Bug 578261
Summary: [5.5] SCTP: Check if the file structure is valid before checking the non-blocking flag
Product: Red Hat Enterprise Linux 5
Reporter: Issue Tracker <tao>
Component: kernel
Assignee: Jiri Pirko <jpirko>
Status: CLOSED ERRATA
QA Contact: Boris Ranto <branto>
Severity: urgent
Priority: urgent
Version: 5.5
CC: branto, cward, dhoward, jwest, nhorman, plyons, rkhan, tao
Target Milestone: rc
Keywords: ZStream
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text:
When the Stream Control Transmission Protocol (SCTP) kernel code attempted to check a non-blocking flag, it could have dereferenced a NULL file pointer due to the fact that in-kernel sockets created with the sock_create_kern() function may not have a file structure and descriptor allocated to them. The kernel would crash as a result of the dereference. With this update, SCTP ensures that the file is valid before attempting to set a timeout, thus preventing a possible NULL dereference and consequent kernel crash.
Last Closed: 2011-01-13 21:22:46 UTC
Bug Blocks: 598355
Description
Issue Tracker
2010-03-30 18:00:52 UTC
Event posted on 03-25-2010 02:41am CDT by mwata

RHN System ID:
Customer Contact Name: Ueki Kohei

Description of Problem:
In-kernel sockets created with sock_create_kern() don't usually have a file structure and file descriptor allocated to them. As a result, when SCTP tries to check the non-blocking flag, the kernel will panic when dereferencing a NULL file pointer.

Version-Release number of selected component:
Red Hat Enterprise Linux Version Number: RHEL5.5
Release Number: 5.5SS3
Architecture: x86_64
Kernel Version: kernel-2.6.18-190.el5
Related Package Version: none
Related Middleware / Application: none
Drivers or hardware or architecture dependency: none

How reproducible: every time

Step to Reproduce:
Use the reproduce program.
Step1 prepare the test program and Makefile.
  files: sctp_kernel_test.c Makefile
Step2 # make
Step3 # insmod sctp_kernel_test.ko

Actual Results: After step3, the kernel panicked at function __sctp_connect().
Expected Results: After step3, the kernel should not panic.

Summary of actions taken to resolve issue: none
Location of diagnostic data: none

Hardware configuration:
Model: PRIMERGY TX150 S5
CPU Info: Intel(R) Xeon(R) CPU 3040 @ 1.86GHz
Memory Info: 6GB

Business Impact: Our customer uses sctp functions. The business scale is about 3000 systems in three years. (the first year is about $250,000.)

Target Release: 5.6
Errata Request: 5.5 asynch errata
Hotfix Request: No

Additional Info:
The sosreport file is attached: sosreport-dora.0324-319189-6dc231.tar.bz2
The md5sum is: 99e702e9ffabc3b23d86e774a06dc231
The reproduce program is attached:
  files: sctp_kernel_test.c Makefile
The patch file is attached:
  file: SCTP-Check-to-make-sure-file-is-valid-before-setting-timeout.patch
These patches have already been applied for the Community's kernel.
Please refer to the URL: http://marc.info/?l=git-commits-head&m=118374837517413&w=2

This event sent from IssueTracker by streeter [Support Engineering Group]
issue 681353

Event posted on 03-25-2010 02:43am CDT by mwata
File uploaded: SCTP-Check-to-make-sure-file-is-valid-before-setting-timeout.patch
This event sent from IssueTracker by streeter [Support Engineering Group]
issue 681353 it_file 512083

Event posted on 03-25-2010 02:43am CDT by mwata
File uploaded: sctp_kernel_test.c
This event sent from IssueTracker by streeter [Support Engineering Group]
issue 681353 it_file 512093

Event posted on 03-25-2010 02:43am CDT by mwata
File uploaded: Makefile
This event sent from IssueTracker by streeter [Support Engineering Group]
issue 681353 it_file 512103

Created attachment 403538: reproducer supplied by Fujitsu

Created attachment 403539: patch tested by Fujitsu
Upstream commit is f50f95cab735ebe2993e8d1549f0615bad05f3f2
Event posted on 06-07-2010 10:00am JST by moshiro

Hi,

Could you please make a test package available? I would like FJ to verify a fix.

Best Regards,
M Oshiro

This event sent from IssueTracker by moshiro
issue 681353

in kernel-2.6.18-203.el5

You can download this test kernel from http://people.redhat.com/jwilson/el5

Detailed testing feedback is always welcomed.

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
When the Stream Control Transmission Protocol (SCTP) kernel code attempted to check a non-blocking flag, it could have dereferenced a NULL file pointer due to the fact that in-kernel sockets created with the sock_create_kern() function may not have a file structure and descriptor allocated to them. The kernel would crash as a result of the dereference. With this update, SCTP ensures that the file is valid before attempting to set a timeout, thus preventing a possible NULL dereference and consequent kernel crash.

Could anyone with access to issue tracker upload Makefile to this bugzilla? I've tried using generic Makefile but without any success.

Please ignore the previous comment, I've already managed to get it compiled.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0017.html
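
The check described in this report, as an added user-space model that is not part of the bug thread and is not the kernel patch itself. The struct layouts, `sndtimeo()`, `connect_timeo_unchecked()`, `connect_timeo_checked()` and `timeo_for()` are simplified, assumed names; only the NULL-file condition and the non-blocking flag test come from the report.

```c
#include <fcntl.h>   /* O_NONBLOCK */
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the kernel structures (assumed, not kernel headers). */
struct file   { unsigned int f_flags; };
struct socket { struct file *file; };   /* NULL when no file was allocated */
struct sock   { struct socket *sk_socket; long sk_sndtimeo; };

/* Non-blocking callers get a zero timeout, blocking callers the socket's own. */
static long sndtimeo(const struct sock *sk, int noblock)
{
    return noblock ? 0 : sk->sk_sndtimeo;
}

/* Before: reads f_flags through sk_socket->file without checking it.
 * Correct only for sockets that have a file; with a NULL file this is
 * the dereference the report describes. */
long connect_timeo_unchecked(const struct sock *sk)
{
    return sndtimeo(sk, sk->sk_socket->file->f_flags & O_NONBLOCK);
}

/* After: a missing file means "no flags set", so the socket is blocking. */
long connect_timeo_checked(const struct sock *sk)
{
    unsigned int f_flags = 0;

    if (sk->sk_socket->file)
        f_flags = sk->sk_socket->file->f_flags;
    return sndtimeo(sk, f_flags & O_NONBLOCK);
}

/* Constructed sample: build a socket with or without a file and query it. */
long timeo_for(int has_file, unsigned int flags, long sk_sndtimeo)
{
    struct file f = { flags };
    struct socket sock = { has_file ? &f : NULL };
    struct sock sk = { &sock, sk_sndtimeo };

    return connect_timeo_checked(&sk);
}

int main(void)
{
    printf("no file (in-kernel socket): %ld\n", timeo_for(0, 0, 3000));
    printf("file, O_NONBLOCK set:       %ld\n", timeo_for(1, O_NONBLOCK, 3000));
    return 0;
}
```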