Bug 568621 - (CVE-2010-2653) CVE-2010-2653 kvm: vulnerability in the hvc_console code that gets exposed via the new virtio_console functionality
Product: Security Response
Classification: Other
Component: vulnerability
All Linux
high Severity high
Assigned To: Red Hat Product Security
: Security
Depends On: 568624 579408
Reported: 2010-02-26 01:56 EST by Eugene Teo (Security Response)
Modified: 2016-03-29 06:14 EDT (History)
Doc Type: Bug Fix
Last Closed: 2016-03-29 06:14:38 EDT
Description Eugene Teo (Security Response) 2010-02-26 01:56:28 EST
Description of problem:
Alan pointed out a race in the code where hvc_remove is invoked. The recent virtio_console work is the first user of hvc_remove().

Alan describes it thus:

The hvc_console assumes that a close and remove call can't occur at the same time.

In addition tty_hangup(tty) is problematic as tty_hangup is asynchronous itself....

So this can happen

        hvc_close                               hvc_remove
        hung up ? - no
                                                tty = hp->tty
        hp->tty = NULL
        notify del
        kref_put the hvc struct
        close completes
        tty is destroyed
                                                tty_hangup dead tty
                                                tty->ops will be NULL

This patch adds some tty krefs and also converts to using tty_vhangup().

Reported-by: Alan Cox <>
Signed-off-by: Amit Shah <>
CC: Alan Cox <>
CC: Rusty Russell <>

Alan, how does this version look?

I've tested with multiple virtio_console ports.

There's some other bug in the hvc_remove code that's unrelated: hot-removal of one console port causes all other hvc consoles to stop working. I'll look at that once this is finalised.

 drivers/char/hvc_console.c |   31 +++++++++++++++++++++----------
 1 files changed, 21 insertions(+), 10 deletions(-)
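
The interleaving in the diagram above can be replayed deterministically in user space. The following is an added example, not the kernel patch or code from this report: model_tty, model_hvc and replay_race are hypothetical names, locking is omitted, and the tty is only flagged as destroyed rather than freed so that the stale access is observable.

```c
/* User-space model (constructed, not kernel code) of the hvc_close /
 * hvc_remove ordering shown in the report's diagram. */
#include <stdbool.h>
#include <stddef.h>

struct model_tty { int refs; bool destroyed; };   /* stands in for the tty */
struct model_hvc { struct model_tty *tty; };      /* stands in for hp */

static struct model_tty *tty_get(struct model_tty *t)
{
    if (t) t->refs++;
    return t;
}

static void tty_put(struct model_tty *t)
{
    if (t && --t->refs == 0) t->destroyed = true; /* last ref: tty is destroyed */
}

/* Returns true if the hangup reached a live tty, false if it hit a dead one. */
static bool hangup(struct model_tty *t) { return !t->destroyed; }

/* Replays the diagram: remove samples hp->tty, close runs to completion,
 * then remove hangs up. take_ref selects the reference-holding variant. */
static bool replay_race(bool take_ref)
{
    struct model_tty tty = { .refs = 1, .destroyed = false }; /* ref held by the open */
    struct model_hvc hp = { .tty = &tty };

    /* hvc_remove: tty = hp->tty, with or without taking a reference */
    struct model_tty *seen = take_ref ? tty_get(hp.tty) : hp.tty;

    /* hvc_close: hp->tty = NULL, close completes, the open's ref is dropped */
    struct model_tty *closing = hp.tty;
    hp.tty = NULL;
    tty_put(closing);

    /* hvc_remove resumes and hangs up the tty it sampled earlier */
    bool ok = hangup(seen);
    if (take_ref) tty_put(seen);
    return ok;
}

int main(void)
{
    /* Without a reference the hangup hits a destroyed tty; with one it does not. */
    return (!replay_race(false) && replay_race(true)) ? 0 : 1;
}
```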
Comment 7 Eugene Teo (Security Response) 2010-03-04 03:58:36 EST
Comment 8 Eugene Teo (Security Response) 2010-03-04 04:06:13 EST

Not vulnerable. This issue did not affect the versions of KVM as shipped with Red Hat Enterprise Linux 5 as it does not contain the patch that introduced this vulnerability.
Comment 9 Kyle McMartin 2010-03-05 07:52:09 EST
OK, thanks guys, I committed the fix for this to F-13 branch this morning.
Comment 18 Mike McCune 2016-03-28 19:33:48 EDT
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see with any questions