[Lucid][CVE-2013-0160][Patch 0/3] TTY: do not update atime/mtime on read/write

Luis Henriques luis.henriques at canonical.com
Fri Jan 24 10:07:17 UTC 2014


Following this email, I am sending 3 patches for Lucid that backport
the fix(es) for CVE-2013-0160:

* b0de59b "TTY: do not update atime/mtime on read/write"
  This would be a clean cherry-pick if it wasn't for the file rename:
  file drivers/tty/tty_io.c is drivers/char/tty_io.c in Lucid

* 37b7f3c "TTY: fix atime/mtime regression"
  The 2nd hunk of this patch is dropped in this backport as it is
  already present in Lucid.

* b0b8856 "tty: fix up atime/mtime mess, take three"
  This backport drops the first hunk as it depends on commit ecf081d
  ("vfs: introduce FMODE_NONOTIFY"), which hasn't been backported to
  Lucid.

I've tested these patches incrementally, i.e.:

1) I was able to verify the 1st one breaks 'w'
2) The 2nd one fixes it but 'w' still doesn't provide useful
  information (updates to 'idle' time take a while)
3) The 3rd one finally makes 'w' usable again.

(Oh, and I've verified the actual CVE is fixed by running the PoCs
available here: http://vladz.devzero.fr/013_ptmx-timing.php)

Jiri Slaby (2):
  TTY: do not update atime/mtime on read/write
  TTY: fix atime/mtime regression

Linus Torvalds (1):
  tty: fix up atime/mtime mess, take three

 drivers/char/tty_io.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

-- 
1.8.3.2



