Bug 633170 (CVE-2010-3086)

Summary: CVE-2010-3086 kernel panic via futex
Product: [Other] Security Response
Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: d.bein, dhoward, eguan, lgoncalv, lwang, plyons, pmatouse, rkhan, security-response-team, vdanen
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,reported=20100913,public=20101109,source=researcher,cvss2=4.9/AV:L/AC:L/Au:N/C:N/I:N/A:C
Fixed In Version:
Doc Type: Bug Fix
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Bug Depends On: 633175, 633176
Bug Blocks:

Description Eugene Teo (Security Response) 2010-09-13 01:01:16 EDT
Description of problem:
BUG: unable to handle kernel paging request at virtual address 0028a000
 printing eip:
c0439751
*pde = 2902e067
Oops: 0002 [#1]
SMP
last sysfs file: /devices/pci0000:00/0000:00:00.0/resource
Modules linked in: autofs4 hidp rfcomm l2cap bluetooth lockd sunrpc ip_conntrack_netbios_ns ipt_REJECT xt_state ip_conntrack nfnetlink iptable_filter ip_tables ip6t_REJECT xt_tcpudp ip6table_filter ip6_tables x_tables ipv6 xfrm_nalgo crypto_api vmblock(U) vsock(U) vmmemctl(U) vmhgfs(U) acpiphp dm_mirror dm_multipath scsi_dh video backlight sbs power_meter hwmon i2c_ec dell_wmi wmi button battery asus_acpi ac lp floppy sg pcspkr snd_ens1371 gameport snd_rawmidi snd_ac97_codec ac97_bus snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device snd_pcm_oss i2c_piix4 i2c_core vmci(U) snd_mixer_oss snd_pcm snd_timer snd soundcore snd_page_alloc mii parport_pc ide_cd parport cdrom serio_raw pvscsi(U) vmxnet3(U) vmxnet(U) dm_raid45 dm_message dm_region_hash dm_log dm_mod dm_mem_cache ata_piix libata mptspi mptscsih mptbase scsi_transport_spi sd_mod scsi_mod ext3 jbd uhci_hcd ohci_hcd ehci_hcd
CPU:    0
EIP:    0060:[<c0439751>]    Tainted: G      VLI
EFLAGS: 00210246   (2.6.18-194.11.3.el5 #1)
EIP is at futex_lock_pi+0x1ad/0x822
eax: 00000000   ebx: c07bdb10   ecx: 0000128d   edx: 00000000
esi: fffffff2   edi: 00000000   ebp: 0028a000   esp: dea9ce08
ds: 007b   es: 007b   ss: 0068
Process iknowthis (pid: 4749, ti=dea9c000 task=e9620550 task.ti=dea9c000)
Stack: d08a2d59 13f631b6 00000000 00000000 00000000 dea9ce78 e9620550 00000000
      00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      00000000 00000001 dea9ce50 dea9ce50 c07bdb10 0028a000 e96bf900 00000000
Call Trace:
 [<c0438448>] hrtimer_wakeup+0x0/0x18
 [<c043a953>] do_futex+0xb8d/0xbf6
 [<c044bece>] audit_syscall_entry+0x15a/0x18c
 [<c043aacd>] sys_futex+0x111/0x127
 [<c0404f17>] syscall_call+0x7/0xb
 =======================
Code: 89 e0 89 ee 25 00 f0 ff ff 8b 10 8b 8a a8 00 00 00 83 c6 04 19 d2 39 70 18 83 da 00 ff 40 14 85 d2 be f2 ff ff ff 75 09 89 d0 90 <0f> b1 4d 00 89 c6 89 e0 25 00 f0 ff ff ff 48 14 83 fe f2 0f 84
EIP: [<c0439751>] futex_lock_pi+0x1ad/0x822 SS:ESP 0068:dea9ce08
 <0>Kernel panic - not syncing: Fatal exception

Acknowledgements:

Red Hat would like to thank Tavis Ormandy for reporting this issue.
Comment 5 Eugene Teo (Security Response) 2010-10-10 21:35:48 EDT
Upstream commit:
x86: replace LOCK_PREFIX in futex.h
http://git.kernel.org/linus/9d55b9923a1b7ea8193b8875c57ec940dc2ff027
Comment 7 Eugene Teo (Security Response) 2010-11-02 01:30:37 EDT
Statement:

This issue did not affect the version of the Linux kernel as shipped with Red Hat Enterprise Linux 3 and 4, as they did not support the FUTEX_LOCK_PI futex operation. It did not affect the version of the Linux kernel as shipped with Red Hat Enterprise MRG, as it already had the fix for this issue. This issue was addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-0839.html
Comment 8 errata-xmlrpc 2010-11-09 13:06:26 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0839 https://rhn.redhat.com/errata/RHSA-2010-0839.html
Comment 9 Jes Sorensen 2013-02-27 04:46:02 EST
*** Bug 633940 has been marked as a duplicate of this bug. ***