Bug 625688 (CVE-2010-4243)

Summary: CVE-2010-4243 kernel: mm: mem allocated invisible to oom_kill() when not attached to any threads
Product: [Other] Security Response
Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: arozansk, bhu, cperry, dfeng, dhoward, jkacur, jlieskov, jmalanik, lgoncalv, lwang, lwoodman, onestero, peterm, plyons, rkhan, roland, tcallawa, williams
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20100813,reported=20100813,source=twitter,cvss2=4.9/AV:L/AC:L/Au:N/C:N/I:N/A:C
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-02-01 16:40:39 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 625691, 625692, 625693, 625694, 625695, 627811
Bug Blocks:

Description Eugene Teo (Security Response) 2010-08-20 07:05:24 UTC
Description of problem:
This issue was mentioned in http://grsecurity.net/~spender/64bit_dos.c. Written in the comments: "The second bug here is that the memory usage explodes within the kernel from a single 128k allocation in userland. The explosion of memory isn't accounted for by any task so it won't be terminated by the OOM killer."

Acknowledgements:

Red Hat would like to thank Brad Spengler for reporting this issue.

Comment 7 Eugene Teo (Security Response) 2010-09-01 04:37:56 UTC
Two issues here: the BUG_ON condition and the OOM dodging issue.

Roland proposed the solution to the BUG_ON issue with http://lkml.org/lkml/2010/8/30/463 as opposed to Kees's http://www.openwall.com/lists/oss-security/2010/08/27/1.

And Motohiro-san proposed http://lkml.org/lkml/2010/8/29/206 for the OOM dodging issue, but no feedback yet.

re: reproducer, Alexander noted http://lkml.org/lkml/2010/8/30/378.

So I see two possible CVE assignments.

Comment 8 Eugene Teo (Security Response) 2010-09-01 04:39:24 UTC
Introduced by upstream commit b6a2fea39318e43fee84fa7b0b90d68bed92d2ba.

For my reference, bug 443659 (rhel-5).

Comment 14 Eugene Teo (Security Response) 2010-10-21 03:57:08 UTC
The top-level bug for the BUG_ON issue is bug 645222. This bug will be used to address the OOM dodging issue.

Comment 15 Eugene Teo (Security Response) 2010-10-25 03:50:45 UTC
Update:
http://lkml.org/lkml/2010/10/24/207

Comment 16 Eugene Teo (Security Response) 2010-12-01 02:05:56 UTC
(In reply to comment #15)
> Update:
> http://lkml.org/lkml/2010/10/24/207

http://linux.derkeiler.com/Mailing-Lists/Kernel/2010-11/msg13278.html

Comment 17 Danny Feng 2010-12-01 02:33:18 UTC
(In reply to comment #16)
> (In reply to comment #15)
> > Update:
> > http://lkml.org/lkml/2010/10/24/207
> 
> http://linux.derkeiler.com/Mailing-Lists/Kernel/2010-11/msg13278.html

upstream commit 3c77f845722158206a7209c45ccddc264d19319c

Comment 20 errata-xmlrpc 2011-01-13 21:10:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0017 https://rhn.redhat.com/errata/RHSA-2011-0017.html

Comment 21 errata-xmlrpc 2011-01-14 09:02:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0017 https://rhn.redhat.com/errata/RHSA-2011-0017.html

Comment 22 errata-xmlrpc 2011-02-22 17:38:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0283 https://rhn.redhat.com/errata/RHSA-2011-0283.html

Comment 25 errata-xmlrpc 2011-09-12 19:44:48 UTC
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2011:1253 https://rhn.redhat.com/errata/RHSA-2011-1253.html