Bug 1094363 (CVE-2014-0203)

Summary: CVE-2014-0203 kernel: fs: slab corruption due to the invalid last component type during do_filp_open()
Product: [Other] Security Response Reporter: Petr Matousek <pmatouse>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: agordeev, aquini, carnil, dev, dhoward, fhrbata, jkurik, kernel-mgr, khorenko, lwang, nobody, npajkovs, pholasek, plougher, ppandit, rvrbovsk, security-response-team, vvs
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-23 06:54:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1079347, 1094370    
Bug Blocks: 1094374    

Description Petr Matousek 2014-05-05 14:10:08 UTC 
It was found that proc_ns_follow_link() doesn't return LAST_BIND (unlike
proc_pid_follow_link()) which leads to the slab corruption caused by
(excessive) putname() in do_filp_open().

The slab corruption later manifests itself in the form of BUG() in
cache_alloc_refill() when performing "$ echo > /proc/$$/ns/pid" --

kernel BUG at mm/slab.c:3069!
invalid opcode: 0000 [#1] SMP
last sysfs file: /sys/devices/system/node/node0/meminfo
CPU 1
Modules linked in:
Pid: 2249, comm: bash Not tainted 2.6.32-431.5.1.el6.x86_64 #1
RIP: 0010:[<ffffffff8116ed14>]  [<ffffffff8116ed14>] cache_alloc_refill+0x1e4/0x240
RSP: 0018:ffff88007b69fe38  EFLAGS: 00010082
RAX: 000000000000000c RBX: ffff88007ec30f00 RCX: 00000000ffffffff
RDX: 000000000000000c RSI: 0000000000000000 RDI: ffff88007fa96580
RBP: ffff88007b69fe98 R08: 0000000000000000 R09: 000000000000002a
R10: 0000000000000076 R11: 0000000000000000 R12: ffff88007fa96580
R13: ffff88007fae8c40 R14: 000000000000000c R15: ffff88007d9386c0
FS:  00007f6f8819b700(0000) GS:ffff88000c420000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000006d3d88 CR3: 00000000374d1000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process bash (pid: 2249, threadinfo ffff88007b69e000, task ffff8800379a5540)
Stack:
 ffff88007b69fe58 00000000811a1edf ffff88007fae8c80 000412d07bdf1500
 ffff88007fae8c60 ffff88007fae8c50 ffff88007b69feb8 0000000001440530
 00000000000000d0 ffff88007ec30f00 00000000000000d0 0000000000000246
Call Trace:
 [<ffffffff8116fdcf>] kmem_cache_alloc+0x15f/0x190
 [<ffffffff81196ff7>] getname+0x47/0x240
 [<ffffffff81185ce2>] do_sys_open+0x32/0x140
 [<ffffffff81185e30>] sys_open+0x20/0x30
 [<ffffffff8100b072>] system_call_fastpath+0x16/0x1b
Code: 89 ff e8 70 57 12 00 eb 99 66 0f 1f 44 00 00 41 c7 45 60 01 00 00 00 4d 8b 7d 20 4c 39 7d c0 0f 85 f2 fe ff ff eb 84 0f 0b eb fe <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 eb f4 8b 55 ac 8b 75 bc 31
RIP  [<ffffffff8116ed14>] cache_alloc_refill+0x1e4/0x240
 RSP <ffff88007b69fe38>

An unprivileged local user could use this flaw to crash the system.
 
Upstream fix:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=86acdca1b63e6890540fa19495cfc708beff3d8b

Acknowledgements:

Red Hat would like to thank Vladimir Davydov of Parallels for reporting this issue.
Comment 2 Petr Matousek 2014-06-18 09:57:54 UTC 
Statement:

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 7 and Red Hat Enterprise MRG 2.
Comment 3 errata-xmlrpc 2014-06-19 17:53:55 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0771 https://rhn.redhat.com/errata/RHSA-2014-0771.html