Release date: 2009-11-30
Last updated: 2009-12-02
Affected systems:
Linux kernel 2.6.31.5
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 37147
The Linux Kernel is the kernel used by the open-source operating system Linux.
The drivers/char/n_tty.c driver used by the Linux Kernel contains a NULL pointer dereference vulnerability:
    /**
     * n_tty_close - close the ldisc for this tty
     * @tty: device
     *
     * Called from the terminal layer when this line discipline is
     * being shut down, either because of a close or because of a
     * discipline change. The function will not be called while other
     * ldisc methods are in progress.
     */
    static void n_tty_close(struct tty_struct *tty)
    {
        n_tty_flush_buffer(tty);
        if (tty->read_buf) {
            kfree(tty->read_buf);
            tty->read_buf = NULL;
        }
        if (tty->echo_buf) {
            kfree(tty->echo_buf);
            tty->echo_buf = NULL;
        }
    }
This routine receives the TTY as a pointer to a tty_struct. It first calls n_tty_flush_buffer(), then frees the allocated read_buf and echo_buf buffers and sets both pointers to NULL. The first function called here is:
    /**
     * n_tty_flush_buffer - clean input queue
     * @tty: terminal device
     *
     * Flush the input buffer. Called when the line discipline is
     * being closed, when the tty layer wants the buffer flushed (eg
     * at hangup) or when the N_TTY line discipline internally has to
     * clean the pending queue (for example some signals).
     *
     * Locking: ctrl_lock, read_lock.
     */
    static void n_tty_flush_buffer(struct tty_struct *tty)
    {
        unsigned long flags;
        /* clear everything and unthrottle the driver */
        reset_buffer_flags(tty);
        if (!tty->link)
            return;
        spin_lock_irqsave(&tty->ctrl_lock, flags);
        if (tty->link->packet) {
            tty->ctrl_status |= TIOCPKT_FLUSHREAD;
            wake_up_interruptible(&tty->link->read_wait);
        }
        spin_unlock_irqrestore(&tty->ctrl_lock, flags);
    }
The only lock taken anywhere in the code above is the ctrl_lock spinlock inside n_tty_flush_buffer(), and it is released before n_tty_close() goes on to kfree() read_buf and echo_buf and set them to NULL. Because no other lock serialises this sequence against concurrent users of the line discipline, a race condition can result.
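As an added illustration that is not part of this advisory or of the kernel source, the following constructed user-space C model reproduces the hazard described above: a reader checks read_buf, the unlocked close frees and NULLs it in between, and the reader then hits a NULL pointer; the hardened variant holds a hypothetical lock (modelled as a C11 atomic flag with a non-blocking trylock) across check and use, so the close cannot interleave. struct tty_model, tty_init, close_unlocked, close_locked, race_unlocked and race_locked are all invented names.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdlib.h>

/* Constructed user-space stand-in for the tty_struct fields involved. */
struct tty_model {
    atomic_flag busy;         /* hypothetical lock guarding read_buf */
    unsigned char *read_buf;
};

static void tty_init(struct tty_model *t) {
    atomic_flag_clear(&t->busy);
    t->read_buf = calloc(16, 1);
    t->read_buf[0] = 'A';     /* constructed pending input byte */
}
/* Mirrors n_tty_close(): frees and NULLs read_buf with no lock held. */
static void close_unlocked(struct tty_model *t) {
    free(t->read_buf);
    t->read_buf = NULL;
}
/* Reader split into check and use so the interleaving can be forced; -1 marks where real code would dereference NULL. */
int race_unlocked(void) {
    struct tty_model t;
    tty_init(&t);
    int present = t.read_buf != NULL;       /* reader: check */
    close_unlocked(&t);                     /* close interleaves here */
    return present && t.read_buf ? t.read_buf[0] : -1;  /* reader: use */
}
/* Hardened close: proceeds only if it can take the lock (a trylock, so the
 * exclusion is observable without blocking). Returns 0 or EBUSY. */
static int close_locked(struct tty_model *t) {
    if (atomic_flag_test_and_set(&t->busy))
        return EBUSY;                       /* a reader still owns read_buf */
    free(t->read_buf);
    t->read_buf = NULL;
    atomic_flag_clear(&t->busy);
    return 0;
}
/* Reader holds the lock across check and use; a close attempted in between
 * is refused and succeeds only after the reader has finished. */
int race_locked(void) {
    struct tty_model t;
    tty_init(&t);
    atomic_flag_test_and_set(&t.busy);      /* reader: lock */
    int refused = close_locked(&t) == EBUSY; /* close interleaves: refused */
    int v = refused && t.read_buf ? t.read_buf[0] : -1; /* reader: use */
    atomic_flag_clear(&t.busy);
    close_locked(&t);                       /* now frees the buffer */
    return v;
}
```

race_unlocked() returns -1 (the reader found the freed, NULLed buffer), while race_locked() returns 'A' because the close was held off until the reader released the lock.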