Bug 568621 - (CVE-2010-2653) CVE-2010-2653 kvm: vulnerability in the hvc_console code that gets exposed via the new virtio_console functionality
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: high, Severity: high
Assigned To: Red Hat Product Security
reported=20100226,public=20100226,sou...
Keywords: Security
Depends On: 568624 579408
Reported: 2010-02-26 01:56 EST by Eugene Teo (Security Response)
Modified: 2016-03-29 06:14 EDT (History)
Doc Type: Bug Fix
Last Closed: 2016-03-29 06:14:38 EDT

Description Eugene Teo (Security Response) 2010-02-26 01:56:28 EST
Description of problem:
Alan pointed out a race in the code where hvc_remove is invoked. The recent virtio_console work is the first user of hvc_remove().

Alan describes it thus:

The hvc_console assumes that a close and remove call can't occur at the same time.

In addition tty_hangup(tty) is problematic as tty_hangup is asynchronous itself....

So this can happen

        hvc_close                               hvc_remove
        hung up ? - no
                                                lock
                                                tty = hp->tty
                                                unlock
        lock
        hp->tty = NULL
        unlock
        notify del
        kref_put the hvc struct
        close completes
        tty is destroyed
                                                tty_hangup dead tty
                                                tty->ops will be NULL
                                                NULL->...

This patch adds some tty krefs and also converts to using tty_vhangup().

Reported-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Amit Shah <amit.shah@redhat.com>
CC: Alan Cox <alan@lxorguk.ukuu.org.uk>
CC: linuxppc-dev@ozlabs.org
CC: Rusty Russell <rusty@rustcorp.com.au>
---

Alan, how does this version look?

I've tested with multiple virtio_console ports.

There's some other bug in the hvc_remove code that's unrelated: hot-removal of one console port causes all other hvc consoles to stop working. I'll look at that once this is finalised.

 drivers/char/hvc_console.c |   31 +++++++++++++++++++++----------
 1 files changed, 21 insertions(+), 10 deletions(-)

http://patchwork.kernel.org/patch/83353/
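
The interleaving in the diagram above, replayed step by step as a deterministic user-space model in C. This is an added example, not the patch and not kernel code; `replay`, `model_get`, `model_put` and `model_hangup` are hypothetical names. As an assumption of the model, the asynchronous hangup is represented as work that runs after the remove path has dropped its own reference.

```c
#include <stddef.h>

/* Constructed user-space model, not kernel code: a refcounted tty and the
 * hvc struct that points at it (hp->tty in the diagram above). */
struct tty { int refs; int destroyed; };
struct hvc { struct tty *tty; };

static struct tty *model_get(struct tty *t) { if (t) t->refs++; return t; }
static void model_put(struct tty *t) { if (t && --t->refs == 0) t->destroyed = 1; }

/* Hangup dereferences the tty; -1 stands in for the NULL->... crash. */
static int model_hangup(const struct tty *t) { return t->destroyed ? -1 : 0; }

/* take_ref: the remove path takes its own reference while holding the lock.
 * sync:     hangup runs before that reference is dropped; otherwise it is
 *           modelled (assumption) as deferred work that runs afterwards.
 * Returns 0 if hangup saw a live tty, -1 if it saw a destroyed one. */
int replay(int take_ref, int sync, int *destroyed_at_end)
{
    struct tty tty = { .refs = 1, .destroyed = 0 };  /* ref held by the open file */
    struct hvc hp = { .tty = &tty };
    struct tty *t;
    int rc = 0;

    /* hvc_remove: lock; tty = hp->tty; unlock */
    t = take_ref ? model_get(hp.tty) : hp.tty;

    /* hvc_close: lock; hp->tty = NULL; unlock; close completes, its ref is dropped */
    hp.tty = NULL;
    model_put(&tty);

    /* hvc_remove resumes with its local pointer */
    if (sync)
        rc = model_hangup(t);   /* runs while the remove path's reference pins the tty */
    if (take_ref)
        model_put(t);
    if (!sync)
        rc = model_hangup(t);   /* deferred work, after the reference is gone */

    *destroyed_at_end = tty.destroyed;
    return rc;
}
```

In the model, only the combination of a reference taken under the lock and a hangup that completes before that reference is dropped leaves the hangup operating on a live tty, and the tty is still released at the end.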
Comment 7 Eugene Teo (Security Response) 2010-03-04 03:58:36 EST
http://patchwork.kernel.org/patch/83353/
http://lkml.org/lkml/2010/3/3/207
Comment 8 Eugene Teo (Security Response) 2010-03-04 04:06:13 EST
Statement:

Not vulnerable. This issue did not affect the versions of KVM as shipped with Red Hat Enterprise Linux 5 as they do not contain the patch that introduced this vulnerability.
Comment 9 Kyle McMartin 2010-03-05 07:52:09 EST
OK, thanks guys, I committed the fix for this to F-13 branch this morning.
Comment 18 Mike McCune 2016-03-28 19:33:48 EDT
This bug was accidentally moved from POST to MODIFIED via an error in automation; please see mmccune@redhat.com with any questions.
