Date: Tue, 26 May 2015 02:18:53 -0400 (EDT)
From: Wade Mealing <wmealing@...hat.com>
To: OSS Security List <oss-security@...ts.openwall.com>
Cc: cve-assign@...re.org
Subject: CVE request: vulnerability in the kernel tty subsystem.

Gday,

An issue was discovered in the Linux kernel's tty subsystem handling during shutdown. The flaw was that a new tty thread could hold a reference to the ldisc lock used during the shutdown phase in the original thread and create a deadlock.

This race occurs on hangup of a tty. It races and hangs in ldsem_down_write on a semaphore that is being acquired by a new reader (CPU 1). The new reader/writer is sleeping in ldsem_down_read() and the hangup is sleeping in ldsem_down_write(). The deadlock can occur under these conditions:

    CPU 0                          | CPU 1
    _raw_spin_unlock_irq           | _raw_spin_unlock_irq+0x24/0x26
    down_write_failed              | down_read_failed+0xe3/0x1b9
    ldsem_down_write <-- here      | ldsem_down_read <--- here
    tty_ldisc_lock_pair_timeout    | tty_ldisc_ref_wait
    tty_ldisc_lock_pair_timeout    | tty_write
    tty_ldisc_hangup               | redirected_tty_write
    __tty_hangup                   | tty_write
    disassociate_ctty              | o_loop_readv_writev
    do_exit                        | do_readv_writev
                                   | SyS_writev

This section of code was re-written upstream by creating a read/write semaphore specifically to handle ldisc, ldsem (4898e640caf03fdbaf2122d5a33949bf3e4a5b34).

This issue was reproduced on a system under load when testing the reproducer for CVE-2014-0196, on a system that already has this issue fixed. No root permissions are required to recreate the deadlock.

I would like to request a CVE for this issue.

Thanks,

Wade Mealing
Red Hat Product Security

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0196
https://bugzilla.redhat.com/show_bug.cgi?id=1218879