Bug 691793 (CVE-2011-1479)

Summary: CVE-2011-1479 kernel: DoS (crash) due slab corruption in inotify_init1 (incomplete fix for CVE-2010-4250)
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: arozansk, bhu, davej, dhoward, dtian, eparis, fhrbata, jkacur, kernel-mgr, kmcmartin, lgoncalv, lwang, pmatouse, rt-maint, security-response-team, sforsber, tcallawa, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-04-24 04:31:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 692096    
Bug Blocks:    

Description Jan Lieskovsky 2011-03-29 13:49:00 UTC 
Originally, the CVE-2010-4250 identifier has been assigned to the
following vulnerability:

Memory leak in the inotify_init() system call could, in some cases,
leak a group, allowing a local, unprivileged user to eventually cause
a denial of service.

References:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4250

Later, it was found that relevant upstream commit:
a2ae4cc9a16e211c8a128ba10d22a85431f093ab, v2.6.37-rc5

did not properly address the issue / introduced a regression
(slab corruption by double free of user_struct in inotify_init1),
which could allow a local, unprivileged user to cause a denial of
service (kernel crash).
Comment 5 Eugene Teo (Security Response) 2011-04-11 03:28:36 UTC 
Upstream commit:
http://git.kernel.org/linus/d0de4dc584ec6aa3b26fffea320a8457827768fc
Comment 6 Eugene Teo (Security Response) 2011-04-11 03:36:16 UTC 
Statement:

This issue did not affect the versions of Linux kernel as shipped with Red Hat
Enterprise Linux 4 and 5. This has been addressed in Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-0498.html and https://rhn.redhat.com/errata/RHSA-2011-1253.html.
Comment 8 Chuck Ebbert 2011-04-14 01:54:42 UTC 
The fix will also be in 2.6.38.3 .
Comment 9 errata-xmlrpc 2011-09-12 19:45:08 UTC 
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2011:1253 https://rhn.redhat.com/errata/RHSA-2011-1253.html