Bug 562582 (CVE-2010-0415)
| Summary: | CVE-2010-0415 kernel: sys_move_pages infoleak | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Eugene Teo (Security Response) <eteo> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | arozansk, bhu, davej, dhoward, jpirko, kmcmartin, lgoncalv, lwang, plyons, pmatouse, tcallawa, williams |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-03-28 08:02:27 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 562588, 562589, 562590, 562591 | ||
| Bug Blocks: | |||
868 /*
869 * Move a list of pages in the address space of the currently executing
870 * process.
871 */
872 asmlinkage long sys_move_pages(pid_t pid, unsigned long nr_pages,
873 const void __user * __user *pages,
874 const int __user *nodes,
875 int __user *status, int flags)
876 {
877 int err = 0;
878 int i;
879 struct task_struct *task;
880 nodemask_t task_nodes;
[...]
936 /*
937 * Get parameters from user space and initialize the pm
938 * array. Return various errors if the user did something wrong.
939 */
940 for (i = 0; i < nr_pages; i++) {
941 const void *p;
942
943 err = -EFAULT;
944 if (get_user(p, pages + i))
945 goto out;
946
947 pm[i].addr = (unsigned long)p;
948 if (nodes) {
949 int node;
950
951 if (get_user(node, nodes + i))
952 goto out;
953
^^ missing boundary checks
954 err = -ENODEV;
955 if (!node_online(node))
956 goto out;
957
958 err = -EACCES;
959 if (!node_isset(node, task_nodes))
960 goto out;
961
962 pm[i].node = node;
963 } else
964 pm[i].node = 0; /* anything to not match MAX_NUMNODES */
965 }
966 /* End marker */
967 pm[nr_pages].node = MAX_NUMNODES;
968
969 if (nodes)
970 err = do_move_pages(mm, pm, flags & MPOL_MF_MOVE_ALL);
971 else
972 err = do_pages_stat(mm, pm);
Got it fixed in Fedora last night. kernel-2.6.31.12-174.2.17.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/kernel-2.6.31.12-174.2.17.fc12 kernel-2.6.30.10-105.2.23.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/kernel-2.6.30.10-105.2.23.fc11 kernel-2.6.31.12-174.2.19.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/kernel-2.6.31.12-174.2.19.fc12 kernel-2.6.30.10-105.2.23.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report. kernel-2.6.31.12-174.2.19.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2010:0147 https://rhn.redhat.com/errata/RHSA-2010-0147.html This issue has been addressed in following products: MRG for RHEL-5 Via RHSA-2010:0161 https://rhn.redhat.com/errata/RHSA-2010-0161.html Statement: This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3 and 4, as they do not include support for sys_move_pages. It was only introduced in kernel version 2.6.18 onwards. This issue was addressed in Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2010-0147.html and https://rhn.redhat.com/errata/RHSA-2010-0161.html. |
Description of problem: Ramon de C. Valle spotted a problem in sys_move_pages, where "node" value is read from userspace, but not limited to the node set within the kernel itself. Due to the bit tests in mm/migrate.c:do_move_pages it is easy to read out the kernel memory (as node can also be negative). (The node_isset and node_state functions just map to test_bit, which has no limiter in the normal implementations.) There also is (in my eyes) the chance we can corrupt kernel memory later on if we have all the right bits setup, but I did not research this further. Issue was present starting as sys_move_pages was introduced in 2.6.18. Solved in mainline by commit below. commit 6f5a55f1a6c5abee15a0e878e5c74d9f1569b8b0 Author: Linus Torvalds <torvalds> Date: Fri Feb 5 16:16:50 2010 -0800 Fix potential crash with sys_move_pages We incorrectly depended on the 'node_state/node_isset()' functions testing the node range, rather than checking it explicitly. That's not reliable, even if it might often happen to work. So do the proper explicit test. Reported-by: Marcus Meissner <meissner> Acked-and-tested-by: Brice Goglin <Brice.Goglin> Acked-by: Hugh Dickins <hugh.dickins.uk> Cc: stable Signed-off-by: Linus Torvalds <torvalds> Acknowledgements: Red Hat would like to thank Ramon de C. Valle for reporting this issue.