From patchwork Fri Nov  9 17:04:26 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
X-Patchwork-Id: 995669
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com
	(client-ip=91.189.94.19; helo=huckleberry.canonical.com;
	envelope-from=kernel-team-bounces@lists.ubuntu.com;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none)
	header.from=canonical.com
Received: from huckleberry.canonical.com (huckleberry.canonical.com
	[91.189.94.19])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 42s62b2fkBz9sC7;
	Sat, 10 Nov 2018 04:04:39 +1100 (AEDT)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1gLACw-0006jt-Jc; Fri, 09 Nov 2018 17:04:34 +0000
Received: from youngberry.canonical.com ([91.189.89.112])
	by huckleberry.canonical.com with esmtps
	(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128)
	(Exim 4.86_2) (envelope-from <kleber.souza@canonical.com>)
	id 1gLACu-0006iA-Gx
	for kernel-team@lists.ubuntu.com; Fri, 09 Nov 2018 17:04:32 +0000
Received: from mail-wr1-f69.google.com ([209.85.221.69])
	by youngberry.canonical.com with esmtps
	(TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.76) (envelope-from <kleber.souza@canonical.com>)
	id 1gLACu-000835-9Z
	for kernel-team@lists.ubuntu.com; Fri, 09 Nov 2018 17:04:32 +0000
Received: by mail-wr1-f69.google.com with SMTP id o9-v6so2133830wrw.2
	for <kernel-team@lists.ubuntu.com>;
	Fri, 09 Nov 2018 09:04:32 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to
	:references;
	bh=lNTG2SGsbyzcFhz5xPhgtPCu82VWufR+dQUYmgojCnY=;
	b=IwnEOAEV4o3A2q9ijVWBhphn7lrVX/cgPUadAx6QwCic4oHVqmvTWb0IJ+3+6y/2t5
	Coy8nrUNNsd34RG0sqLAqks5wyjChirsdtqqUw68ATd8f7dZwIXuNo03RPTLoxHwQG4s
	RdkSsUXEmepTuG1v4Uv5RanT6k9AEtNjOew3ilT/xTGFYoDWOFijEoBk0YbZW35MYL+Q
	0DZLucEqdOn7HQAHn1PCMXnhb/NgWLncpuG5AmMlKkN8JUVrbyRS7hn7lXO4hHEvN4P1
	hHJM5B8LSc3frmBUAmHT9Xqm1nkL5JjxAqQ2R1unrMR7U3zp3IhIbAXMXzCObN1v1ZT8
	3Hlw==
X-Gm-Message-State: AGRZ1gK0qkYsRS2srOk3IvItptBK/Jbpc8lxqWoJxLx3nfs/LOYG4bdH
	Z0V0Mv9cjEZhiYyydsgrSOvyjSV5lY0McANw8tRI8hH7VwgQ8rzXO0lqJFe3tCxx+qru5RQC6Xx
	ovEgzafPOuYAhrd0sq0voTwwgWAaZzdeufSsmJXONRQ==
X-Received: by 2002:a5d:5503:: with SMTP id
	b3-v6mr9257556wrv.201.1541783071188;
	Fri, 09 Nov 2018 09:04:31 -0800 (PST)
X-Google-Smtp-Source: 
 AJdET5fdVi3/ybal4nAY6Yu6kq6O4/Qo1V9JAk0xk6OUbdjyqqugLPikxljbxFHZsr8zEuIFLKHmhA==
X-Received: by 2002:a5d:5503:: with SMTP id
	b3-v6mr9257543wrv.201.1541783070905;
	Fri, 09 Nov 2018 09:04:30 -0800 (PST)
Received: from localhost ([2a02:8109:98c0:1604:d18b:fdaf:4fb2:4856])
	by smtp.gmail.com with ESMTPSA id
	b66-v6sm1357654wmb.21.2018.11.09.09.04.29
	for <kernel-team@lists.ubuntu.com>
	(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
	Fri, 09 Nov 2018 09:04:30 -0800 (PST)
From: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Trusty][PATCH 1/1] n_tty: fix EXTPROC vs ICANON interaction
	with TIOCINQ (aka FIONREAD)
Date: Fri,  9 Nov 2018 18:04:26 +0100
Message-Id: <20181109170426.6350-2-kleber.souza@canonical.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20181109170426.6350-1-kleber.souza@canonical.com>
References: <20181109170426.6350-1-kleber.souza@canonical.com>
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
MIME-Version: 1.0
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: Linus Torvalds <torvalds@linux-foundation.org>

We added support for EXTPROC back in 2010 in commit 26df6d13406d ("tty:
Add EXTPROC support for LINEMODE") and the intent was to allow it to
override some (all?) ICANON behavior.  Quoting from that original commit
message:

         There is a new bit in the termios local flag word, EXTPROC.
         When this bit is set, several aspects of the terminal driver
         are disabled.  Input line editing, character echo, and mapping
         of signals are all disabled.  This allows the telnetd to turn
         off these functions when in linemode, but still keep track of
         what state the user wants the terminal to be in.

but the problem turns out that "several aspects of the terminal driver
are disabled" is a bit ambiguous, and you can really confuse the n_tty
layer by setting EXTPROC and then causing some of the ICANON invariants
to no longer be maintained.

This fixes at least one such case (TIOCINQ) becoming unhappy because of
the confusion over whether ICANON really means ICANON when EXTPROC is set.

This basically makes TIOCINQ match the case of read: if EXTPROC is set,
we ignore ICANON.  Also, make sure to reset the ICANON state ie EXTPROC
changes, not just if ICANON changes.

Fixes: 26df6d13406d ("tty: Add EXTPROC support for LINEMODE")
Reported-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Reported-by: syzkaller <syzkaller@googlegroups.com>
Cc: Jiri Slaby <jslaby@suse.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

CVE-2018-18386
(cherry picked from commit 966031f340185eddd05affcf72b740549f056348)
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Acked-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
---
 drivers/tty/n_tty.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
index 8a13b3372804..38bf1d5230d0 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -1811,7 +1811,7 @@ static void n_tty_set_termios(struct tty_struct *tty, struct ktermios *old)
 {
 	struct n_tty_data *ldata = tty->disc_data;
 
-	if (!old || (old->c_lflag ^ tty->termios.c_lflag) & ICANON) {
+	if (!old || (old->c_lflag ^ tty->termios.c_lflag) & (ICANON | EXTPROC)) {
 		bitmap_zero(ldata->read_flags, N_TTY_BUF_SIZE);
 		ldata->line_start = ldata->read_tail;
 		if (!L_ICANON(tty) || !read_cnt(ldata)) {
@@ -2526,7 +2526,7 @@ static int n_tty_ioctl(struct tty_struct *tty, struct file *file,
 		return put_user(tty_chars_in_buffer(tty), (int __user *) arg);
 	case TIOCINQ:
 		down_write(&tty->termios_rwsem);
-		if (L_ICANON(tty))
+		if (L_ICANON(tty) && !L_EXTPROC(tty))
 			retval = inq_canon(ldata);
 		else
 			retval = read_cnt(ldata);