Bug 184510
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2006-0557 get_nodes crash | | |
| Product | Red Hat Enterprise Linux 4 | Reporter | Mark J. Cox <mjc> |
| Component | kernel | Assignee | Ernie Petrides <petrides> |
| Status | CLOSED ERRATA | QA Contact | Brian Brock <bbrock> |
| Severity | high | Docs Contact | |
| Priority | medium | | |
| Version | 4.0 | CC | jbaron, lwang, lwoodman, security-response-team |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | public=20060217,source=vendorsec,reported=20060307,impact=important | | |
| Fixed In Version | RHBA-2007-0304 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2007-05-08 00:42:49 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Attachments | | | |
Description
Mark J. Cox
2006-03-09 13:16:01 UTC
I've determined that RHEL4 U4 is *not* vulnerable to this DoS because of the difference in stack layout of the callers of get_nodes(). Please downgrade this bug to a non-security issue and record that RHEL4 isn't vulnerable to CVE-2006-0557.

However, there is still a bug in RHEL4 in the validation of "maxnodes", although I have yet to determine how to verify what improper syscall behavior might occur. A value of -(BITS_PER_LONG-1) to -1 will cause the local variable "start" inside sys_mbind() to be overwritten, which is likely to cause improper mbind(2) syscall operation (but no crash). A similar situation exists for the set_mempolicy(2) syscall, which also causes the same get_nodes() function call (but no crash).

Created attachment 128925: RHEL4 U4 patch resolving this problem

Note that the upstream patch refers to the identifier BITS_PER_BYTE, which is not defined in RHEL4. It's more efficient to test for a zero "nlongs" value anyway.

Patch posted for review on 11-May-2006.

Another relevant aspect of this problem is that the code with the bug is only compiled into kernels with CONFIG_NUMA enabled. The following config files set this:

- config-i686-hugemem
- config-ia64-generic
- config-ppc64-generic
- config-x86_64-generic

Thus, the only potential exposure on RHEL4 is with these configs. I've only tested x86_64. Jason is going to test the x86 hugemem kernel shortly. The test program in comment #3 should be used with the -1L parameter set to -31L (for i686) or -63L (for ia64 or ppc64) to check for crashes.

Correction to last comment: the i686-hugemem config is not used on RHEL4. Thus, there is no possible exposure to this bug on any x86 RHEL4 kernel.

*** Bug 183665 has been marked as a duplicate of this bug. ***

Committed in stream U5 build 42.2.

A test kernel with this patch is available from http://people.redhat.com/~jbaron/rhel4/

This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.

Verified that the patch is in the -52 kernel.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0304.html
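The "maxnodes" validation problem the comments discuss is an unsigned wrap in the length arithmetic of get_nodes(): after the decrement, a maxnode value near ULONG_MAX makes BITS_TO_LONGS() wrap to 0, so the final nodes[nlongs - 1] mask would address the stack word just before the bitmap. The following is an added example written for this page, not code from the bug, the attached patch or the kernel; it reproduces only the integer arithmetic in user space (nothing is copied or written out of bounds) and places two hardened variants beside it. Assumptions: PAGE_SIZE of 4096 and BITS_PER_BYTE of 8 for the upstream-style bound, and that the upstream patch rejects a maxnode larger than a page's worth of bits before nlongs is derived; the RHEL4-style variant follows the comment that a zero nlongs is tested for and refused. The ranges quoted in the comments are the commenter's own; the program simply prints what the arithmetic yields on the host's BITS_PER_LONG.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the get_nodes() length arithmetic discussed in this
 * bug. It is not kernel code: it only reproduces the integer arithmetic so
 * the wrap-around can be observed in user space. */

#define BITS_PER_LONG   ((unsigned long)(sizeof(unsigned long) * CHAR_BIT))
#define BITS_TO_LONGS(nr) (((nr) + BITS_PER_LONG - 1) / BITS_PER_LONG)
#define BITS_PER_BYTE   8UL     /* identifier used by the upstream patch; absent in RHEL4 (assumed value) */
#define PAGE_SIZE       4096UL  /* assumed page size for the upstream-style bound */

/* Unchecked arithmetic as the bug describes it. After the decrement, a maxnode
 * close to ULONG_MAX makes (maxnode + BITS_PER_LONG - 1) wrap, so nlongs is 0
 * and a final "nodes[nlongs - 1] &= endmask" would address nodes[-1], the
 * caller's stack word just below the bitmap (the "start" local in sys_mbind()
 * named in the comments). */
unsigned long nlongs_unchecked(unsigned long maxnode)
{
    --maxnode;
    return BITS_TO_LONGS(maxnode);
}

/* Index the final mask operation would use: wraps to ULONG_MAX when nlongs
 * is 0, i.e. one word before the start of the bitmap. */
unsigned long last_index_unchecked(unsigned long maxnode)
{
    return nlongs_unchecked(maxnode) - 1;
}

/* Hardened variant in the spirit of the RHEL4 patch: refuse a zero nlongs.
 * Returns the number of longs to copy, 0 when there is nothing to copy
 * (get_nodes() returns early in that case), or -EINVAL. */
long nlongs_checked_rhel4_style(unsigned long maxnode)
{
    --maxnode;
    if (maxnode == 0)
        return 0;
    unsigned long nlongs = BITS_TO_LONGS(maxnode);
    if (nlongs == 0)
        return -EINVAL;           /* the wrapped case: nodes[-1] is never reached */
    return (long)nlongs;
}

/* Hardened variant in the spirit of the upstream patch (assumption: the bound
 * rejects any maxnode above a page's worth of bits before nlongs is derived,
 * which also makes the wrap impossible). */
long nlongs_checked_upstream_style(unsigned long maxnode)
{
    --maxnode;
    if (maxnode == 0)
        return 0;
    if (maxnode > PAGE_SIZE * BITS_PER_BYTE)
        return -EINVAL;
    return (long)BITS_TO_LONGS(maxnode);
}

int main(void)
{
    /* Constructed inputs: a sane request, the -1L value the comments mention
     * for the test program, and 0 (which the decrement turns into ULONG_MAX). */
    unsigned long inputs[] = { BITS_PER_LONG + 1, (unsigned long)-1L, 0UL };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        unsigned long m = inputs[i];
        printf("maxnode=%lu unchecked nlongs=%lu last_index=%lu rhel4=%ld upstream=%ld\n",
               m, nlongs_unchecked(m), last_index_unchecked(m),
               nlongs_checked_rhel4_style(m), nlongs_checked_upstream_style(m));
    }
    return 0;
}
```

The two checks differ in where they sit: the nlongs == 0 test catches exactly the wrapped case after the arithmetic, while the page-sized bound rejects oversized requests before the arithmetic and needs no identifier that RHEL4 lacks, which is why the comment prefers the former for that kernel.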