Mitigate CVE-2017-2636 (LPE)
Originally created by @cypherpunks on #12315 (Redmine)
Since Tails has
CONFIG_N_HDLC=m in its kernel config, it is vulnerable
to CVE-2017-2636. Calling
TIOCSETD against a pseudoterminal will
autoload the vulnerable module, allowing any user to escalate their
A mitigation is to blacklist
n_hdlc in an
>N_HDLC line discipline uses a self-made singly linked lists for
>buffers and has n_hdlc.tbuf pointer for buffer retransmitting after
>an error. If sending of a data buffer is not successful, then its
>address is saved in n_hdlc.tbuf and the next time n_hdlc_send_frames()
>will try to resend it first of all.
>But the commit be10eb7589337e5defbe214dae038a53dd21add8 (“tty: n_hdlc
>buffer flushing”) introduced racy access to n_hdlc.tbuf.
>After transmission error concurrent flush_tx_queue() and
>can put a buffer pointed by n_hdlc.tbuf to tx_free_buf_list twice. That
>causes an exploitable double free error in n_hdlc_release().
>To fix the issue I used a standard kernel linked list protected by a
>and got rid of n_hdlc.tbuf. In case of transmission error the current data
>buffer is put after the head of tx_buf_list.
Feature Branch: bugfix/12315-CVE-2017-2636