tun/tap: Fix crashes if open() /dev/net/tun and then poll() it.
Fix NULL pointer dereference in tun_chr_pool() introduced by commit
33dccbb050bbe35b88ca8cf1228dcf3e4d4b3554 ("tun: Limit amount of queued
packets per device") and triggered by this code:
struct pollfd pfd;
fd = open("/dev/net/tun", O_RDWR);
pfd.fd = fd;
pfd.events = POLLIN | POLLOUT;
poll(&pfd, 1, 0);
Reported-by: Eugene Kapun <firstname.lastname@example.org>
Signed-off-by: Mariusz Kozlowski <email@example.com>
Signed-off-by: David S. Miller <firstname.lastname@example.org>
This is applicable to >=2.6.30, not <2.6.31. Also, the security impact of the bug is somewhat worse than the summary and severity level suggests. Further information, including a video demonstrating spender's exploit (acquiring a root shell in the process):
Citation regarding the bug's scope:
"The commit that introduced the vulnerability (Feb 6th):
Though it was committed before the release of the 2.6.29 kernel, it did not (thankfully) make it into the 2.6.29 kernel. It first appeared in 2.6.30."
That's an excerpt from the (interesting) opening comment in the exploit.c file, from the cheddar_bay tarball.
This bug has galvanised upstream into queueing the following patch for stable, which enables -fno-delete-null-pointer-checks:
The tun_chr_poll function in drivers/net/tun.c in the tun subsystem
in the Linux kernel 2.6.30 and 22.214.171.124, when the
-fno-delete-null-pointer-checks gcc option is omitted, allows local
users to gain privileges via vectors involving a NULL pointer
dereference and an mmap of /dev/net/tun, a different vulnerability