Description  Eugene Teo (Security Response)
2010-02-26 06:56:28 UTC
Description of problem:
Alan pointed out a race in the code where hvc_remove is invoked. The recent virtio_console work is the first user of hvc_remove().
Alan describes it thus:
The hvc_console assumes that a close and remove call can't occur at the same time.
In addition tty_hangup(tty) is problematic as tty_hangup is asynchronous itself....
So this can happen
    hvc_close                       hvc_remove
                                    hung up ? - no
    lock
    tty = hp->tty
    unlock
                                    lock
                                    hp->tty = NULL
                                    unlock
                                    notify del
                                    kref_put the hvc struct
    close completes
    tty is destroyed
                                    tty_hangup dead tty
                                    tty->ops will be NULL
                                    NULL->...
This patch adds some tty krefs and also converts to using tty_vhangup().
Reported-by: Alan Cox <alan.org.uk>
Signed-off-by: Amit Shah <amit.shah>
CC: Alan Cox <alan.org.uk>
CC: linuxppc-dev
CC: Rusty Russell <rusty.au>
---
Alan, how does this version look?
I've tested with multiple virtio_console ports.
There's some other bug in the hvc_remove code that's unrelated: hot-removal of one console port results in all other hvc consoles to stop working. I'll look at that once this is finalised.
drivers/char/hvc_console.c | 31 +++++++++++++++++++++----------
1 files changed, 21 insertions(+), 10 deletions(-)
http://patchwork.kernel.org/patch/83353/
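Added illustration, not part of the bug report or of the quoted patch: a small user-space C model that replays the interleaving from the description deterministically (hvc_close reads hp->tty, hvc_remove detaches it under the lock, close completes and the tty is destroyed, hvc_remove then hangs up the tty). The structures, the lock and the ops table are simplified stand-ins for the kernel's tty_struct, hvc_struct and hp->lock; "destroying" the tty is modelled by clearing its ops pointer rather than freeing it so the dead object can still be inspected. `run_race(0)` returns -1 where the real code would dereference a NULL ops pointer; `run_race(1)` holds a tty reference across the unlocked window, which is the essence of the kref change the patch describes, and returns 0.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, reduced versions of the kernel objects involved in the race. */
struct tty_ops {
    int (*hangup)(void);
};

struct tty_struct {
    int kref;                   /* reference count; tty is destroyed at zero */
    const struct tty_ops *ops;  /* NULL once the tty has been destroyed */
};

struct hvc_struct {
    struct tty_struct *tty;
    int locked;                 /* stands in for hp->lock */
};

static int hangup_called;
static int model_hangup(void) { hangup_called = 1; return 0; }
static const struct tty_ops live_ops = { model_hangup };

/* tty_kref_get/put: the last put destroys the tty.  The model clears ops
 * instead of calling free() so the test can observe the dead state. */
static void tty_kref_get(struct tty_struct *tty) { tty->kref++; }
static void tty_kref_put(struct tty_struct *tty)
{
    if (--tty->kref == 0)
        tty->ops = NULL;        /* "tty is destroyed" */
}

static void lock(struct hvc_struct *hp)   { hp->locked = 1; }
static void unlock(struct hvc_struct *hp) { hp->locked = 0; }

/* Synchronous hangup.  Returns -1 where the kernel would follow a NULL
 * ops pointer ("NULL->..." in the report), 0 on a successful hangup. */
static int tty_vhangup_model(struct tty_struct *tty)
{
    if (tty->ops == NULL)
        return -1;
    return tty->ops->hangup();
}

/* First half of hvc_remove: detach the tty from hp under the lock.  With
 * 'fixed' set, take a tty reference before dropping the lock. */
static struct tty_struct *hvc_remove_detach(struct hvc_struct *hp, int fixed)
{
    struct tty_struct *tty;
    lock(hp);
    tty = hp->tty;
    if (tty && fixed)
        tty_kref_get(tty);
    hp->tty = NULL;
    unlock(hp);
    return tty;
}

/* Second half of hvc_remove: hang up the tty, then drop the extra reference.
 * (notify del / kref_put of the hvc struct are omitted from the model.) */
static int hvc_remove_hangup(struct tty_struct *tty, int fixed)
{
    int ret = tty_vhangup_model(tty);
    if (fixed)
        tty_kref_put(tty);
    return ret;
}

/* Tail of hvc_close: the open file releases its reference to the tty. */
static void hvc_close_complete(struct tty_struct *tty)
{
    tty_kref_put(tty);
}

/* Replays the interleaving from the bug report in program order.
 * Returns 0 if hangup ran on a live tty, -1 if it ran on a dead one. */
int run_race(int fixed)
{
    struct tty_struct tty = { 1, &live_ops };   /* one ref: the open file */
    struct hvc_struct hp = { &tty, 0 };
    struct tty_struct *close_tty, *remove_tty;

    hangup_called = 0;
    lock(&hp); close_tty = hp.tty; unlock(&hp);     /* hvc_close: tty = hp->tty */
    remove_tty = hvc_remove_detach(&hp, fixed);     /* hvc_remove: hp->tty = NULL */
    hvc_close_complete(close_tty);                  /* close completes */
    return hvc_remove_hangup(remove_tty, fixed);    /* tty_hangup on a dead tty? */
}

int main(void)
{
    printf("unfixed: %d\n", run_race(0));   /* -1: hangup on a destroyed tty */
    printf("fixed:   %d\n", run_race(1));   /*  0: held reference kept it alive */
    return 0;
}
```

The point the model makes is independent of the lock: the lock only protects the read of hp->tty, not the lifetime of the object it points at, so any use of the pointer after the lock is released needs its own reference, and the hangup has to be the synchronous tty_vhangup() so the reference can be dropped only after the hangup has actually run.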
Comment 7  Eugene Teo (Security Response)
2010-03-04 08:58:36 UTC
Comment 8  Eugene Teo (Security Response)
2010-03-04 09:06:13 UTC
Statement:
Not vulnerable. This issue did not affect the versions of KVM as shipped with Red Hat Enterprise Linux 5 as it does not contain the patch that introduced this vulnerability.