Mitigate CVE-2017-2636 (LPE)
Originally created by @cypherpunks on #12315 (Redmine)
Since Tails has CONFIG_N_HDLC=m
in its kernel config, it is vulnerable
to CVE-2017-2636. Calling TIOCSETD
against a pseudoterminal will
autoload the vulnerable module, allowing any user to escalate their
privileges. See:
https://security-tracker.debian.org/tracker/CVE-2017-2636
A mitigation is to blacklist n_hdlc
in an /etc/modprobe.d/
entry.
Bug details:
>N_HDLC line discipline uses a self-made singly linked lists for
data
>buffers and has n_hdlc.tbuf pointer for buffer retransmitting after
>an error. If sending of a data buffer is not successful, then its
>address is saved in n_hdlc.tbuf and the next time
n_hdlc_send_frames()
>will try to resend it first of all.
>But the commit be10eb7589337e5defbe214dae038a53dd21add8 (“tty: n_hdlc
add
>buffer flushing”) introduced racy access to n_hdlc.tbuf.
>After transmission error concurrent flush_tx_queue() and
n_hdlc_send_frames()
>can put a buffer pointed by n_hdlc.tbuf to tx_free_buf_list twice.
That
>causes an exploitable double free error in n_hdlc_release().
>To fix the issue I used a standard kernel linked list protected by a
spinlock
>and got rid of n_hdlc.tbuf. In case of transmission error the current
data
>buffer is put after the head of tx_buf_list.
Feature Branch: bugfix/12315-CVE-2017-2636