Bug 461082 (CVE-2007-6716)
Summary: CVE-2007-6716 kernel: dio: zero struct dio with kzalloc instead of manually

Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
Hardware: All
OS: Linux
Reporter: Eugene Teo (Security Response) <eteo>
Assignee: Red Hat Product Security <security-response-team>
CC: dhoward, jmoyer, jpirko, kzhang, lwang, qcai, vgoyal
Keywords: Security
Doc Type: Bug Fix
Last Closed: 2010-12-21 17:37:57 UTC
Bug Depends On: 439918, 461089, 461090, 461091, 463868
Description
Eugene Teo (Security Response)
2008-09-04 02:36:52 UTC
Proposed upstream patch: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=848c4dd5153c7a0de55470ce99a8e13a63b4703f

Created attachment 315715 [details]
Upstream patch for this issue

Created attachment 315718 [details]
jobfile for reproducer

When I tried to reproduce the bug on 2.6.18-92.1.10.el5, I hit a kernel panic. On 2.6.18-92.1.13 the same happens. The steps are as follows:

1. download fio-1.21.tar.bz2 from http://freshmeat.net/projects/fio/ and extract the file to the /root/kzhang/fio directory
2. make & make install
3. download the jobfile from https://bugzilla.redhat.com/attachment.cgi?id=315718
4. change the directory=/root/kzhang/fio
5. ./fio jobfile

The system would kernel panic; the following is the backtrace.

Kernel BUG at mm/filemap.c:553
invalid opcode: 0000 [1] SMP
last sysfs file: /block/dm-0/stat
CPU 7
Modules linked in: autofs4 hidp rfcomm l2cap bluetooth sunrpc ipv6 xfrm_nalgo crypto_api cpufreq_ondemand acpi_cpufreq dm_multipath video sbs backlight i2c_ec i2c_core button battery asus_acpi acpi_memhotplug ac parport_pc lp parport joydev sr_mod sg bnx2 floppy serio_raw pcspkr ide_cd i5000_edac cdrom edac_mc shpchp dm_snapshot dm_zero dm_mirror dm_mod usb_storage ata_piix libata megaraid_sas sd_mod scsi_mod ext3 jbd uhci_hcd ohci_hcd ehci_hcd
Pid: 6447, comm: fio Not tainted 2.6.18-92.1.13.el5 #1
RIP: 0010:[<ffffffff80017c4a>]  [<ffffffff80017c4a>] unlock_page+0xf/0x2f
RSP: 0018:ffff810052605e18  EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff810000e32cf8 RCX: 0000000000000000
RDX: ffff810001918cf8 RSI: ffff81007fe1c550 RDI: ffff810000e32cf8
RBP: 00000000ffffffef R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff81004f64e0e0
R13: 0000000000000000 R14: 0000000000001000 R15: ffff81005eec7220
FS:  00002b8a136f20f0(0000) GS:ffff81007fe1c3c0(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000003d846d3020 CR3: 0000000051e6b000 CR4: 00000000000006e0
Process fio (pid: 6447, threadinfo ffff810052604000, task ffff810051f330c0)
Stack:  ffff810000e32cf8 ffffffff800ec7cb ffff810052605e98 ffff81004f64e000
 ffff81007823ecc0 00000000000200d2 0000000000000010 ffff81004f64e0e0
 ffff81004f64e000 0000000000000000 0000000000000000 ffffffff802f66a0
Call Trace:
 [<ffffffff800ec7cb>] pipe_to_file+0x31d/0x32e
 [<ffffffff800ebc88>] splice_from_pipe+0x89/0x21a
 [<ffffffff800ec4ae>] pipe_to_file+0x0/0x32e
 [<ffffffff800ec04b>] generic_file_splice_write+0x21/0x8a
 [<ffffffff800ecd59>] sys_splice+0x119/0x238
 [<ffffffff8005d28d>] tracesys+0xd5/0xe0

Code: 0f 0b 68 97 3d 29 80 c2 29 02 48 89 df e8 b3 29 00 00 48 89
RIP  [<ffffffff80017c4a>] unlock_page+0xf/0x2f
 RSP <ffff810052605e18>
<0>Kernel panic - not syncing: Fatal exception

This was addressed via:
Red Hat Enterprise Linux version 5 (RHSA-2008:0885)
Red Hat Enterprise Linux version 4 (RHSA-2008:0972)
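The bug summary describes the upstream fix as zeroing struct dio with kzalloc() instead of clearing fields by hand. The user-space C model below is an added example, not code from the kernel, from the upstream commit, or from this bug report; it shows the bug class the summary refers to. A struct initialised field by field keeps whatever the previous owner of that memory left behind in any field the initialiser forgets, while zeroing the whole object first (kzalloc in the kernel, memset/calloc here) starts every field at zero, including fields added after the initialiser was written. The struct io_request, its field names, the 0xA5 poison pattern and the fixed "recycled slab" buffer are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a kernel I/O descriptor such as struct dio.
 * Field names are invented for illustration; only the shape matters. */
struct io_request {
    int           rw;
    uint64_t      offset;
    size_t        len;
    int           refcount;
    unsigned long bh_state;   /* the field the manual initialiser forgets */
    int           error;
};

/* Simulated recycled slab object. A real allocator hands back memory that a
 * previous owner has already written to; we model that with a fixed buffer
 * filled with a constructed 0xA5 poison pattern on every "allocation". */
#define POISON 0xA5

static union {
    struct io_request req;
    unsigned char     bytes[sizeof(struct io_request)];
} slab;

static struct io_request *alloc_from_recycled_slab(void)
{
    memset(slab.bytes, POISON, sizeof slab.bytes);
    return &slab.req;
}

/* kzalloc() stand-in: same recycled memory, but cleared in full before use. */
static struct io_request *alloc_zeroed_from_recycled_slab(void)
{
    struct io_request *req = alloc_from_recycled_slab();
    memset(req, 0, sizeof *req);
    return req;
}

/* "Before" pattern: clear only the fields the author remembered.
 * bh_state is never touched, so it keeps the previous occupant's bits. */
struct io_request *init_manually(int rw, uint64_t offset, size_t len)
{
    struct io_request *req = alloc_from_recycled_slab();
    req->rw       = rw;
    req->offset   = offset;
    req->len      = len;
    req->refcount = 0;
    req->error    = 0;
    /* req->bh_state deliberately omitted: this is the bug class */
    return req;
}

/* "After" pattern: zero the whole object, then set what must be non-zero.
 * Any field added to the struct later is covered automatically. */
struct io_request *init_zeroed(int rw, uint64_t offset, size_t len)
{
    struct io_request *req = alloc_zeroed_from_recycled_slab();
    req->rw     = rw;
    req->offset = offset;
    req->len    = len;
    return req;
}

/* Check: does the descriptor still carry stale state in the forgotten field? */
int has_stale_state(const struct io_request *req)
{
    return req->bh_state != 0;
}

int main(void)
{
    struct io_request *a = init_manually(1, 4096, 512);
    printf("manual init : bh_state=0x%lx stale=%d\n", a->bh_state, has_stale_state(a));
    struct io_request *b = init_zeroed(1, 4096, 512);
    printf("zeroed init : bh_state=0x%lx stale=%d\n", b->bh_state, has_stale_state(b));
    return 0;
}
```

In the kernel the stale bits would be whatever a previous slab user left in the object, which is why such bugs surface only under particular workloads (here, the fio jobfile attached to the report) rather than deterministically. Zeroing the whole object is also the more maintainable choice: a later field added to the struct is covered without anyone having to remember to extend the initialiser.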