Linux Kernel drivers/char/n_tty.c驱动空指针引用拒绝服务漏洞

Linux Kernel drivers/char/n_tty.c驱动空指针引用拒绝服务漏洞

发布日期：2009-11-30
更新日期：2009-12-02

受影响系统：
Linux kernel 2.6.31.5
描述：
--------------------------------------------------------------------------------
BUGTRAQ  ID: 37147

Linux Kernel是开放源码操作系统Linux所使用的内核。

Linux Kernel所使用的drivers/char/n_tty.c驱动中存在空指针引用漏洞：

/**
*    n_tty_close        -    close the ldisc for this tty
*    @tty: device
*
*    Called from the terminal layer when this line discipline is
*    being shut down, either because of a close or becSUSE of a
*    discipline change. The function will not be called while other
*    ldisc methods are in progress.
*/

static void n_tty_close(struct tty_struct *tty)
{
    n_tty_flush_buffer(tty);
    if (tty->read_buf) {
        kfree(tty->read_buf);
        tty->read_buf = NULL;
    }
    if (tty->echo_buf) {
        kfree(tty->echo_buf);
        tty->echo_buf = NULL;
    }
}

这个例程的参数是以指向tty_struct结构的指针形式传送的TTY，首先调用n_tty_flush_buffer()然后释放所分配的read_buf和echo_buf缓冲区，并将其设置为NULL。在这里所调用的第一个函数为：

/**
*    n_tty_flush_buffer    -    clean input queue
*    @tty:    terminal device
*
*    Flush the input buffer. Called when the line discipline is
*    being closed, when the tty layer wants the buffer flushed (eg
*    at hangup) or when the N_TTY line discipline internally has to
*    clean the pending queue (for example some signals).
*
*    Locking: ctrl_lock, read_lock.
*/

static void n_tty_flush_buffer(struct tty_struct *tty)
{
    unsigned long flags;
    /* clear everything and unthrottle the driver */
    reset_buffer_flags(tty);

    if (!tty->link)
        return;

    spin_lock_irqsave(&tty->ctrl_lock, flags);
    if (tty->link->packet) {
        tty->ctrl_status |= TIOCPKT_FLUSHREAD;
        wake_up_interruptible(&tty->link->read_wait);
    }
    spin_unlock_irqrestore(&tty->ctrl_lock, flags);
}

上面所保持的唯一一个锁是n_tty_flush_buffer()中的自旋锁。由于这个过程中没有其他的锁，这可能导致竞争条件。