Date: Thu, 3 Sep 2009 15:11:21 -0700
From: Greg KH <greg@...ah.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>, Greg KH <gregkh@...e.de>
Subject: Re: CVE request: kernel: tty: make sure to flush
 any pending work when halting the ldisc

On Mon, Aug 31, 2009 at 11:52:21AM +0800, Eugene Teo wrote:
> The tty ldisc code was rewritten to use proper reference counts (commits 
> 65b770468e98 and cbe9352fa08f) in order to avoid a race with hangup, but 
> it also introduced another bug that can result in various problems such 
> as a NULL pointer dereference in run_timer_softirq() or a BUG() in 
> worker_thread. More info in the patch.
> 
> Upstream commit:
> http://git.kernel.org/linus/5c58ceff103d8a654f24769bb1baaf84a841b0cc
> 
> Reproducer:
> http://lkml.org/lkml/2009/8/20/27
> http://lkml.org/lkml/2009/8/20/68
> 
> Backtrace:
> http://lkml.org/lkml/2009/8/20/21
> 
> I believe this affects kernel versions greater than v2.6.26. The code in 
> drivers/char/tty_ldisc.c was from drivers/char/tty_io.c before it was 
> split into its own file in v2.6.27-rc1 (commit 01e1abb2). I did not 
> investigate further.

Are you sure about this?  It only looks to be a problem in the 2.6.31-rc
tree, as both of the above referenced patches are in that tree (showed
up in 2.6.31-rc6).

Do you have a backported patch to 2.6.30 that you think fixes the
problem?

thanks,

greg k-h
