Bug 1218879 (CVE-2015-4170)

Summary: CVE-2015-4170 kernel: pty layer race condition on tty ldisc shutdown.
Product: [Other] Security Response Reporter: Wade Mealing <wmealing>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: agordeev, aquini, arm-mgr, bhu, blc, carnil, dhoward, esammons, fhrbata, gansalmon, hannsj_uhl, iboverma, itamar, jforbes, jkacur, joelsmith, jonathan, jross, jwboyer, kernel-maint, kernel-mgr, lgoncalv, lwang, madhu.chinakonda, matt, mchehab, mcressma, mguzik, mlangsdo, nmurray, pholasek, plougher, pmatouse, rt-maint, rvrbovsk, slawomir, slong, vdronov, vgoyal, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
A flaw was discovered in the way the Linux kernel's TTY subsystem handled the tty shutdown phase. A local, unprivileged user could use this flaw to cause denial of service on the system by holding a reference to the ldisc lock during tty shutdown, causing a deadlock.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-07-12 15:14:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1183479, 1248300, 1248301, 1248302, 1278751, 1332164, 1343555    
Bug Blocks: 1188620    

Description Wade Mealing 2015-05-06 06:29:14 UTC 
An issue was discovered in the linux kernel's tty subsystem handling during shutdown. The flaw was possible to take a reference to the ldisc during shutdown phase.

This race occurs on hangup of tty.  It races and hangs on ldsem_down_write on a semaphore that is being aquired by a new reader(CPU 1).  The new reader/writer is sleeping in ldsem_down_read() and the hangup is sleeping in ldsem_down_write().

Resources:

Fix: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cf872776fc84128bb779ce2b83a37c884c3203ae
CVE request: http://seclists.org/oss-sec/2015/q2/545
Comment 1 Wade Mealing 2015-05-28 04:04:48 UTC 
Statement:

This issue does not affect the Linux kernels as shipped with Red Hat Enterprise Linux 5, 6.

This issue affects the Linux kernel packages kernel as shipped with Red Hat Enterprise Linux 7 and Red Hat Enterprise MRG 2.
Comment 7 errata-xmlrpc 2015-11-19 13:19:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2411 https://rhn.redhat.com/errata/RHSA-2015-2411.html
Comment 8 errata-xmlrpc 2015-11-19 22:15:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2152 https://rhn.redhat.com/errata/RHSA-2015-2152.html
Comment 11 errata-xmlrpc 2016-07-12 09:25:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.1 Extended Update Support

Via RHSA-2016:1395 https://access.redhat.com/errata/RHSA-2016:1395