Resolution for CVE-2015-4170 kernel: pty layer race condition on tty ldisc shutdown
Issue
- What is CVE-2015-4170?
- The system may panic with the following messages:
[362356.090399] ------------[ cut here ]------------
[362356.090409] WARNING: at drivers/tty/tty_ldisc.c:197 tty_ldisc_reinit+0x114/0x120()
[362356.090410] Modules linked in: usb_storage bonding dm_mod iTCO_wdt iTCO_vendor_support intel_powerclamp coretemp intel_rapl kvm_intel kvm crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel
[362356.090432] BUG: unable to handle kernel
[362356.090434] NULL pointer dereference at 0000000000000248
[362356.090444] IP: [<ffffffff8138f325>] n_tty_set_room+0x85/0x140
[362356.090445] PGD 0
[362356.090446] Oops: 0000 [#1] SMP
[362356.090469] Modules linked in: usb_storage bonding dm_mod iTCO_wdt iTCO_vendor_support intel_powerclamp coretemp intel_rapl kvm_intel kvm crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd serio_raw pcspkr sb_edac edac_core lpc_ich i2c_i801 mfd_core hpilo sg hpwdt ioatdma shpchp wmi ipmi_si ipmi_msghandler acpi_power_meter binfmt_misc uinput ip_tables ext4 mbcache jbd2 sd_mod crc_t10dif crct10dif_common mgag200 syscopyarea sysfillrect sysimgblt drm_kms_helper ttm igb tg3 drm dca ptp i2c_algo_bit pps_core hpsa i2c_core
[362356.090472] CPU: 8 PID: 9459 Comm: kworker/8:1 Not tainted 3.10.0-229.el7.x86_64 #1
[362356.090473] Hardware name: HP ProLiant DL380 Gen9/ProLiant DL380 Gen9, BIOS P89 09/13/2016
[362356.090476] Workqueue: events flush_to_ldisc
[362356.090477] task: ffff883eb03f5b00 ti: ffff88339eeb8000 task.ti: ffff88339eeb8000
[362356.090480] RIP: 0010:[<ffffffff8138f325>] [<ffffffff8138f325>] n_tty_set_room+0x85/0x140
[362356.090481] RSP: 0018:ffff88339eebbd28 EFLAGS: 00010246
[362356.090482] RAX: 0000000000000fff RBX: ffff887f15ffb800 RCX: 0000000000000000
[362356.090483] RDX: 0000000000000000 RSI: 000000000000001d RDI: ffff887f15ffb800
[362356.090483] RBP: ffff88339eebbd30 R08: 0000000000000282 R09: c000000000000000
[362356.090484] R10: de0312533d8af800 R11: 0000000000000246 R12: 0000000000000000
[362356.090485] R13: ffff8827d0e8a929 R14: ffff887f15ffb000 R15: ffff8827d0e8a829
[362356.090485] FS: 0000000000000000(0000) GS:ffff883f7fb00000(0000) knlGS:0000000000000000
[362356.090486] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[362356.090487] CR2: 0000000000000248 CR3: 00000074d6eac000 CR4: 00000000001407e0
[362356.090487] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[362356.090488] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[362356.090488] Stack:
[362356.090493] ffff887f15ffb800 ffff88339eebbdd0 ffffffff813915dc ffff883eb03f5b68
[362356.090496] ffff883f7fb13700 ffff887f15ffb9d8 ffff8827d0e8a829 0000000000000001
[362356.090500] ffff88339eebbdb8 ffffffff810b2a3e ffffffff810abe65 ffff883f7fb13680
[362356.090500] Call Trace:
[362356.090504] [<ffffffff813915dc>] n_tty_receive_buf+0x13c/0x470
[362356.090511] [<ffffffff810b2a3e>] ? dequeue_task_fair+0x40e/0x620
[362356.090514] [<ffffffff810abe65>] ? sched_clock_cpu+0xb5/0x100
[362356.090516] [<ffffffff813949c9>] flush_to_ldisc+0x109/0x160
[362356.090521] [<ffffffff8108f0ab>] process_one_work+0x17b/0x470
[362356.090522] [<ffffffff8108fe8b>] worker_thread+0x11b/0x400
[362356.090524] [<ffffffff8108fd70>] ? rescuer_thread+0x400/0x400
[362356.090530] [<ffffffff8109726f>] kthread+0xcf/0xe0
[362356.090532] [<ffffffff810971a0>] ? kthread_create_on_node+0x140/0x140
[362356.090537] [<ffffffff81613cfc>] ret_from_fork+0x7c/0xb0
[362356.090539] [<ffffffff810971a0>] ? kthread_create_on_node+0x140/0x140
[362356.090548] Code: 00 0f 85 96 00 00 00 48 8b 93 68 02 00 00 48 8b 35 59 29 69 00 bf 00 14 00 00 e8 77 e0 cf ff 5b 5d c3 0f 1f 40 00 b8 ff 0f 00 00 <2b> 82 48 02 00 00 85 c0 7f a2 f6 42 14 10 74 1b 8b 82 60 02 00
[362356.090550] RIP [<ffffffff8138f325>] n_tty_set_room+0x85/0x140
[362356.090551] RSP <ffff88339eebbd28>
[362356.090551] CR2: 0000000000000248
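
A triage sketch for the trace above, added here as an example and not Red Hat's code: it scans a kernel log for bursts of messages containing the NULL pointer dereference in `n_tty_set_room` reached from `flush_to_ldisc`, and records whether the `tty_ldisc_reinit` warning accompanied it. The function name, the one-second grouping window and the sample log (trimmed from the trace on this page, plus one unrelated line) are assumptions made for the example.

```python
import re

# Constructed sample: trimmed copy of the trace on this page plus one unrelated line.
SAMPLE_LOG = """\
[362356.090399] ------------[ cut here ]------------
[362356.090409] WARNING: at drivers/tty/tty_ldisc.c:197 tty_ldisc_reinit+0x114/0x120()
[362356.090432] BUG: unable to handle kernel
[362356.090434] NULL pointer dereference at 0000000000000248
[362356.090444] IP: [<ffffffff8138f325>] n_tty_set_room+0x85/0x140
[362356.090472] CPU: 8 PID: 9459 Comm: kworker/8:1 Not tainted 3.10.0-229.el7.x86_64 #1
[362356.090476] Workqueue: events flush_to_ldisc
[362356.090516] [<ffffffff813949c9>] flush_to_ldisc+0x109/0x160
[400000.000001] usb 1-1: new high-speed USB device number 2 using xhci_hcd
"""

LINE = re.compile(r"\[\s*(\d+\.\d+)\]\s?(.*)$")        # tolerates a syslog prefix
WARN = re.compile(r"WARNING: at drivers/tty/tty_ldisc\.c:\d+ tty_ldisc_reinit\+")
FAULT_IP = re.compile(r"^R?IP\b.*\bn_tty_set_room\+")  # faulting instruction pointer
FLUSH = re.compile(r"\bflush_to_ldisc\b")              # workqueue item / call trace
KERNEL = re.compile(r"Comm: .* (\S+) #\d+")            # kernel release on the CPU line

def find_ldisc_shutdown_oops(log_text, max_gap=1.0):
    """Return one dict per burst of kernel messages matching the page's trace."""
    hits, burst, last_ts = [], None, None

    def close(b):
        # Core signature: fault in n_tty_set_room on the flush_to_ldisc path.
        # The tty_ldisc_reinit warning is reported as corroborating evidence.
        if b and b["fault"] and b["flush"]:
            hits.append({"start": b["start"], "kernel": b["kernel"],
                         "ldisc_warning": b["warn"]})

    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        ts, msg = float(m.group(1)), m.group(2)
        if burst is None or ts - last_ts > max_gap:   # timestamp gap starts a new burst
            close(burst)
            burst = {"start": ts, "warn": False, "fault": False,
                     "flush": False, "kernel": None}
        last_ts = ts
        burst["warn"] |= bool(WARN.search(msg))
        burst["fault"] |= bool(FAULT_IP.search(msg))
        burst["flush"] |= bool(FLUSH.search(msg))
        k = KERNEL.search(msg)
        if k and burst["kernel"] is None:
            burst["kernel"] = k.group(1)
    close(burst)
    return hits
```

Feed it the text of `dmesg` output or a saved console log; the reported kernel release can then be compared against the installed and fixed package versions.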
Environment
- Red Hat Enterprise Linux 7