Bug 568621 (CVE-2010-2653)

Summary: CVE-2010-2653 kvm: vulnerability in the hvc_console code that gets exposed via the new virtio_console functionality
Product: [Other] Security Response
Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: high
Priority: high
Version: unspecified
CC: amit.shah, arozansk, bressers, jkacur, lihuang, lwang, peterm, pmatouse, security-response-team, tcallawa
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2016-03-29 10:14:38 UTC
Bug Depends On: 568624, 579408

Description Eugene Teo (Security Response) 2010-02-26 06:56:28 UTC
Description of problem:
Alan pointed out a race in the code where hvc_remove is invoked. The recent virtio_console work is the first user of hvc_remove().

Alan describes it thus:

The hvc_console assumes that a close and remove call can't occur at the same time.

In addition tty_hangup(tty) is problematic as tty_hangup is asynchronous itself....

So this can happen:

        hvc_close                               hvc_remove
        hung up ? - no
                                                lock
                                                tty = hp->tty
                                                unlock
        lock
        hp->tty = NULL
        unlock
        notify del
        kref_put the hvc struct
        close completes
        tty is destroyed
                                                tty_hangup dead tty
                                                tty->ops will be NULL
                                                NULL->...

This patch adds some tty krefs and also converts to using tty_vhangup().

Reported-by: Alan Cox <alan.org.uk>
Signed-off-by: Amit Shah <amit.shah>
CC: Alan Cox <alan.org.uk>
CC: linuxppc-dev
CC: Rusty Russell <rusty.au>
---

Alan, how does this version look?

I've tested with multiple virtio_console ports.

There's some other bug in the hvc_remove code that's unrelated: hot-removal of one console port results in all other hvc consoles stopping working. I'll look at that once this is finalised.

 drivers/char/hvc_console.c |   31 +++++++++++++++++++++----------
 1 files changed, 21 insertions(+), 10 deletions(-)

http://patchwork.kernel.org/patch/83353/
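The interleaving in the diagram above, replayed as a constructed user-space C model. This is an added illustration, not the kernel's hvc_console code and not the patch itself: the struct and function names (model_hvc_close, model_hvc_remove_begin, model_hvc_remove_end, replay_race) are invented, a plain counter stands in for the kref, a single function pointer stands in for tty->ops, and a mutex stands in for the driver's lock. The hold_ref flag switches between the pre-patch behaviour (remove copies the bare tty pointer) and the patched behaviour (remove takes a reference while it holds the lock), so the same interleaving can be run both ways.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the objects named in the report (not kernel structs). */
struct tty {
    int refcount;          /* stands in for the kref on the tty */
    bool destroyed;        /* set when the last reference is dropped */
    void (*hangup)(void);  /* stands in for tty->ops; NULL once destroyed */
};

struct hvc {
    pthread_mutex_t lock;  /* stands in for the hvc struct's lock */
    struct tty *tty;
};

static void real_hangup(void) { /* nothing to do in the model */ }

static struct tty *tty_alloc(void)
{
    struct tty *t = calloc(1, sizeof *t);
    if (!t)
        abort();
    t->refcount = 1;           /* the reference owned by hp->tty */
    t->hangup = real_hangup;
    return t;
}

static void tty_kref_get(struct tty *t) { t->refcount++; }

/* Dropping the last reference "destroys" the tty. The memory is kept alive
 * so that a later use can be reported instead of being undefined behaviour. */
static void tty_kref_put(struct tty *t)
{
    if (--t->refcount == 0) {
        t->destroyed = true;
        t->hangup = NULL;
    }
}

/* hvc_close as in the diagram: detach the tty under the lock, then drop the
 * console's reference. If nobody else holds one, the tty is destroyed. */
static void model_hvc_close(struct hvc *hp)
{
    pthread_mutex_lock(&hp->lock);
    struct tty *t = hp->tty;
    hp->tty = NULL;
    pthread_mutex_unlock(&hp->lock);
    if (t)
        tty_kref_put(t);
}

/* First half of hvc_remove: record the tty pointer under the lock. With
 * hold_ref == false this is the bare pointer copy from the report; with
 * hold_ref == true a reference is taken while the lock is still held. */
static struct tty *model_hvc_remove_begin(struct hvc *hp, bool hold_ref)
{
    pthread_mutex_lock(&hp->lock);
    struct tty *t = hp->tty;
    if (t && hold_ref)
        tty_kref_get(t);
    pthread_mutex_unlock(&hp->lock);
    return t;
}

/* Second half of hvc_remove: hang up the recorded tty. Returns 0 on success
 * and -1 if the tty was already destroyed, the point at which the real driver
 * would follow a NULL tty->ops pointer. */
static int model_hvc_remove_end(struct tty *t, bool hold_ref)
{
    if (!t)
        return 0;
    if (t->destroyed || !t->hangup)
        return -1;
    t->hangup();
    if (hold_ref)
        tty_kref_put(t);   /* balance the reference taken in remove_begin */
    return 0;
}

/* Replays the interleaving from the report: remove snapshots the tty, close
 * runs to completion, then remove hangs up. Returns remove's result. */
int replay_race(bool hold_ref)
{
    struct hvc hp = { PTHREAD_MUTEX_INITIALIZER, tty_alloc() };
    struct tty *victim = hp.tty;

    struct tty *t = model_hvc_remove_begin(&hp, hold_ref); /* remove: lock, tty = hp->tty, unlock */
    model_hvc_close(&hp);                                   /* close: hp->tty = NULL, kref_put */
    int rc = model_hvc_remove_end(t, hold_ref);             /* remove: tty_hangup(tty) */

    free(victim);
    pthread_mutex_destroy(&hp.lock);
    return rc;
}

int main(void)
{
    printf("bare pointer (pre-patch): remove %s\n",
           replay_race(false) == 0 ? "ok" : "touched a destroyed tty");
    printf("kref held (patched):      remove %s\n",
           replay_race(true) == 0 ? "ok" : "touched a destroyed tty");
    return 0;
}
```

The model only covers the reference-counting half of the fix: taking the reference inside the locked region is what guarantees the object outlives the later hangup call, whatever close does in between. The report's second point, that tty_hangup() is itself asynchronous and the patch switches to tty_vhangup(), is not modelled here.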

Comment 7 Eugene Teo (Security Response) 2010-03-04 08:58:36 UTC
http://patchwork.kernel.org/patch/83353/
http://lkml.org/lkml/2010/3/3/207

Comment 8 Eugene Teo (Security Response) 2010-03-04 09:06:13 UTC
Statement:

Not vulnerable. This issue did not affect the versions of KVM as shipped with Red Hat Enterprise Linux 5 as it does not contain the patch that introduced this vulnerability.

Comment 9 Kyle McMartin 2010-03-05 12:52:09 UTC
OK, thanks guys, I committed the fix for this to the F-13 branch this morning.

Comment 18 Mike McCune 2016-03-28 23:33:48 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation. Please see mmccune with any questions.