonner, kernel, kfm, luw8000, mail, morlix, mstockin, pva |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=510552 | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 503632, 510488 | ||
| Bug Blocks: | |||
|
Description
Agostino Sarubbo
2014-05-08 10:07:31 UTC
CVE-2014-0196 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0196): The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the "LECHO & !OPOST" case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings. There is an exploit now for this issue: http://bugfuzz.com/stuff/cve-2014-0196-md.c This reporter's ~amd64 desktop box (sys-kernel/gentoo-sources-3.14.3) was pwned in 20 seconds with it. And here is commit to fix this vulnerability: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4291086b1f081b869c6d79e5b7441633dc3ace00 It looks like this exploit may only affect SMP systems. I ran this cash PoC here: http://pastebin.com/raw.php?i=yTSFUBgZ on my single P3 3.0.76 kernel with no crash. On my 2.6.32-5-amd64 Debian system with Hyperthreading I could get it to crash when logged in over ssh, but not at all or it takes longer from the console. When I turned off hyperthreading, I couldn't make it panic anymore. I don't know how the kernel preemption option affects this, or if Debian has it on. May ask what's next? What version of {gentoo,hardened}-sources will be stabilized to make kernels without this bug in stable gentoo?
(In reply to Peter Volkov from comment #3) > And here is commit to fix this vulnerability: > > https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/ > ?id=4291086b1f081b869c6d79e5b7441633dc3ace00 (In reply to cyberbat from comment #5) > May ask what's next? What version of {gentoo,hardened}-sources will be > stabilized to make kernels without this bug in stable gentoo? This patch is already present in: 3.10.40 (https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.40) 3.14.4 (https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.4) For the other branches, I've added it to the genpatches repository: ------------------------------------------------------------------------ r2788 | tomwij | 2014-05-15 15:30:10 +0200 (Thu, 15 May 2014) | 1 line Add security fix for CVE-2014-0196 (4291086b1f081b869c6d79e5b7441633dc3ace00) to branches for which upstream has not applied the patch yet, to ensure that the patch gets applied in the next release. ------------------------------------------------------------------------ I expect more releases to follow soon for the other branches; in the case that they don't, we can release revision bumps for them. We'll also need to look into a fast track stabilization soon for the stable version. While we're at it... Are there any other security bugs of concern that require fixing as well? (In reply to Tom Wijsman (TomWij) from comment #6) > (In reply to cyberbat from comment #5) > > May ask what's next? What version of {gentoo,hardened}-sources will be > > stabilized to make kernels without this bug in stable gentoo? > > This patch is already present in: > > 3.10.40 (https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.40) > 3.14.4 (https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.4) Thanks you for your answer. Excuse me for spamming in this bug, but I got two very important (it seems not only for me) questions: will it be any kind of quick stabilization of unaffected version of gentoo-sources? And do anybody know what about hardened-sources? Is it affected? If yes, will it be fixed? (In reply to cyberbat from comment #7) > Excuse me for spamming in this bug, but I got two very important (it seems > not only for me) questions: will it be any kind of quick stabilization of > unaffected version of gentoo-sources? We will stabilize gentoo-sources ASAP after maintainers open apropriate bug. As it's security stabilization - we do not need to wait 30 days for it. > And do anybody know what about hardened-sources? Is it affected? If yes, > will it be fixed? CCing hardened@ guys - they know better (In reply to Sergey Popov from comment #8) > (In reply to cyberbat from comment #7) > > Excuse me for spamming in this bug, but I got two very important (it seems > > not only for me) questions: will it be any kind of quick stabilization of > > unaffected version of gentoo-sources? > > We will stabilize gentoo-sources ASAP after maintainers open apropriate bug. > As it's security stabilization - we do not need to wait 30 days for it. > > > And do anybody know what about hardened-sources? Is it affected? If yes, > > will it be fixed? > > CCing hardened@ guys - they know better Given CVE-2014-3153, you should use hardened-sources-3.14.5-r2 or hardened-sources-3.2.59-r5 to cover both issues. These are not stabilized yet but are slated for rapid stab. I'm holding off because there is a known issue with KSTACKOVERFLOW. See http://forums.grsecurity.net/viewtopic.php?f=3&t=3970. This has since propagated through all the branches and are in releases in the Portage tree for gentoo-sources, as per bug #512526; the only remaining affected are those that are listed in bug #510488 on some remaining arches. is this still in progress?? IMHO thiscould be closed... Close?.. no kernel of this type is still in the tree.... Fix in 3.15, 4291086b1f081b869c6d79e5b7441633dc3ace00 |
