Bug 586415 (CVE-2010-2070)

Summary: CVE-2010-2070 /kernel/security/CVE-2006-0742 test cause kernel-xen panic on ia64
Product: [Other] Security Response
Reporter: Eryu Guan <eguan>
Component: vulnerability
Assignee: Andrew Jones <drjones>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: alex.williamson, dhoward, drjones, eteo, jlv, jpirko, kzhang, lersek, lwang, plyons, xen-maint
Keywords: Security
Hardware: ia64
OS: Linux
Whiteboard: impact=important,public=20070911,reported=20100427,source=redhat,cvss2=4.7/AV:L/AC:M/Au:N/C:N/I:N/A:C
Doc Type: Bug Fix
Last Closed: 2011-06-29 08:26:59 EDT
Bug Depends On: 587475, 587477
Bug Blocks: 514489
Attachments: job xml

Description Eryu Guan 2010-04-27 10:03:20 EDT
Created attachment 409485: job xml

Description of problem:

Below is the console log:

Starting RHTS testing: Running with correct RECIPEID.
04/27/10 09:37:27  recipeID:393073 start:
Collecting all rpm packages...
Sending rpm info to http://rhts.redhat.com/cgi-bin/rhts/scheduler_xmlrpc.cgi
resp = client.results.allRpms(recipeid, pkg_list)
3165111:/distribution/install has already run..
3165112:/distribution/kernelinstall has already run..
/mnt/tests/kernel/security/CVE-2006-0742 /
(XEN) mm.c:735:d0 vcpu 2 iip 0xa00000010006bad0: bad mpa d 0 0x3ffffff7f0200 (=> 0x1bec20000)
Unable to handle kernel NULL pointer dereference (address 0000000000000000)
swapper[0]: Oops 4294967296 [1]
Modules linked in: autofs4 hidp rfcomm l2cap bluetooth lockd sunrpc ipv6 xfrm_nalgo crypto_api vfat fat loop dm_multipath scsi_dh wmi power_meter hwmon button parport_pc lp parport sr_mod cdrom sg tg3 dm_raid45 dm_message dm_region_hash dm_mem_cache dm_snapshot dm_zero dm_mirror dm_log dm_mod mptspi mptscsih mptbase scsi_transport_spi sd_mod scsi_mod ext3 jbd uhci_hcd ohci_hcd ehci_hcd

Pid: 0, CPU 2, comm:              swapper
psr : 0000101008026010 ifs : 8000000000000004 ip  : [<0000000000000000>]    Not tainted (2.6.18-194.2.1.el5xen)
ip is at __start_ivt_text+0x5fffffff00000000/0x400
unat: 0000000000000000 pfs : 800000000000048d rsc : 0000000000000008
rnat: 0000000000000000 bsps: a0000002011d6180 pr  : 000000000001a965
ldrs: 0000000000000000 ccv : 0000000000000000 fpsr: 0009804c0a70033f
csd : 0000000000000000 ssd : 0000000000000000
b0  : a0000001000a6840 b6  : 0000000000000000 b7  : a0000001000a6380
f6  : 1003e000000000000064e f7  : 1003e0044b82fa09b5a53
f8  : 1003e0000000000177db7 f9  : 1003e0000000000000001
f10 : 1003e62a65c7260000000 f11 : 1003e0000000000000000
r1  : 0000000000000000 r2  : 800000000000048d r3  : 0000000000000001
r8  : a000000100a827d8 r9  : a000000100a827d8 r10 : e0000001bd907bc0
r11 : e0000001bd907bc0 r12 : e0000001bd907bb0 r13 : e0000001bd900000
r14 : 0000000000000001 r15 : e0000001bd907bc0 r16 : a0000001009ad128
r17 : 0000000000200200 r18 : e0000001bd907bc8 r19 : fffffffffff00061
r20 : 0000000000000000 r21 : fffffffffff00060 r22 : fffffffffff00061
r23 : 0000000000000000 r24 : a0000001009ad130 r25 : e0000001bd901068
r26 : a000000100a6e7b8 r27 : e0000001bd894010 r28 : 00000000ffff6b63
r29 : e0000001bd894620 r30 : 00000000ffff6b62 r31 : 0000000000000062

Call Trace:
 [<a00000010001d240>] show_stack+0x40/0xa0
                                sp=e0000001bd907740 bsp=e0000001bd901490
 [<a00000010001db70>] show_regs+0x870/0x8c0
                                sp=e0000001bd907910 bsp=e0000001bd901438
 [<a000000100043720>] die+0x1c0/0x380
                                sp=e0000001bd907910 bsp=e0000001bd9013e8
 [<a00000010068f230>] ia64_do_page_fault+0x970/0xaa0
                                sp=e0000001bd907930 bsp=e0000001bd901398
 [<a00000010006b320>] xen_leave_kernel+0x0/0x3e0
                                sp=e0000001bd9079e0 bsp=e0000001bd901398
 <0>Kernel panic - not syncing: Fatal exception
 (XEN) Domain 0 crashed: rebooting machine in 5 seconds.

And after reboot, another panic log:

(XEN) mm.c:735:d0 vcpu 0 iip 0xa00000010006bad0: bad mpa d 0 0x10600010000b9 (=> 0x1bec20000)
(XEN) $$$$$ PANIC in domain 0 (k6=0xf000000007910000): itc on Xen virtual space (f095060001000000)
(XEN) domain_crash_sync called from xenmisc.c:171
(XEN) Domain 0 (vcpu#0) crashed on cpu#0:
(XEN) d 0xf000000007930080 domid 0
(XEN) vcpu 0xf000000007910000 vcpu 0
(XEN)
(XEN) CPU 0
(XEN) psr : 00001212080a6010 ifs : 800000000000048c ip  : [<a00000010057f081>]
(XEN) ip is at ???
(XEN) unat: 0000000000000000 pfs : 800000000000048c rsc : 0000000000000008
(XEN) rnat: 0000000000000000 bsps: a000000100821410 pr  : 0000000000016665
(XEN) ldrs: 0000000001b00000 ccv : 0000000000000000 fpsr: 0009804c0270033f
(XEN) csd : 0000000000000000 ssd : 0000000000000000
(XEN) b0  : a00000010057f060 b6  : a00000010061a160 b7  : a00000010063fd60
(XEN) f6  : 1003e0000000000000000 f7  : 000000000000000000000
(XEN) f8  : 000000000000000000000 f9  : 000000000000000000000
(XEN) f10 : 000000000000000000000 f11 : 000000000000000000000
(XEN) r1  : a000000100c69320 r2  : a000000100a1de38 r3  : 0000000000000070
(XEN) r8  : 000000000000006f r9  : e0000001bbf29300 r10 : e0000001bc864000
(XEN) r11 : 1ffffffe4379bfff r12 : a000000100827b10 r13 : a000000100820000
(XEN) r14 : f0950600010000b9 r15 : a000000100821068 r16 : 0000000000000007
(XEN) r17 : 0000000000000000 r18 : a000000100a1de40 r19 : 0000000000000000
(XEN) r20 : a000000100a1de30 r21 : a000000100821054 r22 : 00000000053111cd
(XEN) r23 : 0000000666bd02da r24 : ffffffff74549c57 r25 : 000000030cdf3c97
(XEN) r26 : e00000019abdf690 r27 : 000000009c570000 r28 : fffffffc3a7539bd
(XEN) r29 : a000000100a6a4a8 r30 : fffffffbaec9d614 r31 : 000000000008133d
(XEN)
(XEN) Call Trace:
(XEN)  [<f0000000040c0450>] show_stack+0x80/0xa0
(XEN)                                 sp=f000000007917ab0 bsp=f000000007911538
(XEN)  [<f00000000401f300>] __domain_crash+0x100/0x140
(XEN)                                 sp=f000000007917c80 bsp=f000000007911510
(XEN)  [<f00000000401f380>] __domain_crash_synchronous+0x40/0xf0
(XEN)                                 sp=f000000007917c80 bsp=f0000000079114e8
(XEN)  [<f000000004093fa0>] panic_domain+0x160/0x170
(XEN)                                 sp=f000000007917c80 bsp=f000000007911480
(XEN)  [<f00000000408d0a0>] vcpu_itc_no_srlz+0x350/0x360
(XEN)                                 sp=f000000007917dc0 bsp=f000000007911418
(XEN)  [<f000000004085f70>] ia64_do_page_fault+0x160/0x650
(XEN)                                 sp=f000000007917dc0 bsp=f000000007911380
(XEN)  [<f0000000040b9240>] ia64_leave_kernel+0x0/0x300
(XEN)                                 sp=f000000007917e00 bsp=f000000007911380
(XEN)
(XEN) Call Trace:
(XEN)  [<f0000000040c0450>] show_stack+0x80/0xa0
(XEN)                                 sp=f000000007917ab0 bsp=f000000007911538
(XEN)  [<f00000000401f310>] __domain_crash+0x110/0x140
(XEN)                                 sp=f000000007917c80 bsp=f000000007911510
(XEN)  [<f00000000401f380>] __domain_crash_synchronous+0x40/0xf0
(XEN)                                 sp=f000000007917c80 bsp=f0000000079114e8
(XEN)  [<f000000004093fa0>] panic_domain+0x160/0x170
(XEN)                                 sp=f000000007917c80 bsp=f000000007911480
(XEN)  [<f00000000408d0a0>] vcpu_itc_no_srlz+0x350/0x360
(XEN)                                 sp=f000000007917dc0 bsp=f000000007911418
(XEN)  [<f000000004085f70>] ia64_do_page_fault+0x160/0x650
(XEN)                                 sp=f000000007917dc0 bsp=f000000007911380
(XEN)  [<f0000000040b9240>] ia64_leave_kernel+0x0/0x300
(XEN)                                 sp=f000000007917e00 bsp=f000000007911380
(XEN) Domain 0 crashed: rebooting machine in 5 seconds.
(XEN) priv_emulate: priv_handle_op fails, isr=0x20000000000 iip=4000000000002980

Version-Release number of selected component (if applicable):
kernel-xen-2.6.18-194.2.1.el5

How reproducible:


Steps to Reproduce:
submit the job xml (see attachment, and MODIFY the submitter field)
submit_job.py -S rhts.redhat.com -j kernel_tier1_rerun_ia64-panic.xml

  
Actual results:
kernel panic

Expected results:
pass the test

Additional info:
job link http://rhts.redhat.com/cgi-bin/rhts/jobs.cgi?id=152572
and this also happens on 2.6.18-194.el5 and 164.15.1.
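
For triaging captured serial consoles from test hosts, the hypervisor-side signature in the log above (a "bad mpa" warning, a "PANIC in domain" line, then "Domain 0 crashed") can be extracted mechanically. The following is an added example, not part of the bug report or of any Red Hat tooling; the function name `triage`, the report keys and the trimmed sample log are assumptions made for illustration.

```python
import re

# Constructed sample: a trimmed copy of the (XEN) lines from the console log above.
SAMPLE = """\
(XEN) mm.c:735:d0 vcpu 0 iip 0xa00000010006bad0: bad mpa d 0 0x10600010000b9 (=> 0x1bec20000)
(XEN) $$$$$ PANIC in domain 0 (k6=0xf000000007910000): itc on Xen virtual space (f095060001000000)
(XEN) domain_crash_sync called from xenmisc.c:171
(XEN) Call Trace:
(XEN)  [<f0000000040c0450>] show_stack+0x80/0xa0
(XEN)                                 sp=f000000007917ab0 bsp=f000000007911538
(XEN)  [<f000000004093fa0>] panic_domain+0x160/0x170
(XEN)  [<f00000000408d0a0>] vcpu_itc_no_srlz+0x350/0x360
(XEN) Domain 0 crashed: rebooting machine in 5 seconds.
"""

# Hypervisor warning about a bad machine-physical address, tagged with domain and vcpu.
BAD_MPA = re.compile(r"\(XEN\) \S+:d(?P<dom>\d+) vcpu (?P<vcpu>\d+) "
                     r"iip (?P<iip>0x[0-9a-f]+): bad mpa d \d+ (?P<mpa>0x[0-9a-f]+)")
# Xen deliberately crashing a domain, with its stated reason.
PANIC = re.compile(r"\(XEN\) \$+ PANIC in domain (?P<dom>\d+) \([^)]*\): (?P<reason>.+)")
CRASHED = re.compile(r"\(XEN\) Domain (?P<dom>\d+) crashed")
# One call-trace frame: [<address>] symbol+0xoff/0xsize
FRAME = re.compile(r"\[<[0-9a-f]+>\] (?P<sym>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")

def triage(log):
    """Summarise Xen hypervisor crash indicators found in a console log."""
    report = {"bad_mpa": [], "panics": [], "crashed_domains": set(), "frames": []}
    for line in log.splitlines():
        if m := BAD_MPA.search(line):
            report["bad_mpa"].append((int(m["dom"]), int(m["vcpu"]), m["iip"], m["mpa"]))
        elif m := PANIC.search(line):
            report["panics"].append((int(m["dom"]), m["reason"]))
        elif m := CRASHED.search(line):
            report["crashed_domains"].add(int(m["dom"]))
        elif line.startswith("(XEN)") and (m := FRAME.search(line)):
            # Only hypervisor frames; repeated traces are collapsed.
            if m["sym"] not in report["frames"]:
                report["frames"].append(m["sym"])
    # A dom0 crash takes the whole host down, which is the availability impact here.
    report["dom0_down"] = 0 in report["crashed_domains"]
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```
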

Comment 17 Eugene Teo (Security Response) 2010-04-29 21:06:10 EDT
This is not the same issue as CVE-2006-0742, therefore it's not a regression.

Comment 26 Eugene Teo (Security Response) 2010-06-10 19:26:41 EDT
This was fixed in xen-{3.4,4.0}-testing via http://xenbits.xensource.com/xen-4.0-testing.hg?rev/42caadb14edb ([IA64] Make Big-Endian appliation run on top of dom0 and domU).

Comment 27 errata-xmlrpc 2010-08-10 14:02:42 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0610 https://rhn.redhat.com/errata/RHSA-2010-0610.html