linux/drivers/net/irda
Peter Hurley 401879c57f net: irda: Fix use-after-free in irtty_open()
The N_IRDA line discipline may access the previous line discipline's closed
and already-freed private data on open [1].

The tty->disc_data field _never_ refers to valid data on entry to the
line discipline's open() method. Rather, the ldisc is expected to
initialize that field for its own use for the lifetime of the instance
(ie. from open() to close() only).

[1]
    ==================================================================
    BUG: KASAN: use-after-free in irtty_open+0x422/0x550 at addr ffff8800331dd068
    Read of size 4 by task a.out/13960
    =============================================================================
    BUG kmalloc-512 (Tainted: G    B          ): kasan: bad access detected
    -----------------------------------------------------------------------------
    ...
    Call Trace:
     [<ffffffff815fa2ae>] __asan_report_load4_noabort+0x3e/0x40 mm/kasan/report.c:279
     [<ffffffff836938a2>] irtty_open+0x422/0x550 drivers/net/irda/irtty-sir.c:436
     [<ffffffff829f1b80>] tty_ldisc_open.isra.2+0x60/0xa0 drivers/tty/tty_ldisc.c:447
     [<ffffffff829f21c0>] tty_set_ldisc+0x1a0/0x940 drivers/tty/tty_ldisc.c:567
     [<     inline     >] tiocsetd drivers/tty/tty_io.c:2650
     [<ffffffff829da49e>] tty_ioctl+0xace/0x1fd0 drivers/tty/tty_io.c:2883
     [<     inline     >] vfs_ioctl fs/ioctl.c:43
     [<ffffffff816708ac>] do_vfs_ioctl+0x57c/0xe60 fs/ioctl.c:607
     [<     inline     >] SYSC_ioctl fs/ioctl.c:622
     [<ffffffff81671204>] SyS_ioctl+0x74/0x80 fs/ioctl.c:613
     [<ffffffff852a7876>] entry_SYSCALL_64_fastpath+0x16/0x7a

Reported-and-tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-02-06 23:28:31 -08:00
act200l-sir.c irda: Convert IRDA_DEBUG to pr_debug 2014-11-12 13:56:41 -05:00
actisys-sir.c irda: Convert IRDA_DEBUG to pr_debug 2014-11-12 13:56:41 -05:00
ali-ircc.c irda: ali-ircc: Fix deadlock in ali_ircc_sir_change_speed() 2015-09-11 16:18:33 -07:00
ali-ircc.h irda: ali-ircc: Replace timeval with ktime_t 2015-01-11 21:39:40 -05:00
au1k_ir.c irda: Removed all unused timeval variables 2015-01-11 21:39:40 -05:00
bfin_sir.c irda: remove deprecated IRQF_DISABLED 2013-10-07 15:53:52 -04:00
bfin_sir.h
donauboe.c irda: Convert IRDA_DEBUG to pr_debug 2014-11-12 13:56:41 -05:00
donauboe.h
esi-sir.c irda: Fix FSF address in file headers 2013-12-06 12:37:55 -05:00
girbil-sir.c irda: Convert IRDA_DEBUG to pr_debug 2014-11-12 13:56:41 -05:00
irda-usb.c irda: irda-usb: use msecs_to_jiffies for conversions 2015-05-25 17:39:21 -04:00
irda-usb.h irda: irda-usb: Replace timeval with ktime_t 2015-01-11 21:39:40 -05:00
irtty-sir.c net: irda: Fix use-after-free in irtty_open() 2016-02-06 23:28:31 -08:00
irtty-sir.h
Kconfig drivers/net/irda/Kconfig: Let SH_IRDA depend on HAS_IOMEM 2014-10-03 15:52:04 -07:00
kingsun-sir.c irda: Removed all unused timeval variables 2015-01-11 21:39:40 -05:00
ks959-sir.c irda: Removed all unused timeval variables 2015-01-11 21:39:40 -05:00
ksdazzle-sir.c drivers/net: delete non-required instances of include <linux/init.h> 2014-01-16 11:53:26 -08:00
litelink-sir.c irda: Convert IRDA_DEBUG to pr_debug 2014-11-12 13:56:41 -05:00
ma600-sir.c irda: Convert IRDA_DEBUG to pr_debug 2014-11-12 13:56:41 -05:00
Makefile net: irda: ep7211-sir: Remove driver 2014-02-06 19:54:48 -08:00
mcp2120-sir.c irda: Convert IRDA_DEBUG to pr_debug 2014-11-12 13:56:41 -05:00
mcs7780.c irda: Removed all unused timeval variables 2015-01-11 21:39:40 -05:00
mcs7780.h irda: Removed all unused timeval variables 2015-01-11 21:39:40 -05:00
nsc-ircc.c irda: nsc-ircc: Replace timeval with ktime_t 2015-01-11 21:39:40 -05:00
nsc-ircc.h irda: nsc-ircc: Replace timeval with ktime_t 2015-01-11 21:39:40 -05:00
old_belkin-sir.c irda: Convert IRDA_DEBUG to pr_debug 2014-11-12 13:56:41 -05:00
pxaficp_ir.c net: irda: pxaficp_ir: dmaengine conversion 2015-09-28 22:32:48 -07:00
sa1100_ir.c arm: sa1100: move irda header to linux/platform_data 2014-12-30 18:44:07 -05:00
sh_irda.c irda: sh_irda: use devm_request_irq() 2014-01-09 22:57:13 -05:00
sh_sir.c irda: sh_sir: Use cpufreq_for_each_valid_entry macro for iteration 2014-04-30 00:06:54 +02:00
sir_dev.c irda: Convert IRDA_DEBUG to pr_debug 2014-11-12 13:56:41 -05:00
sir_dongle.c irda: Convert IRDA_DEBUG to pr_debug 2014-11-12 13:56:41 -05:00
sir-dev.h irda: Remove extern from function prototypes 2013-09-24 12:54:17 -07:00
smsc-ircc2.c irda: Convert IRDA_DEBUG to pr_debug 2014-11-12 13:56:41 -05:00
smsc-ircc2.h irda: Fix FSF address in file headers 2013-12-06 12:37:55 -05:00
smsc-sio.h
stir4200.c irda: stir4200: Replace timeval with ktime_t 2015-01-11 21:39:40 -05:00
tekram-sir.c irda: Convert IRDA_DEBUG to pr_debug 2014-11-12 13:56:41 -05:00
toim3232-sir.c irda: toim3232-sir: delete some dead code 2016-01-08 13:25:33 -05:00
via-ircc.c irda: Convert IRDA_DEBUG to pr_debug 2014-11-12 13:56:41 -05:00
via-ircc.h irda: Removed all unused timeval variables 2015-01-11 21:39:40 -05:00
vlsi_ir.c irda: vlsi_ir: Replace timeval with ktime_t 2015-01-11 21:39:40 -05:00
vlsi_ir.h irda: vlsi_ir: Replace timeval with ktime_t 2015-01-11 21:39:40 -05:00
w83977af_ir.c irda: Convert IRDA_DEBUG to pr_debug 2014-11-12 13:56:41 -05:00
w83977af_ir.h
w83977af.h