Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 509840 (CVE-2014-0196) - Kernel: pty layer race condition memory corruption (CVE-2014-0196)
Summary: Kernel: pty layer race condition memory corruption (CVE-2014-0196)
Status: IN_PROGRESS
Alias: CVE-2014-0196
Product: Gentoo Security
Classification: Unclassified
Component: Kernel (show other bugs)
Hardware: All Linux
: Normal normal with 5 votes (vote)
Assignee: Gentoo Kernel Security
URL:
Whiteboard:
Keywords:
Depends on: 503632 510488
Blocks:
  Show dependency tree
 
Reported: 2014-05-08 10:07 UTC by Agostino Sarubbo
Modified: 2019-12-06 21:27 UTC (History)
18 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-05-08 10:07:31 UTC
CVE-2014-0196 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0196):
  The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 
  3.14.3 does not properly manage tty driver access in the "LECHO & !OPOST" 
  case, which allows local users to cause a denial of service (memory corruption 
  and system crash) or gain privileges by triggering a race condition involving 
  read and write operations with long strings.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-05-08 18:38:43 UTC
CVE-2014-0196 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0196):
  The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through
  3.14.3 does not properly manage tty driver access in the "LECHO & !OPOST"
  case, which allows local users to cause a denial of service (memory
  corruption and system crash) or gain privileges by triggering a race
  condition involving read and write operations with long strings.
Comment 2 Herwig Hochleitner 2014-05-12 15:46:43 UTC
There is an exploit now for this issue: http://bugfuzz.com/stuff/cve-2014-0196-md.c
This reporter's ~amd64 desktop box (sys-kernel/gentoo-sources-3.14.3) was pwned in 20 seconds with it.
Comment 3 Peter Volkov (RETIRED) gentoo-dev 2014-05-13 08:07:33 UTC
And here is commit to fix this vulnerability:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4291086b1f081b869c6d79e5b7441633dc3ace00
Comment 4 Alex Cannon 2014-05-13 18:03:47 UTC
It looks like this exploit may only affect SMP systems. I ran this cash PoC here: http://pastebin.com/raw.php?i=yTSFUBgZ on my single P3 3.0.76 kernel with no crash. On my 2.6.32-5-amd64 Debian system with Hyperthreading I could get it to crash when logged in over ssh, but not at all or it takes longer from the console. When I turned off hyperthreading, I couldn't make it panic anymore. I don't know how the kernel preemption option affects this, or if Debian has it on.
Comment 5 cyberbat 2014-05-14 16:03:15 UTC
May ask what's next? What version of {gentoo,hardened}-sources will be stabilized to make kernels without this bug in stable gentoo?
Comment 6 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2014-05-15 13:36:07 UTC
(In reply to Peter Volkov from comment #3)
> And here is commit to fix this vulnerability:
> 
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/
> ?id=4291086b1f081b869c6d79e5b7441633dc3ace00

(In reply to cyberbat from comment #5)
> May ask what's next? What version of {gentoo,hardened}-sources will be
> stabilized to make kernels without this bug in stable gentoo?

This patch is already present in:

3.10.40 (https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.40)
3.14.4  (https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.4)

For the other branches, I've added it to the genpatches repository:

------------------------------------------------------------------------
r2788 | tomwij | 2014-05-15 15:30:10 +0200 (Thu, 15 May 2014) | 1 line

Add security fix for CVE-2014-0196 (4291086b1f081b869c6d79e5b7441633dc3ace00) to branches for which upstream has not applied the patch yet, to ensure that the patch gets applied in the next release.
------------------------------------------------------------------------

I expect more releases to follow soon for the other branches; in the case that they don't, we can release revision bumps for them. We'll also need to look into a fast track stabilization soon for the stable version.

While we're at it...

Are there any other security bugs of concern that require fixing as well?
Comment 7 cyberbat 2014-05-15 17:23:19 UTC
(In reply to Tom Wijsman (TomWij) from comment #6)

> (In reply to cyberbat from comment #5)
> > May ask what's next? What version of {gentoo,hardened}-sources will be
> > stabilized to make kernels without this bug in stable gentoo?
> 
> This patch is already present in:
> 
> 3.10.40 (https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.40)
> 3.14.4  (https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.4)

Thanks you for your answer.

Excuse me for spamming in this bug, but I got two very important (it seems not only for me) questions: will it be any kind of quick stabilization of unaffected version of gentoo-sources?

And do anybody know what about hardened-sources? Is it affected? If yes, will it be fixed?
Comment 8 Sergey Popov gentoo-dev 2014-05-16 12:01:36 UTC
(In reply to cyberbat from comment #7)
> Excuse me for spamming in this bug, but I got two very important (it seems
> not only for me) questions: will it be any kind of quick stabilization of
> unaffected version of gentoo-sources?

We will stabilize gentoo-sources ASAP after maintainers open apropriate bug. As it's security stabilization - we do not need to wait 30 days for it.

> And do anybody know what about hardened-sources? Is it affected? If yes,
> will it be fixed?

CCing hardened@ guys - they know better
Comment 9 Anthony Basile gentoo-dev 2014-06-06 19:43:48 UTC
(In reply to Sergey Popov from comment #8)
> (In reply to cyberbat from comment #7)
> > Excuse me for spamming in this bug, but I got two very important (it seems
> > not only for me) questions: will it be any kind of quick stabilization of
> > unaffected version of gentoo-sources?
> 
> We will stabilize gentoo-sources ASAP after maintainers open apropriate bug.
> As it's security stabilization - we do not need to wait 30 days for it.
> 
> > And do anybody know what about hardened-sources? Is it affected? If yes,
> > will it be fixed?
> 
> CCing hardened@ guys - they know better

Given CVE-2014-3153, you should use hardened-sources-3.14.5-r2 or hardened-sources-3.2.59-r5 to cover both issues.  These are not stabilized yet but are slated for rapid stab.  I'm holding off because there is a known issue with KSTACKOVERFLOW.  See http://forums.grsecurity.net/viewtopic.php?f=3&t=3970.
Comment 10 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2014-06-06 20:23:06 UTC
This has since propagated through all the branches and are in releases in the Portage tree for gentoo-sources, as per bug #512526; the only remaining affected are those that are listed in bug #510488 on some remaining arches.
Comment 11 Nico Baggus 2015-02-10 09:26:53 UTC
is this still in progress??
Comment 12 Nico Baggus 2018-07-21 10:20:33 UTC
IMHO thiscould be closed...
Comment 13 Nico Baggus 2019-12-06 21:27:07 UTC
Close?.. no kernel of this type is still in the tree....