Resolution for CVE-2015-4170 kernel: pty layer race condition on tty ldisc shutdown

Solution Unverified - Updated -

Issue

  • What is CVE-2015-4170?
  • System may panic with the following messages:
[362356.090399] ------------[ cut here ]------------
[362356.090409] WARNING: at drivers/tty/tty_ldisc.c:197 tty_ldisc_reinit+0x114/0x120()
[362356.090410] Modules linked in: usb_storage bonding dm_mod iTCO_wdt iTCO_vendor_support intel_powerclamp coretemp intel_rapl kvm_intel kvm crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel
[362356.090432] BUG: unable to handle kernel 
[362356.090434] NULL pointer dereference at 0000000000000248
[362356.090444] IP: [<ffffffff8138f325>] n_tty_set_room+0x85/0x140
[362356.090445] PGD 0 
[362356.090446] Oops: 0000 [#1] SMP 
[362356.090469] Modules linked in: usb_storage bonding dm_mod iTCO_wdt iTCO_vendor_support intel_powerclamp coretemp intel_rapl kvm_intel kvm crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd serio_raw pcspkr sb_edac edac_core lpc_ich i2c_i801 mfd_core hpilo sg hpwdt ioatdma shpchp wmi ipmi_si ipmi_msghandler acpi_power_meter binfmt_misc uinput ip_tables ext4 mbcache jbd2 sd_mod crc_t10dif crct10dif_common mgag200 syscopyarea sysfillrect sysimgblt drm_kms_helper ttm igb tg3 drm dca ptp i2c_algo_bit pps_core hpsa i2c_core
[362356.090472] CPU: 8 PID: 9459 Comm: kworker/8:1 Not tainted 3.10.0-229.el7.x86_64 #1
[362356.090473] Hardware name: HP ProLiant DL380 Gen9/ProLiant DL380 Gen9, BIOS P89 09/13/2016
[362356.090476] Workqueue: events flush_to_ldisc
[362356.090477] task: ffff883eb03f5b00 ti: ffff88339eeb8000 task.ti: ffff88339eeb8000
[362356.090480] RIP: 0010:[<ffffffff8138f325>]  [<ffffffff8138f325>] n_tty_set_room+0x85/0x140
[362356.090481] RSP: 0018:ffff88339eebbd28  EFLAGS: 00010246
[362356.090482] RAX: 0000000000000fff RBX: ffff887f15ffb800 RCX: 0000000000000000
[362356.090483] RDX: 0000000000000000 RSI: 000000000000001d RDI: ffff887f15ffb800
[362356.090483] RBP: ffff88339eebbd30 R08: 0000000000000282 R09: c000000000000000
[362356.090484] R10: de0312533d8af800 R11: 0000000000000246 R12: 0000000000000000
[362356.090485] R13: ffff8827d0e8a929 R14: ffff887f15ffb000 R15: ffff8827d0e8a829
[362356.090485] FS:  0000000000000000(0000) GS:ffff883f7fb00000(0000) knlGS:0000000000000000
[362356.090486] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[362356.090487] CR2: 0000000000000248 CR3: 00000074d6eac000 CR4: 00000000001407e0
[362356.090487] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[362356.090488] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[362356.090488] Stack:
[362356.090493]  ffff887f15ffb800 ffff88339eebbdd0 ffffffff813915dc ffff883eb03f5b68
[362356.090496]  ffff883f7fb13700 ffff887f15ffb9d8 ffff8827d0e8a829 0000000000000001
[362356.090500]  ffff88339eebbdb8 ffffffff810b2a3e ffffffff810abe65 ffff883f7fb13680
[362356.090500] Call Trace:
[362356.090504]  [<ffffffff813915dc>] n_tty_receive_buf+0x13c/0x470
[362356.090511]  [<ffffffff810b2a3e>] ? dequeue_task_fair+0x40e/0x620
[362356.090514]  [<ffffffff810abe65>] ? sched_clock_cpu+0xb5/0x100
[362356.090516]  [<ffffffff813949c9>] flush_to_ldisc+0x109/0x160
[362356.090521]  [<ffffffff8108f0ab>] process_one_work+0x17b/0x470
[362356.090522]  [<ffffffff8108fe8b>] worker_thread+0x11b/0x400
[362356.090524]  [<ffffffff8108fd70>] ? rescuer_thread+0x400/0x400
[362356.090530]  [<ffffffff8109726f>] kthread+0xcf/0xe0
[362356.090532]  [<ffffffff810971a0>] ? kthread_create_on_node+0x140/0x140
[362356.090537]  [<ffffffff81613cfc>] ret_from_fork+0x7c/0xb0
[362356.090539]  [<ffffffff810971a0>] ? kthread_create_on_node+0x140/0x140
[362356.090548] Code: 00 0f 85 96 00 00 00 48 8b 93 68 02 00 00 48 8b 35 59 29 69 00 bf 00 14 00 00 e8 77 e0 cf ff 5b 5d c3 0f 1f 40 00 b8 ff 0f 00 00 <2b> 82 48 02 00 00 85 c0 7f a2 f6 42 14 10 74 1b 8b 82 60 02 00 
[362356.090550] RIP  [<ffffffff8138f325>] n_tty_set_room+0x85/0x140
[362356.090551]  RSP <ffff88339eebbd28>
[362356.090551] CR2: 0000000000000248

Environment

  • Red Hat Enterprise Linux 7
