Red Hat Bugzilla – Bug 568621
CVE-2010-2653 kvm: vulnerability in the hvc_console code that gets exposed via the new virtio_console functionality
Last modified: 2016-03-29 06:14:38 EDT
Description of problem:
Alan pointed out a race in the code where hvc_remove is invoked. The recent virtio_console work is the first user of hvc_remove().
Alan describes it thus:
The hvc_console assumes that a close and remove call can't occur at the same time.
In addition tty_hangup(tty) is problematic as tty_hangup is asynchronous itself....
So this can happen
hung up ? - no
tty = hp->tty
hp->tty = NULL
kref_put the hvc struct
tty is destroyed
tty_hangup dead tty
tty->ops will be NULL
This patch adds some tty krefs and also converts to using tty_vhangup().
Reported-by: Alan Cox <firstname.lastname@example.org>
Signed-off-by: Amit Shah <email@example.com>
CC: Alan Cox <firstname.lastname@example.org>
CC: Rusty Russell <email@example.com>
Alan, how does this version look?
I've tested with multiple virtio_console ports.
There's some other bug in the hvc_remove code that's unrelated: hot-removal of one console port causes all other hvc consoles to stop working. I'll look at that once this is finalised.
drivers/char/hvc_console.c | 31 +++++++++++++++++++++----------
1 files changed, 21 insertions(+), 10 deletions(-)
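As an added illustration (not code from the patch or the kernel), the following C model plays the interleaving described above in a single thread: hvc_remove saves a copy of hp->tty, a concurrent close clears the pointer and drops the references so the tty is destroyed, and remove then hangs up through the stale pointer. The struct and function names are hypothetical stand-ins; destruction is modelled by clearing tty->ops rather than freeing memory, so the stale use is observable instead of undefined behaviour.

```c
#include <stddef.h>

/* Minimal stand-ins for the kernel objects (hypothetical names, not kernel code). */
struct tty_ops { int (*hangup)(void); };
static int live_hangup(void) { return 1; }            /* hangup ran on a live tty */
static struct tty_ops live_ops = { live_hangup };

struct tty_struct { int kref; struct tty_ops *ops; };
struct hvc_struct { int kref; struct tty_struct *tty; };

/* Last reference gone: the tty layer would free the tty; here we only clear
 * ops so the stale use below is observable ("tty->ops will be NULL"). */
static void tty_kref_put(struct tty_struct *t)
{
    if (t && --t->kref == 0)
        t->ops = NULL;
}

/* hvc_close as in the report: drop hp->tty and the hvc ref, then the tty
 * layer finishes close and destroys the tty (its last reference). */
static void model_hvc_close(struct hvc_struct *hp)
{
    struct tty_struct *t = hp->tty;
    hp->tty = NULL;
    hp->kref--;                 /* kref_put the hvc struct */
    tty_kref_put(t);            /* close completes, tty is destroyed */
}

/* Interleave the two paths as the report describes. take_kref == 0 models the
 * unpatched logic: remove's saved pointer outlives the tty. take_kref == 1
 * models the fix: remove holds its own tty kref across the hangup.
 * Returns 1 if hangup ran on a live tty, 0 if it hit a dead one (ops NULL). */
static int hvc_remove_race(int take_kref)
{
    struct tty_struct tty = { 1, &live_ops };
    struct hvc_struct hp = { 1, &tty };
    int rc;

    struct tty_struct *saved = hp.tty;      /* hvc_remove: tty = hp->tty */
    if (take_kref && saved)
        saved->kref++;                      /* fix: tty_kref_get(tty) */

    model_hvc_close(&hp);                   /* concurrent close runs to completion */

    rc = (saved->ops != NULL) ? saved->ops->hangup() : 0;   /* hvc_remove: hangup */
    if (take_kref)
        tty_kref_put(saved);                /* fix: put the kref after hangup */
    return rc;
}
```

With the extra kref the tty stays alive until hvc_remove is done with it; without it, the hangup is attempted on a destroyed tty, which is the crash the report describes.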
Not vulnerable. This issue did not affect the versions of KVM as shipped with Red Hat Enterprise Linux 5 as it does not contain the patch that introduced this vulnerability.
OK, thanks guys, I committed the fix for this to F-13 branch this morning.
This bug was accidentally moved from POST to MODIFIED via an error in automation; please see firstname.lastname@example.org with any questions