Bug 461082 (CVE-2007-6716)

Summary: CVE-2007-6716 kernel: dio: zero struct dio with kzalloc instead of manually
Product: [Other] Security Response Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: dhoward, jmoyer, jpirko, kzhang, lwang, qcai, vgoyal
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-12-21 17:37:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 439918, 461089, 461090, 461091, 463868    
Bug Blocks:    
Attachments:
Description Flags
Upstream patch for this issue
none
jobfile for reproducer none

Description Eugene Teo (Security Response) 2008-09-04 02:36:52 UTC 
Description of problem:
To avoid exposing ourselves to the risk of finding another field like .map_bh.b_state where we rely on zeroing but don't enforce it in the code. The fix uses kzalloc to zero all the struct dio rather than manually trying to track which fields we rely on being zero.

Reference:
http://lkml.org/lkml/2007/7/26/88
Comment 1 Eugene Teo (Security Response) 2008-09-04 02:42:24 UTC 
Proposed upstream patch:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=848c4dd5153c7a0de55470ce99a8e13a63b4703f
Comment 2 Eugene Teo (Security Response) 2008-09-04 02:43:32 UTC 
Created attachment 315715 [details]
Upstream patch for this issue
Comment 3 Eugene Teo (Security Response) 2008-09-04 02:44:25 UTC 
Reproducer:
http://freshmeat.net/projects/fio/
http://lkml.org/lkml/2007/7/30/448
Comment 8 Eugene Teo (Security Response) 2008-09-04 04:09:22 UTC 
Created attachment 315718 [details]
jobfile for reproducer
Comment 9 Zhang Kexin 2008-09-12 11:00:46 UTC 
when I try to reproduce the bug on 2.6.18-92.1.10.el5, I met kernel panic.
On 2.6.18-92.1.13, the same happens.

the steps are as follows:
1. download fio-1.21.tar.bz2 from http://freshmeat.net/projects/fio/ and extract the file to /root/kzhang/fio directory
2. make & make install
3. download jobfile from https://bugzilla.redhat.com/attachment.cgi?id=315718
4. change the directory=/root/kzhang/fio
5. ./fio jobfile

the system would kernel panic, following is the backtrace.

Kernel BUG at mm/filemap.c:553
invalid opcode: 0000 [1] SMP
last sysfs file: /block/dm-0/stat
CPU 7
Modules linked in: autofs4 hidp rfcomm l2cap bluetooth sunrpc ipv6 xfrm_nalgo crypto_api cpufreq_ondemand acpi_cpufreq dm_multipath video sbs backlight i2c_ec i2c_core button battery asus_acpi acpi_memhotplug ac parport_pc lp parport joydev sr_mod sg bnx2 floppy serio_raw pcspkr ide_cd i5000_edac cdrom edac_mc shpchp dm_snapshot dm_zero dm_mirror dm_mod usb_storage ata_piix libata megaraid_sas sd_mod scsi_mod ext3 jbd uhci_hcd ohci_hcd ehci_hcd
Pid: 6447, comm: fio Not tainted 2.6.18-92.1.13.el5 #1
RIP: 0010:[<ffffffff80017c4a>]  [<ffffffff80017c4a>] unlock_page+0xf/0x2f
RSP: 0018:ffff810052605e18  EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff810000e32cf8 RCX: 0000000000000000
RDX: ffff810001918cf8 RSI: ffff81007fe1c550 RDI: ffff810000e32cf8
RBP: 00000000ffffffef R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff81004f64e0e0
R13: 0000000000000000 R14: 0000000000001000 R15: ffff81005eec7220
FS:  00002b8a136f20f0(0000) GS:ffff81007fe1c3c0(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000003d846d3020 CR3: 0000000051e6b000 CR4: 00000000000006e0
Process fio (pid: 6447, threadinfo ffff810052604000, task ffff810051f330c0)
Stack:  ffff810000e32cf8 ffffffff800ec7cb ffff810052605e98 ffff81004f64e000
 ffff81007823ecc0 00000000000200d2 0000000000000010 ffff81004f64e0e0
 ffff81004f64e000 0000000000000000 0000000000000000 ffffffff802f66a0
Call Trace:
 [<ffffffff800ec7cb>] pipe_to_file+0x31d/0x32e
 [<ffffffff800ebc88>] splice_from_pipe+0x89/0x21a
 [<ffffffff800ec4ae>] pipe_to_file+0x0/0x32e
 [<ffffffff800ec04b>] generic_file_splice_write+0x21/0x8a
 [<ffffffff800ecd59>] sys_splice+0x119/0x238
 [<ffffffff8005d28d>] tracesys+0xd5/0xe0


Code: 0f 0b 68 97 3d 29 80 c2 29 02 48 89 df e8 b3 29 00 00 48 89
RIP  [<ffffffff80017c4a>] unlock_page+0xf/0x2f
 RSP <ffff810052605e18>
 <0>Kernel panic - not syncing: Fatal exception
Comment 17 Vincent Danen 2010-12-21 17:37:57 UTC 
This was addressed via:

Red Hat Enterprise Linux version 5 (RHSA-2008:0885)
Red Hat Enterprise Linux version 4 (RHSA-2008:0972)