Bug 568621 (CVE-2010-2653) - CVE-2010-2653 kvm: vulnerability in the hvc_console code that gets exposed via the new virtio_console functionality
Summary: CVE-2010-2653 kvm: vulnerability in the hvc_console code that gets exposed vi...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2010-2653
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 568624 579408
Blocks:
Reported: 2010-02-26 06:56 UTC by Eugene Teo (Security Response)
Modified: 2021-02-25 01:37 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-03-29 10:14:38 UTC
Embargoed:


Description Eugene Teo (Security Response) 2010-02-26 06:56:28 UTC
Description of problem:
Alan pointed out a race in the code where hvc_remove is invoked. The recent virtio_console work is the first user of hvc_remove().

Alan describes it thus:

The hvc_console assumes that a close and remove call can't occur at the same time.

In addition tty_hangup(tty) is problematic as tty_hangup is asynchronous itself....

So this can happen

        hvc_close                               hvc_remove
        hung up ? - no
                                                lock
                                                tty = hp->tty
                                                unlock
        lock
        hp->tty = NULL
        unlock
        notify del
        kref_put the hvc struct
        close completes
        tty is destroyed
                                                tty_hangup dead tty
                                                tty->ops will be NULL
                                                NULL->...

This patch adds some tty krefs and also converts to using tty_vhangup().

Reported-by: Alan Cox <alan.org.uk>
Signed-off-by: Amit Shah <amit.shah>
CC: Alan Cox <alan.org.uk>
CC: linuxppc-dev
CC: Rusty Russell <rusty.au>
---

Alan, how does this version look?

I've tested with multiple virtio_console ports.

There's some other bug in the hvc_remove code that's unrelated: hot-removal of one console port causes all other hvc consoles to stop working. I'll look at that once this is finalised.

 drivers/char/hvc_console.c |   31 +++++++++++++++++++++----------
 1 files changed, 21 insertions(+), 10 deletions(-)

http://patchwork.kernel.org/patch/83353/
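The interleaving in the report can be replayed deterministically in user space. The model below is an added example, not the kernel's hvc_console code and not the patch linked above; struct tty, struct hvc, tty_kref_get_m() and tty_kref_put_m() are stand-ins for the kernel's tty, hvc_struct, tty_kref_get() and tty_kref_put(), and "destroying" a tty only clears its ops pointer and sets a flag so the dead tty can be inspected rather than dereferenced after a real free. run_race(false) walks the steps exactly as listed (close drops the last reference before remove hangs the tty up); run_race(true) shows the effect of the fix the description names, remove taking its own tty reference while it holds the lock and dropping it after the hangup.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed user-space model of the hvc_close()/hvc_remove() race.
 * Nothing here is kernel code; the names only mirror the kernel's so the
 * steps line up with the interleaving in the bug report. */

struct tty_ops { const char *name; };
static const struct tty_ops hvc_ops = { "hvc" };

struct tty {
    int kref;                   /* reference count (models the kernel tty kref) */
    const struct tty_ops *ops;  /* NULL once the tty is destroyed */
    bool destroyed;
};

struct hvc {
    struct tty *tty;            /* hp->tty */
};

struct race_outcome {
    bool tty_dead_at_hangup;    /* hangup ran against a destroyed tty (tty->ops == NULL) */
    bool tty_destroyed_at_end;  /* the tty was eventually released */
};

static void tty_kref_get_m(struct tty *t) { t->kref++; }

static void tty_kref_put_m(struct tty *t)
{
    if (--t->kref == 0) {       /* "tty is destroyed" */
        t->ops = NULL;
        t->destroyed = true;
    }
}

/* Replay the interleaving from the report, step by step, in one thread.
 * with_kref selects the patched behaviour: hvc_remove pins the tty while it
 * holds the lock and unpins it after the hangup. */
struct race_outcome run_race(bool with_kref)
{
    struct tty tty = { .kref = 1, .ops = &hvc_ops, .destroyed = false }; /* one open reference */
    struct hvc hp = { .tty = &tty };
    struct race_outcome out = { false, false };

    /* hvc_close: "hung up? - no", so it proceeds to tear the port down */

    /* hvc_remove: lock; tty = hp->tty; unlock */
    struct tty *removed = hp.tty;
    if (with_kref)
        tty_kref_get_m(removed);  /* patched: hold the tty across the unlock */

    /* hvc_close: lock; hp->tty = NULL; unlock; notify del; close completes */
    hp.tty = NULL;
    tty_kref_put_m(&tty);         /* the open's reference goes; last one without the fix */

    /* hvc_remove: tty_vhangup(tty) */
    out.tty_dead_at_hangup = (removed->ops == NULL);   /* the "NULL->..." in the report */
    if (!out.tty_dead_at_hangup)
        printf("hangup via %s ops\n", removed->ops->name);
    if (with_kref)
        tty_kref_put_m(removed);  /* patched: drop the pin; now the tty really goes away */

    out.tty_destroyed_at_end = tty.destroyed;
    return out;
}

int main(void)
{
    struct race_outcome unpatched = run_race(false);
    struct race_outcome patched = run_race(true);
    printf("unpatched: hangup hit dead tty = %d\n", unpatched.tty_dead_at_hangup);
    printf("patched:   hangup hit dead tty = %d, tty released = %d\n",
           patched.tty_dead_at_hangup, patched.tty_destroyed_at_end);
    return 0;
}
```

The point the model makes is that the lock alone does not help: remove copies hp->tty and then releases the lock, and from that moment the pointer is only as good as the reference count behind it. Holding a reference across the unlock turns the window into a harmless delayed release, which is why the patch's ordering (get under the lock, hangup, then put) matters more than any particular locking discipline.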

Comment 7 Eugene Teo (Security Response) 2010-03-04 08:58:36 UTC
http://patchwork.kernel.org/patch/83353/
http://lkml.org/lkml/2010/3/3/207

Comment 8 Eugene Teo (Security Response) 2010-03-04 09:06:13 UTC
Statement:

Not vulnerable. This issue did not affect the versions of KVM as shipped with Red Hat Enterprise Linux 5 as it does not contain the patch that introduced this vulnerability.

Comment 9 Kyle McMartin 2010-03-05 12:52:09 UTC
OK, thanks guys, I committed the fix for this to F-13 branch this morning.

Comment 18 Mike McCune 2016-03-28 23:33:48 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions

