Bug 711205

Summary: [REGRESSION] In rt31.64.el5rt regression in signal.c
Product: Red Hat Enterprise MRG
Component: realtime-kernel
Version: 2.0
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
Reporter: Jeremy Eder <jeder>
Assignee: Luis Claudio R. Goncalves <lgoncalv>
QA Contact: David Sommerseth <davids>
CC: bhu, jkodak, jumanjiman, lgoncalv, ovasik, williams
Target Milestone: 2.0.2
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text:
Cause: The fix to a possible signal spoofing case in the kernel implemented a set of too strict checks related to si_code.
Consequence: User space glibc's aio implementation receives permission errors (EPERM) in legitimate requests.
Fix: relax the si_code check, observing the security implications fixed before.
Result: restore previous behavior.
Clone Of: 711198
Last Closed: 2011-08-22 05:56:50 UTC
Bug Depends On: 711198

Comment 3 Paul Morgan 2011-06-09 22:11:15 UTC
posting a public comment for searchability...

original symptom:

------------[ cut here ]------------
WARNING: at kernel/signal.c:2487 sys_rt_sigqueueinfo+0x66/0x9c()
Hardware name: ProLiant BL460c G6
Modules linked in: [snip]
Pid: 7548, comm: umestored Not tainted 2.6.33.9-rt31.64.el5rt #1
Call Trace:
 [<ffffffff81054a1f>] ? sys_rt_sigqueueinfo+0x66/0x9c
 [<ffffffff81042403>] warn_slowpath_common+0x7c/0x94
 [<ffffffff8104242f>] warn_slowpath_null+0x14/0x16
 [<ffffffff81054a1f>] sys_rt_sigqueueinfo+0x66/0x9c
 [<ffffffff81002cdb>] system_call_fastpath+0x16/0x1b
---[ end trace 1841b12aaca9853b ]---

cause: 

commit da48524eb20662618854bb3df2db01fc65f3070c included in kernel-rt-2.6.33.9-rt31.64.el5rt

solution:

deploy kernel-rt-2.6.33.9-rt31.65.el5rt, which includes
commit 243b422af9ea9af4ead07a8ad54c90d4f9b6081a

Significant testing with an in-house reproducer indicates kernel-rt-2.6.33.9-rt31.65.el5rt is a clean fix.

Comment 4 Luis Claudio R. Goncalves 2011-07-18 16:34:14 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: The fix to a possible signal spoofing case in the kernel implemented a set of too strict checks related to si_code.
Consequence: User space glibc's aio implementation receives permission errors (EPERM) in legitimate requests.
Fix: relax the si_code check, observing the security implications fixed before. 
Result: restore previous behavior.
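
A minimal regression check for the behaviour described in the technical note, as an added example that is not part of this bug report or the kernel tree: it queues a signal to the calling process through the raw rt_sigqueueinfo syscall with si_code SI_ASYNCIO, the negative code glibc's aio completion notification uses, and returns EPERM if the kernel rejects it. The function name and the use of SIGUSR1 are choices made for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <time.h>
#include <unistd.h>

/* Queue SIGUSR1 to ourselves with the given si_code through the raw
 * rt_sigqueueinfo syscall. Returns 0 if the kernel accepted the request and
 * the signal arrived carrying that si_code, otherwise an errno value
 * (EPERM when the kernel's si_code check refuses the request). */
int queue_self_with_code(int si_code)
{
    sigset_t set, old;
    siginfo_t info, got;
    struct timespec zero = { 0, 0 };
    int rc = 0;

    sigemptyset(&set);
    sigaddset(&set, SIGUSR1);
    sigprocmask(SIG_BLOCK, &set, &old);   /* keep it pending, not delivered */

    memset(&info, 0, sizeof info);
    info.si_signo = SIGUSR1;
    info.si_code  = si_code;
    info.si_pid   = getpid();
    info.si_uid   = getuid();

    if (syscall(SYS_rt_sigqueueinfo, getpid(), SIGUSR1, &info) == -1)
        rc = errno;                       /* rejected by the kernel */
    else if (sigtimedwait(&set, &got, &zero) != SIGUSR1)
        rc = errno ? errno : EAGAIN;      /* accepted but nothing was queued */
    else if (got.si_code != si_code)
        rc = EINVAL;                      /* queued with a different si_code */

    sigprocmask(SIG_SETMASK, &old, NULL);
    return rc;
}

int main(void)
{
    int rc = queue_self_with_code(SI_ASYNCIO);
    printf("rt_sigqueueinfo(SI_ASYNCIO): %s\n", rc ? strerror(rc) : "accepted");
    return rc == EPERM ? 1 : 0;           /* exit 1 marks the regression */
}
```
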

Comment 5 David Sommerseth 2011-08-11 15:38:46 UTC
Verified by code review.

Found upstream commit 243b422af9ea9af4ead07a8ad54c90d4f9b6081a applied to mrg-rt dev tree as 061d9bef7d6672d8cad37aedfa7e57e7e77c34e6 applied to kernel-rt-2.6.33.9-rt31.73.src.rpm.

Comment 6 errata-xmlrpc 2011-08-22 05:56:50 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1192.html