CVE request: vulnerability in the kernel tty subsystem.

[Wade Mealing <wmealing () redhat com>]

Gday,

An issue was discovered in the linux kernel's tty subsystem handling during shutdown. The
flaw was that a new tty thread could hold a reference to the ldisc lock used during
the shutdown phase in the original thread and create a deadlock.

This race occurs on hangup of tty.  It races and hangs on ldsem_down_write on a semaphore 
that is being aquired by a new reader(CPU 1).  The new reader/writer is sleeping
in ldsem_down_read() and the hangup is sleeping in ldsem_down_write().

The deadlock can occur under these conditions.

   CPU 0                                   |  CPU 1
                                           |
_raw_spin_unlock_irq                       | _raw_spin_unlock_irq+0x24/0x26
down_write_failed                          | down_read_failed+0xe3/0x1b9
ldsem_down_write <-- here                  | ldsem_down_read  <--- here
tty_ldisc_lock_pair_timeout                | tty_ldisc_ref_wait
tty_ldisc_lock_pair_timeout                | tty_write
tty_ldisc_hangup                           | redirected_tty_write
__tty_hangup                               | tty_write
disassociate_ctty                          | o_loop_readv_writev
do_exit                                    | do_readv_writev
                                           | SyS_writev


This section of code was re-written upstream by creating a read/write semaphore to
specially to handle ldisc, ldsem ( 4898e640caf03fdbaf2122d5a33949bf3e4a5b34 ).  

This issue was reproduced on a system under load when testing the reproducer for
CVE-2014-0196, on a system that already has this issue fixed.  No root permissions
are required to recreate the deadlock.

I would like to request a CVE for this issue.

Thanks,

Wade Mealing
Red Hat Product Security


References:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0196
https://bugzilla.redhat.com/show_bug.cgi?id=1218879