Red Hat Bugzilla – Bug 559100
CVE-2009-4895 kernel: tty->pgrp races
Last modified: 2015-08-19 04:43:19 EDT
Description of problem:
Changes to tty to use struct pid happened here:
mrg-1/rhel-6 are missing:
1) redo locking of tty->pgrp
2) tty: fix race in tty_fasync
3) fnctl: f_modown should call write_lock_irqsave/restore
commit 703625118069f9f8960d356676662d3db5a9d116 is in 220.127.116.11:
commit b04da8bfdfbbd79544cab2fadfdc12e87eb01600 is in 18.104.22.168:
2.6.26-rc1 contains 47f86834bbd4193139d61d659bebf9ab9d691e37 :
Subject: redo locking of tty->pgrp
kernel-22.214.171.124-105.2.13.fc11 has been submitted as an update for Fedora 11.
kernel-126.96.36.199-105.2.13.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
Take note of this patch..
Author: Linus Torvalds <email@example.com>
Date: Sun Feb 7 10:11:23 2010 -0800
Fix race in tty_fasync() properly
This reverts commit 703625118069 ("tty: fix race in tty_fasync") and
commit b04da8bfdfbb ("fnctl: f_modown should call write_lock_irqsave/
restore") that tried to fix up some of the fallout but was incomplete.
It turns out that we really cannot hold 'tty->ctrl_lock' over calling
__f_setown, because not only did that cause problems with interrupt
disables (which the second commit fixed), it also causes a potential
ABBA deadlock due to lock ordering.
Thanks to Tetsuo Handa for following up on the issue, and running
lockdep to show the problem. It goes roughly like this:
- f_getown gets filp->f_owner.lock for reading without interrupts
disabled, so an interrupt that happens while that lock is held can
cause a lockdep chain from f_owner.lock -> sighand->siglock.
- at the same time, the tty->ctrl_lock -> f_owner.lock chain that
commit 703625118069 introduced, together with the pre-existing
sighand->siglock -> tty->ctrl_lock chain means that we have a lock
dependency the other way too.
So instead of extending tty->ctrl_lock over the whole __f_setown() call,
we now just take a reference to the 'pid' structure while holding the
lock, and then release it after having done the __f_setown. That still
guarantees that 'struct pid' won't go away from under us, which is all
we really ever needed.
Reported-and-tested-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Greg Kroah-Hartman <firstname.lastname@example.org>
Acked-by: Américo Wang <email@example.com>
Signed-off-by: Linus Torvalds <firstname.lastname@example.org>
kernel-188.8.131.52-174.2.17.fc12 has been submitted as an update for Fedora 12.
kernel-184.108.40.206-174.2.19.fc12 has been submitted as an update for Fedora 12.
kernel-220.127.116.11-174.2.19.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
This issue did not affect the version of Linux kernel as shipped with Red Hat
Enterprise Linux 3, 4 and 5. This issue was addressed in Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2010-0161.html.