Bug 179665 (CVE-2007-4130)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2007-4130 panic caused by set_mempolicy with MPOL_BIND | | |
| Product | [Other] Security Response | Reporter | Doug Chapman <dchapman> |
| Component | vulnerability | Assignee | Luming Yu <luyu> |
| Status | CLOSED ERRATA | QA Contact | Brian Brock <bbrock> |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | jbaron, kreilly, kseifried, lwang, peterm, williams |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | ia64 | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2011-09-27 21:41:45 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 293201, 293211 | | |
| Bug Blocks | | | |
| Attachments | | | |
Description
Doug Chapman
2006-02-01 22:56:01 UTC
One important point I neglected to mention. I tried this on the latest upstream kernel (2.6.16-rc1) and did not see the panic.

Did some investigation of the code: during the page fault a new page is in the process of being allocated, but this fails and returns NULL way down in alloc_pages_current when it calls zonelist_policy, because current->policy->v.zonelist[0] == NULL. This is set when we do the set_mempolicy because we are sending it a NULL mask (as we have seen with other set_mempolicy bugs, other invalid masks are likely to break as well). sys_set_mempolicy calls mpol_new, which calls bind_zonelist. In bind_zonelist, since it doesn't find any bits set in the "nodes" bitmask, it sets zl->zones[num] = NULL (where num is 0 since we made no iterations of the for loop). There is a check in mpol_new for the MPOL_BIND case where it checks that policy->v.zonelist is not NULL after calling bind_zonelist. Perhaps we should return EINVAL if policy->v.zonelist[0] is NULL here as well.

Neither of the two reproducers above causes any harm on x86_64.

I am still able to reproduce this in RHEL4 U4 kernel-2.6.9-42.EL.

I still can see the problem with the most recent RHEL 4 kernel. The two test cases work with upstream and the RHEL 5.1 kernel.

lwoodman, this is an old bug and I believe I can help to fix the problem. Please forgive me, I will assign it to me if you are not going to look into it recently. Thanks, Luming

Created attachment 161331
patch for fixing invalid argument

Please test the attached patch. I tested it, it fixes the problem.

Moving to parent bug, creating tracking bugs for 4.5.z and 4.6. This issue doesn't affect other RHEL.

Luming, please see the follow-up comments to your patch on rhkernel-list. Your patch has been NACK'ed, and it needs more work.

This issue has been addressed in following products: Red Hat Linux Enterprise 4, Red Hat Linux Enterprise 4.6.z. Via RHSA-2008:0055 https://rhn.redhat.com/errata/RHSA-2008-0055.html
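The investigation comment above describes the failure chain: an empty MPOL_BIND node mask makes the bind_zonelist loop run zero times, so zones[0] is written as NULL, mpol_new only checks the zonelist pointer itself, and the NULL is later dereferenced in the page allocator. The following user-space model, added here as an illustration and not taken from the kernel or from the attached patch, reproduces that logic in miniature and places the reporter's suggested EINVAL check beside the unchecked path. `struct zone`, `MAX_NUMNODES`, the function names and the node table are constructed for the example and only loosely mirror the kernel's.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_NUMNODES 4              /* constructed: a tiny NUMA topology */

struct zone { int node; };
struct zonelist { struct zone *zones[MAX_NUMNODES + 1]; }; /* NULL-terminated */

static struct zone node_zones[MAX_NUMNODES] = { {0}, {1}, {2}, {3} };

/* Model of bind_zonelist(): copy one zone per set bit, then terminate.
 * With no bits set the loop body never runs and zones[0] becomes the
 * terminator itself, which is exactly the state the report describes. */
static void fill_zonelist(unsigned long nodes, struct zonelist *zl)
{
    int num = 0;
    for (int nd = 0; nd < MAX_NUMNODES; nd++)
        if (nodes & (1UL << nd))
            zl->zones[num++] = &node_zones[nd];
    zl->zones[num] = NULL;
}

/* Model of the pre-fix mpol_new() MPOL_BIND path: only the zonelist
 * allocation is checked, so an empty mask is accepted and installed. */
static int mpol_new_bind_unchecked(unsigned long nodes, struct zonelist *zl)
{
    fill_zonelist(nodes, zl);
    return 0;
}

/* Hardened variant: reject an empty mask up front, and also apply the
 * reporter's suggestion of refusing a zonelist whose first entry is NULL. */
static int mpol_new_bind_checked(unsigned long nodes, struct zonelist *zl)
{
    if (nodes == 0)
        return -EINVAL;
    fill_zonelist(nodes, zl);
    if (zl->zones[0] == NULL)       /* same condition the report proposes */
        return -EINVAL;
    return 0;
}

/* Model of zonelist_policy() as used by alloc_pages_current(): return the
 * node the first zone belongs to, or -1 where the kernel would have
 * dereferenced a NULL zone pointer. */
static int first_alloc_node(const struct zonelist *zl)
{
    if (zl->zones[0] == NULL)
        return -1;
    return zl->zones[0]->node;
}

/* Drive the whole path: install a policy, then simulate the first page
 * fault allocation under it. A negative errno means set_mempolicy() failed
 * and nothing was installed; -1 means the allocator hit the NULL entry. */
static int bind_then_alloc(unsigned long nodes, bool hardened)
{
    struct zonelist zl;
    int rc = hardened ? mpol_new_bind_checked(nodes, &zl)
                      : mpol_new_bind_unchecked(nodes, &zl);
    if (rc < 0)
        return rc;
    return first_alloc_node(&zl);
}

int main(void)
{
    printf("empty mask, unchecked : %d (would dereference NULL)\n",
           bind_then_alloc(0, false));
    printf("empty mask, hardened  : %d (-EINVAL, policy rejected)\n",
           bind_then_alloc(0, true));
    printf("mask {2}, hardened    : node %d\n",
           bind_then_alloc(1UL << 2, true));
    return 0;
}
```

The point of the model is where the check belongs: once a policy with a NULL first zone has been installed, every later allocation path inherits the problem, so the validation has to happen in the setter, as the report suggests, rather than in the allocator.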