[Utopic][Vivid][PATCH 0/1] n_tty: Fix read buffer overwrite when no newline
Joseph Salisbury
joseph.salisbury at canonical.com
Wed Apr 15 18:54:05 UTC 2015
On 04/15/2015 01:56 PM, Joseph Salisbury wrote:
> BugLink: http://bugs.launchpad.net/bugs/1381005
>
> == Utopic and Vivid SRU Justification ==
> Long stdin from terminal (>4096 characters) can result in code execution.
> Under certain conditions, the input entered from a terminal with a foreground
> process waiting for stdin, can be interpreted and executed by the shell.
> Instead of reading the input, the current program exits (read() only reads one
> character before EOF) and the shell executes the same input starting from the
> second character.
>
> This bug was introduced in v3.12-rc1 when mainline commit 24a89d1 was applied.
>
> Mainline commit fb5ef9e which was introduced in v4.0-rc1 resolves this bug.
> This commit does not cherry-pick cleanly, so I performed a backport for
> Utopic and Vivid. Trusty cannot use the backport of fb5ef9e7
> because smp_load_acquire was not introduced until 3.14-rc1. I'll look into
> an alternative way that this bug could be fixed in Trusty.
>
> I also submitted my backport for inclusion in the v3.14.y, v3.16.y-ckt, v3.18.y,
> v3.19.y upstream stable kernels. Not requested in upstream v3.12.y or v3.13.y-ckt,
> again because smp_load_acquire was not introduced until 3.14-rc1, so an entirely
> different fix is needed for those versions.
>
> == Fix ==
> commit fb5ef9e7da39968fec6d6f37f20a23d23740c75e
> Author: Peter Hurley <peter at hurleysoftware.com>
> Date: Fri Jan 16 15:05:39 2015 -0500
>
> n_tty: Fix read buffer overwrite when no newline
>
>
>
> == Test Case ==
>
> A test kernel was built with this patch and tested by myself and another bug
> commenter. The bug reporter states the test kernel resolved the bug.
>
>
> Peter Hurley (1):
> n_tty: Fix read buffer overwrite when no newline
>
> drivers/tty/n_tty.c | 108 +++++++++++++++++++++++++++++++++++++++-------------
> 1 file changed, 81 insertions(+), 27 deletions(-)
>
I received some feedback from upstream regarding my backport. I'll be
changing this a bit, so it shouldn't be applied to Utopic or Vivid yet.
I'll wait for final acks from upstream before sending a V2 SRU request.
Thanks,
Joe