Bug 559100 (CVE-2009-4895)

Summary: | CVE-2009-4895 kernel: tty->pgrp races | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | Eugene Teo (Security Response) <eteo>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED ERRATA | QA Contact: |
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | unspecified | CC: | arozansk, bhu, davej, kmcmartin, lgoncalv, lwang, pmatouse, tcallawa, williams
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2012-03-28 08:35:49 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 547593, 559101, 586022 | |
Bug Blocks: | | |
Description
Eugene Teo (Security Response)
2010-01-27 06:36:29 UTC
commit 703625118069f9f8960d356676662d3db5a9d116 is in 2.6.32.6: tty-fix-race-in-tty_fasync.patch
commit b04da8bfdfbbd79544cab2fadfdc12e87eb01600 is in 2.6.32.7: fnctl-f_modown-should-call-write_lock_irqsave-restore.patch

2.6.26-rc1 contains 47f86834bbd4193139d61d659bebf9ab9d691e37:
Subject: redo locking of tty->pgrp
X-Git-Tag: v2.6.26-rc1~240
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=47f86834bbd4193139d61d659bebf9ab9d691e37

kernel-2.6.30.10-105.2.13.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kernel-2.6.30.10-105.2.13.fc11

kernel-2.6.30.10-105.2.13.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.

Take note of this patch..

commit 80e1e823989ec44d8e35bdfddadbddcffec90424
Author: Linus Torvalds <torvalds>
Date: Sun Feb 7 10:11:23 2010 -0800

Fix race in tty_fasync() properly

This reverts commit 703625118069 ("tty: fix race in tty_fasync") and commit b04da8bfdfbb ("fnctl: f_modown should call write_lock_irqsave/ restore") that tried to fix up some of the fallout but was incomplete.

It turns out that we really cannot hold 'tty->ctrl_lock' over calling __f_setown, because not only did that cause problems with interrupt disables (which the second commit fixed), it also causes a potential ABBA deadlock due to lock ordering.

Thanks to Tetsuo Handa for following up on the issue, and running lockdep to show the problem. It goes roughly like this:

- f_getown gets filp->f_owner.lock for reading without interrupts disabled, so an interrupt that happens while that lock is held can cause a lockdep chain from f_owner.lock -> sighand->siglock.

- at the same time, the tty->ctrl_lock -> f_owner.lock chain that commit 703625118069 introduced, together with the pre-existing sighand->siglock -> tty->ctrl_lock chain means that we have a lock dependency the other way too.

So instead of extending tty->ctrl_lock over the whole __f_setown() call, we now just take a reference to the 'pid' structure while holding the lock, and then release it after having done the __f_setown. That still guarantees that 'struct pid' won't go away from under us, which is all we really ever needed.

Reported-and-tested-by: Tetsuo Handa <penguin-kernel.ne.jp>
Acked-by: Greg Kroah-Hartman <gregkh>
Acked-by: Américo Wang <xiyou.wangcong>
Cc: stable
Signed-off-by: Linus Torvalds <torvalds>

kernel-2.6.31.12-174.2.17.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/kernel-2.6.31.12-174.2.17.fc12

kernel-2.6.31.12-174.2.19.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/kernel-2.6.31.12-174.2.19.fc12

kernel-2.6.31.12-174.2.19.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.

Statement:

This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4 and 5. This issue was addressed in Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2010-0161.html.
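The lock-ordering argument in the commit message above can be checked mechanically, which is what lockdep did for Tetsuo Handa. The following is an added example, not kernel code and not part of this bug report: a small userspace model of lockdep's dependency graph for the three locks the commit names (f_owner.lock, sighand->siglock, tty->ctrl_lock). Each lock sequence below is a simplified stand-in for the kernel path it is named after (the interrupt in the f_getown case is modelled as a nested acquisition in the same context, which yields the same edge), and `get_pid`/`put_pid` are only noted in comments. With the 703625118069 ordering the graph has a cycle; with the 80e1e82398 ordering, where ctrl_lock is dropped before __f_setown and only the pid reference is carried across, it does not.

```c
/* Added example (not kernel code): a minimal lockdep-style lock-order
 * graph for the ABBA deadlock described in commit 80e1e82398.
 * Lock sequences are simplified models of the named kernel paths. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum { F_OWNER_LOCK, SIGLOCK, CTRL_LOCK, NLOCKS };
static const char *lock_name[NLOCKS] = {
    "filp->f_owner.lock", "sighand->siglock", "tty->ctrl_lock"
};

struct lockdep {
    bool edge[NLOCKS][NLOCKS];  /* edge[a][b]: b was acquired while a was held */
    int held[NLOCKS];           /* stack of currently held locks */
    int nheld;
};

/* Record "every held lock -> new lock", as lockdep does on acquire. */
static void ld_acquire(struct lockdep *ld, int lock) {
    for (int i = 0; i < ld->nheld; i++)
        ld->edge[ld->held[i]][lock] = true;
    ld->held[ld->nheld++] = lock;
}

/* Releases are LIFO in this model. */
static void ld_release(struct lockdep *ld, int lock) {
    if (ld->nheld > 0 && ld->held[ld->nheld - 1] == lock)
        ld->nheld--;
}

/* DFS cycle search over the dependency graph. */
static bool dfs(const struct lockdep *ld, int node, bool *onpath, bool *done) {
    onpath[node] = true;
    for (int n = 0; n < NLOCKS; n++) {
        if (!ld->edge[node][n]) continue;
        if (onpath[n]) return true;               /* back edge: A -> ... -> A */
        if (!done[n] && dfs(ld, n, onpath, done)) return true;
    }
    onpath[node] = false;
    done[node] = true;
    return false;
}

static bool ld_has_cycle(const struct lockdep *ld) {
    bool onpath[NLOCKS] = { false }, done[NLOCKS] = { false };
    for (int n = 0; n < NLOCKS; n++)
        if (!done[n] && dfs(ld, n, onpath, done)) return true;
    return false;
}

/* f_getown holds f_owner.lock with interrupts enabled; an interrupt that
 * takes siglock while it is held gives f_owner.lock -> siglock. */
static void path_f_getown_with_interrupt(struct lockdep *ld) {
    ld_acquire(ld, F_OWNER_LOCK);
    ld_acquire(ld, SIGLOCK);      /* modelled interrupt */
    ld_release(ld, SIGLOCK);
    ld_release(ld, F_OWNER_LOCK);
}

/* Pre-existing chain: siglock -> ctrl_lock. */
static void path_signal_to_tty(struct lockdep *ld) {
    ld_acquire(ld, SIGLOCK);
    ld_acquire(ld, CTRL_LOCK);
    ld_release(ld, CTRL_LOCK);
    ld_release(ld, SIGLOCK);
}

/* Ordering from commit 703625118069: __f_setown (which takes
 * f_owner.lock) called with ctrl_lock held: ctrl_lock -> f_owner.lock. */
static void path_tty_fasync_buggy(struct lockdep *ld) {
    ld_acquire(ld, CTRL_LOCK);
    ld_acquire(ld, F_OWNER_LOCK); /* inside __f_setown */
    ld_release(ld, F_OWNER_LOCK);
    ld_release(ld, CTRL_LOCK);
}

/* Ordering from commit 80e1e82398: take a pid reference under ctrl_lock,
 * drop the lock, then call __f_setown, then put the reference. */
static void path_tty_fasync_fixed(struct lockdep *ld) {
    ld_acquire(ld, CTRL_LOCK);
    /* pid = get_pid(tty->pgrp) would happen here */
    ld_release(ld, CTRL_LOCK);
    ld_acquire(ld, F_OWNER_LOCK); /* inside __f_setown(filp, pid, ...) */
    ld_release(ld, F_OWNER_LOCK);
    /* put_pid(pid) would happen here */
}

/* Returns true if the modelled lock graph contains an ABBA cycle. */
bool tty_fasync_deadlocks(bool fixed) {
    struct lockdep ld;
    memset(&ld, 0, sizeof ld);
    path_f_getown_with_interrupt(&ld);
    path_signal_to_tty(&ld);
    if (fixed) path_tty_fasync_fixed(&ld); else path_tty_fasync_buggy(&ld);
    return ld_has_cycle(&ld);
}

int main(void) {
    printf("locks: %s, %s, %s\n", lock_name[0], lock_name[1], lock_name[2]);
    printf("ordering of 703625118069: cycle=%d\n", tty_fasync_deadlocks(false));
    printf("ordering of 80e1e82398:   cycle=%d\n", tty_fasync_deadlocks(true));
    return 0;
}
```

The point the model makes is the one the commit message makes: the fix is not a different lock but a shorter critical section, with the pid refcount (rather than ctrl_lock) keeping `struct pid` alive across __f_setown, so no edge from ctrl_lock to f_owner.lock is ever created.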