Bug 703016 (CVE-2011-1771)

Summary: CVE-2011-1771 kernel: cifs oops when creating file with O_DIRECT set
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Reporter: Eugene Teo (Security Response) <eteo>
Assignee: Red Hat Product Security <security-response-team>
CC: arozansk, bhu, dhoward, fhrbata, jkacur, kernel-mgr, kmcmartin, lgoncalv, lwang, plougher, rkhan, rt-maint, rwheeler, sforsber, tcallawa, vgoyal, williams
Doc Type: Bug Fix
Last Closed: 2015-07-29 12:44:55 UTC
Bug Depends On: 702642, 703017

Description Eugene Teo (Security Response) 2011-05-09 02:25:46 UTC
BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
IP: [<ffffffffa04a3cc1>] cifsFileInfo_put+0x21/0x220 [cifs]
PGD 15434067 PUD 375bd067 PMD 0 
Oops: 0000 [#1] SMP 
last sysfs file: /sys/devices/virtual/block/dm-1/dm/name
CPU 2 
Modules linked in: cifs nfs nls_utf8 lockd nfs_acl rpcsec_gss_krb5 auth_rpcgss
des_generic sunrpc cachefiles fscache(T) ipv6 dm_mirror dm_region_hash dm_log
virtio_balloon virtio_net sg i2c_piix4 i2c_core ext4 mbcache jbd2 virtio_blk
sr_mod cdrom virtio_pci virtio_ring virtio pata_acpi ata_generic ata_piix
dm_mod [last unloaded: cifs]

Modules linked in: cifs nfs nls_utf8 lockd nfs_acl rpcsec_gss_krb5 auth_rpcgss
des_generic sunrpc cachefiles fscache(T) ipv6 dm_mirror dm_region_hash dm_log
virtio_balloon virtio_net sg i2c_piix4 i2c_core ext4 mbcache jbd2 virtio_blk
sr_mod cdrom virtio_pci virtio_ring virtio pata_acpi ata_generic ata_piix
dm_mod [last unloaded: cifs]
Pid: 11418, comm: opentest Tainted: G           ---------------- T 2.6.32-144.el6.x86_64.debug #1 KVM
RIP: 0010:[<ffffffffa04a3cc1>]  [<ffffffffa04a3cc1>] cifsFileInfo_put+0x21/0x220 [cifs]
RSP: 0018:ffff8800376f9b98  EFLAGS: 00010282
RAX: ffffffffa04a3f00 RBX: ffff88003b24e1b8 RCX: 0000000000000003
RDX: ffffffffa04bb760 RSI: ffff88003b24e1b8 RDI: 0000000000000000
RBP: ffff8800376f9bc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000100006 R12: 0000000000000008
R13: ffff88002ee7a0d0 R14: ffff88000737b700 R15: ffff88003e7fa578
FS:  00007f4603a80700(0000) GS:ffff880004400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000030 CR3: 000000003d399000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process opentest (pid: 11418, threadinfo ffff8800376f8000, task ffff8800154e85c0)
Stack:
 0000000000000000 ffff88003b24e1b8 0000000000000008 ffff88002ee7a0d0
<0> ffff88000737b700 ffff88003e7fa578 ffff8800376f9be8 ffffffffa04a3f1d
<0> 0000000000000008 ffff88003b24e1b8 ffff8800376f9c38 ffffffff81190ab8
Call Trace:
 [<ffffffffa04a3f1d>] cifs_close+0x1d/0x40 [cifs]
 [<ffffffff81190ab8>] __fput+0x108/0x280
 [<ffffffff81189ce0>] ? generic_file_open+0x0/0x30
 [<ffffffff81190c55>] fput+0x25/0x30
 [<ffffffff8118c40c>] __dentry_open+0x28c/0x3e0
 [<ffffffff8118c639>] lookup_instantiate_filp+0x69/0x90
 [<ffffffffa04a2182>] cifs_lookup+0x3f2/0x5c0 [cifs]
 [<ffffffff8119e802>] __lookup_hash+0x102/0x160
 [<ffffffff8122f752>] ? selinux_inode_permission+0x72/0xb0
 [<ffffffff8119e93a>] lookup_hash+0x3a/0x50
 [<ffffffff8119f36a>] do_filp_open+0x2ca/0xdc0
 [<ffffffff810d71c2>] ? utrace_stop+0x122/0x1d0
 [<ffffffff811ac63b>] ? alloc_fd+0x3b/0x160
 [<ffffffff8150eccb>] ? _spin_unlock+0x2b/0x40
 [<ffffffff811ac6ab>] ? alloc_fd+0xab/0x160
 [<ffffffff8118c039>] do_sys_open+0x69/0x140
 [<ffffffff8118c150>] sys_open+0x20/0x30
 [<ffffffff8100b3a3>] tracesys+0xd9/0xde

This was reported upstream recently.

    http://marc.info/?l=linux-cifs&m=130204730006155&w=2

...the problem is that CIFS doesn't do O_DIRECT at all, so when you try to open a file with it you get back -EINVAL. CIFS can also do open on lookup in some cases. In that case, fput will be called on the filp, which has not yet had its private_data set.

This is a regression introduced with the patchset to clean up filehandle management in CIFS. The fix is simple and is already upstream -- simply check for a NULL filp->private_data before trying to dereference it.
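
Added example, not part of the bug report or of the kernel source: a user-space C model of the path in the trace above. It keeps the kernel's shape (a filp instantiated by the lookup path, an O_DIRECT rejection inside the open that fput()s the filp, a ->release hook that reaches the per-file cifsFileInfo through private_data) and runs the pre-fix and post-fix release hooks under a fault handler so the NULL dereference shows up as a result code instead of killing the process. Every function and struct name here is a stand-in; the values (the 0x30 offset, O_DIRECT's bit) only mirror the oops and are assumptions of the model.

```c
/* User-space model of the CVE-2011-1771 failure path. Added example, not
 * kernel code: the names echo the kernel's, every function is a stand-in. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef O_DIRECT
#define O_DIRECT 00040000   /* x86 value; only a flag bit in this model */
#endif

struct cifsFileInfo {       /* model of the kernel's cifsFileInfo */
    long pad[6];            /* on LP64 puts 'count' at 0x30, the CR2 in the oops */
    int count;
};

struct file {               /* model of struct file */
    int f_flags;
    void *volatile private_data;  /* volatile: keeps the compiler from reasoning
                                     away the NULL dereference in the model */
};

typedef int (*release_fn)(struct file *);

/* Drops a reference; like the kernel helper, assumes cfi is a valid pointer. */
static void cifsFileInfo_put(struct cifsFileInfo *cfi)
{
    if (--cfi->count == 0)
        free(cfi);
}

/* ->release before the fix: dereferences private_data unconditionally. */
static int cifs_close_vulnerable(struct file *f)
{
    cifsFileInfo_put(f->private_data);
    f->private_data = NULL;
    return 0;
}

/* ->release with the fix the report describes: check for NULL first. */
static int cifs_close_fixed(struct file *f)
{
    if (f->private_data != NULL) {
        cifsFileInfo_put(f->private_data);
        f->private_data = NULL;
    }
    return 0;
}

/* Model of __dentry_open(): the generic ->open succeeds, then O_DIRECT is
 * rejected because CIFS has no direct_IO. That rejection fput()s the filp,
 * which runs ->release on a file whose private_data was never set. */
static int dentry_open_model(struct file *f, int flags, release_fn release)
{
    f->f_flags = flags;
    f->private_data = NULL;            /* fresh struct file */
    if (flags & O_DIRECT) {
        release(f);                    /* fput() -> __fput() -> ->release */
        return -EINVAL;
    }
    return 0;
}

/* Model of cifs_lookup()'s open-on-lookup: instantiate first, attach the
 * cifsFileInfo afterwards, so an O_DIRECT failure reaches ->release early. */
static int cifs_lookup_open_model(struct file *f, int flags, release_fn release)
{
    int rc = dentry_open_model(f, flags, release);
    if (rc)
        return rc;
    struct cifsFileInfo *cfi = calloc(1, sizeof *cfi);
    if (!cfi)
        return -ENOMEM;
    cfi->count = 1;
    f->private_data = cfi;
    return 0;
}

/* Fault harness: a NULL dereference inside the model becomes RESULT_OOPS
 * instead of killing the process (SIGILL covers a compiler-emitted trap). */
enum { RESULT_OOPS = 1000 };           /* distinct from any -errno */
static sigjmp_buf oops_env;
static void oops_handler(int sig) { (void)sig; siglongjmp(oops_env, 1); }

static int try_open(int flags, release_fn release)
{
    static const int sigs[] = { SIGSEGV, SIGILL, SIGBUS };
    struct sigaction sa, old[3];
    struct file f;
    volatile int rc = RESULT_OOPS;     /* stays RESULT_OOPS if we longjmp back */

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = oops_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    for (int i = 0; i < 3; i++)
        sigaction(sigs[i], &sa, &old[i]);
    if (sigsetjmp(oops_env, 1) == 0) {
        rc = cifs_lookup_open_model(&f, flags, release);
        if (rc == 0)
            release(&f);               /* normal close: private_data is set */
    }
    for (int i = 0; i < 3; i++)
        sigaction(sigs[i], &old[i], NULL);
    return rc;
}

int main(void)
{
    printf("vulnerable + O_DIRECT: %d (RESULT_OOPS = %d)\n",
           try_open(O_RDWR | O_DIRECT, cifs_close_vulnerable), RESULT_OOPS);
    printf("fixed + O_DIRECT:      %d (-EINVAL = %d)\n",
           try_open(O_RDWR | O_DIRECT, cifs_close_fixed), -EINVAL);
    return 0;
}
```

The point the model makes is the one the report states: ->release is not only reached after a fully successful open, so it cannot assume the state ->open (or, here, the lookup path) would normally have attached. With the unconditional dereference the O_DIRECT open faults at the 'count' field of a NULL cifsFileInfo; with the NULL check the same open returns -EINVAL cleanly, and a plain open still releases its cifsFileInfo on close.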

Comment 2 Eugene Teo (Security Response) 2011-05-09 02:37:50 UTC
Statement:

This issue did not affect the Linux kernel as shipped with Red Hat Enterprise Linux 4, 5, and Red Hat Enterprise Linux MRG as they did not backport the upstream commit cdff08e7 that introduced this issue. Future kernel updates for Red Hat Enterprise Linux 6 may address this flaw.

Comment 4 errata-xmlrpc 2011-06-01 19:57:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0836 https://rhn.redhat.com/errata/RHSA-2011-0836.html

Comment 5 Eugene Teo (Security Response) 2011-06-28 07:18:43 UTC
Upstream commit:
http://git.kernel.org/linus/7797069305d13252fd66cf722aa8f2cbeb3c95cd