OpenCloudOS-Kernel/drivers/net/wan
Peter Hurley ee9159ddce wan/x25: Fix use-after-free in x25_asy_open_tty()
The N_X25 line discipline may access the previous line discipline's closed
and already-freed private data on open [1].

The tty->disc_data field _never_ refers to valid data on entry to the
line discipline's open() method. Rather, the ldisc is expected to
initialize that field for its own use for the lifetime of the instance
(ie. from open() to close() only).

[1]
    [  634.336761] ==================================================================
    [  634.338226] BUG: KASAN: use-after-free in x25_asy_open_tty+0x13d/0x490 at addr ffff8800a743efd0
    [  634.339558] Read of size 4 by task syzkaller_execu/8981
    [  634.340359] =============================================================================
    [  634.341598] BUG kmalloc-512 (Not tainted): kasan: bad access detected
    ...
    [  634.405018] Call Trace:
    [  634.405277] dump_stack (lib/dump_stack.c:52)
    [  634.405775] print_trailer (mm/slub.c:655)
    [  634.406361] object_err (mm/slub.c:662)
    [  634.406824] kasan_report_error (mm/kasan/report.c:138 mm/kasan/report.c:236)
    [  634.409581] __asan_report_load4_noabort (mm/kasan/report.c:279)
    [  634.411355] x25_asy_open_tty (drivers/net/wan/x25_asy.c:559 (discriminator 1))
    [  634.413997] tty_ldisc_open.isra.2 (drivers/tty/tty_ldisc.c:447)
    [  634.414549] tty_set_ldisc (drivers/tty/tty_ldisc.c:567)
    [  634.415057] tty_ioctl (drivers/tty/tty_io.c:2646 drivers/tty/tty_io.c:2879)
    [  634.423524] do_vfs_ioctl (fs/ioctl.c:43 fs/ioctl.c:607)
    [  634.427491] SyS_ioctl (fs/ioctl.c:622 fs/ioctl.c:613)
    [  634.427945] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:188)

Reported-and-tested-by: Sasha Levin <sasha.levin@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-12-01 15:17:42 -05:00
..
lmc wan: lmc: fix error return code 2015-04-07 15:21:54 -04:00
.gitignore
Kconfig net: wan: add missing virt_to_bus dependencies 2015-01-29 15:08:21 -08:00
Makefile wanrouter: completely decouple obsolete code from kernel. 2013-01-31 19:20:33 -05:00
c101.c
cosa.c cosa: missing error code on failure in probe() 2015-08-12 16:53:11 -07:00
cosa.h
dlci.c net: Pass a "more" indication down into netdev_start_xmit() code paths. 2014-09-01 17:39:55 -07:00
dscc4.c wan: dscc4: use msecs_to_jiffies for conversions 2015-06-07 23:45:39 -07:00
farsync.c PCI: Remove DEFINE_PCI_DEVICE_TABLE macro use 2014-08-12 12:15:14 -06:00
farsync.h
hd64570.c drivers/net: delete non-required instances of include <linux/init.h> 2014-01-16 11:53:26 -08:00
hd64570.h net: Spelling s/transmition/transmission/ 2014-01-14 17:11:26 -08:00
hd64572.c drivers/net: delete non-required instances of include <linux/init.h> 2014-01-16 11:53:26 -08:00
hd64572.h net: Spelling s/transmition/transmission/ 2014-01-14 17:11:26 -08:00
hdlc.c net: set name_assign_type in alloc_netdev() 2014-07-15 16:12:48 -07:00
hdlc_cisco.c
hdlc_fr.c hdlc: fix null-deref on allocation failure 2015-11-18 14:58:03 -05:00
hdlc_ppp.c
hdlc_raw.c
hdlc_raw_eth.c
hdlc_x25.c
hostess_sv11.c net: wan: remove deprecated IRQF_DISABLED 2013-10-07 15:53:52 -04:00
ixp4xx_hss.c net: wan: remove unnecessary platform_set_drvdata() 2013-05-27 22:34:52 -07:00
lapbether.c netfilter: Remove spurios included of netfilter.h 2015-06-18 21:14:32 +02:00
n2.c
pc300too.c PCI: Remove DEFINE_PCI_DEVICE_TABLE macro use 2014-08-12 12:15:14 -06:00
pci200syn.c PCI: Remove DEFINE_PCI_DEVICE_TABLE macro use 2014-08-12 12:15:14 -06:00
sbni.c net: wan: sbni: fix device usage count 2015-09-05 17:32:53 -07:00
sbni.h
sdla.c net: set name_assign_type in alloc_netdev() 2014-07-15 16:12:48 -07:00
sealevel.c net: wan: remove deprecated IRQF_DISABLED 2013-10-07 15:53:52 -04:00
wanxl.c PCI changes for the v3.17 merge window (part 2): 2014-08-14 18:10:33 -06:00
wanxl.h
wanxlfw.S Fix the wanxl firmware to include missing constants 2012-11-09 16:28:37 -05:00
wanxlfw.inc_shipped
x25_asy.c wan/x25: Fix use-after-free in x25_asy_open_tty() 2015-12-01 15:17:42 -05:00
x25_asy.h wan: Remove extern from function prototypes 2013-09-24 16:40:19 -07:00
z85230.c Doc: z8530book: Fix typo in API-z8530-sync-txdma-open.html 2015-07-10 23:45:31 -07:00
z85230.h wan: Remove extern from function prototypes 2013-09-24 16:40:19 -07:00