Bug 653648 (CVE-2011-0695)
Summary: | CVE-2011-0695 kernel: panic in ib_cm:cm_work_handler | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Guy Streeter <streeter> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | Infiniband QE <infiniband-qe> |
Severity: | high | Docs Contact: | |
Priority: | high | | |
Version: | unspecified | CC: | acme, bhu, dledford, eteo, honli, jkacur, jrusnack, lgoncalv, nobody, pmatouse, rryder, srostedt, williams |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Linux | | |
Doc Type: | Bug Fix | Last Closed: | 2015-05-04 06:08:55 UTC |
Bug Depends On: | 676190, 676191, 676192, 679995, 679996 | | |

Description
Guy Streeter
2010-11-15 21:02:33 UTC
They tried the 1.3 kernel and got this backtrace:

6-NOV-2010 01:03:54.36|ott0140.xeop.de login: BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
6-NOV-2010 01:03:54.36|IP: [<ffffffff810c54f0>] put_compound_page+0x11/0x24
6-NOV-2010 01:03:54.36|PGD 620d8b067 PUD 4da801067 PMD 0
6-NOV-2010 01:03:54.36|Oops: 0002 [#1] PREEMPT SMP
6-NOV-2010 01:03:54.36|last sysfs file: /sys/class/infiniband/mlx4_0/node_guid
6-NOV-2010 01:03:54.36|CPU 1
6-NOV-2010 01:03:54.36|Pid: 28628, comm: OFI Not tainted 2.6.33.7-rt29.45.el5rt #1 /ProLiant BL460c G1
6-NOV-2010 01:03:54.36|RIP: 0010:[<ffffffff810c54f0>] [<ffffffff810c54f0>] put_compound_page+0x11/0x24
6-NOV-2010 01:03:54.36|RSP: 0018:ffff880561a8fd28 EFLAGS: 00010286
6-NOV-2010 01:03:54.41|RAX: 0000000000000000 RBX: ffff880711f84800 RCX: 0000000000000000
6-NOV-2010 01:03:54.41|RDX: 0000000000000000 RSI: 11a0dbc0ffffea00 RDI: 0000000000000000
6-NOV-2010 01:03:54.41|RBP: ffff880561a8fd28 R08: ffff880561a8fd38 R09: ffffffff813552af
6-NOV-2010 01:03:54.41|R10: ffff880730581c00 R11: dead000000200200 R12: ffff880711f84918
6-NOV-2010 01:03:54.41|R13: ffffea0011a0db5c R14: 0000000000000008 R15: ffff8807306dc6e0
6-NOV-2010 01:03:54.41|FS: 00000000421bb940(0063) GS:ffff880028240000(0000) knlGS:0000000000000000
6-NOV-2010 01:03:54.56|CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
6-NOV-2010 01:03:54.56|CR2: 0000000000000008 CR3: 0000000561874000 CR4: 00000000000406e0
6-NOV-2010 01:03:54.56|DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
6-NOV-2010 01:03:54.56|DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
6-NOV-2010 01:03:54.56|Process OFI (pid: 28628, threadinfo ffff880561a8e000, task ffff88059d8ca600)
6-NOV-2010 01:03:54.56|Stack:
6-NOV-2010 01:03:54.56| ffff880561a8fd58 ffffffff810c5e4e ffff880711f84818 ffff880711f84800
6-NOV-2010 01:03:54.56|<0> ffff880711f84918 ffffea0011a0db5c ffff880561a8fda8 ffffffffa02789fa
6-NOV-2010 01:03:54.61|<0> 000000012699c4c8 ffff8807306dc6c0 ffff88082a202800 ffff8807306dc6c0
6-NOV-2010 01:03:54.61|Call Trace:
6-NOV-2010 01:03:54.61| [<ffffffff810c5e4e>] put_page+0x21/0x7a
6-NOV-2010 01:03:54.61| [<ffffffffa02789fa>] __ib_umem_release+0xb2/0xe6 [ib_core]
6-NOV-2010 01:03:54.61| [<ffffffffa0278fe2>] ib_umem_release+0x26/0xd8 [ib_core]
6-NOV-2010 01:03:54.61| [<ffffffffa028a0a5>] mlx4_ib_destroy_qp+0x254/0x2eb [mlx4_ib]
6-NOV-2010 01:03:54.61| [<ffffffffa0274c46>] ib_destroy_qp+0x29/0x4f [ib_core]
6-NOV-2010 01:03:54.61| [<ffffffffa03a311d>] ib_uverbs_destroy_qp+0x94/0x161 [ib_uverbs]
6-NOV-2010 01:03:54.61| [<ffffffffa039fa17>] ib_uverbs_write+0xa6/0xc0 [ib_uverbs]
6-NOV-2010 01:03:54.61| [<ffffffff810f528b>] ? rw_verify_area+0x8d/0xb1
6-NOV-2010 01:03:54.66| [<ffffffff810f56cc>] vfs_write+0xb0/0x10a
6-NOV-2010 01:03:54.66| [<ffffffff810f57ea>] sys_write+0x4c/0x72
6-NOV-2010 01:03:54.66| [<ffffffff81002d1b>] system_call_fastpath+0x16/0x1b
6-NOV-2010 01:03:54.66|Code: c9 c3 55 48 89 e5 0f 1f 44 00 00 66 83 3f 00 79 04 48 8b 7f 10 c9 48 89 f8 c3 55 48 89 e5 0f 1f 44 00 00 e8 da ff ff ff 48 89 c2 <f0> ff 48 08 0f 94 c0 84 c0 74 06 48 89 d7 ff 52 60 c9 c3 55 48
6-NOV-2010 01:03:54.66|RIP [<ffffffff810c54f0>] put_compound_page+0x11/0x24
6-NOV-2010 01:03:54.71| RSP <ffff880561a8fd28>
6-NOV-2010 01:03:54.71|CR2: 0000000000000008

Proposed patches:

[PATCH 1/2] rdma/cm: Fix crash in request handlers
http://www.spinics.net/lists/linux-rdma/msg07447.html

[PATCH 2/2] ib/cm: Bump reference count on cm_id before invoking callback
http://www.spinics.net/lists/linux-rdma/msg07448.html

Statement:

This has been addressed in Red Hat Enterprise Linux 5, 6, and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-0927.html, https://rhn.redhat.com/errata/RHSA-2011-0421.html, and https://rhn.redhat.com/errata/RHSA-2011-0500.html. Red Hat Enterprise Linux 4 is now in Production 3 of the maintenance life-cycle, https://access.redhat.com/support/policy/updates/errata/, therefore the fix for this issue is not currently planned to be included in the future updates.

This issue has been addressed in following products:

Red Hat Enterprise Linux 6

Via RHSA-2011:0421 https://rhn.redhat.com/errata/RHSA-2011-0421.html

Upstream commits:

25ae21a10112875763c18b385624df713a288a05
29963437a48475036353b95ab142bf199adb909e

This issue has been addressed in following products:

MRG for RHEL-5

Via RHSA-2011:0500 https://rhn.redhat.com/errata/RHSA-2011-0500.html

This issue has been addressed in following products:

Red Hat Enterprise Linux 5

Via RHSA-2011:0927 https://rhn.redhat.com/errata/RHSA-2011-0927.html