Bug 499092

Summary: Request to include CVE-2008-4307 (Kernel BUG() in locks_remove_flock) patch in RHEL 5.x kernel
Product: Red Hat Enterprise Linux 5
Reporter: Raghavendra Badiger <badiger>
Component: kernel
Assignee: Red Hat Kernel Manager <kernel-mgr>
Status: CLOSED DUPLICATE
QA Contact: Red Hat Kernel QE team <kernel-qe>
Severity: high
Priority: low
Version: 5.3
CC: k.dasharathi
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2009-06-02 01:16:09 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Raghavendra Badiger 2009-05-05 07:41:49 UTC
Description of problem:

The latest RHEL5.x kernel update is missing the patch suggested in Bugzilla 456282
(https://bugzilla.redhat.com/show_bug.cgi?id=456282),
"(CVE-2008-4307) Kernel BUG() in locks_remove_flock".

The issue reported in BZ456282 can be readily reproduced on RHEL4.6 with the test
programs (lockit.c, locker.c) and steps given in Bugzilla 456282, resulting in a
kernel panic with the stack trace below.

As this patch is missing from the latest RHEL5.x kernel update, and the patch is applicable to RHEL5.x too,

this Bugzilla is a request to include the patch in the next 5.x kernel updates to fix this issue.


Stack trace with RHEL4.6 Kernel
===============================
# crash /boot/System.map-2.6.9-67.XCsmp /boot/vmlinux-2.6.9-67.XCsmp /var/log/dump/0/dump.0

crash 4.0-3.9.lnxhpc.1
....
  SYSTEM MAP: /boot/System.map-2.6.9-67.XCsmp
DEBUG KERNEL: /boot/vmlinux-2.6.9-67.XCsmp (2.6.9-67.XCsmp)
    DUMPFILE: /var/log/dump/0/dump.0
        CPUS: 4
        DATE: Thu Mar 19 12:40:23 2009
      UPTIME: 20 days, 00:26:58
LOAD AVERAGE: 0.68, 0.17, 0.10
       TASKS: 417
    NODENAME: n0
     RELEASE: 2.6.9-67.XCsmp
     VERSION: #1 SMP Mon Aug 11 20:21:11 EDT 2008
     MACHINE: x86_64  (1866 Mhz)
      MEMORY: 17 GB
       PANIC: "invalid operand"
         PID: 22550
     COMMAND: "locker"
        TASK: 1041f9ad810  [THREAD_INFO: 101c9fa4000]
         CPU: 0
       STATE: TASK_RUNNING (PANIC)
crash> bt
PID: 22550  TASK: 1041f9ad810       CPU: 0   COMMAND: "locker"
 #0 [101c9fa78a8] schedule at ffffffff8031a0eb
 #1 [101c9fa7db0] error_exit at ffffffff80110e4d
    [exception RIP: locks_remove_flock+201]
    RIP: ffffffff80191e92  RSP: 00000101c9fa7e68  RFLAGS: 00010246
    RAX: 000001042ca38f60  RBX: 00000103b398de80  RCX: 0000000000000003
    RDX: 0000000000000000  RSI: 000000000000007c  RDI: ffffffff80525180
    RBP: 00000103b398dd70   R8: 000000000000270f   R9: 000001042fb85000
    R10: 000001042fb85000  R11: 000001042b8cf100  R12: 00000103e400b340
    R13: 00000103b3e219a8  R14: 0000000000000003  R15: 0000003a2720d280
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
 #2 [101c9fa7e60] locks_remove_flock at ffffffff80191e46
 #3 [101c9fa7e90] fcntl_setlk at ffffffff80191c19
 #4 [101c9fa7ea0] tty_ldisc_deref at ffffffff8022f8bc
 #5 [101c9fa7ec0] tty_write at ffffffff8022ffe3
 #6 [101c9fa7ee0] dnotify_parent at ffffffff80197334
 #7 [101c9fa7f20] __fput at ffffffff8017cb6d
 #8 [101c9fa7f50] sys_fcntl at ffffffff8018de39
 #9 [101c9fa7f80] system_call at ffffffff8011029a
    RIP: 0000003a2720b3fa  RSP: 00000000409fd840  RFLAGS: 00010246
    RAX: 0000000000000048  RBX: ffffffff8011029a  RCX: 00000000ffffffff
    RDX: 0000000040a00110  RSI: 0000000000000007  RDI: 0000000000000003
    RBP: 0000000000000000   R8: 0000000000000000   R9: 00000000ffffffff
    R10: 0000000040a00001  R11: 0000000000000206  R12: 0000003a2720d280
    R13: 0000003a272060a0  R14: 0000000000000003  R15: 0000000040a00110
    ORIG_RAX: 0000000000000048  CS: 0033  SS: 002b

Version-Release number of selected component (if applicable):


How reproducible:

Steps to Reproduce:

This problem can be reproduced with the test programs (lockit.c, locker.c) and
the steps given in the following Bugzilla:

https://bugzilla.redhat.com/show_bug.cgi?id=456282

Steps to reproduce:

1. Mount a writable NFS volume from a remote host with nfslock running.
2. Compile the two test programs
gcc -pthread -Wall -o locker locker.c
gcc -Wall -o lockit lockit.c
3. In one terminal start lockit running on a file on the NFS volume:

# lockit /mnt/test

4. In a 2nd terminal start locker running on the same file:

# locker /mnt/test

5. Terminate lockit (CTRL-C)

Actual results:
# ./locker /mnt/locktest
pid 4907 main launching thread
pid 4907 thread 4908 in do_lock
pid 4907 thread 4908  locking
Read from remote host p380-1.gsslab: Connection reset by peer
Connection to p380-1.gsslab closed.

Host died with BUG() in comment #2

Actual results:
Kernel panic with the above stack trace

Expected results:
No panic

Additional info:

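The two test programs the steps refer to (locker.c, lockit.c) are not attached to this bug. As an added example, not code from this report or from BZ 456282, the following C program walks through the fcntl(2) lock lifetime that those steps exercise, on a local scratch file rather than NFS: the parent takes a write lock, a forked child is refused and identifies the holder with F_GETLK, the parent then closes a second descriptor on the same file, and the child can lock it. That last step is the close-time lock cleanup in the same locks_remove_* family as the function in the trace above (POSIX drops every lock a process holds on a file as soon as any descriptor for it is closed). The scratch path, function names and exit codes are the example's own assumptions; it does not reproduce the NFS crash, it only makes the ownership and release rules observable.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome codes a forked child reports back through its exit status (assumed). */
enum { PROBE_LOCKED_OK = 0, PROBE_REFUSED_BY_PARENT = 1, PROBE_ERROR = 2 };

/* Try a non-blocking whole-file write lock on fd (F_SETLK, never F_SETLKW,
 * so a conflict returns immediately). Returns 0 on success, errno otherwise. */
static int try_wrlock(int fd)
{
    struct flock fl;
    memset(&fl, 0, sizeof fl);
    fl.l_type = F_WRLCK;
    fl.l_whence = SEEK_SET;
    fl.l_start = 0;
    fl.l_len = 0;                 /* 0 means "to end of file": whole file */
    return fcntl(fd, F_SETLK, &fl) == -1 ? errno : 0;
}

/* Ask the kernel which process would block a write lock on fd (F_GETLK).
 * Returns the holder's pid, 0 if nothing conflicts, -1 on error. */
static pid_t conflicting_holder(int fd)
{
    struct flock fl;
    memset(&fl, 0, sizeof fl);
    fl.l_type = F_WRLCK;
    fl.l_whence = SEEK_SET;
    if (fcntl(fd, F_GETLK, &fl) == -1)
        return -1;
    return fl.l_type == F_UNLCK ? 0 : fl.l_pid;
}

/* Fork a child that opens path and tries to take the write lock. POSIX record
 * locks are owned per process, so the child is a real competitor (a second
 * thread in the parent would not be: it shares the parent's ownership). */
static int probe_from_child(const char *path)
{
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_ERROR;
    if (pid == 0) {
        int fd = open(path, O_RDWR);       /* F_WRLCK needs write access */
        if (fd < 0)
            _exit(PROBE_ERROR);
        int rc = try_wrlock(fd);
        if (rc == 0)
            _exit(PROBE_LOCKED_OK);
        /* Linux reports a conflict as EAGAIN; POSIX also allows EACCES. */
        if ((rc == EAGAIN || rc == EACCES) && conflicting_holder(fd) == getppid())
            _exit(PROBE_REFUSED_BY_PARENT);
        _exit(PROBE_ERROR);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return PROBE_ERROR;
    return WEXITSTATUS(status);
}

/* The lock lifetime, step by step:
 *  1. the parent takes a write lock;
 *  2. a child is refused and F_GETLK names the parent as the holder;
 *  3. the parent opens and closes a *second* descriptor on the same file,
 *     which releases every POSIX lock this process holds on it (the lock
 *     cleanup the kernel runs at close time), although fd stays open;
 *  4. the child now acquires the lock.
 * Returns 0 when all four observations match, the failing step number otherwise. */
int demo_posix_lock_lifetime(void)
{
    char path[] = "/tmp/locktest.XXXXXX";     /* constructed scratch file */
    int fd = mkstemp(path);                   /* opened O_RDWR */
    int fd2 = -1;
    int step = 0;
    if (fd < 0)
        return -1;

    if (try_wrlock(fd) != 0)                                  { step = 1; goto out; }
    if (probe_from_child(path) != PROBE_REFUSED_BY_PARENT)    { step = 2; goto out; }

    fd2 = open(path, O_RDWR);
    if (fd2 < 0 || close(fd2) != 0)                           { step = 3; goto out; }
    if (probe_from_child(path) != PROBE_LOCKED_OK)            { step = 4; goto out; }

out:
    close(fd);
    unlink(path);
    return step;
}

int main(void)
{
    int r = demo_posix_lock_lifetime();
    printf("posix lock lifetime demo: %s (step %d)\n", r == 0 ? "ok" : "mismatch", r);
    return r == 0 ? 0 : 1;
}
```

Build with `gcc -Wall -o lockdemo lockdemo.c` (the assumed file name) and run it as an unprivileged user; no NFS mount or second machine is needed. The reproducer's multithreaded locker and the single-process lockit are different owners only because they are different processes, which is why the steps above require two terminals rather than two threads.
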
Comment 1 Linda Wang 2009-06-02 01:16:09 UTC

*** This bug has been marked as a duplicate of bug 456288 ***