Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 5 May 2014 12:08:11 +0200
From: Marcus Meissner <>
To: OSS Security List <>
Subject: CVE-2014-0196: Linux kernel pty layer race condition memory


SUSE customer Ericsson reported a kernel crash to us which turned out
to be a race condition in the PTY write buffer handling.

When two processes/threads write to the same pty, the buffer end could
be overwritten and so memory corruption into adjacent buffers could lead
to crashes / code execution.

Jiri Slaby and Peter Hurley localized and fixed this problem.

CVE-2014-0196 has been assigned to this issue.

Jiri thinks this was introduced during 2.6.31 development by
d945cb9cce20ac7143c2de8d88b187f62db99bdc (pty: Rework the pty
layer to use the normal buffering logic) in 2.6.31-rc3. Until then, pty
was writing directly to a line discipline without using buffers.

Patch is also attached.

Ciao, Marcus

View attachment "n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch" of type "text/x-patch" (3382 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.