Bugzilla – Full Text Bug Listing
|Summary:||VUL-1: CVE-2015-4170: kernel: vulnerability in the kernel tty subsystem.|
|Product:||[Novell Products] SUSE Security Incidents||Reporter:||Andreas Stieger <astieger>|
|Component:||Incidents||Assignee:||Jiri Slaby <jslaby>|
|Status:||RESOLVED FIXED||QA Contact:||Security Team bot <security-team>|
|Priority:||P4 - Low||CC:||bpetkov, eugene.lezar, meissner, mhocko, smash_bz|
|Found By:||Security Response Team||Services Priority:|
|Marketing QA Status:||---||IT Deployment:||---|
Description Andreas Stieger 2015-06-03 08:43:41 UTC
via oss-sec http://seclists.org/oss-sec/2015/q2/545

> An issue was discovered in the linux kernel's tty subsystem handling during shutdown. The
> flaw was that a new tty thread could hold a reference to the ldisc lock used during
> the shutdown phase in the original thread and create a deadlock.
>
> This race occurs on hangup of tty. It races and hangs on ldsem_down_write on a semaphore
> that is being acquired by a new reader(CPU 1). The new reader/writer is sleeping
> in ldsem_down_read() and the hangup is sleeping in ldsem_down_write().
>
> The deadlock can occur under these conditions.
>
> CPU 0                         | CPU 1
>                               |
> _raw_spin_unlock_irq          | _raw_spin_unlock_irq+0x24/0x26
> down_write_failed             | down_read_failed+0xe3/0x1b9
> ldsem_down_write <-- here     | ldsem_down_read <--- here
> tty_ldisc_lock_pair_timeout   | tty_ldisc_ref_wait
> tty_ldisc_lock_pair_timeout   | tty_write
> tty_ldisc_hangup              | redirected_tty_write
> __tty_hangup                  | tty_write
> disassociate_ctty             | o_loop_readv_writev
> do_exit                       | do_readv_writev
>                               | SyS_writev
>
>
> This section of code was re-written upstream by creating a read/write semaphore to
> specially to handle ldisc, ldsem ( 4898e640caf03fdbaf2122d5a33949bf3e4a5b34 ).
>
> This issue was reproduced on a system under load when testing the reproducer for
> CVE-2014-0196, on a system that already has this issue fixed. No root permissions
> are required to recreate the deadlock.

Two year old though.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4170
http://seclists.org/oss-sec/2015/q2/613
https://bugzilla.redhat.com/show_bug.cgi?id=1218879
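Added example, not part of the bug report or the quoted advisory: a triage check that scans kernel hung-task reports for the two blocked call chains shown above, one task stuck in ldsem_down_write during hangup and another in ldsem_down_read. It assumes frames are printed as `[<addr>] symbol+0xoff/0xlen`; the function names `parse_hung_tasks` and `find_ldsem_deadlock` and the sample log are constructed for illustration.

```python
import re

# Frame names taken from the two call chains quoted in the advisory.
WRITER = {"ldsem_down_write", "tty_ldisc_hangup"}    # hangup side (CPU 0)
READER = {"ldsem_down_read", "tty_ldisc_ref_wait"}   # new reader side (CPU 1)
TASK_RE = re.compile(r"INFO: task (\S+):(\d+) blocked for more than \d+ seconds")
FRAME_RE = re.compile(r"\[<[0-9a-f]+>\]\s+\??\s*([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

def parse_hung_tasks(log):
    """Return [(comm, pid, set_of_frame_symbols)], one entry per hung-task report."""
    tasks, cur, in_trace = [], None, False
    for line in log.splitlines():
        m = TASK_RE.search(line)
        if m:
            cur = (m.group(1), int(m.group(2)), set())
            tasks.append(cur)
            in_trace = False
        elif cur and "Call Trace:" in line:
            in_trace = True
        elif cur and in_trace:
            f = FRAME_RE.search(line)
            if f:
                cur[2].add(f.group(1))
            else:
                cur = None  # trace ended; do not absorb frames from unrelated reports
    return tasks

def find_ldsem_deadlock(log):
    """Return (writer_pids, reader_pids) only when both sides of the hang are present."""
    tasks = parse_hung_tasks(log)
    writers = [pid for _, pid, frames in tasks if WRITER <= frames]
    readers = [pid for _, pid, frames in tasks if READER <= frames]
    return (writers, readers) if writers and readers else ([], [])

# Constructed sample log (addresses, offsets, PIDs and task names are made up).
SAMPLE_LOG = """\
[ 4801.112233] INFO: task sshd:2114 blocked for more than 120 seconds.
[ 4801.112240] Call Trace:
[ 4801.112250]  [<ffffffff8151a2c1>] ldsem_down_write+0xd1/0x1a0
[ 4801.112260]  [<ffffffff813a6a52>] tty_ldisc_hangup+0xc2/0x210
[ 4801.112265]  [<ffffffff8139e0f4>] __tty_hangup+0x2f4/0x3d0
[ 4801.112300] INFO: task logger:2120 blocked for more than 120 seconds.
[ 4801.112305] Call Trace:
[ 4801.112310]  [<ffffffff8151a0e3>] ldsem_down_read+0xe3/0x1b9
[ 4801.112315]  [<ffffffff813a5b90>] tty_ldisc_ref_wait+0x20/0x50
[ 4801.112320]  [<ffffffff8139d7c4>] tty_write+0x84/0x2a0
"""

print(find_ldsem_deadlock(SAMPLE_LOG))
```

A match on only one side returns empty lists, since a lone task blocked on the ldisc semaphore is not the pairing the advisory describes.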
Comment 1 Andreas Stieger 2015-06-03 08:50:45 UTC
Looks like this is in pre-SLE12 kernels
Comment 2 Swamp Workflow Management 2015-06-03 22:00:14 UTC
bugbot adjusting priority
Comment 4 Jiri Slaby 2015-06-10 10:09:24 UTC
This is fixed in v3.12.7 by:

commit ab69be3e59d79c56bfe16930f0c761daf4837e48
Author: Peter Hurley <firstname.lastname@example.org>
Date: Wed Dec 11 21:11:58 2013 -0500

    tty: Fix hang at ldsem_down_read()

    commit cf872776fc84128bb779ce2b83a37c884c3203ae upstream.

3.12.7 was in SLE-12-Server-Beta2 already.
Comment 5 Jiri Slaby 2015-06-10 10:11:15 UTC
The bug was introduced by:

commit 4898e640caf03fdbaf2122d5a33949bf3e4a5b34
Author: Peter Hurley <email@example.com>
Date: Tue Apr 16 06:15:50 2013 -0400

    tty: Add timed, writer-prioritized rw semaphore

in 3.11 and fixed by the commit above in 3.13.
Comment 6 Michal Hocko 2015-06-10 11:15:28 UTC
(In reply to Jiri Slaby from comment #5)
> The bug was introduced by:
> commit 4898e640caf03fdbaf2122d5a33949bf3e4a5b34
> Author: Peter Hurley <firstname.lastname@example.org>
> Date: Tue Apr 16 06:15:50 2013 -0400
>
> tty: Add timed, writer-prioritized rw semaphore
>
> in 3.11 and fixed by the commit above in 3.13.

That means no business for TD branches. Thanks!