)]}'
{
  "commit": "34a0731bd49147bb99bec5f916bb4b1cd60aa2ce",
  "tree": "b9c6bb09045328d336bea06cd68665316bd54a2c",
  "parents": [
    "ae1a9679619463fe95da84f0388272de24f6ecca"
  ],
  "author": {
    "name": "Jann Horn",
    "email": "jannh@google.com",
    "time": "Thu Dec 03 02:25:05 2020 +0100"
  },
  "committer": {
    "name": "Dexter Rivera",
    "email": "riverade@google.com",
    "time": "Tue Dec 29 01:47:21 2020 +0000"
  },
  "message": "tty: Fix -\u003esession locking\n\ncommit c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9 upstream.\n\nCurrently, locking of -\u003esession is very inconsistent; most places\nprotect it using the legacy tty mutex, but disassociate_ctty(),\n__do_SAK(), tiocspgrp() and tiocgsid() don\u0027t.\nTwo of the writers hold the ctrl_lock (because they already need it for\n-\u003epgrp), but __proc_set_tty() doesn\u0027t do that yet.\n\nOn a PREEMPT\u003dy system, an unprivileged user can theoretically abuse\nthis broken locking to read 4 bytes of freed memory via TIOCGSID if\ntiocgsid() is preempted long enough at the right point. (Other things\nmight also go wrong, especially if root-only ioctls are involved; I\u0027m\nnot sure about that.)\n\nChange the locking on -\u003esession such that:\n\n - tty_lock() is held by all writers: By making disassociate_ctty()\n   hold it. This should be fine because the same lock can already be\n   taken through the call to tty_vhangup_session().\n   The tricky part is that we need to shorten the area covered by\n   siglock to be able to take tty_lock() without ugly retry logic; as\n   far as I can tell, this should be fine, since nothing in the\n   signal_struct is touched in the `if (tty)` branch.\n - ctrl_lock is held by all writers: By changing __proc_set_tty() to\n   hold the lock a little longer.\n - All readers that aren\u0027t holding tty_lock() hold ctrl_lock: By\n   adding locking to tiocgsid() and __do_SAK(), and expanding the area\n   covered by ctrl_lock in tiocspgrp().\n\nBUG\u003db/176281237\nTEST\u003dpresubmit\nRELEASE_NOTE\u003dFixed CVE-2020-29660\nSOURCE\u003dUPSTREAM(c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9)\n\ncos-patch: security-high\nCc: stable@kernel.org\nSigned-off-by: Jann Horn \u003cjannh@google.com\u003e\nReviewed-by: Jiri Slaby \u003cjirislaby@kernel.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nChange-Id: I83d3547a5e7216c65ea1e2266d269300c444545d\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/9621\nReviewed-by: Vaibhav Rustagi \u003cvaibhavrustagi@google.com\u003e\nTested-by: Cusky Presubmit Bot \u003cpresubmit@cos-infra-prod.iam.gserviceaccount.com\u003e\nSigned-off-by: Dexter Rivera \u003criverade@google.com\u003e\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/10061\nReviewed-by: Roy Yang \u003croyyang@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "ac8025cd4a1fefa7f223e9ba12a6b30f9069ac73",
      "old_mode": 33188,
      "old_path": "drivers/tty/tty_io.c",
      "new_id": "ff6a360eef1edfe637025c8a744a0bc8cade362d",
      "new_mode": 33188,
      "new_path": "drivers/tty/tty_io.c"
    },
    {
      "type": "modify",
      "old_id": "a42dec3c95d05500e2dd2811cb4d151618417f71",
      "old_mode": 33188,
      "old_path": "drivers/tty/tty_jobctrl.c",
      "new_id": "ffcab80ba77d9e7bad5b83930acc4b5e8a5f5032",
      "new_mode": 33188,
      "new_path": "drivers/tty/tty_jobctrl.c"
    },
    {
      "type": "modify",
      "old_id": "74226a8f919c15cd1eaed262303b7e8fc41ecae0",
      "old_mode": 33188,
      "old_path": "include/linux/tty.h",
      "new_id": "d808ab9c9aff2594014429a3d4bd94e514e468bb",
      "new_mode": 33188,
      "new_path": "include/linux/tty.h"
    }
  ]
}
