CVE Request: kernel: hvc_console: Fix race between hvc_close and hvc_remove

[dann frazier <dannf () dannf org>]

[cc'ing coley () linus mitre org]

On Wed, Jun 30, 2010 at 11:06:41PM -0600, dann frazier wrote:
> On Sat, Apr 17, 2010 at 11:26:46PM -0400, Michael Gilbert wrote:
> > On Sat, 17 Apr 2010 18:15:42 -0400 Michael Gilbert wrote:
> >
> > > On Thu, 04 Mar 2010 17:03:58 +0800 Eugene Teo wrote:
> > >
> > > > Heads-up. You might want to backport this if your kernel is affected. We 
> > > > are not requesting a CVE name for this as it does not affect any of our 
> > > > Red Hat supported kernels.
> > >
> > > are you sure about this?  i see the vulnerable code upstream in both
> > > 2.6.26 and 2.6.32.  does redhat not ship hvc in their kernels?  i think
> > > this should get a cve id because the more vanilla distros will have
> > > shipped with this included.
> >
> > i see that hvc_console is disabled by default in the debian kernels,
>
> Actually, upon review, I see that it is enabled (see the powerpc64
> image). Therefore, I'd like to request a CVE ID for it.
>
> > and i assume it is the same for the redhat kernels.
> >
> > are issues in features that are disabled by default generally treated
> > as unimportant? there are bound to be a (perhaps small) subset of users
> > turning these features on; exposing themselves to more risk if these
> > issues go unfixed. i suppose cve assignment depends on whether or not
> > there is an expectation to protect those users in addition to
> > defaults-using users. 
> >
> > mike

-- 
dann frazier