# CVE-2014-0196: Linux kernel pty layer race

## ChrisJumper

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0196

Exploit: http://www.openwall.com/lists/oss-security/2014/05/12/3

Patch: https://git.kernel.org/cgit/linux/kernel/git/gregkh/tty.git/commit/?h=tty-linus&id=4291086b1f081b869c6d79e5b7441633dc3ace00

German News: http://www.heise.de/open/meldung/Schwachstelle-im-Linux-Kernel-Admin-Rechte-fuer-alle-2187501.html

----------

## bendlas

Gentoo Bug: https://bugs.gentoo.org/show_bug.cgi?id=509840

----------

## alex6z

Here is the patch that was done to the latest Linux. I tried it on 3.0 and it wouldn't compile. 3.2 is in long-term support but there is no backport yet. This patch likely doesn't work there either.

The good news is that it appears that this exploit is for SMP systems only. I tried the crash PoC here http://pastebin.com/raw.php?i=yTSFUBgZ and it didn't crash my Pentium III on 3.0.76, and it didn't crash 2.6.32 on my Debian system with a P4 even with hyperthreading. Not tried as root in either case.

```

--- old/drivers/tty/n_tty.c

+++ new/drivers/tty/n_tty.c

@@ -2353,8 +2353,12 @@

                        if (tty->ops->flush_chars)

                                tty->ops->flush_chars(tty);

                } else {

+                       struct n_tty_data *ldata = tty->disc_data;

+

                        while (nr > 0) {

+                               mutex_lock(&ldata->output_lock);

                                c = tty->ops->write(tty, b, nr);

+                               mutex_unlock(&ldata->output_lock);

                                if (c < 0) {

                                        retval = c;

                                        goto break_out;

```
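Review bot: the lock is taken and released around each individual `tty->ops->write(tty, b, nr)` call inside the raw-output loop rather than around the whole `while (nr > 0)` loop, so when the write returns an error the `if (c < 0)` check and the `goto break_out` run with `output_lock` already dropped and cannot leave the mutex held; the quoted hunk is cut off after `goto break_out;`, though, so the rest of the loop body and its trailing context lines are not visible here. The new `struct n_tty_data *ldata = tty->disc_data;` declaration and the `ldata->output_lock` it dereferences are also exactly the lines an older n_tty.c without that structure or member would reject, which fits the 3.0 compile failure reported above; a backport would need to adapt those two lines to whatever the older tree uses for the output lock.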

----------

## alex6z

Update: got my 2.6.32 Debian system to crash when logged in over ssh, but it didn't work (or not right away) at the console. Turned off HT and now I can't crash it anymore.

----------

## e3k

No new kernel in sight according to the bug... I am too lazy to patch my kernel myself. Is there a chance that we will get a patched kernel soon?

----------

## platojones

The latest gentoo-sources kernel (3.14.4) contains linux patch 3.14.4, which has the fix in it.

----------

## e3k

Thank you platojones. I could live without nvidia-drivers using VESA, but I can't get that thing booting because I have root on ZFS. If only I were lazy enough not to experiment with the root filesystem...

---

3.10.40 is patched too and works for me.

----------

