[kernel] r16023 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Fri Jul 30 14:43:32 UTC 2010
Author: dannf
Date: Fri Jul 30 14:43:26 2010
New Revision: 16023
Log:
hvc_console: Fix race between hvc_close and hvc_remove (CVE-2010-2653)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/hvc_console-fix-race-between-hvc_close-and-hvc_remove.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/24lenny1
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Wed Jul 28 02:51:10 2010 (r16022)
+++ dists/lenny-security/linux-2.6/debian/changelog Fri Jul 30 14:43:26 2010 (r16023)
@@ -2,6 +2,7 @@
* cifs: Fix a kernel BUG with remote OS/2 server (CVE-2010-2248)
* Fix race in tty_fasync() properly (CVE-2009-4895)
+ * hvc_console: Fix race between hvc_close and hvc_remove (CVE-2010-2653)
-- dann frazier <dannf at debian.org> Wed, 30 Jun 2010 00:32:02 -0600
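Review bot: the trailer line closing this stanza still reads "Wed, 30 Jun 2010 00:32:02 -0600" although the CVE-2010-2653 entry above it is committed on 30 Jul 2010, so the timestamp should be refreshed when the upload is prepared. The entry could also cite the upstream commit id given in the patch header (d3da819481b648303db11a3f90dc00f156d36ad5) so the fix can be traced from the changelog alone.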
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/hvc_console-fix-race-between-hvc_close-and-hvc_remove.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/hvc_console-fix-race-between-hvc_close-and-hvc_remove.patch Fri Jul 30 14:43:26 2010 (r16023)
@@ -0,0 +1,68 @@
+commit d3da819481b648303db11a3f90dc00f156d36ad5
+Author: Anton Blanchard <anton at samba.org>
+Date: Tue Apr 6 21:42:38 2010 +1000
+
+ hvc_console: Fix race between hvc_close and hvc_remove
+
+ I don't claim to understand the tty layer, but it seems like hvc_open and
+ hvc_close should be balanced in their kref reference counting.
+
+ Right now we get a kref every call to hvc_open:
+
+ if (hp->count++ > 0) {
+ tty_kref_get(tty); <----- here
+ spin_unlock_irqrestore(&hp->lock, flags);
+ hvc_kick();
+ return 0;
+ } /* else count == 0 */
+
+ tty->driver_data = hp;
+
+ hp->tty = tty_kref_get(tty); <------ or here if hp->count was 0
+
+ But hvc_close has:
+
+ tty_kref_get(tty);
+
+ if (--hp->count == 0) {
+ ...
+ /* Put the ref obtained in hvc_open() */
+ tty_kref_put(tty);
+ ...
+ }
+
+ tty_kref_put(tty);
+
+ Since the outside kref get/put balance we only do a single kref_put when
+ count reaches 0.
+
+ The patch below changes things to call tty_kref_put once for every
+ hvc_close call, and with that my machine boots fine.
+
+ Signed-off-by: Anton Blanchard <anton at samba.org>
+ Acked-by: Amit Shah <amit.shah at redhat.com>
+ Signed-off-by: Rusty Russell <rusty at rustcorp.com.au>
+ Debian-backport-by: dann frazier <dannf at debian.org>
+
+diff --git a/drivers/char/hvc_console.c b/drivers/char/hvc_console.c
+index ea04857..beb5a47 100644
+--- a/drivers/char/hvc_console.c
++++ b/drivers/char/hvc_console.c
+@@ -405,7 +405,6 @@ static void hvc_close(struct tty_struct *tty, struct file * filp)
+ hp = tty->driver_data;
+
+ spin_lock_irqsave(&hp->lock, flags);
+- tty_kref_get(tty);
+
+ if (--hp->count == 0) {
+ if (hp->irq_requested)
+@@ -416,9 +415,6 @@ static void hvc_close(struct tty_struct *tty, struct file * filp)
+ hp->tty = NULL;
+ spin_unlock_irqrestore(&hp->lock, flags);
+
+- /* Put the ref obtained in hvc_open() */
+- tty_kref_put(tty);
+-
+ /*
+ * Chain calls chars_in_buffer() and returns immediately if
+ * there is no buffered data otherwise sleeps on a wait queue
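Review bot: once the second inner hunk drops the tty_kref_put(tty) under "Put the ref obtained in hvc_open()", the only put left to balance each hvc_open reference is the unconditional tty_kref_put(tty) that the commit message shows at the end of hvc_close, and that line is outside the context shown here. Please confirm that this trailing put is present in the lenny tree's hvc_close, since without it every reference taken in hvc_open would be leaked instead of dropped once per close. The header carries a Debian-backport-by tag but does not say what was adapted relative to the upstream commit; a one-line note on the differences (or "applies unchanged") would help later reviewers. The subject names a race with hvc_remove, while the message only discusses the open/close kref balance, so a sentence tying the imbalance to the hvc_remove path would make the CVE fix easier to audit.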
Modified: dists/lenny-security/linux-2.6/debian/patches/series/24lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/24lenny1 Wed Jul 28 02:51:10 2010 (r16022)
+++ dists/lenny-security/linux-2.6/debian/patches/series/24lenny1 Fri Jul 30 14:43:26 2010 (r16023)
@@ -1,2 +1,3 @@
+ bugfix/all/cifs-fix-a-kernel-bug-with-remote-os-2-server-try-3.patch
+ bugfix/all/fix-race-in-tty_fasync-properly.patch
++ bugfix/all/hvc_console-fix-race-between-hvc_close-and-hvc_remove.patch