Race condition in the tty_fasync function in drivers/char/tty_io.c in the
Linux kernel before 188.8.131.52 allows local users to cause a denial of
service (NULL pointer dereference and system crash) or possibly have
unspecified other impact via unknown vectors, related to the put_tty_queue
and __f_setown functions. NOTE: the vulnerability was addressed in a
different way in 184.108.40.206.
Al Viro discovered a race condition in the TTY driver. A local attacker
could exploit this to crash the system, leading to a denial of service.
sbeattie> first patch (703625118069f9f8) was reverted and the second
patch was used in 220.127.116.11, which fixes the issue "properly".
smb> IMO the races in tty became visible when the BLK was pushed down into
smb> the line disciplines and switch to unlocked ioctl in 2.6.26
smb> (04f378b198da233ca0aca341b113dc6579d46123), so Hardy and Dapper are not
(2.6.33-rc8, 18.104.22.168, 22.214.171.124)
Updated: 2015-07-29 20:37:28 UTC (commit 9756)