Bug 933423 (CVE-2015-4170)

Summary: VUL-1: CVE-2015-4170: kernel: vulnerability in the kernel tty subsystem.
Product: [Novell Products] SUSE Security Incidents
Reporter: Andreas Stieger <astieger>
Component: Incidents
Assignee: Jiri Slaby <jslaby>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P4 - Low
CC: bpetkov, eugene.lezar, meissner, mhocko, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/117299/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Andreas Stieger 2015-06-03 08:43:41 UTC
via oss-sec http://seclists.org/oss-sec/2015/q2/545

> An issue was discovered in the linux kernel's tty subsystem handling during shutdown. The
> flaw was that a new tty thread could hold a reference to the ldisc lock used during
> the shutdown phase in the original thread and create a deadlock.
> 
> This race occurs on hangup of tty. It races and hangs on ldsem_down_write on a semaphore
> that is being acquired by a new reader (CPU 1). The new reader/writer is sleeping
> in ldsem_down_read() and the hangup is sleeping in ldsem_down_write().
> 
> The deadlock can occur under these conditions.
> 
>    CPU 0                                   |  CPU 1
>                                            |
> _raw_spin_unlock_irq                       | _raw_spin_unlock_irq+0x24/0x26
> down_write_failed                          | down_read_failed+0xe3/0x1b9
> ldsem_down_write <-- here                  | ldsem_down_read  <--- here
> tty_ldisc_lock_pair_timeout                | tty_ldisc_ref_wait
> tty_ldisc_lock_pair_timeout                | tty_write
> tty_ldisc_hangup                           | redirected_tty_write
> __tty_hangup                               | tty_write
> disassociate_ctty                          | o_loop_readv_writev
> do_exit                                    | do_readv_writev
>                                            | SyS_writev
> 
> 
> This section of code was re-written upstream by creating a read/write semaphore
> specially to handle ldisc, ldsem ( 4898e640caf03fdbaf2122d5a33949bf3e4a5b34 ).
> 
> This issue was reproduced on a system under load when testing the reproducer for
> CVE-2014-0196, on a system that already has this issue fixed.  No root permissions
> are required to recreate the deadlock.

Two years old though.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4170
http://seclists.org/oss-sec/2015/q2/613
https://bugzilla.redhat.com/show_bug.cgi?id=1218879
Comment 1 Andreas Stieger 2015-06-03 08:50:45 UTC
Looks like this is in pre-SLE12 kernels
Comment 2 Swamp Workflow Management 2015-06-03 22:00:14 UTC
bugbot adjusting priority
Comment 4 Jiri Slaby 2015-06-10 10:09:24 UTC
This is fixed in v3.12.7 by:
commit ab69be3e59d79c56bfe16930f0c761daf4837e48
Author: Peter Hurley <peter@hurleysoftware.com>
Date:   Wed Dec 11 21:11:58 2013 -0500

    tty: Fix hang at ldsem_down_read()
    
    commit cf872776fc84128bb779ce2b83a37c884c3203ae upstream.

3.12.7 was in SLE-12-Server-Beta2 already.
Comment 5 Jiri Slaby 2015-06-10 10:11:15 UTC
The bug was introduced by:
commit 4898e640caf03fdbaf2122d5a33949bf3e4a5b34
Author: Peter Hurley <peter@hurleysoftware.com>
Date:   Tue Apr 16 06:15:50 2013 -0400

    tty: Add timed, writer-prioritized rw semaphore

in 3.11 and fixed by the commit above in 3.13.
Comment 6 Michal Hocko 2015-06-10 11:15:28 UTC
(In reply to Jiri Slaby from comment #5)
> The bug was introduced by:
> commit 4898e640caf03fdbaf2122d5a33949bf3e4a5b34
> Author: Peter Hurley <peter@hurleysoftware.com>
> Date:   Tue Apr 16 06:15:50 2013 -0400
> 
>     tty: Add timed, writer-prioritized rw semaphore
> 
> in 3.11 and fixed by the commit above in 3.13.

That means not business for TD branches. Thanks!