Bug 218777 (CVE-2007-6733)

Summary: CVE-2007-6733 Kernel BUG at locks:1799
Product: Red Hat Enterprise Linux 4 Reporter: Sachin Prabhu <sprabhu>
Component: kernelAssignee: Peter Staubach <staubach>
Status: CLOSED ERRATA QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.4CC: buckh, bwalton, jbaron, shei, steved
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://lkml.org/lkml/2005/12/21/334
Whiteboard:
Fixed In Version: RHBA-2007-0304 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-05-08 04:23:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Proposed patch for 2.6.9-42.0.2.EL none

Description Sachin Prabhu 2006-12-07 14:42:47 UTC
This problem was reported by ASANO Masahiro for the upstream kernel. 
http://lkml.org/lkml/2005/12/21/334

The change in locks_remove_flock for bz #160844 allows the local users to crash
the system. The nfs client prevents mandatory locking. The if statement checking
for this will allow a user to get the nfs client to leave behind posix locks by
changing the mode before unlocking. The changes in locks_remove_flock causes it
to throw a BUG().

Run the attached reproducer a few times on a RHEL 4 U4 server to cause a crash.

Comment 6 Jason Baron 2006-12-21 16:07:03 UTC
committed in stream U5 build 42.30. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/


Comment 9 Jay Turner 2007-02-08 13:41:01 UTC
QE ack for RHEL4.5.

Comment 11 Steve Cleveland 2007-02-26 17:43:19 UTC
According to the included URL, this is a local user NFS exploit.  Is there any
way this bug could be hit by an nfs server or by a user inadvertently?  After a
recent kernel patch on our Sun NFS servers (to address DST), our linux CPU
server (multiple users via ssh) has crashed once about every 12 hours.  Those
Sun servers have been having other issues with NFS since the patch, so I'm
wondering if it's possible that the NFS communication could cause the crash. 
None of our linux workstations have had any problems, but they're likely not
hitting NFS as hard.

I applied the test kernel and so far so good.  Is there a way to get an official
kernel update in FastTrack, or any word on when it might be available on the
beta channel?

I realize this is probably better for a mailing list, but that mail thread is
over a year old.

Comment 12 Mike Gahagan 2007-04-03 16:15:24 UTC
sucessfully tested using the reproducer and verified the patch is in the -52 kernel.



Comment 15 Red Hat Bugzilla 2007-05-08 04:23:37 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0304.html

Comment 19 Peter Staubach 2008-06-18 15:51:03 UTC
*** Bug 208585 has been marked as a duplicate of this bug. ***

Comment 20 Eugene Teo (Security Response) 2010-03-17 01:30:29 UTC
This issue has been assigned with CVE-2007-6733. It was reported back in 12/2006, and was found to be security-relevant while triaging CVE-2010-0727.

Comment 21 Jeff Layton 2010-03-17 12:24:59 UTC
*** Bug 207737 has been marked as a duplicate of this bug. ***